Pub. 5 2016 Issue 7

September 2016 31 l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s illicitly obtaining taxpayer names and social security numbers, opening credit accounts in those names, and then falsely submitting tax returns and collecting refunds before the actual taxpayer has even filed the paperwork. Such fraudulent activities can cause additional time and financial costs for employees and customers in many ways, including recouping lost funds, re-issuing cards, closing accounts, and monitoring account and credit activity. Besides the financial fraud taking place, these schemes can be used to install malware on financial institution systems and both consumer or corporate customers. One of the most recently common forms of malware includes ransomware, which can cost money (if the ransom is paid), cost time (in recovery efforts if adequate backups are in place), or can be a total loss (if data stored on the system or server is unable to be recovered). Use Layered Security to Mitigate Risk The solution to preventing these attacks from affecting financial institutions and your customers is layered security. Layered security includes putting the proper technical controls in place to help prevent phishing emails from reaching inboxes, building procedural controls, such as proper backups and restricted user access controls to ensure the technical controls are properly implemented, and – perhaps most important – properly educating and testing personnel and customers. Technical Controls There are a multitude of different technical controls (controls implemented on computer systems) to mitigate the risk of phishing emails. Making sure your institution utilizes strong email and spam filtering will help cut down on the sheer number of phishing emails your users will receive in the first place. Ensuring that anti-virus software is up-to-date and scanning all email attachments before your users open emails is also extremely important. While anti-virus won’t stop everything from getting in, two additional controls will help to ensure the risk of malware getting onto your network is reduced: patch management and removing administrative privileges. Most malware attempts to take advantage of known vulnerabilities on existing systems, so making sure those vulnerabilities are patched and fixed on a timely basis is absolutely imperative. Removing administrative privileges will help keep bad guys from getting access to information and areas of your network that you want to keep safe. While implementing these controls, among others, will not ensure 100% security, they will prevent your institution from being the “low hanging fruit.” When bad guys encounter adversity and resistance when attempting generalized attacks, they will most likely move on to an easier target. Training and Education For all the money spent on spam filters, firewalls, patch management, and antivirus, it only takes one click of a button or a slip of the lip by a customer or employee to compromise a system or an entire network. Proper education of your “people” is one of the most integral steps in protecting customer information. Training and education needs to happen for every single individual with access to systems and sensitive information, including commercial and consumer customers, all employees (especially senior management), and the Board of Directors. Such education cannot be a single one-time-a-year instance, it must be continuous if you expect your employees to remain vigilant in helping to identify and protect your institution’s customer information. Testing Training and education should be followed up with regular testing of your people, like the way technical controls are tested. People are considered the greatest risk to any organization, and we should therefore test our people as frequently, if not more frequently, than anything else. Testing our people helps to ensure that the training and education you have provided is effective or where extra training needs to be performed to ensure customer information is secure. The financial institution must work toward building a culture of security so it is on the forefront of everyone’s mind and is ingrained in every action taken throughout the day. For more information, please contact SBS at 605-923-8722 or visit www.protect- mybank.com. Submitting your taxes requires all the sensitive information, as well as financial information, needed to steal your identity and perform financially fraudulent transactions. Additionally, most people in the US are required to submit tax returns, but few really understand the details of the process. Using taxes as the subject of a phishing email makes the majority of the nation vulnerable to these types of attacks.