Digital-first banks are used to fending off external threats like data breaches and botnet attacks, but their cybersecurity measures can fall short of protecting against internal threats like phishing schemes. In the Digital-First Banking Tracker, Bala Nibhanupudi, chief technical officer at First Bank, discusses why financial institutions must pair digital security with employee vigilance and regular phishing drills to fight fraud from all angles.
Fraud and other forms of cybercrime are perennial challenges for digital-first banks and businesses of all types, as their extensive web presences open additional doors that allow bad actors to infiltrate their operations. Businesses lost $42 billion to cybercrime in the past two years, for example, and 1.1 billion fraud attacks occurred during the first half of 2020. The ongoing pandemic has made the problem worse, as cybercriminals have exploited customers’ economic insecurities and tricked them into surrendering their login details through various schemes.
One financial institution (FI) dealing with the growing threat of this type of fraud is Missouri-based First Bank, which underwent a digital transformation in 2016. These attacks have originated from several sources, which First Bank divides into two categories: external threats and internal threats, according to First Bank’s Chief Technical Officer Bala Nibhanupudi.
“Not only are external threats like hackers or state actors trying to get into our networks, but there are also internal threats where our employees had to do something to make the threat happen,” he said in a recent interview with PYMNTS.
Both threat types can be damaging to banks, their reputations and their customers, and they thus require equally potent fraud protection initiatives. However, the exact nature of this protection depends greatly on the source.
The Two Types Of Fraud Threats
External and internal fraud threats are equally serious but originate from divergent sources. The former involves hackers attempting to breach banks’ systems using their own malicious code or stolen data, often pouncing on recently discovered security flaws before software developers can fix them with patches.
“We have a lot of predefined Microsoft exploits, and whenever they are made public, we see a huge rush [in bad actors trying to] hack us,” Nibhanupudi explained. “We also see [distributed denial-of-service] attacks, [and] we see brute force attacks quite a bit as well, depending on who the actors are. Usually, state actors deploy those types of attacks most often.”
Internal attacks — in which banks’ own employees help breach their systems, typically involuntarily — constitute the other major threat for digital-first banks. These employees do not generally willingly collaborate with hackers as inside actors but more often inadvertently surrender their login data through phishing scams.
“Sometimes it’s our employees making the threat happen, and sometimes it’s a lender compromise scenario,” Nibhanupudi said. “Phishing is the most common technique by which this happens, as a single phishing response from any employee can open a door for a hacker.”
Both of these dangers require vigilant and rigorous defenses, and one-size-fits-all approaches are likely to be ineffective. Digital-first FIs like First Bank instead leverage multiple layers of defense, tailoring each to a specific threat.
Picking The Right Tools For The Job
External threats necessitate deploying technologies in the right ways, Nibhanupudi said. First Bank leverages a pattern recognition system that monitors for unusually large transactions, but such systems cannot be tacked onto banks’ existing infrastructures as afterthoughts. They should instead be ingrained in every part of the banking system to make security a core feature rather than a secondary one.
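The paragraph above mentions a pattern recognition system that flags unusually large transactions. As an added illustration (not First Bank's system), the following compares each transaction against the account's own history using a robust median-plus-MAD baseline; all account ids, amounts and tuning constants are constructed assumptions.

```python
"""Added example (not First Bank's system): flag unusually large transactions
per account using a robust baseline (median + k * MAD) over prior history.
All account ids and amounts below are constructed sample data."""
from collections import defaultdict
from statistics import median

# Constructed transaction stream: (account, amount). Real feeds would carry
# timestamps, counterparties and channels; amounts alone suffice here.
TRANSACTIONS = [
    ("acct-1", 42.10), ("acct-1", 55.00), ("acct-1", 38.75), ("acct-1", 61.20),
    ("acct-1", 47.30), ("acct-1", 4_950.00),   # sudden large outflow
    ("acct-2", 1_200.00), ("acct-2", 1_350.00), ("acct-2", 1_180.00),
    ("acct-2", 1_275.00), ("acct-2", 1_400.00),  # consistently large: normal here
]

MIN_HISTORY = 4     # need a baseline before judging an account (assumption)
K = 6.0             # MAD multiplier; tune against false-positive budget (assumption)
FLOOR = 10.0        # guards against a MAD of 0 on near-constant histories


def is_unusual(amount, history, k=K):
    """True if `amount` sits far above the account's own past behaviour."""
    if len(history) < MIN_HISTORY:
        return False  # not enough evidence; let other controls decide
    med = median(history)
    mad = median(abs(x - med) for x in history) or FLOOR
    return amount > med + k * mad


def scan(transactions, k=K):
    """Replay a stream in order, building each account's baseline as it goes.
    Returns the list of (account, amount) pairs that should be reviewed."""
    history = defaultdict(list)
    flagged = []
    for acct, amount in transactions:
        if is_unusual(amount, history[acct], k):
            flagged.append((acct, amount))
        history[acct].append(amount)  # update baseline only after judging
    return flagged


if __name__ == "__main__":
    for acct, amount in scan(TRANSACTIONS):
        print(f"review: {acct} amount {amount:,.2f}")
```

Because the baseline is per account, the consistently large acct-2 payments are not flagged while the single outlier on acct-1 is, which is the behaviour a monitoring system embedded in the core flow (rather than a global amount threshold bolted on later) needs.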
“Most of our security protocols and monitoring and capturing we think of … not as an afterthought after the system is deployed, but actually embedded security into the basic code itself,” he explained. “In other words, it is transparent to the end user as much as possible. When we implement the [banking] system itself, we include security at that point, and we have a strong governance and control process.”
Facing internal threats requires a more human-focused and less purely technical approach. Employees must be trained to identify and counter security threats on their own, and strong fraud detection education is the key to enabling this expertise.
“Microsoft catches 98 percent of phishing emails, but that still leaves 2 percent that are slipping [through],” Nibhanupudi said. “We have an extensive education for our employees, and we do our own phishing tests on our employees just to make sure. If any of them fail a phishing test, they have to go through the training again. If they fail more than two or three times, it goes on their records.”
Fraudsters never rest when it comes to developing new schemes, and FIs likewise must work around the clock in defense. No single security technique is enough to stop all forms of fraud, but multilayered defense approaches could go a long way toward convincing bad actors to shift their focus to other targets.