How Banks Can Train Employees to Recognize Social Engineering Attacks

Avivah Litan, a financial fraud expert and analyst for Gartner, predicts social engineering attacks against bank employees will increase significantly in 2014. She suggests social engineers may call bank branches or visit tellers in person or they may phone call center employees or try to take advantage of IVR menus. Mobile spam and phishing may also dramatically increase as attackers work to gain access to sensitive bank account information.

If you want to protect yourself against today’s various social engineering attacks, start by investing in the best data protection solutions for business. Then, train your employees to recognize social engineering attacks. These attacks aren’t new, but they’re getting more aggressive, particularly toward bank employees. Although today’s virtual bank robber won’t come up to an employee’s desk and say, “Come here often?” your employees can learn to recognize today’s most common social engineering “pickup lines.”

“Your Computer Is Infected With Malware.”

Sometimes, a social engineer will pose as someone from a company’s IT department or as a help desk person from a company like Microsoft. He or she will call an employee and claim the network has detected a virus on his or her computer. The fake IT person then walks the employee through a series of PC screens. If the scammer senses the employee is uncomfortable with technology, he’ll ask for the employee’s username and password and offer to fix the problem remotely.

“I’m Here From [Official Company Name] to See Judy.”

Old-style bank robbers were known to “case the joint” before coming in for the robbery, and modern criminals do the same thing. After watching bank activities, getting to know routines and learning the names of bank managers, a person may approach a teller and claim to be there to install a software update. Because the person sounds confident, knows a manager’s name and may even wear an official-looking uniform, the teller may grant the scammer behind-the-counter access.

“I Forgot My Keycard.”

A scammer may pose as a bank employee or business partner, stand near the entrance and say he’s forgotten his keycard or the door code. Your employees are trained to be friendly and helpful, so they let the scammer into the bank.

“We Regret to Inform You You’ve Been Laid Off. Please Click Here to Register for Severance Pay.”

Today’s economy makes employees worry their jobs are vulnerable. An email like this one can look like it’s from HR. Even if it seems suspicious, employees may feel panicked enough to click the link. The link either leaves malware on the computer or leads the employee to a malicious site that asks for login credentials.

A twist on this tactic occurs when a social engineer discovers a bank employee is looking for a new job. The engineer may send the employee a personalized email that looks like it’s from a potential employer. However, when the employee clicks the link to “set up an interview,” she may share information that will leave the bank vulnerable to financial fraud.

“Please Update Your Password.”

Many social engineers are good at using company lingo, so they can craft emails that sound just like typical internal messages. Employees may receive an email that looks like it’s from the CEO or another higher-level executive asking the employee to click a link to update his or her password. When the employee clicks the link and enters a password, the scammer captures the credentials.

“The SEC Needs Information About a Bank Customer.”

A vishing attack attempts to lure a bank employee into calling a malicious telephone number. For example, a bank employee may receive an email or voicemail indicating a customer is under investigation by law enforcement. The “official” will ask the employee to call a specific telephone number to provide sensitive information about the client such as Social Security numbers, account numbers or other types of data.

Many of today’s bank robbers don’t wear ski masks or carry guns. They lurk in the bowels of the Internet, trading weapons for the craftiness of social engineering. By exploiting the end user with social engineering tactics, the modern bank robber gets cash — without even leaving the house.
