Case Study: One Small Institution Fights Back Big-Time Against Social Engineering

Tucked away in the rolling hills just south of Lexington, KY is the farming community of Mt. Vernon, KY. Dennis Weiskircher, IT Manager and Security Officer at Citizens Bank (www.citizensbankrb.com), has seen his share of social engineering scams.
"I find it surprising how many smaller banks are being targeted by criminals," he says. "I think they've realized that the big banks have the budget to fight online crimes, and so they've come down the food chain to hit the smaller banks that have fewer staff to fight these things."
After 20 years in IT, with 10 years spent at community banks, Weiskircher notes the target area the criminals have chosen is a rich one. "They are less protected and less educated (customers at smaller community banks) but there are things you can do to help them," he says.
The social engineering scams Weiskircher sees hitting his bank's customers start with phishing emails (despite the fact that Citizens Bank only introduced online banking in August 2007). Emails flood his customers' inboxes, including Nigerian 419 scams and their variants, as well as the ubiquitous check fraud scams. All of these are forms of social engineering that try to convince the recipient they must act on something that will make them rich. "Of course, these are all fraudulent scams where the customer could lose a great deal of money. Thankfully, the vast majority of our customers have been stopped before any money is sent to these criminals."
Weiskircher has trained the tellers in the bank's four branches to spot possible scams, and has shown them how to politely point out to the customer that the offer is not real: if they cash the check, they will be liable when it bounces, and if they send money, they will never see the promised return.
"We've only had online banking since last August, and we've had a website for two years," Weiskircher notes. "But we learned quickly, and have helped our customers avoid becoming a social engineering victim."
The bank has initiated "push" messages to its online users to inform them about new internet threats, including phishing emails that they may receive. "We can make that be the first thing they see on screen before they log in, and we've done some training and awareness through that method."
Citizens Bank is also organizing local community training to educate Mt. Vernon about internet safety and the surrounding computer security issues. "We'll have a half-day training for people, whether they're our customers or not, on protecting themselves from phishing scams and identity theft," he notes. The bank views the community training as a long-term benefit. "I will spend a day training people on computer security issues, rather than spending a week or more cleaning up one customer's mess left behind after a phisher has hit their online banking account," Weiskircher says.
Here's what happened a couple of years ago to several banks in the area: bomb threats were phoned into local banks around Berea, KY. The caller claimed there was a bomb in the bank and instructed the teller to put all of the money in the vault into a bag and place it outside the building, or the caller would detonate the bomb. The caller then told the teller to wire a sum of money to a Cayman Islands bank account. Of the two banks contacted in the area, one wired the money and the other didn't. When law enforcement arrived to sweep the banks, no bombs were found, and no one ever appeared to pick up the bags of cash. "It was all just a scam to get the bank to wire money overseas," Weiskircher says.
Citizens Bank has taken these threats and scams seriously, and incorporated them into its training program. "We do regular monthly meetings with staff, usually after hours, to update staff on changes to procedure, emerging threats and other security measures they need to know about," Weiskircher says. He goes to each of the bank's branches to meet with employees.
The bank's intranet website also updates staff on news and policy changes, but the face-to-face meeting each month is where Weiskircher sees the most learning happening. "We've found it's good to meet with staff to keep them aware and let them know of new types of fraud or how to spot something that someone is saying that is just outlandish," he says.
"Our rule is if it seems like it wouldn't be true, it probably isn't," he says. "'Trust but verify,' is what I tell people to do when it comes to situations where they're asked to make a decision or suspect that something isn't 100 percent."