Why social engineering remains a threat to fintechs

By Andrew Avanessian | 21 April 2017

Social engineering attacks remain one of the most sophisticated threats facing the financial services sector. The use of emails, attachments, social media, telephone calls or any other communication to deceive and manipulate individuals into handing over confidential details is common, and the sensitive nature of this data, often including financial details, makes the sector a high-value target for cyber criminals. Research from Proofpoint found that social engineering was the top attack technique for beating cyber security defences in 2015, and it poses the same significant threat to businesses today.

Despite the steps businesses take to prevent social engineering attacks, such as educating employees not to click on suspicious email links and to be wary of who adds them on social media, social engineers are infiltrating organisations using increasingly sophisticated methods.

While obvious email scams, such as fake phone bills or emails from unknown addresses asking you to click on a link, are well known, other forms of social engineering are much subtler. One example is an email that appears to come from a senior member of staff, asks specifically for something you have been working on, and uses the same language that person would use.

Of course, many organisations within the financial services sector believe they are more secure than the average business due to their compliance with stringent regulations, particularly those within the banking industry. However, anyone can become a victim of a social engineering attack. During the summer of last year, attackers obtained staff credentials at global financial messaging system SWIFT and submitted fraudulent messages asking for money by impersonating them, costing the company approximately £64 million.

Social engineering attacks are unique in that they specifically target and exploit an individual’s trust and curiosity. This is why it’s important for businesses to encourage employees and customers alike to be more suspicious, and train them to spot potentially malicious content. It only takes one employee clicking on one email link for malware to be downloaded and spread to an entire corporate system.

People are usually the weakest link when it comes to cyber security. Many employees will have access to sensitive corporate information, and more junior members of staff in particular may not be aware of the potential consequences of this information falling into the wrong hands.

Hackers are finding increasingly creative ways to attack organisations by targeting their staff. Often, all they need is an employee's name and email address, both of which can be found easily online. These can be used to craft an email designed to trick the recipient into clicking a link that delivers malware, or into parting with money or sensitive information.
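The impersonation email described above, one that borrows a senior colleague's name and phrasing, usually still leaves traces in the message headers even when the body reads convincingly: the display name belongs to a known colleague but the address does not, a Reply-To redirects the conversation elsewhere, or the sending domain merely resembles the corporate one. The following is an added example, not code from the original article or from any product it mentions, showing how a mail gateway or reporting tool could flag those traces. It assumes a hypothetical corporate domain (`example-fintech.co.uk`), a constructed directory of senior staff, and constructed sample messages.

```python
"""Flag inbound messages that impersonate a named senior colleague.

Added example, not part of the original article. The corporate domain,
the staff directory and the sample messages below are all constructed
for the demonstration; a real deployment would take the directory from
the HR or identity system and run this on the mail gateway.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-fintech.co.uk"  # hypothetical corporate domain

# Constructed directory: normalised display name -> the only address that
# person legitimately sends from.
SENIOR_STAFF = {
    "jane doe": "jane.doe@example-fintech.co.uk",
    "mark smith": "mark.smith@example-fintech.co.uk",
}


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe, Jane' style variants compare."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like_corporate(domain: str) -> bool:
    """True for external domains that mimic the corporate one (e.g. a dropped hyphen)."""
    if not domain or domain == CORPORATE_DOMAIN:
        return False

    def squash(d: str) -> str:
        return "".join(ch for ch in d if ch.isalnum())

    corp_label = CORPORATE_DOMAIN.split(".")[0]  # 'example-fintech'
    return squash(domain) == squash(CORPORATE_DOMAIN) or squash(corp_label) in squash(domain)


def impersonation_findings(raw_message: str) -> list[str]:
    """Return a list of header-level reasons the message looks like impersonation."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name = _normalise(from_name)
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)
    findings: list[str] = []

    # 1. A senior colleague's display name on an address that is not theirs.
    expected = SENIOR_STAFF.get(from_name)
    if expected and from_addr != expected:
        findings.append(
            f"display name '{from_name}' belongs to {expected} but mail is from {from_addr}"
        )

    # 2. Reply-To steers replies off the sending domain (common when From is spoofed).
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} differs from sending domain {from_domain}")

    # 3. The sending domain is a lookalike of the corporate domain.
    if _looks_like_corporate(from_domain):
        findings.append(f"sending domain {from_domain} resembles {CORPORATE_DOMAIN}")

    return findings


def is_suspicious(raw_message: str) -> bool:
    """Convenience wrapper: True when any finding is raised."""
    return bool(impersonation_findings(raw_message))


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-fintech.co.uk>
To: analyst@example-fintech.co.uk
Subject: Q1 reconciliation figures

Can you send over the reconciliation spreadsheet when it's ready? Thanks.
"""

SAMPLE_FREEMAIL = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: analyst@example-fintech.co.uk
Subject: Q1 reconciliation figures

Can you send over the reconciliation spreadsheet when it's ready? Thanks.
"""

SAMPLE_SPOOFED_REPLY_TO = """From: Jane Doe <jane.doe@example-fintech.co.uk>
Reply-To: jane.doe@mailbox.example
To: analyst@example-fintech.co.uk
Subject: Q1 reconciliation figures

Send it to this address, I'm on my phone. Thanks.
"""

SAMPLE_LOOKALIKE = """From: Mark Smith <mark.smith@examplefintech.co.uk>
To: analyst@example-fintech.co.uk
Subject: Urgent supplier payment

Please release the payment we discussed before the cut-off today.
"""

if __name__ == "__main__":
    for label, sample in [("legit", SAMPLE_LEGIT), ("freemail", SAMPLE_FREEMAIL),
                          ("reply-to", SAMPLE_SPOOFED_REPLY_TO), ("lookalike", SAMPLE_LOOKALIKE)]:
        print(label, "->", impersonation_findings(sample) or "no findings")
```

The checks deliberately look only at headers, so they run before any attachment or link is opened; a message that raises a finding is the kind that should be routed to the reporting channel the article recommends rather than to the recipient's inbox.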

This means that educating employees is extremely important. Training should cover basic cyber security hygiene such as regularly changing passwords and not clicking on links or attachments that staff aren’t sure about. Instead, staff should be encouraged to report any suspected phishing emails so that companies are aware of them.

That said, it is important to remember that no amount of education can fully protect a business from an employee clicking on an attachment in a convincing email purporting to be from a CEO. This is why companies need to step in to prevent users, or anyone who has control of their devices, from accessing data outside their level of responsibility. This can be particularly important for junior members of staff, who are often the first target of social engineering attacks as they may not understand the value of the data that they are handling. However, if they have no access to corporate information, they cannot compromise it.

Content isolation is also an effective way of containing malicious links, email attachments or websites so that they cannot spread to an entire system and expose sensitive financial information. Keeping these web-borne threats isolated from sensitive corporate data means that even if an employee does fall for a social engineering scam, the attackers will not be able to reach that data or do damage to the organisation. Combined with application whitelisting, which prevents malware from launching, this creates a robust security posture that will go a long way towards preventing financial organisations from becoming victims of social engineering attacks.

These simple but effective security practices can make a huge difference and can form a foundation which will minimise the damage caused by most social engineering attacks. It’s important that the financial sector is aware of the threat and the different forms that it can take, and that organisations take proactive steps to keep themselves safe.