Banks & Insurance Companies in the Crosshairs

Executive Summary

It’s no surprise that banks, insurance companies and other financial institutions make particularly attractive targets for cybercriminals. What may be surprising is how weak these organizations’ defenses seem to be against an often overlooked but growing source of criminal intrusion – enterprise voice networks.

Leveraging a combination of stolen data, caller ID deception and psychological manipulation, scammers are taking advantage of the significant operational disruptions and flood of phone call activity prompted by the Pandemic to perpetrate lucrative data and financial heists. It is imperative that organizations find a way to close this “weak link” in their cybersecurity shields.

It All Begins with Data

The cybercriminals who are using the telephone as their weapon of choice begin their nefarious efforts by first acquiring personal information, or data, about their targets.  This past March, one of the nation’s largest commercial property and casualty insurance companies, CNA Financial, became the latest high-profile victim of a “sophisticated cybersecurity attack,” an occurrence that more and more frequently is targeting financial institutions. The incident prompted the $45 billion corporation to suspend all network operations for several weeks and temporarily replace its website with a single page announcement listing alternate email addresses and phone numbers for customers to use during the investigation.

“Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly,” the announcement concludes.

While the CNA attack is still under investigation, what is now known is that experienced hackers, reportedly linked to Evil Corp, a group well-known to cybersecurity experts, were able to infiltrate the organization’s networks and infect critical systems with a newly-devised version of the Phoenix CryptoLocker ransomware. Once the initial breach was made, the trojan horse-style malware quickly worked its way through CNA communication systems,  encrypting more than 15,000 company devices, including computers of remote employees logged into the organization’s VPN. Rendered unusable, encrypted devices displayed the following ransom note (source: bleepingcomputer.com):

CNA is no lightweight when it comes to understanding the impact of data breaches. Notably, the company includes in its own product portfolio cybercrime-protection policies and reportedly will be restoring systems through backup files rather than succumb to the hackers’ extortion demands. Nevertheless, full recovery will take time and resources, with no guarantee of future fallout if the attackers were successful in gaining access to customer information. Sadly, this is not an isolated incident.

The fact is, more than 1,000 U.S. organizations experienced significant data breaches in 2020, with financial institutions representing the largest portion. Why? Because financial organizations, with their monetary resources and large customer databases, have the most to protect and, as such, are particularly tantalizing targets for highly-skilled thieves.

Cost Calculations

Cyber attacks can be extraordinarily damaging.  According to the Ponemon Institute’s 2020 Cost of a Data Breach Report surveying 524 organizations spanning 17 countries, more than half of all data breaches were perpetrated by malicious attacks. The average cost per breach overall was calculated at $3.86 million, jumping to $5.85 million for those in the financial sector. These figures assume the costs associated with breach detection, notification of affected parties, customer redress (such as credit monitoring, credit card reissues, escalated customer service etc.), legal expenses, and regulatory fines. However, the greatest damage – accounting for nearly 40% of estimated cost – is the impact of lost business, not only due to the disruption of operations but also resulting from lost customer trust and damage to the organization’s brand.  

Ponemon’s 2020 report also notes that those attacks that were enabled through stolen or compromised credentials caused the most financial damage. 80% of those breaches included the exposure of customer Personal Identifiable Information (PII) such as social security numbers, email addresses and phone numbers, and affected nearly 155.8 million individuals.

Data is Currency for the Cybercriminal

While enormously costly to the affected organization, stolen customer data is, in turn, particularly enriching for the cyber-thieves. Most of that data will likely end up on the “Dark Web,” a network of websites that is accessible only to those with specialized software that encrypts browsing activity and obscures IP addresses, rendering users untraceable. Commonly used by those who require complete anonymity when sharing or seeking information (think investigative journalists, whistleblowers or political activists under repressive regimes), the murky Dark Web underworld has also become a haven for nefarious actors and criminals looking to trade in weapons, drugs, and, increasingly, stolen data. Once that data is shared within the cybercriminal network, it can be used to further victimize those individuals through identity theft and targeted scams.

Financial Institutions have the Greatest Risk

According to a risk analysis posting from management consulting firm Deloitte, cybercriminals are increasingly setting their sights on insurance companies like CNA because they, like other financial institutions, hold a large amount of personal and confidential information about their customers – data that can be easily converted to cash on the black market.

Banks, as well, have seen a dramatic surge in cybercrime activity for similar reasons; cybercriminals are drawn to the allure of access to both cash and customer data through a single hack.

The Pandemic Created a New, Huge Opportunity for Cybercriminals

Over the past year, the trend of attacks on financial institutions grew to dramatic proportions largely due to the chaos of the Pandemic. According to a threat report issued by VMware Carbon Black, attacks on banks spiked 238% over the past year. Clearly, the disruption to normal business operations combined with 80 million anxious Americans seeking debt relief, financial guidance or stimulus check information created the perfect cover for scammers intent on exploiting chaos and confusion to defraud company employees and their customers.

While organizations have been focused mainly on upgrading computer network security systems and practices to address rising cybersecurity threats, nefarious actors have been quietly eluding those efforts by turning their attention to alternate, under-the-radar pathways into organization networks. Among the tools gaining their increasing favor is the common, and thus easily overlooked, phone.

Enterprise Phone Networks Provide Unprotected Pathways for Scammers

As a network security provider for many of the nation’s largest financial institutions, Next Caller recently published a report on its call tracking data from 2020 gathered over a five-week period. Among other observations, the author cites “an alarming trend” showing an 800% increase in call volume coming into those institutions over a single week. More troubling, within that call surge was a 50% increase in calls identified as “high risk,” with one Fortune 100 bank suffering a high-risk increase of 60%. The assumption is these “high risk” calls are from scammers looking to gain access to customer information by taking advantage of overworked and underprepared customer service agents in the midst of a pandemic.

Threat Vectors Related to Phone Networks

Among the most common forms of unwanted voice traffic is the ubiquitous robocall. Unlawful robocall campaigns rely on automatic dialing to blast mass numbers of prerecorded scam calls to as many potential victims as possible, hoping to ensnare anyone who answers into a scam. However, as consumers have become savvier about robocall avoidance, so, too, have scammers become more sophisticated in the tools and techniques used to fulfill their criminal intents.

Today’s voice scammers are usually armed with stolen or mined information used to impersonate a familiar call source or gain credibility with the called party. Next, they use a “spoofed” caller ID to disguise the actual source of the call. Spoofing a caller ID is relatively simple using a Voice over Internet (VoiP) connection and open-source software. The spoofed number ID display may mimic one from a familiar area code (neighbor spoofing) or an actual organization’s name (enterprise spoofing). Either way, the intent is the same – to trick the call recipient into answering a call from what they presume is a trusted caller, and it makes Cybersecurity for Financial Institutions that much more difficult.

And once that phone connection is made, the scammer launches into the most critical part of the scheme, using the persuasive power of voice and other psychological “social engineering” techniques to trick the call recipient into divulging information that can be used for future attack or to allow access into other company systems. From start to finish, this technique has come to be known as voice phishing, spear phishing, or simply “vishing.”

One variation, known as the “Friday afternoon scam,” is notable for its record of success as documented in Insurance Journal. In this approach, vishers target investment firms or other high value financial institutions at the end of the workweek in hopes of of reaching a fatigued employee who may be less inclined to challenge the fraudster’s request for information.

As noted in the Next Caller report, “The phone channel has long been a criminal’s gold mine.” In light of recent cyberattack activity on those institutions, the growing use of voice channels to perpetrate fraud on financial institutions and their customers can be seen as a direct manifestation of how a continuous cycle of criminal activity is fed through stolen data.

Humans – the Weak Link

In an interview for Bank Info Security, Chris Hazelton, a director at security firm Lookout, notes that this type of scheme using a voice call rather than other digital phishing methods has proven to be remarkably effective. 

“Receiving a call from a confident, well-spoken actor who is using public information from social networks, or corporate data from already breached corporate directories, goes a lot further than a phishing email with misspellings or incorrect terms,” he states. “Attackers that guide targets through a multistep authentication process that mirrors the real procedure is something that few users are confident or knowledgeable enough to question as suspicious.”

While one would think that the more sophisticated or tech-savvy companies would be less susceptible to deceit, that is not the case.  Social media giant Twitter was victimized by just such an attack in July, 2020, when targeted employees, fooled by phone calls from voice phishers posing as IT staff, divulged credentials that allowed hackers to highjack numerous high-profile accounts in order to spread a bitcoin scam – an action that caused significant disruption of internal systems, full lockdown of affected accounts and restricted account access throughout the network during the duration of the investigation.

Having assisted the FBI in its investigation into the Twitter hack, Allison Nixon, chief research officer at cybersecurity firm Unit 221b, observed in an interview with Wired magazine that, in the following days, “We saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries. I’ve seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn’t think are soft targets. And it’s happening repeatedly, like the companies can’t keep them out.”

Which takes us back to that Dark Web. Sixgill, a cybersecurity firm specializing in analyzing Dark Web content, produced a report in 2020 covering the nature of data for sale on the black market. Apparently, customer records are not the only sought-after asset. Sixgill investigators revealed that, within the stockpiles of information was “a trove of bank employees’ data from a Russian hacker.”

Relatedly, Gemini Advisory, a New York-based company that also monitors underground markets, estimates that more than 40 percent of stolen records include the victim’s phone number. 

The significance of these two revelations cannot be overstated. Access to an individual’s phone number is key to data mining other personal information from reverse phone lookup sites. Combining that with other mined or stolen data, a sophisticated fraudster can make their spoofed call from what appears to be a legitimate customer or colleague to a targeted individual at their financial institution, pass the authentication process, and gain access to other accounts or internal networks that would then allow intruders to implant malware, download company data, redirect funds and, in general, wreak havoc on company operations.

The fact is, while organizations are getting better at security measures and fraud detection technologies to protect other networks from cybercriminal behavior, voice networks remain uniquely vulnerable because of their “weak link – human behavior.

It is clear that customer-facing organizations, and especially those in the financial sector, need to broaden their cybersecurity employee training in order to cover not only employee interactions over the Internet but also over the phone. That said, the innate instinct to be helpful when a caller convincingly presents as a customer or colleague makes approaching those calls with a posture of suspicion extremely difficult for many. There will always be a vulnerability in human nature that criminal intruders are more than happy to exploit.

New Technology Shields Voice Networks from the Fraudsters

As an enterprise voice communications software developer with more than 30 years of experience finding innovative solutions to complex problems for its customers, Mutare, Inc., understands the business value of open voice communications. Voice is how trust is built, deals are made, relationships preserved. But it is also an effective tool of deception in the wrong hands. For Mutare, the solution is not just better employee training – it is better voice network protection.

Employing the multi-layered filtering and reporting capabilities of its enterprise Voice Traffic Filter (formerly Voice Spam Filter) solution, Mutare has, over the past year, analyzed millions of call records from a large spectrum of industries and has compiled that data into highly-detailed Voice Traffic Assessment (VTA) reports for each organization. In the process, Mutare has drawn some industry-specific conclusions. Affirming what was revealed in the Ponemon Institute’s report, Mutare’s analysis shows that, as of this writing, nearly 30% of calls to financial institutions are unwanted. What’s more, nearly 20% of those calls are using spoofed Caller IDs, which is a red flag for scams. Notes the company’s Chief Operating Office Sean Blair, “It is no coincidence that, during a time of economic upheaval, these institutions have become favorite targets for criminal intrusion. Strong cybersecurity for financial institutions requires a multi-front effort. Clearly, one of those fronts is the voice network.”

Mutare’s Voice Traffic Filter is designed specifically to protect enterprise voice networks from unwanted or high-risk calls. Its “5 Layers of Protection” firewall approach employs an ever-expanding, proprietary dynamic database of known spammer IDs along with a spectrum of integrated analytic tools to identify and block or redirect suspected spam, scam, vishing, and robocalls before they ring through, so call recipients are protected from call disruption (which constitutes a significant expense in terms of lost productivity) as well as potential fraud. Beyond its filtering capabilities of known spam, one of the most innovative features of the Mutare system is its proprietary “spoof radar” detection technology that that can flag incoming calls suspected of using the kind of “spoofed” Caller IDs favored by voice phishers. The solution gives administrators full control over how their system should respond to these flagged calls – allow, drop, redirect or deliver to a voice CAPTCHA for further vetting. All together, these capabilities create an effective shield for companies against robocalls, spam calls, and other dangerous voice scam intrusions.

For high-value institutions concerned about the protection of their assets, their people and their customers, the Mutare Voice Traffic Filter should be considered as a first line of defense.

To learn more, click Here.