Commenting on an FBI warning that fraudsters are now targeting financial institutions using spam, phishing emails, keystroke loggers and remote access Trojans, PhishMe says that the rising level of attack sophistication means that the education techniques used by these organisations need to change.
“Education is always going to be the best defence, but many of these organisations need to break away from the traditional security awareness model and employ creative, as well as immersive, education techniques,” said Scott Greaux, vice president of product management with the anti-phishing security training specialist. “It’s no good just informing users when they join the company what they shouldn’t do from a security perspective – you have got to change user behaviour. The reason criminals still use tactics such as phishing is because they know they work – which shows that all too often education is failing.”
Greaux says that insulating critical business processes from user devices is also a highly effective way to reduce the risk of cross-contamination. It adds an important extra layer of defence, he says, because it allows organisations to implement more stringent controls – as well as monitoring – on their mission-critical systems and processes.
Modern cybercriminal attacks – as the FBI’s in-depth analysis of the threat and its recommendations clearly show – are multi-vectored in nature, he adds, noting that the problem facing organisations is that it only takes a single click on a phishing email, or the execution of an email attachment, to infect the user’s desktop.
“From there, it’s only a short step before the security ship sinks. This is why we say it is critical that financial institutions – whose systems represent a high-yield target to cybercriminals – should also implement a mix of random and threshold-based reviews for all their wire transfers,” he said.
“This will add an extra layer of human interaction to transactions, making it more challenging for fraudulent transfers to go unnoticed. In the longer term, adding more effective and interactive staff training can also help the financial institutions raise their security game,” he added.
“Using interactive education techniques – such as mock phishing exercises – will not only help improve awareness of these attack vectors, but it will also help to increase knowledge retention amongst employees. Adding a little fun and enjoyment to the mix also goes a long way to ensuring staff will respond positively, we have found,” he added.