
Phishing and spoofing scams cost billions in losses

Each and every employee must serve as a first line of defense when it comes to protecting a bank from cybercrime, specifically phishing attempts and spoofing scams. According to the FBI, phishers range from computer geeks looking for internet fame to businesses trying to gain an upper hand by hacking competitor websites. They also include criminals who want to steal and sell personal information, and spies and terrorists looking to rob our nation of vital information or launch cyber strikes.

In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 351,936 complaints with losses exceeding $2.7 billion. Most consumer victims are in California, Texas and Florida, and are over age 62.

The IC3 Recovery Asset Team (RAT) was established in February 2018 to facilitate communication between financial institutions and FBI field offices to support the recovery of funds for victims who made transfers to domestic accounts under fraudulent pretenses.

One growing crime is a payroll diversion scam, and the IC3 received 100 complaints with a combined reported loss of $100 million in 2018. Here’s how it works: Cybercriminals target employees with phishing emails to get their online banking login credentials. Once logged in, the criminal changes alert preferences so the employee does not receive notifications related to direct deposit changes. They also change the direct deposit information by redirecting payroll funds to an account the criminal controls, often a prepaid card.
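
For security teams, the sequence described above (alerts switched off, then a direct deposit change) can be flagged from account audit logs. The following is an added example, not from the FBI or the original article; the event names, log schema, 24-hour window and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events (hypothetical schema: time, user, session, action, detail).
EVENTS = [
    ("2018-06-01T09:00:00", "alice", "s1", "login", ""),
    ("2018-06-01T09:02:00", "alice", "s1", "alert_pref_change", "direct_deposit_alerts=off"),
    ("2018-06-01T09:05:00", "alice", "s1", "direct_deposit_change", "acct=prepaid-XXXX"),
    ("2018-06-01T10:00:00", "bob", "s2", "login", ""),
    ("2018-06-01T10:03:00", "bob", "s2", "direct_deposit_change", "acct=checking-YYYY"),
    ("2018-06-02T08:00:00", "carol", "s3", "alert_pref_change", "direct_deposit_alerts=off"),
    ("2018-06-09T08:00:00", "carol", "s4", "direct_deposit_change", "acct=savings-ZZZZ"),
]

WINDOW = timedelta(hours=24)  # assumed correlation window, tune to your environment


def find_payroll_diversion(events, window=WINDOW):
    """Return (user, alerts_off_time, deposit_change_time) for every direct
    deposit change made within `window` after the same user's direct deposit
    alerts were switched off. Correlates by user, not session, because the
    two steps may happen in separate logins."""
    last_alert_off = {}  # user -> time alerts were last switched off
    findings = []
    for ts, user, _session, action, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "alert_pref_change":
            if detail.endswith("=off"):
                last_alert_off[user] = when
            else:
                last_alert_off.pop(user, None)  # alerts re-enabled, reset state
        elif action == "direct_deposit_change":
            muted = last_alert_off.get(user)
            if muted is not None and when - muted <= window:
                findings.append((user, muted.isoformat(), when.isoformat()))
    return findings


if __name__ == "__main__":
    for user, muted, changed in find_payroll_diversion(EVENTS):
        print(f"HOLD payroll change for {user}: alerts off {muted}, deposit changed {changed}")
```

A match is a reason to hold the change and verify it with the employee through a separate channel, in line with the tip below about verifying payment changes.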

The most important step every employee can take to combat cybercrime is reporting any attempt to solicit sensitive information to the bank’s IT or security department. Here are some helpful tips from the FBI:

  • Never open an email attachment from someone you don’t know and be wary of forwarded attachments from people you do know because they may contain malicious computer code.
  • Although a high-speed connection makes it easy to get online at any time, leaving your computer “always on” makes it more open to fraud. Turning it off cuts an attacker’s connection so they cannot infect the computer with a bot, spyware or other malicious code.
  • Let customers know that if they receive an important email from your bank, they should not click on the link in the email, but rather visit your website by manually typing in the URL. If they are unsure about the legitimacy of an email, encourage them to call the bank and speak personally with one of your team members.
  • Advise your customers to be especially suspicious if an email requests a lot of personal information – this is a popular phishing technique.
  • Never make any payment changes without verifying all the changes with the intended recipient.

Read the FBI IC3 2018 annual report 

Phishing emails

Bank phishing attacks start with the phisher sending thousands of spoof emails that look nearly identical to legitimate bank communications in terms of logo, layouts, colors and language. The cyber criminals bet that since most people are busy, they won’t look closely at the email before clicking a link to a spoof site.

Spoof bank websites

Phishing emails almost always include links to spoofed bank websites that look nearly identical to the real thing. Spoofed bank websites frequently have a popup window that demands customer information and credentials.
