Finance
Locking the Digital Vault
Cyber security to protect banking customers
By Tracy Barbour
When it comes to data security, people can be the weakest link. They can also be the strongest and best defense against cyberattacks—if they know how to respond to potential threats.

A thriving fraud industry has developed around the misuse of consumers’ personal information, often mined from social media, harvested through email schemes, or stolen using malicious software. The ill-gotten data is often sold on the dark web marketplace, where a Social Security number can go for $2—or more if it comes with a name and date of birth—and a person’s credit card information can fetch up to $35. Hackers and organized crime syndicates purchase the information for their own nefarious purposes or resell it to end users who commit various cybercrimes.

Photo: Erika Smith, Wells Fargo Alaska
In Alaska, most security breaches involve extortion, government impersonation, phishing, personal data breach, and identity theft. Proactive education is imperative, according to Erika Smith, Wells Fargo Alaska’s regional banking district senior manager. “We spend time educating our employees so that they are empowered to have robust conversations with our customers,” says Smith, who oversees ten branches from Soldotna. “Our customers are asking us to help them transition to digital platforms, but we need to create awareness with them about what we’re doing to protect them to give them peace of mind.”
A Multi-Layered Approach
Today most banks and credit unions incorporate multiple layers of security, says Keith Bennett, senior vice president of information technology at Nuvision Credit Union, which has ten branches in Alaska and nearly thirty branches in its five-state network. Hackers know this, so they tend to focus most of their attention on obtaining individual user credentials through phishing scams that attempt to trick people into divulging their personal information.

A significant threat that Nuvision frequently encounters is credential stuffing. “Credential stuffing is a cybersecurity attack where a hacker has purchased a list of stolen user credentials from other data breaches and then uses bots to automatically target online banking platforms to see if any of the stolen credentials match a user’s credentials at the financial institution,” Bennett explains. “This is why it is so important to use different user credentials for your online banking than from any other online account.”

However, Bennett adds, “If a member has their personal login credentials compromised and someone does manage to gain access to a member’s account, we do have measures in place that flag suspicious login access and suspicious transaction activity. Suspicious transaction activity is reviewed before any money is authorized to leave the credit union.”

Photo: Keith Bennett, Nuvision Credit Union
Nuvision’s strategy includes leveraging artificial intelligence and machine learning with next-generation firewalls, endpoint detection and response, network monitoring and detection, web application filtering, and credential stuffing protection. “In addition, Nuvision has a very aggressive vulnerability management system, constantly scanning for vulnerabilities and mitigating them as soon as possible,” says Travis Rupp, vice president of network infrastructure and data security. “Since 2016, Nuvision has received the ‘Network of Excellence’ award from Digital Defense Inc. This award is only given to the top 2 percent of their 1,800-plus clients’ vulnerability management program.”

Nuvision’s security program also includes using traditional email and internet filtering, which can prevent sensitive data from leaving the organization, and one-time passcodes on high-risk transaction types. Several times a month the credit union sees hackers attempting to access online and mobile banking accounts using usernames and passwords from other data breaches. “Our two-factor authentication, web application firewalls, and credential stuffing protections protect the member from these attacks, but we recommend that customers have separate, long passwords for each financial institution and email account. We also recommend turning on MFA [multifactor authentication] wherever possible,” Rupp says.

Multifactor Authentication and Encryption
MFA adds factors beyond the password, such as a text message or email code or a biometric (fingerprint, face, or voice) check, so the user must complete more than one authentication step to verify their identity. Ninety-nine percent of account compromises can be blocked with MFA, according to Microsoft. A recent joint advisory issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) promotes MFA as one of the most important cybersecurity practices. “Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available,” the advisory says.

Wells Fargo applies MFA to authenticate customers’ identity when they sign into their account or use certain services, such as mobile wallet. Customers can opt to sign in using their face ID and thumbprint instead of a username and password. They also can have the bank use voice verification when they call to inquire about their account.

Photo: Travis Rupp, Nuvision Credit Union
In addition to these safety mechanisms, Wells Fargo restricts the number of sign-on attempts and limits the length of banking sessions. “Our systems automatically sign customers off after their online and mobile banking activities to reduce the risk of customers’ information being accessed,” Smith says.
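The credential stuffing pattern Bennett describes and the sign-on attempt limit Smith mentions, as an added example that is not code from any of the institutions named in this article: a small monitor over constructed login events that holds accounts exceeding a failure limit and flags source addresses cycling through many usernames with mostly failed attempts. The log format, thresholds, windows and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events, not real bank data: (ISO timestamp, source IP, username, outcome).
# 203.0.113.7 cycles through many different usernames (a stuffing pattern); carol just mistypes twice.
SAMPLE_LOG = [("2024-03-01T09:00:%02d" % i, "203.0.113.7", "user%02d" % i, "fail") for i in range(12)] + [
    ("2024-03-01T09:00:13", "203.0.113.7", "user12", "success"),
    ("2024-03-01T09:05:00", "198.51.100.4", "carol", "fail"),
    ("2024-03-01T09:05:10", "198.51.100.4", "carol", "fail"),
    ("2024-03-01T09:05:20", "198.51.100.4", "carol", "success"),
]

def _grouped(events, by):
    """Parse timestamps and group events by source IP (by="ip") or username (by="user"), time-sorted."""
    groups = defaultdict(list)
    for ts, ip, user, outcome in events:
        groups[ip if by == "ip" else user].append((datetime.fromisoformat(ts), ip, user, outcome))
    return {key: sorted(rows) for key, rows in groups.items()}

def _sliding(rows, window):
    """Yield, for each event, the slice of time-sorted rows that falls within `window` ending at it."""
    start = 0
    for end, row in enumerate(rows):
        while row[0] - rows[start][0] > window:
            start += 1
        yield rows[start:end + 1]

def locked_accounts(events, max_failures=5, window=timedelta(minutes=15)):
    """Accounts with more than max_failures failed sign-ons inside one window: hold them for
    review rather than let a guess-by-guess attack keep running (a sign-on attempt limit)."""
    locked = set()
    for user, rows in _grouped(events, "user").items():
        fails = [r for r in rows if r[3] == "fail"]
        if any(len(span) > max_failures for span in _sliding(fails, window)):
            locked.add(user)
    return locked

def stuffing_sources(events, min_accounts=10, min_fail_ratio=0.8, window=timedelta(minutes=15)):
    """Source IPs that try many distinct usernames with mostly failures inside one window,
    the signature of a bot replaying credentials stolen in other breaches."""
    flagged = set()
    for ip, rows in _grouped(events, "ip").items():
        for span in _sliding(rows, window):
            users = {r[2] for r in span}
            fails = sum(r[3] == "fail" for r in span)
            if len(users) >= min_accounts and fails / len(span) >= min_fail_ratio:
                flagged.add(ip)
    return flagged
```

Note that the two checks are deliberately independent: a stuffing bot fails once per account and never trips a per-account limit, which is why the per-source view matters.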

Wells Fargo also encrypts online and mobile sessions and only supports the use of browsers that adhere to strong encryption standards. The bank also monitors accounts 24/7 for abnormal transactions. If a transaction falls outside the normal size or pattern, customers may receive an email, text, or phone call. “We’ve saved customers a lot of money by proactively reaching out to them,” Smith says.

First National Bank Alaska (FNBA), which operates twenty-eight locations in nineteen communities throughout Alaska, also has a multi-layered network security strategy. The bank stays current with system patching, an ongoing process to test and install patches to keep computer software and network hardware up to date, according to Mike Mason, information security officer and senior product manager at FNBA.

Photo: Mike Mason, FNBA
According to Mason, the bank’s local experts closely monitor and quickly respond to advisories sent by the CISA and other threat intelligence sources. “It is essential to promptly remediate exploitable vulnerabilities, particularly ‘zero-day’ flaws where attackers are already using the vulnerability before the firm responsible for patching is aware it exists,” he says. “Internal multifactor authentication ensures administrator credentials are secure.”

FNBA uses vigorous technical and procedural sets of controls to mitigate anticipated risks, according to Mason. “Employees, vendors, and contractors only have the minimum level of access required to perform their work,” Mason says. “In addition, dual controls and appropriate separation of duties help ensure no employee can control transactions from their point of origin to their final disposition, including reviewing their own work. Finally, strong change management controls are in place to vet, approve, and review all system modifications.”

Additional Security Measures
Denali State Bank, which has about 11,000 customers and five branches in Alaska, also utilizes multiple security layers. The Fairbanks-based community bank has employed MFA for some of its cash management and other commercial services. These customers must enter their user ID and password, along with one additional component: a token. “We have a token [an image pre-selected by the customer] that we will send you to make sure you recognize it to, hopefully, prevent you from signing into a fraudulent website,” says President and CEO Steve Lundgren. “A few years ago, it was odd that somebody would… text a code to a reliable number and have the customer type in the code to access their account,” he says. “It’s much more standard now. I expect that multifactor authentication will become the norm.”

Currently, Denali State Bank does not require MFA for its mobile and electronic banking customers, but it is looking into the possibility, Lundgren says. The bank frequently uses other enhanced data security measures. With wire transfers, for example, the bank often will require a person-to-person phone call. “We have software that will identify transactions that are unusual for a particular customer, such as a high frequency of transactions, a certain geographic location, or a certain dollar amount. Then based on what that notice is, we will follow up,” Lundgren explains. “We will call a reliable phone number for that customer and have a personal conversation.”

As another precautionary measure, Denali focuses on protecting customers from unauthorized credit card use. If the bank notices fraudulent activity or is notified about an external data breach, it proactively closes that card and reissues another one. Denali also scrutinizes requests to modify a credit card holder’s contact information, particularly a phone number. When this happens, the bank will reach out to confirm that the actual cardholder requested the change. “A bad actor, for example, could call to change the phone number and then later may call in to make a transaction,” Lundgren explains. “But if we’re calling the bad actor to verify the transaction and the phone number has been changed, that kind of defeats the purpose.”
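The transaction anomaly checks Smith and Lundgren describe (unusual dollar amount, geographic location, or frequency) and the callback to a reliable number, as an added illustration rather than any bank's actual software: a per-customer baseline plus a rule that ignores a phone number changed too recently, which is the gap Lundgren points out. The customer data, thresholds and seven-day holding period are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data, not real bank records. History rows: (ISO timestamp, amount USD, location).
HISTORY = [
    ("2024-02-01T10:00:00", 42.10, "Fairbanks, AK"),
    ("2024-02-03T12:30:00", 120.00, "Fairbanks, AK"),
    ("2024-02-10T09:15:00", 65.75, "Fairbanks, AK"),
    ("2024-02-18T17:45:00", 88.20, "North Pole, AK"),
    ("2024-02-25T11:05:00", 54.00, "Fairbanks, AK"),
]
# Phone numbers on file: (number, ISO timestamp when it was placed on file).
CONTACTS = [("907-555-0100", "2022-06-01T00:00:00"),
            ("907-555-0199", "2024-02-28T16:00:00")]  # changed days before the activity below

def flag_transaction(txn, history, amount_z=3.0, freq_limit=3, freq_window=timedelta(hours=1)):
    """Return the reasons a transaction falls outside this customer's normal pattern
    (amount, location, frequency). An empty list means nothing looked unusual."""
    ts, amount, location = datetime.fromisoformat(txn[0]), txn[1], txn[2]
    past = [(datetime.fromisoformat(t), a, loc) for t, a, loc in history]
    amounts = [a for _, a, _ in past]
    mu, sigma = mean(amounts), pstdev(amounts)
    reasons = []
    # Dollar amount: more than amount_z standard deviations above the customer's mean.
    if ((amount - mu) > amount_z * sigma) if sigma else (amount > mu):
        reasons.append("amount")
    # Geographic location never seen in this customer's history.
    if location not in {loc for _, _, loc in past}:
        reasons.append("location")
    # Frequency: this plus the prior transactions in the window exceed the limit.
    recent = sum(1 for t, _, _ in past if timedelta(0) <= ts - t <= freq_window)
    if recent + 1 > freq_limit:
        reasons.append("frequency")
    return reasons

def callback_number(contacts, now, hold=timedelta(days=7)):
    """Pick the number to call for verification: the most recently added number that has been
    on file at least `hold`, so a number changed just before a transaction is never the one used."""
    seasoned = [(datetime.fromisoformat(placed), num) for num, placed in contacts
                if now - datetime.fromisoformat(placed) >= hold]
    return max(seasoned)[1] if seasoned else None

def review(txn, history=HISTORY, contacts=CONTACTS):
    """Combine both checks: reasons to hold the transaction, and whom to call about it."""
    reasons = flag_transaction(txn, history)
    call = callback_number(contacts, datetime.fromisoformat(txn[0])) if reasons else None
    return {"reasons": reasons, "callback": call}
```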
Equipping Customers to Minimize Vulnerabilities
As part of its multi-faceted security, Denali State Bank maintains an extensive firewall to counter new threats.

But addressing human-related risk requires a different approach. Denali, like other institutions, educates employees to strengthen its security posture. The biggest incoming threat is through emails—particularly phishing and business email compromise. “We train our employees not to ever click on anything, and we test our employees,” Lundgren says. “We try to bait them into clicking so we can evaluate their response to suspicious emails. The human factor is a big vulnerability, so we are very thoughtful about how we train our people to defend against that.”

Sometimes, though, it’s customers who open the door to cyberattacks, Lundgren says. They might inadvertently reveal their password or click on a link that installs a keylogger or some other malware.

FNBA’s Mason suspects the most likely reason for a fraud loss is not a weakness in technology or security but human error. Fraudsters perform swindles that work best if the victim is unaware of the scheme. “Individuals and businesses should be wary of any request for urgency or secrecy and be highly suspicious of any request for payment transmitted by email, especially if the email includes a payment instruction change with new account information,” Mason says. “Individuals should be wary of offers that seem ‘too good to be true’ and safeguard their bank account information from others.”

Scammers consider older individuals to be soft targets, whether that’s due to declining mental faculties, unfamiliarity with technology, or the confidence that comes with age. Wells Fargo’s special report, Protecting Those You Love, indicates that 1 in 7 older Americans say they have fallen victim to elder financial abuse and exploitation; an estimated $2.9 billion to $36.5 billion is lost every year to financial exploitation of older adults; and in up to 90 percent of elder financial exploitation cases, the abuser is a family member or trusted person.

Thanks to a pilot program launched in March, Wells Fargo’s older customers can receive notifications about potential fraud. “It’s one of the first of its kind to proactively detect elder abuse and financial scams and intervene to prevent further losses,” Smith says. “This pilot relies on proactive detection strategies, including analyzing anomalous banking activities and common signs of abuse with customers 65 and older.”

If seniors—or any other customers—think their information has been compromised, they should change account numbers, phone numbers, and credit/debit card numbers to better protect themselves against fraudsters. They should notify their bank right away about any fraud schemes they have fallen victim to and can also submit reports to the Federal Trade Commission at consumer.ftc.gov and the FBI at ic3.gov.

“The challenges we face today are not the same challenges we faced six or twelve months ago—and they won’t be the same ones six months from now,” Lundgren says. “We are committed as a bank to staying on top of cybersecurity challenges and risks. We will continue to monitor and change to protect our customers’ data and security.”