When it comes to data security, people can be the weakest link. They can also be the strongest and best defense against cyberattacks—if they know how to respond to potential threats.
A thriving fraud industry has developed around the misuse of consumers’ personal information, often mined from social media, harvested through email schemes, or stolen using malicious software. The ill-gotten data is often sold on the dark web marketplace, where a Social Security number can go for $2—or more if it comes with a name and date of birth—and a person’s credit card information can fetch up to $35. Hackers and organized crime syndicates purchase the information for their own nefarious purposes or resell it to end users who commit various cybercrimes.
A significant threat that Nuvision frequently encounters is credential stuffing. “Credential stuffing is a cybersecurity attack where a hacker has purchased a list of stolen user credentials from other data breaches and then uses bots to automatically target online banking platforms to see if any of the stolen credentials match a user’s credentials at the financial institution,” Bennett explains. “This is why it is so important to use different user credentials for your online banking than from any other online account.”
However, Bennett adds, “If a member has their personal login credentials compromised and someone does manage to gain access to a member’s account, we do have measures in place that flag suspicious login access and suspicious transaction activity. Suspicious transaction activity is reviewed before any money is authorized to leave the credit union.”
Nuvision’s security program also includes using traditional email and internet filtering, which can prevent sensitive data from leaving the organization, and one-time passcodes on high-risk transaction types. Several times a month the credit union sees hackers attempting to access online and mobile banking accounts using usernames and passwords from other data breaches. “Our two-factor authentication, web application firewalls, and credential stuffing protections protect the member from these attacks, but we recommend that customers have separate, long passwords for each financial institution and email account. We also recommend turning on MFA [multifactor authentication] wherever possible,” Rupp says.
Wells Fargo applies MFA to authenticate customers’ identity when they sign into their account or use certain services, such as mobile wallet. Customers can opt to sign in using their face ID and thumbprint instead of a username and password. They also can have the bank use voice verification when they call to inquire about their account.
Wells Fargo also encrypts online and mobile sessions and only supports the use of browsers that adhere to strong encryption standards. The bank also monitors accounts 24/7 for abnormal transactions. If a transaction falls outside the normal size or pattern, customers may receive an email, text, or phone call. “We’ve saved customers a lot of money by proactively reaching out to them,” Smith says.
First National Bank Alaska (FNBA), which operates twenty-eight locations in nineteen communities throughout Alaska, also has a multi-layered network security strategy. The bank stays current with system patching, an ongoing process to test and install patches to keep computer software and network hardware up to date, according to Mike Mason, information security officer and senior product manager at FNBA.
FNBA uses vigorous technical and procedural sets of controls to mitigate anticipated risks, according to Mason. “Employees, vendors, and contractors only have the minimum level of access required to perform their work,” Mason says. “In addition, dual controls and appropriate separation of duties help ensure no employee can control transactions from their point of origin to their final disposition, including reviewing their own work. Finally, strong change management controls are in place to vet, approve, and review all system modifications.”
Currently, Denali State Bank does not require MFA for its mobile and electronic banking customers, but it is looking into the possibility, Lundgren says. The bank frequently uses other enhanced data security measures. With wire transfers, for example, the bank often will require a person-to-person phone call. “We have software that will identify transactions that are unusual for a particular customer, such as a high frequency of transactions, a certain geographic location, or a certain dollar amount. Then based on what that notice is, we will follow up,” Lundgren explains. “We will call a reliable phone number for that customer and have a personal conversation.”
But addressing human-related risk requires a different approach. Denali, like other institutions, educates employees to strengthen its security posture. The biggest incoming threat is through emails—particularly phishing and business email compromise. “We train our employees not to ever click on anything, and we test our employees,” Lundgren says. “We try to bait them into clicking so we can evaluate their response to suspicious emails. The human factor is a big vulnerability, so we are very thoughtful about how we train our people to defend against that.”
Sometimes, though, it’s customers who open the door to cyberattacks, Lundgren says. They might inadvertently reveal their password or click on a link that installs a keylogger or some other malware.
FNBA’s Mason suspects the most likely reason for a fraud loss is not a weakness in technology or security but human error. Fraudsters perform swindles that work best if the victim is unaware of the scheme. “Individuals and businesses should be wary of any request for urgency or secrecy and be highly suspicious of any request for payment transmitted by email, especially if the email includes a payment instruction change with new account information,” Mason says. “Individuals should be wary of offers that seem ‘too good to be true’ and safeguard their bank account information from others.”
Scammers consider older individuals to be soft targets, whether that’s due to declining mental faculties, unfamiliarity with technology, or the confidence that comes with age. Wells Fargo’s special report, Protecting Those You Love, indicates that 1 in 7 older Americans say they have fallen victim to elder financial abuse and exploitation; an estimated $2.9 billion to $36.5 billion is lost every year to financial exploitation of older adults; and in up to 90 percent of elder financial exploitation cases, the abuser is a family member or trusted person.
Thanks to a pilot program launched in March, Wells Fargo’s older customers can receive notifications about potential fraud. “It’s one of the first of its kind to proactively detect elder abuse and financial scams and intervene to prevent further losses,” Smith says. “This pilot relies on proactive detection strategies, including analyzing anomalous banking activities and common signs of abuse with customers 65 and older.”
If seniors—or any other customers—think their information has been compromised, they should change account numbers, phone numbers, and credit/debit card numbers to better protect themselves against fraudsters. They should notify their bank right away about any fraud schemes they have fallen victim to and can also submit reports to the Federal Trade Commission at consumer.ftc.gov and the FBI at ic3.gov.
“The challenges we face today are not the same challenges we faced six or twelve months ago—and they won’t be the same ones six months from now,” Lundgren says. “We are committed as a bank to staying on top of cybersecurity challenges and risks. We will continue to monitor and change to protect our customers’ data and security.”