The state of cybersecurity has become more precarious than ever before, especially in relation to the financial services industry. Earlier this month, the Financial Services Information Sharing and Analysis Center issued a high alert warning that cyberattackers were attempting to purloin bank employee network login credentials in order to enact wire transfer fraud. Also this month, the Federal Bureau of Investigation issued its own alert cautioning credit unions and community banks that they were being targeted by cyberattackers.
As luck would have it, this increase in cybercrime is occurring as more mortgage banking companies begin to roll out online payment services. Lenders trying to build their online business presence need to keep their customers up to speed on the threats they might face from cyberattackers.
One of the most prevalent forms of online scams goes by a seemingly benign term: ‘social engineering.’ This practice, which is sometimes referred to as ‘phishing,’ uses trickery to get people to voluntarily hand over critical information, such as usernames or passwords.
In many cases, spam filters can easily detect the clumsier social engineering efforts and, thus, spare computer users from grief. However, there are a growing number of sophisticated efforts that are crafted to circumvent the spam filters – and unsuspecting customers that click into these cleverly disguised emails run the risk of facing serious repercussions.
Social engineering attacks mimic an email notification from a well-known and trusted source: financial institutions, LinkedIn, PayPal, the Better Business Bureau, Facebook and so forth. The attackers create an email that looks exactly like the normal system notices that are sent out by those entities, but they change the links to hit their own servers.
The most classic example is an email that delivers a dire notice with a link to log in and check on a potential problem. When a person clicks on the link, it takes him or her to a page on the cyberattacker's servers that looks just like the well-known entity's login page.
When a person enters his or her username and password, this information is stored in a database on the phony server while an error box appears that says, ‘Invalid username or password, please try again.’ This error box message comes with an OK button that, when clicked, redirects the person to the real login page.
People may not realize there is a problem because passwords are obscured with asterisks, so it is natural to assume there was a typo during the initial password entry. However, the miscreants now have the person's username and password.
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam message really came from Facebook or LinkedIn? Quite simply, many people have the same usernames and passwords for multiple websites. Thus, a person who has unwittingly surrendered his or her personal information for a Facebook page might not realize that the social engineering scam artists could later use that information to gain access to online mortgage banking accounts.
Mortgage bankers need to take a proactive approach in educating customers on how to identify potential scams that pop up in their email in-boxes. Here are some safety tips that should be sent out by any financial provider offering online transaction services:
1. Don't click links out of emails. Instead, customers should be advised to open a Web browser, go to the site in question and log in directly. It is not common for financial institutions to have a ‘click here to login’ link within their email communications.
2. Be suspicious of serious ‘warnings’ and dollar amounts posted directly in emails. Financial services companies are not in the habit of sending customers panic-inducing messages of ‘low account balances’ or other account discrepancies with details plainly shown in the email. Warnings are more discreet and merely direct the customer to go log in for details.
3. Use mouse-overs to view a link before clicking. Although not all email software and hardware devices support them, a mouse-over can quickly and easily identify the links within an email message.
4. Try not to use the same password at multiple sites. Customers should be advised to use a password program to store and remember their online access data. Or, at the very least, they should segregate sites into two or three categories, with a unique password for each category: one for banking/financial, one for ‘medium importance’ sites and one for unimportant ‘fodder’ sites.
5. Routinely update passwords. In July, Yahoo! announced that 400,000 email addresses and passwords were breached and publicly posted online for all to see – and steal. People do not find out that their passwords have been pilfered until after the fact. Updating passwords, even once a year, is an easy way to stay one step ahead of the social engineering scammers.
Also, it would be a good idea to invite customers who are in doubt about the veracity of emails to forward them to your company for verification. Several sites that have been the subject of social engineering scams, including eBay and PayPal, have special email accounts that receive, review and keep track of these online frauds. These spoof-checking efforts will help empower the customer to ensure that your organization does not become the victim of the next big Internet fraud.
Eric Robichaud is CEO of 401 Consulting, based in Woonsocket, R.I. He can be reached at email@example.com.