Customer service is a key ingredient in banking, and it’s the con man’s pathway around your firewalls. Proper system preparation, employee training, threat awareness, and testing are all essential to creating a secure environment with effective service and appropriate employee restraint.
A core differentiator of community banks is customer service. The relationships we establish with our customers are what drive our business, bringing customers back for repeat business and sending them away happy enough to pass along positive feedback to others. The basics of customer service, such as answering the phone with a smile, listening to the customer and keeping your promises, are well known and essential to ensuring happy customers. But there are others, liars and con men, who would take advantage of our good will to attack us and gain access to the information we're trusted to protect.
The Threat beyond Technology
Our IT departments install firewalls, antivirus, and intrusion prevention systems to protect us from network-based attacks, while we, the employees, might be disclosing the keys to the kingdom to callers over the phone.
Social engineering is the psychological manipulation of a person into divulging information or performing actions that the person wouldn't or shouldn't do otherwise. Attackers use it as a type of confidence trick to gather information, commit fraud or gain system access, and it can be performed over the phone, by email or even in person.
Simple attacks typically present a false but plausible scenario that is used to entice or incite the target to an action desired by the attacker. For example, a target might be enticed to insert a CD or thumb drive into their computer by a tantalizing label or they might be incited to browse to a web site to install a critical security patch. These simple attacks, and more complex ones too, aim to take advantage of our penchant for outstanding customer service.
Our initial reaction to a petition for help is to try to satisfy the request, to resolve the issue, to fix the problem. Ingrained with that desire for resolution is the assumption that the petition is legitimate. We are honest and we assume that others, and specifically the petitioner, are as well. While that assumption is right most of the time, it will occasionally be wrong, with disastrous results. We work in a position of trust; community banking is really about trust. We must restrain our initial reactions, rethink our assumptions and proceed cautiously.
Until we can verify the identity of a caller or the authenticity of an email we must distrust them. There is little about an email that can't be faked. Callers can and will lie. To implicitly trust either source without verification opens us to exploitation.
The Proper "Customer Service" Reaction
Verification of a caller should be performed according to the stipulations detailed in your institution's policy, which should be sufficiently robust to confirm the caller's identity and the veracity of the call. For example, if an unfamiliar caller claims to work for another department and requests internal-use or confidential information, you should place them on hold, call that department and confirm their employment and position before releasing the requested information. Similar precautions should be used to confirm the veracity of email requests prior to fulfilling them. If warranted, the supposed sender of the email should be called to confirm the source and contents of the email.
We shouldn't be embarrassed by the stipulations our security policies require of us. We shouldn't be ashamed to enforce them. We should proudly proclaim these requirements to the customer and explain how they are used to ensure the continued security of their data. Most of our customers have either direct experience with identity theft or know someone who has had their data exposed, and they will therefore recognize the importance and usefulness of our policy stipulations. Far from being a detractor, our customers will appreciate the seriousness with which we take security.
Once we've confirmed the true identity of the caller, then and only then, should we bend over backwards and provide the exceptional customer service that our customers expect of us.
Test your Vulnerabilities
Banks, regardless of size, should have at least an annual internal and external vulnerability audit or assessment that includes robust "Social Engineering" test protocols. These tests might include areas such as:
- Coordinated Email Solicitation – “Phishing”
- Phone Attacks and Telecommunication vulnerability assessment
- Fax Attempts
- Solicitation through other electronic media or "social media", as applicable
- Physical Attempts at access to routers, servers, etc. at banking offices
To ensure that there is no real compromise of an institution's data, security, or customer information, but still achieve the element of "surprise", the attempts should be well coordinated with key Bank Management, but not generally shared with Bank staff. The results of the tests should be documented in a vulnerability report and provided to Executive Management and the Audit Committee for immediate remediation and staff training, as applicable.