
When you hear about a billion dollar bank heist, maybe you picture a scene from an old Western, with masked robbers shooting guns in the air and carrying off duffel bags of cash. Or perhaps it's more like "Ocean's Eleven," with slick con men using stolen access codes and EMP devices to access the vault, while a trained gymnast does cartwheels to avoid laser beams. Either way, they used old technology.
Sadly, a byproduct of today's high-tech world is that stealing money is becoming easier, as evidenced by the Carbanak heist earlier this year. In that one attack, 100 financial institutions in 30 different countries were robbed of an estimated $1 billion. It didn't take guns, it didn't take drills and it didn't take acrobatics. All it took was unaware employees who opened attachments in malicious emails.
The emails were sent as part of a spear phishing campaign directed at financial institution employees, in which the thieves used information gathered through social engineering to craft legitimate-looking messages. Each email carried an attachment containing malware that installed itself on the victim's computer. Once in control of the infected machine, the robbers explored the bank's internal networks and Internet banking platforms, using keyloggers and screenshots to learn how staff accessed financial systems. From there it was simply a matter of draining funds by setting up fake accounts, executing transfers or sending remote commands to ATMs.
Cyber thieves are getting more sophisticated – and spear phishing emails look more realistic than ever. In tests conducted to determine the effectiveness of phishing, more than 50% of employees opened the email, and some even entered their passwords on the fake web page to which they were directed.
How can your credit union protect itself?
Here are some steps to help thwart these types of attacks:
- Provide regular security awareness training to your employees. Make sure they know never to open attachments in, or click links within, suspicious emails, and never to provide privileged information such as a password in response to an email. Also teach employees how to tell a known authentic website address from a lookalike phishing URL registered by a criminal.
- Regularly test employee practices. Some companies use software that sends simulated phishing emails to their own employees. Employees who click are directed to a site that may ask for information such as a password. Reports are then generated for your security team to use in further training. Some studies have shown that this tactic significantly reduces the number of employees who fall for suspicious emails.
- Keep software patches current. In the Carbanak crime, the thieves took advantage of known vulnerabilities in Microsoft Office for which security patches were readily available.
- Regularly scan with, and update, your anti-malware software. Use behavior-based (heuristic) detection alongside signature matching, so that your security tooling can flag malware it has not seen before and increase the chance of early detection.
- Conduct vulnerability scanning. Perform both external and internal network scans, since these threats land directly on your internal network when employees click links or open attachments in malicious emails.
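As an added example that is not part of the original article, the following Python function applies the checks an employee is taught to make when separating an authentic address from a lookalike, in a form a security team can also run over the links in reported or simulated phishing emails. The trusted domain names and every URL it is exercised on are constructed for illustration; the credit union's real domains are an assumption you would substitute.

```python
"""Sort a link into 'trusted', 'lookalike' or 'unknown' against the domains a
credit union actually owns.  Added example: the domain names and URLs are
constructed for illustration, not taken from the article."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains this institution really operates.
TRUSTED_DOMAINS = ("examplecu.org", "examplecu-online.com")

# Glyph groups that read alike in a hostname; each is folded to its first entry.
CONFUSABLES = (("o", "0"), ("l", "1", "i"), ("s", "5"), ("e", "3"), ("a", "4"))


def normalize(name):
    """Fold confusable characters so 'examp1ecu' compares equal to 'examplecu'."""
    out = []
    for ch in name.lower():
        for group in CONFUSABLES:
            if ch in group:
                ch = group[0]
                break
        out.append(ch)
    # Two-letter pairs that imitate a single letter ('rn' for 'm', 'vv' for 'w').
    return "".join(out).replace("rn", "m").replace("vv", "w")


def registrable_domain(host):
    """Last two labels of the host. Simplification: a real checker would consult
    the public suffix list so that 'examplecu.co.uk' is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons).

    verdict: 'trusted'   - host is one of, or a subdomain of, the trusted domains
             'lookalike' - host imitates a trusted domain or uses a known trick
             'unknown'   - host is unrelated to the trusted domains
    reasons: warnings collected on the way, also returned for trusted links
             (e.g. plain http) so a report can show why a link was flagged.
    """
    reasons = []
    had_scheme = "://" in url
    parts = urlsplit(url if had_scheme else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unknown", ["no hostname"]

    # 'https://examplecu.org@evil.example/' - everything before '@' is userinfo,
    # so the browser connects to evil.example while the link reads as examplecu.org.
    if parts.username is not None:
        reasons.append("text before '@' is not the host; real host is " + host)

    if had_scheme and parts.scheme == "http":
        reasons.append("plain http, not https")

    # Customers are never sent bank links that point at a raw IP address.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
        return "lookalike", reasons
    except ValueError:
        pass

    # Exact match or genuine subdomain (login.examplecu.org) of a trusted domain.
    for d in trusted:
        if host == d or host.endswith("." + d):
            return "trusted", reasons

    # Punycode labels can encode non-ASCII homoglyphs of the real name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) hostname")
        return "lookalike", reasons

    reg = registrable_domain(host)
    for d in trusted:
        # Trusted name used as a subdomain of someone else's domain:
        # examplecu.org.secure-login.net is owned by secure-login.net.
        if host.startswith(d + ".") or ("." + d + ".") in host:
            reasons.append(f"'{d}' appears as a subdomain of unrelated domain '{reg}'")
            return "lookalike", reasons
        # Character swaps: examp1ecu.org, exampIecu.org, 3xamplecu.org.
        if normalize(reg) == normalize(d):
            reasons.append(f"'{reg}' differs from '{d}' only by confusable characters")
            return "lookalike", reasons
        # Trusted name reused with an extra word or a different TLD:
        # examplecu-secure.com, examplecu.net.
        base = d.split(".")[0]
        if normalize(base) in normalize(reg):
            reasons.append(f"'{reg}' reuses the name '{base}' under a different domain")
            return "lookalike", reasons

    return "unknown", reasons


if __name__ == "__main__":
    for link in ("https://login.examplecu.org/account",
                 "https://examplecu.org.secure-login.net/",
                 "https://examp1ecu.org/",
                 "https://examplecu.org@203.0.113.5/login"):
        print(link, "->", classify_url(link))
```

The registrable-domain logic is deliberately simplified (no public suffix list), and the verdict reflects only who owns the host, so treat "unknown" as "verify before clicking", not as "safe". The reasons list is what you would surface to the employee in a simulation report, since seeing why a link was a lookalike is what makes the training stick.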
Unfortunately, there is no silver bullet for keeping criminals such as the Carbanak thieves or other intruders off your networks. But doing what you can to train employees and using software to detect threats helps mitigate the risk by limiting the amount of loss and keeping cybercriminals out of the credit union and away from members' sensitive information.
Richard Carberry is a senior information security services consultant for Sollievo. He can be reached at 855-605-5664 or [email protected].
© 2025 ALM Global, LLC, All Rights Reserved.