Simulated phishing attacks can identify holes in advisors' security practices before real attacks are encountered.
As more financial applications and services move online, financial advisors manage an ever-increasing number of logins and passwords that are used to gain access to websites of all kinds. Hackers are well aware of this trend, so instead of attempting to break military-grade encryption or hack into well-defended servers, hackers are going after easier targets: people who type in their credentials online.
Hackers are using sophisticated techniques to fool unsuspecting users into turning over their login credentials in schemes commonly known as phishing attacks. Financial advisors likely aren't aware of how vulnerable their business is to a phishing attack until after the attack is committed and the damage is done.
Fortunately, advisors can deploy simulated phishing attacks to determine their vulnerability to such events before they happen and make sure colleagues and employees adhere to good security practices.
Phishing for Billions
If you weren't watching the equity markets in real time on April 23, you may have missed five minutes of brief turmoil. At 1:07 PM Eastern Time, a tweet was posted from The Associated Press Twitter account declaring a bomb had exploded at the White House and President Barack Obama had been injured. The Dow quickly dropped nearly 150 points, but largely recovered just a few minutes later after The Associated Press reported its Twitter account had been hacked.
How did the Twitter account get hacked? According to The AP, the attack was preceded by phishing attempts on AP's corporate network. Several AP staff received "an impressively disguised phishing email" prior to the posting of the fake tweet.
While the attack may have been nefarious in nature, the consequences of the event were very real. The brief sell-off in the wake of the false tweet erased some $130 billion in value among companies included in the S&P 500 before equities rebounded shortly thereafter.
If this kind of attack can have such a significant impact on the equity markets, imagine what can happen if a financial advisor's login to his or her investment custodian website is compromised.
Prepare for the Real Thing
Financial advisors are required by law to routinely test their policies and procedures in a number of business areas, including disaster recovery and business continuity plans. Testing such policies and procedures ahead of a real emergency can reveal problems and weaknesses in the plans so that steps can be taken to improve the business's ability to respond when a true interruption occurs.
Financial advisors can follow a similar approach when it comes to protecting against phishing attacks. This is accomplished by simulating a phishing attack in an attempt to identify vulnerabilities in the business and take steps to correct them.
The first resource to simulate phishing attacks comes from TraceSecurity Inc. The TraceSecurity Phishing Simulator features a simple three-step process to implement a simulated phishing attack. Just enter the email addresses of the employees to be tested, confirm the simulation, and then view the results of the simulation in a Web-based dashboard.
A free trial of Phishing Simulator is available for up to five email addresses to help evaluate the efficacy of the simulation tool. Note that simulations can't be sent to public email domains such as gmail.com or outlook.com; one must use a business email domain to conduct simulations. Phishing Simulator first sends a test email to determine if a spam filter prevents delivery of the phishing email bait.
Attacks from Phishing Simulator take the form of an e-card, similar to those sent by online greeting card companies. Under the guise of a message from a "Secret Admirer," the message encourages recipients to click an included URL to view the message.
Phishing Simulator tests two attack points. First, the program shows how many employees clicked the URL included in the e-card. Second, the report shows whether the recipient followed prompts on the fake e-card website to update their computer and install "recommended" software.
Pricing for Phishing Simulator starts at $699 for up to 25 email addresses, which I find to be fairly high for its limited features. Phishing Simulator's only test is based on a mysterious e-card, an aging technique of which more Internet users are suspicious.
Array of Attacks
Another simulated phishing tool is PhishGuru from Wombat Security Technologies. PhishGuru works much like Phishing Simulator, but it features a library of prebuilt email campaigns with a variety of phishing scenarios. Advisors can select among templates divided into eight categories: Financial, Personal, Work-Related, Social Network, Logistics, Attachments, Seasonal, and Custom.
Example PhishGuru messages prompt recipients to change an expired password, log in to audit unusual account activity, or view pending notifications in social media accounts. If the recipient clicks a link in a simulated phishing email or attempts to view email attachments, PhishGuru presents one of three comic book-style images with education about phishing attacks. As an alternative to the images, PhishGuru can be customized to show recipients education materials published on the company's website.
Wombat Security Technologies claims its anti-phishing training simulations "have been able to reduce the likelihood of a user falling for an attack by 60%." But in return for such effective simulations, advisors will need to commit to a non-trivial investment to purchase PhishGuru.
According to Amy Baker, director of marketing for Wombat Security Technologies, fees start around $8,000 per year to use the simulated phishing application. An unspecified number of licenses are included, but the quantity should be sufficient to cover all employees of the average wealth management firm.
Previously, PhishGuru licenses were offered at a lower monthly price point, but as Baker explained, the company recently adjusted its pricing in response to increased customer demand for simulations that circumvented sophisticated email spam filters and antivirus protection.
Nevertheless, one successful phishing attack on a financial advisory firm could result in tens or hundreds of thousands of dollars in losses, so PhishGuru represents prudent insurance to reduce the chance of loss due to phishing.
Before committing to a paid program, advisors can run additional phishing simulations for free using the service from OneLogin. OneLogin offers a one-time test based on phishing emails designed to mimic administration emails from Google Apps, so the free test will work best for advisors who use Google Apps in their business. The free simulation requires an advisor's name, email, company name, and company domain followed by any number of employee email addresses to be tested.
Real World Training
Everyone in a financial services business, new hires, existing employees, and owners alike, must stay informed on the latest techniques attackers use to compromise Web-based accounts. The purpose of phishing simulations is not to catch employees out for poor security practices, but to provide real experience with the kinds of attacks these businesses can expect to encounter.
Phishing simulations reinforce the practices a user should follow when targeted by a phishing attack. When in doubt, don't click on links embedded in an email. Instead, manually type the URL of the online service provider's website into the browser. Also, look for "https://" connections and the security certificate information provided by the Internet browser; the certificate should be issued by a trustworthy source. Finally, confirm any suspicious message with a follow-up phone call, asking the service provider whether it really did send the communication.
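The two checks above that a person does by eye, whether the link actually points to the provider it names and whether it uses https, can also be applied mechanically to a message before anyone clicks. The following script is an added example, not code from the article or from any of the products it reviews. It parses a constructed sample email (the sender, the host names, and the set of "trusted" provider hosts are all placeholders invented for this example), collects every link in the HTML body, and reports the ones whose scheme is not https, whose host is not a known provider, or whose visible text names a different host than the link target, which is the pattern in the expired-password bait described above.

```python
"""Flag suspicious links in an email body.

Added example for illustration; not from the article or the reviewed products.
TRUSTED_HOSTS and SAMPLE_EMAIL are constructed placeholders.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder list: the hosts a firm actually logs in to.
TRUSTED_HOSTS = {"custodian.example", "accounts.google.com"}

# Constructed sample: an "expired password" lure whose visible text names the
# real custodian while the href points at a lookalike domain over plain http.
SAMPLE_EMAIL = """\
From: IT Support <support@custodian-example.net>
To: advisor@firm.example
Subject: Action required: your password has expired
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Please
<a href="http://custodian-example.net/reset">log in at custodian.example</a>
to keep access.</p>
<p>Statements remain available at
<a href="https://custodian.example/statements">https://custodian.example/statements</a>.</p>
</body></html>
"""

# Matches something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def html_body(raw_email):
    """Return the decoded text/html part of a raw RFC 822 message, or ''."""
    msg = message_from_string(raw_email)
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset)
    return ""


def assess_link(href, text):
    """Return the list of reasons a link is suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("link is not https")
    if host not in TRUSTED_HOSTS:
        reasons.append(f"target host {host!r} is not a known provider")
    named = {m.lower() for m in HOST_IN_TEXT.findall(text)}
    if named and host not in named:
        reasons.append(f"visible text names {sorted(named)} but link goes to {host!r}")
    return reasons


def suspicious_links(raw_email):
    """Map each suspicious href in the message to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html_body(raw_email))
    findings = {}
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed message, the lookalike reset link is reported for all three reasons while the genuine https statements link passes, which is exactly the distinction a reader is asked to make by hand. Rather than flag only links that "look bad", the check is anchored on an allow list of hosts the firm really uses, so an unfamiliar domain is treated as suspicious by default.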
Hackers are using increasingly sophisticated attacks to compromise the financial applications and programs that advisors use online. It is critical that advisors stay informed on the latest phishing techniques, and also verify that everyone in the organization follows good security practices to avoid falling victim to phishing attacks. Deploying phishing simulations is a practical way to evaluate how well the organization's employees are prepared to defend against phishing attacks.