Digital Signature Blog

Is Your Credit Union Safe from This Psychological Hack?

Written by Kevin Hood | 2/27/15 3:57 PM

With the proliferation of breaches in today’s environment, many credit unions are spending thousands and thousands of dollars on technical security including unified threat management (UTM) devices, firewalls, intrusion prevention/intrusion detection, web filtering, penetration/vulnerability assessment testing and anti-virus solutions. 

While all of these protections are valuable and important to have in place to reduce risk, many credit unions are overlooking their weakest link – staff. All it takes is one successful social engineering attack on your staff, and a hacker has just thwarted the thousands of dollars spent on the technical and physical security protections you have in place.

Social engineering is defined as a psychological attack where a hacker tricks you or manipulates you into divulging sensitive information. Examples of social engineering attacks include:

  • Phishing — Fraudsters defraud an online account holder by posing as a legitimate company.
  • Pharming — Fraudsters direct users to a bogus website that mimics the appearance of a legitimate one to obtain personal information like passwords, account numbers, etc.
  • Phone Calls — Fraudsters pose as a trusted third party or regulatory body to obtain sensitive information over the phone. 
  • Physical Bait — Fraudsters will leave USB drives around an office and wait for someone to plug them in (one study showed that 60-90% of people plug in unknown USB drives they find around the office). When the USB is inserted into a computer, the computer automatically runs programs on the drive that can install malware.
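The USB bait example above relies on the operating system launching a program from inserted media on its own. One control a credit union's IT staff can verify on Windows workstations is that AutoRun is turned off by policy. The script below is an added example, not code from the original post; it assumes Windows PowerShell on a domain or stand-alone machine and reads the two policy registry values under `HKLM\...\Policies\Explorer` that Windows uses for this purpose (`NoDriveTypeAutoRun`, a bit mask where 0xFF covers every drive type, and `NoAutorun`, which makes Windows ignore `Autorun.inf`). The function name and its `-Remediate` switch are the example's own.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the Windows AutoRun policy values that stop inserted media from launching
# programs automatically. -Remediate writes to HKLM and needs an elevated prompt.
function Get-AutoRunPolicyStatus {
    param(
        [switch]$Remediate   # when set, write the hardened values under HKLM
    )
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $desired = @{
        NoDriveTypeAutoRun = 0xFF   # bit mask: disable AutoRun for every drive type
        NoAutorun          = 1      # ignore Autorun.inf so media cannot name a program to run
    }

    if ($Remediate -and -not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    foreach ($name in $desired.Keys) {
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }
        $compliant = ($current -eq $desired[$name])

        if (-not $compliant -and $Remediate) {
            New-ItemProperty -Path $path -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
            $current   = $desired[$name]
            $compliant = $true
        }

        if ($null -eq $current) { $actualText = 'not set' }
        else                    { $actualText = '0x{0:X}' -f $current }

        [pscustomobject]@{
            Setting   = $name
            Expected  = '0x{0:X}' -f $desired[$name]
            Actual    = $actualText
            Compliant = $compliant
        }
    }
}

# Report only (any user):
Get-AutoRunPolicyStatus | Format-Table -AutoSize

# Enforce the hardened values (run from an elevated prompt):
# Get-AutoRunPolicyStatus -Remediate | Format-Table -AutoSize
```

A machine that reports `Compliant = False` on either row will still honour Autorun.inf from a found USB drive, so the audit is a useful companion to the awareness training the post recommends: it tells you which workstations would turn a curious employee's mistake into code execution, and which would not.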

Social engineering is a very successful form of hacking because humans are inherently trusting, courteous, social and interested in helping — especially in the credit union industry! In fact, according to the 2013 Data Breach Investigations Report published by Verizon, social engineering accounted for approximately 30% of all breaches, four times the share reported in the 2012 report.

So what do you need to do? The answer is training and testing often! Your staff is your front line of defense, and a good security awareness training program is imperative to preventing a social engineering attack.

One of my favorite examples of a social engineering test involved a credit union that dropped 20 USB flash drives around their property and branches. They were shocked when they found that 17 of the drives got plugged into credit union computers. The most interesting part? This test was performed only a few months after security awareness training! I was at a credit union recently performing social engineering testing as part of an information security risk assessment, and a staff member gave me full access to their server room without verifying who I was or if I was approved to be there!

Again, your staff is your first line of defense. How confident are you that they would recognize and appropriately respond to a social engineering attack?