With the recent collapse of Silicon Valley Bank (SVB), we're seeing a culmination of events leading to a perfect storm for digital bad actors. As businesses experience the panic that comes with sudden financial insecurity, hackers and cybercriminals are being presented with a unique and nefarious opportunity to exploit emerging weak points.
Vulnerabilities Exposed By the Bank Collapse
It's easy to believe that the transfer of consumer data may be one of the easiest points of attack for cybercriminals. However, the real target will be (and has been) people. Employees of SVB and businesses that banked with it are particularly vulnerable to a targeted barrage of varied cyberattacks.
Criminals have already begun their efforts en masse, using relatively simple business email compromise and phishing techniques as part of larger social engineering attacks. To facilitate these attacks, people have been rapidly purchasing SVB-related domains that can be made to look like legitimate payment, employment, or other types of websites.
Social Engineering Preys on Heightened Emotions
Social engineering is a term that's sometimes used to describe organized cyberattacks that target employees or company associates who may easily be manipulated into sharing sensitive information.
According to a recent report released by IBM, the average cost of a social engineering attack on a business was $4.1 million, and such attacks took companies 270 days to identify and effectively contain. Imagine the peripheral damage that can be done during that time frame. People lose their jobs, employers may panic, and the company's reputation can be irreparably compromised.
In the case of the recent bank collapse, cybercriminals are counting on the fear, uncertainty, and feelings of urgency that former SVB customers are likely to experience. Most will be in the process of trying to recover their funds and relocate them to a stable financial institution.
While this is happening, there is an abundance of opportunities for those with bad intentions to use various communication channels in an attempt to appear as legitimate entities. They may try to gain access to new account numbers, personal credentials, or passwords, or even try to manipulate someone into transferring money to a fraudulent account.
Social engineering attacks can go after a wide range of information and take many forms, from asking an employee in the finance department to confirm account details in an email that appears to come from a legitimate bank to asking employees to download new and supposedly necessary software that turns out to be malware.
Scare tactics are prevalent, driving urgency and poorly considered actions. In the case of the SVB collapse, these emails may assert that a business owes "fees" of some sort or that it has received an overpayment from the Federal Deposit Insurance Corp.
Cybercriminal creativity seems to be boundless these days; attackers may even call an employee to heighten the sense of fear or urgency.
How Can Employees and Businesses Protect Themselves?
Now is the time to think through what can be done to get ahead of this situation and future ones like it. The first step in preventing social engineering attacks is to make sure employees are educated about cybersecurity threats. Regular training and situational alerts should be a normal part of organizational operations. In addition to this, employees should:
- Verify the sender's email address with the company's security team and with the sender's parent company.
- Avoid responding to any email requesting personal information, especially when it is unexpected or contains a threat.
- Never click links in an email without first verifying both the validity of the sender and the purpose of the message.
- Always keep an eye out for bad grammar, poor graphics, unfinished websites, and strange word choices.
- Never download anything without first getting confirmation from an internal security team that it is required.
- Never act when in doubt about anything. Reach out to leadership to confirm next steps, and always report suspicious emails.
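One way a security team could triage reported sender addresses for the lookalike domains described earlier, as an added example that is not part of the original article. The domain `examplebank.test`, the brand term and the sample headers are constructed placeholders, not real SVB values.

```python
from email.utils import parseaddr

# Assumed placeholders: substitute the bank's real domains and brand terms.
TRUSTED_DOMAINS = {"examplebank.test"}
BRAND_TERMS = {"examplebank"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'unknown' for a From header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return "unknown"
    # Exact match or true subdomain only; a bare suffix match would trust
    # "evilexamplebank.test".
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Brand term in the display name or embedded in an untrusted domain.
    haystack = (display + domain).lower()
    haystack = "".join(ch for ch in haystack if ch.isalnum())
    if any(term in haystack for term in BRAND_TERMS):
        return "lookalike"
    # Near-miss spelling of a trusted domain (character swap or substitution).
    if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

# Constructed sample From headers, not taken from real messages.
SAMPLES = [
    "Example Bank <alerts@mail.examplebank.test>",
    "Example Bank Refunds <claims@examplebank-refunds.test>",
    "Example Bank <billing@unrelated-payments.test>",
    "payments@examp1ebank.test",
    "Newsletter <news@vendor.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

A verdict of `unknown` means only that no lookalike pattern matched. The From header itself can be forged, so this check does not replace SPF, DKIM and DMARC results or out-of-band confirmation with the bank.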
Cybercriminals are smart enough to never let a crisis go to waste. And their attempts to defraud businesses and consumers are steadily becoming more sophisticated. As we face the uncertainty and fallout of this banking crisis, we must be diligent in our actions, continuing to cultivate awareness with employees and implement strict standards around external communications.