Preventing social engineering attacks: How credit unions are missing the mark
While credit unions focus their attention on technical defenses, social engineers are completely bypassing them. Even small credit unions are being targeted by phishing emails hiding ransomware or strange callers asking employees to verify their credentials to the core financial processor. Social engineering tests are required by many regulators, but are often performed incorrectly and therefore proving largely ineffective. What are credit unions missing?
Policies & Procedures
Procedures should also be in place to authenticate the identity of a caller or visitor, as social engineers often pose as third-party vendors. Information should only be given to a vendor over the phone if prior permission was given in person by an administrator. Credit union personnel must always check an onsite visitor’s identification, log the visit, and escort him or her at all times. Visitor logs should then be reviewed periodically by a member of management to verify that those visitors were expected.
Of course, once policies and procedures are in place, the next step is to ensure employees learn them.
Training
Training often comes in the form of a brief section in an all-hands meeting or a quick webinar. At worst, new employees are given a stack of policies covering the entire organization and simply asked to verify that they received them. Many employees do not have a comprehensive understanding of their organization’s social engineering procedures, nor the critical role they play in preventing social engineering attacks. When they think of high profile cases, like Target or Sony, they imagine the network administrators whose technical controls failed–not the everyday employee who clicked on a malicious link in a phishing email.
Training needs to address these dangers, as well as the tell-tale signs of a phishing email or vishing call. In addition, credit union personnel need to have working knowledge of procedures, including how to authenticate a visitor and who to contact if they think something is suspicious. Seminars or online courses need to be held regularly to cover these topics to keep the information fresh in employees’ minds.
Following a training course, it is imperative to know if the employees actually retained the knowledge.
Testing
Thorough testing is the only real way to assess the risk of social engineering to a credit union. Many credit unions use multiple choice tests, which can often be solved with common sense. Even if the questions are specific, the information is regularly discarded afterward. Employees need to have experience with what social engineering looks like in the real-world. A phishing simulator can be purchased to perform regular email campaigns, and professional social engineers can be contracted to perform vishing and physical tests. All of these tests should be done at least annually.
The scope of the test is important as well. Too many management teams value a clean report over an effective test. Organizations will often request misspellings be added into phishing emails or ask vishers to use the wrong name for an IT staff member. It is a mistake to assume social engineers will be careless. Most successful social engineers are expert information gatherers, and they will tailor their attacks to fit each individual credit union they target. In large scale operations, social engineers will spend weeks, if not months, perfecting their premise. Every employee needs to know how to recognize when something is wrong without obvious tells–and this includes all members of upper management, as they are the prime targets.
Another common mistake is to let technical controls take the brunt of the testing. While an email spam filter is a valuable and necessary tool for any organization, the most useful test is one that shows how individual users will react when that layer of security fails. That is why many phishing simulators request that administrators whitelist the emails to ensure they are delivered and not caught by the spam filter.
There is, however, always the chance that the employee will be the security layer that fails.
Incident Response
Even credit unions with thorough policies and procedures, excellent training, and high-scoring tests can fall victim to social engineering. Social engineering preys upon the weakest link in the security chain: employees. A bad day or a thoughtless mistake can lead to a serious breach of security.
Every incident response plan should include a section that outlines how to respond to a social engineering event. Management roles should be clearly defined, as should procedures for the investigative process following the event. Management should understand how to react the moment they learn a link containing ransomware has been clicked, as well as what documentation to review to understand what access a social engineer might have had while they were in a branch. This incident response plan should also cover which authorities need to be contacted and how the event will be reported to the media.
Having a well-defined incident response plan is the final component of an effective security awareness program intended to help protect a credit union from social engineering attacks.
Conclusion
Management should start by reviewing what their credit union already has in place. Does it cover all of these areas? Is each document, procedure, or test as thorough as it needs to be? If there is anything lacking, management should create a plan for implementation. It is easiest to start from policies and work through each area in the order they are presented here.
If a credit union wants to determine how susceptible they may be to social engineering attacks, a thorough set of social engineering tests (phishing, vishing, and physical) can show areas of weakness and opportunities for improvement. This also enables management to observe how social engineering tests are performed and understand the techniques a real social engineer might use to gain access to the credit union. Knowledge of the threat will help management to restructure the social engineering plan in the most effective manner.
Lastly, it is important for management to realize the danger that social engineering poses. Credit unions lose millions of dollars every year to social engineering attacks. It is only by strengthening personnel controls, not just technical controls, that a credit union can mitigate that risk.
