The odds of a person eventually suffering a cyberattack are “pretty much 100% at this point,” according to Bill Slattery, a former FBI special agent in the cyber division who now investigates cybercrime for Facebook.
Slattery spoke on an information security panel at the eMoney Advisor Summit Thursday, along with Michael Rappe of TD Ameritrade’s Fraud Group and Bill French from the Fidelity Customer Protection and Financial Intelligence Group.
Among the biggest cyber risks financial firms face are email communications with clients that aren’t actually from clients, Rappe said. “The days of [making] financial transfers out of client accounts by email just need to end,” he said.
Fraudulent requests used to be easy to spot, but hackers have learned how to do “like title” requests, or ask for ACH transfers instead of wires, Rappe warned.
Attackers are going after email for good reason, French said: those accounts have “a tremendous amount of information” regarding finances, as well as personal information like electronic documents and communications with friends and family that allow hackers to create social engineering hacks.
Even a birthday greeting can be useful to a hacker, Slattery added, because that information is frequently used to verify accounts.
“People often don’t realize there are lots and lots of little pieces of information about each and every one of us out there on the Internet that can be put together like a puzzle that can be used to exploit you,” he said. “Simple things that look harmless by themselves, when put together en masse can be very harmful.”
“Should we just stop using email?” Jason Novak, eMoney’s chief security officer and moderator of the panel, asked.
“There are definitely other technologies out there that offer more security,” French said, but that doesn’t mean people will use them. An encrypted client portal is probably safer, but if there are too many barriers to access, they won’t use it.
An attractive enough target—like a HNW client—will keep hackers’ attention until they get what they want, Slattery said.
Rappe of TD is turning the social engineering techniques on employees by building behavioral analyses to identify deviations as potential attacks. He recommended using very granular access controls to give employees access to only the information they need to do their jobs.