PUB. 11 2021-2022 Issue 2

coloradobankers.org 22 P erpetrators of cyberattacks threaten daily to infiltrate your systems with malicious intent. A cyber resilience strategy can help you withstand attacks and minimize business disruption to protect your data – and your profits. If you’re like many of our clients, the notion of a “cybercriminal” and the term “cybercrime” conjure up the image of a rogue teenager hiding out in their parent’s basement, hacking on a computer for hours on end. Most cybercrimes are considered threatening rather than devastating, primarily causing headaches and inconvenience but not overly disruptive to an organization’s ability to operate. Unfortunately, that impression is not reality. The cybercriminal and cybercrime landscape has vastly changed. We’re dealing with organized cybercrime groups that function with business plans, operating protocols, organizational structures, and strategies that mirror the formats of some of today’s most successful and ethically run organizations. Their resources, expertise, attack sophistication, and hacking toolkits continue to grow, as does the volume and severity of cyberattacks against organizations. History has shown that cybercriminals pose significant threats, and their mechanisms can and have resulted in devastating impacts to organizations. Here are just a few notable examples that impacted the financial institution industry in 2020: • Ransomware: Cybercriminals repurposed the traditionally known ransomware attack by replacing some typically automated processes with targeted manual processes. Rather than releasing a virus that auto-encrypted (locked) all of the financial institution’s files, the hackers found a foothold on the network, sat quietly, and worked to identify the most critical, sensitive, and business proprietary information and systems before initiating the attack. Once identified, the hackers deleted all backup files then quickly encrypted the sensitive files and systems previously identified. The ransom requested was two bitcoin or around $65,000 at the time of execution. • Wire fraud: Cybercriminals identified the protocol that the financial institution’s customers were required to follow to initiate a Customer Information File (CIF) change. This was done by calling the institution periodically over a few weeks and inquiring about the wire transfer and CIF change processes. The attackers then changed customer email addresses on file, leveraged the newly added email addresses, and initiated multiple wire transfers, successfully stealing more than $500,000. • Payroll system compromise: Cybercriminals strategically compromised a user account from the financial institution’s cloud-based payroll system with privileged access, giving the new user account creation capabilities. When leveraging the account at its authority level, the attacker created several new accounts that emulated standard new hire employees with typical job titles, appropriately tailored salaries, personal information, etc., all done without detection. Payroll jobs were created, and paychecks were scheduled in alignment with the institution’s normal payroll cycle. Although the institution detected the incident shortly after the first payroll cycle, losses incurred totaled roughly $250,000. • Business email compromise: The cybercriminal’s goal was to hijack the targeted financial institution’s process for requesting, authorizing, and administering wire transfers. Over a short period of time through reconnaissance, the bad actor gathered information identifying the institution’s email-naming convention, their personnel with capabilities to request and authorize wire transfers, and then compromised and