How Brand Impersonation Can Devastate Small Regional Banks. And What to Do About It.

Banks and other financial institutions regularly find themselves the target of systematic cyberattacks. Cybercriminals, employing a vast and ever-evolving range of tactics, are constantly seeking to infiltrate security networks and private banking accounts where they can steal customer information, employee data, and banking funds. IBM's most recent report on cyber attacks found that the financial industry spends an average of $5.72 million on responding to and recovering from a single data breach. Naturally, these high costs put a lot of strain on banks that must allocate more of their IT budget toward cybersecurity. One February 2022 survey found that the majority of surveyed financial institutions had plans to increase their cybersecurity budget by 20 to 30 percent this year alone.

But where does that leave small regional banks, which may not have the ability to massively increase their cybersecurity budget? For a long time, many regional banks believed that their small size would allow them to fly under the radar of cyberattacks. But in recent years, cybercriminals have become much more sophisticated and targeted in their attacks. They also recognize that many small banks have far more security vulnerabilities than larger institutions do, making small banks a prime target for cyberattacks that are growing in scope and severity. One of the more common methods these cybercriminals use to scam small banks and their customers is brand impersonation fraud.

The Risks of Brand Impersonation Fraud

Brand impersonation fraud, also known as business impersonation fraud, is when a cybercriminal impersonates a recognizable brand in an attempt to steal login credentials or other sensitive information. Anyone who owns a smartphone or an email account will be very familiar with receiving bogus SMS texts or emails purporting to be from their bank. The message tells the user there is a problem with their account and that they must sign in through a provided URL, which directs them to a website that looks a lot like their bank's website, down to almost the last detail. Except it's not their bank's website; it's a scam site that will steal their login credentials should they be unfortunate enough to proceed any further.

Despite the typical crudeness of this method, it can be very effective against people who aren't aware of the dangers. Simply clicking the link can be enough to trigger a ransomware or malware infection on your device. Mass attacks like this can be sent out to a million recipients at once, and even if only 0.5% of recipients fall for it, that's still 5,000 compromised accounts. The sophistication of such attacks is also growing. For instance, fraudsters are building sites that will steal two-factor authentication codes from a user. Or they'll purchase online ads that impersonate a brand's imagery and messaging but direct any consumer who clicks on them to a malicious website.

What Can Small Banks Do?

While large banking institutions tend to be the main target of brand impersonation, small regional banks are increasingly coming under attack. It's no longer enough to think your small size means you are undeserving of a scammer's attention. If anything, your small size, and the assumed limitations in security resources, makes you an easier target. In fact, we recently found that at least 1 in 5 regional banks experienced an online brand impersonation attack over a 90-day time period. To ensure better protection for employees and customers, regional banks should begin by implementing a few cybersecurity best practices:

1. Educate Your Customers and Employees on the Dangers

It's often said that the weakest part of a security system is the human element. As cyberattacks become more sophisticated, it is increasingly important that banks educate both their customers and employees on these dangers. Fraudsters have evolved so that a fake website can be nearly indistinguishable from an official one. With that in mind, customers and employees could probably use a few pointers on how to deal with suspicious messages, such as:
  • Be vigilant: Always be skeptical of unsolicited messages that include URL links, especially when they sound urgent.
  • Don't click; double-check: Instead of clicking on a link in an SMS message or e-mail to log into your bank account, visit the site directly. Open a browser window and type in your bank's website URL. You can also call the official customer service number (not the one listed in the email) to ask about the suspicious message.
  • Educate customers: Inform your customers of the type of information that you will never solicit from them in an SMS or email. For example, "We will never ask you to enter your banking details or provide other sensitive information on your account in an email or on the phone." Also, if the purpose of a communication is to get the account holder to log into their account and take action, don't include a link in the message; instead recommend that they visit your official website (as suggested in the second pointer above).

2. Modernize Your Approach to Protecting Your Brand & Customers Online

Finding room in your annual budget for cybersecurity can be a challenge for small banks, but it's an investment that's well worth making room for. The Anti-Phishing Working Group tracked millions of unique, newly published phishing websites in the second quarter of 2022. This set a new record (quadrupling compared to 2020 levels) and was the worst quarter for phishing the organization has observed in its 18-year history. With such an incredible volume of spoof websites published each day, manual approaches to monitoring for the abuse of your brand online not only take too much time and cost too much; they are also ineffective and miss up to 70 percent of today's online brand impersonation attacks. Online brand protection is a constantly evolving practice that requires a dedicated team who can monitor for impersonation sites and manage site takedowns. Time is of the essence when it comes to finding and destroying spoof websites, because the longer a site goes undetected, the more account holders will fall victim. Working with a vendor that can automate the monitoring of the Internet for the misuse of your brand can cost less per year than you might spend responding to a single incident on your own. Whether you choose to handle all your cybersecurity in-house or turn to a security vendor, make sure that all your systems are up to date and your people are aware of the latest threats.
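To make the automated monitoring described above concrete, here is an added example (not code from the article or from Allure Security) of a minimal lookalike-domain screen: it folds common character swaps and scores newly observed hostnames against a bank's brand name so that near matches can be queued for review and takedown. The brand "riverbank", its domain and the sample hostname feed are constructed for the example.

```python
from difflib import SequenceMatcher

# Common visual substitutions seen in lookalike names (assumed list, not exhaustive).
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
         ("5", "s"), ("7", "t"), ("-", ""))

def normalize(label: str) -> str:
    """Fold homoglyph-style swaps and separators so 'r1ver-bank' compares as 'rlverbank'."""
    s = label.lower()
    for src, dst in SWAPS:
        s = s.replace(src, dst)
    return s

def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'riverbank-secure' from 'login.riverbank-secure.com'.
    Assumes a single-label public suffix; a real feed needs the public suffix list."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score(hostname: str, brand: str) -> float:
    """Best similarity (0..1) between the brand and any brand-sized window of the label,
    so appended words like '-login' or '-secure' do not dilute the match."""
    label, b = normalize(registrable_label(hostname)), normalize(brand)
    n, best = len(b), 0.0
    for k in range(max(1, n - 2), n + 3):
        for i in range(max(1, len(label) - k + 1)):
            best = max(best, SequenceMatcher(None, label[i:i + k], b).ratio())
    return best

def flag_lookalikes(hostnames, brand, legit_domain, threshold=0.8):
    """Return (hostname, score) for names resembling the brand that the bank does not own."""
    flagged = []
    for h in hostnames:
        h = h.lower()
        if h == legit_domain or h.endswith("." + legit_domain):
            continue  # the bank's own site and subdomains are not impersonations
        s = score(h, brand)
        if s >= threshold:
            flagged.append((h, round(s, 2)))
    return sorted(flagged, key=lambda t: -t[1])

# Constructed feed of newly observed hostnames (e.g. from a certificate-transparency log).
SAMPLE_HOSTS = ["riverbank.com", "online.riverbank.com",          # the bank's own
                "riverbank-secure.com", "r1verbank.com",          # lookalikes
                "rivrbank-login.net", "weatherdaily.org"]         # lookalike, unrelated

if __name__ == "__main__":
    for host, s in flag_lookalikes(SAMPLE_HOSTS, "riverbank", "riverbank.com"):
        print(f"{s:.2f}  {host}")
```

Hits should be confirmed by hand (or by fetching the page for the bank's logo and login form) before a takedown request is filed, since a high score alone does not prove abuse.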

Final Thoughts

Increasing digitization and connectivity have brought about amazing benefits in almost every industry. But with those benefits has come the need for effective cybersecurity practices that must constantly stay ahead of cybercriminal activity. As the threats evolve, so must your cybersecurity practices, and that goes for all financial institutions, both big and small.

About the Author: Josh Shaul is the CEO of Allure Security. He is known as a visionary security leader with expertise in building teams, creating strategy, and driving growth for security companies of varying sizes. He is passionate about providing comprehensive digital protection to businesses while inspiring trust and confidence in their customers and clients. He is recognized as a leader with strong diplomatic skills, a natural affinity for cultivating and nurturing global relationships, and for possessing unwavering personal ethics and integrity.
