First phishing cyberattack
The first attack took place in late May 2016. An employee of the National Bank of Blacksburg, located in the state of Virginia in the United States, clicked on a targeted phishing email.
According to the investigation, this email allowed the attacker to install malware on the victim's PC. From there, they compromised a second workstation at the National Bank of Blacksburg, and that workstation provided access to the STAR Network, the system used to manage customer accounts and the use of their bank cards at ATMs.
The attackers disabled or modified certain settings through this access to the STAR Network. PIN verification, daily withdrawal limits, and anti-fraud protections were targeted.
The cyber attackers took the precaution of launching their operations on the weekend of May 28, followed by a public holiday on Monday.
In just three days, the criminals managed to steal $500,000 from customer accounts. They made withdrawals from hundreds of ATMs.
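As an added defender-side example (not from the original article or the bank's own systems), the following Python check flags audit events in which the controls named above, PIN verification, daily withdrawal limits and anti-fraud checks, are weakened outside business hours or on a weekend or holiday. The event fields, setting names and holiday calendar are assumptions; the sample events are constructed.

```python
from datetime import datetime, date
from typing import Iterable

# Controls named in the incident write-up. Field and setting names are
# hypothetical: real STAR Network audit records are not on the page.
SENSITIVE_CONTROLS = {"pin_verification", "daily_withdrawal_limit", "antifraud_checks"}

# Constructed holiday calendar (US Memorial Day 2016 fell on Monday, May 30).
HOLIDAYS = {date(2016, 5, 30)}


def is_off_hours(ts: datetime) -> bool:
    """True on weekends, on a listed holiday, or outside 08:00-18:00 local time."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or not 8 <= ts.hour < 18


def weakens_control(event: dict) -> bool:
    """A change weakens a control if it raises a limit or switches a check off."""
    if event["setting"] == "daily_withdrawal_limit":
        return float(event["new"]) > float(event["old"])
    return str(event["new"]).lower() in {"off", "false", "disabled", "0"}


def flag_control_changes(events: Iterable[dict]) -> list:
    """Return (timestamp, actor, setting) for sensitive controls weakened off-hours."""
    flagged = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["setting"] in SENSITIVE_CONTROLS and weakens_control(e) and is_off_hours(ts):
            flagged.append((e["ts"], e["actor"], e["setting"]))
    return flagged


# Constructed sample audit events (not real bank data). May 28, 2016 was a
# Saturday and May 30 a public holiday, mirroring the timing in the article.
SAMPLE_EVENTS = [
    {"ts": "2016-05-27T10:15:00", "actor": "ops_admin", "setting": "daily_withdrawal_limit", "old": "500", "new": "600"},
    {"ts": "2016-05-28T02:40:00", "actor": "ops_admin", "setting": "pin_verification", "old": "on", "new": "off"},
    {"ts": "2016-05-28T02:41:00", "actor": "ops_admin", "setting": "daily_withdrawal_limit", "old": "600", "new": "50000"},
    {"ts": "2016-05-30T11:05:00", "actor": "ops_admin", "setting": "antifraud_checks", "old": "enabled", "new": "disabled"},
    {"ts": "2016-05-31T09:00:00", "actor": "ops_admin", "setting": "pin_verification", "old": "off", "new": "on"},
]

if __name__ == "__main__":
    for hit in flag_control_changes(SAMPLE_EVENTS):
        print("ALERT off-hours control weakened:", hit)
```

The business-hours change on Friday and the Tuesday restoration of PIN verification are not flagged; the three weekend and holiday changes are.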
Eight months later, a second, even more costly phishing cyberattack was detected.
Following investigations into the first attack and in accordance with specialists' recommendations, technical measures were put in place.
This did not prevent an employee who was not aware of the risk from falling into the trap of a second phishing attack. The employee clicked on an infected Word document.
This time, the impact was even greater. The attackers managed to break into a second bank system, which manages the loans that customers are eligible for.
The attackers first credited the bank accounts of the targeted customers with $2 million, then made further withdrawals from ATMs over a weekend in January 2017.
By the end of the cyber heist, $1.8 million had disappeared from the accounts of the National Bank of Blacksburg.
Cyber insurance that doesn't deliver on its promises
Having taken out two cyber insurance policies, the bank believed it was covered for more than $8 million. However, according to the insurer, the bank should only be entitled to compensation of a few tens of thousands of dollars in this case. The bank has taken legal action against its insurer.
How could the bank have protected itself from cyberattacks?
We cannot stress this enough: no technical system can eliminate the risk of a cyberattack. And no software solution can prevent an unaware user from performing an action that allows a hacker to achieve their goals.
Only awareness training tailored to each employee, together with monitoring over time of whether that knowledge is actually put into practice, could have prevented such a disaster.
Avant De Cliquer is a member of the CPME, a confederation of small and medium-sized enterprises across all sectors, including industry, services, commerce, crafts, and the liberal professions, and a member of MEDEF, France's leading network of entrepreneurs.
As you know:
Avant de Cliquer helps organizations protect themselves from cyberattacks (80% of which originate from phishing). It does this by raising awareness and testing each user over time according to their risk profile.