Over the past decade, large-scale cyber compromises affecting millions of consumers have made big headlines. Sadly, media coverage of large-scale security breaches and cyberattacks can have a desensitizing effect on the public. But the more people rely on online and mobile banking services, the more they can act as vigilant partners who help their financial institutions thwart potential fraud.
Anxieties among American consumers run high, with 92 percent expressing concern for their cybersecurity in a 2019 survey of more than 2,000 U.S. adults age 18 and above, conducted online by global market research firm The Harris Poll on behalf of banking technology company CSI.
Rest assured, the very nature of the financial services industry has been centered on protecting customers’ funds from the beginning. Today, protecting clients’ sensitive information and their money continues as a top priority in the form of high-tech security. Indeed, banks have the highest level of security among critical U.S. industries — including energy and telecommunications — and the most stringent regulatory requirements, according to the American Bankers Association.
Banks use a combination of safeguards to protect customer information, such as employee training, strict privacy policies, rigorous security standards and encryption systems. While banks have made major investments in technologies and services that prevent cyberattacks, consumers ought to view the protection of their money in a bank as a partnership. The bank and the client have to work together to prevent fraud. This means customers should monitor their accounts regularly and alert the bank right away if they suspect they are a victim of fraud.
Following are some ways consumers can bolster a bank’s efforts to protect them from cybercrimes:
Strong Passwords Make a Difference
A quarter of all consumers — and more than one-third of adults 34 and under — say it is OK to use the same passwords for their bank accounts and other online accounts, according to the CSI report. From a bank’s perspective, this means that almost 25 percent of their customers could be susceptible to account takeover resulting from lax password habits.
Over the course of each day, users log in to various accounts — from online shopping to media streaming services to social platforms — sometimes dozens of times. While keeping the same username and password may seem easier to remember, it’s not an ideal practice when it comes to bank accounts.
Across many industries, information security experts are seeing a rise in so-called “credential-stuffing attacks.” Hackers can employ username and password combinations that have been leaked via data breaches at other companies and attempt to use them in hopes of gaining access to accounts on other sites.
While banks are constantly monitoring the security of their systems, customers can help as the first line of defense by creating a unique login ID and password for their bank accounts. It’s also wise for clients to review and verify that the personal information they share with their banks — such as mobile phone numbers and email addresses — is up to date so that banks can reach out quickly if suspicious activity occurs.
Following are some online and mobile banking password management tips:
• Never reuse the same password for multiple sites or applications.
• Use strong and complex passwords when possible. Try using a password or passphrase including a mix of letters and numbers.
• Eight to 15 characters are considered optimum for password safety.
• Update your passwords periodically.
• Never write your passwords down.
• Do not use your Social Security or ATM card number.
• Use a password manager to safeguard your login information in an encrypted format and to generate random passwords for you.
As Cybertheft Accelerates, So Does the Need for Caution
Phishing is another increasingly pervasive cyberthreat, with losses growing to nearly $30 million in 2017 from $8 million in 2015, according to the FBI.
According to the Anti-Phishing Working Group, the financial services industry remains one of the most targeted industries for phishing scams. The Anti-Phishing Working Group documented more than 1 million unique phishing email campaigns in 2017.
Phishing scams often involve emails, texts or calls that appear to come from a seemingly trusted source — such as a bank — and attempt to trick victims into clicking a link or handing over personal information. Scammers are becoming more sophisticated. With the consumer’s information, they can steal the victim’s money or identity or gain access to their computer. While it can directly harm consumers, phishing can also be a vector for costlier frauds like ransomware and business email compromise.
Consumers need to know that banks will never call, email or text clients to request their account number or password. If they receive an email that appears to come from their bank, consumers should look at the information after the “@” in the sender’s email address and beware of non-bank domains. They can also hover over hyperlinks (without clicking) to review the URL and ensure it connects to a legitimate bank website. Sometimes, malicious phishing messages have an element of urgency or threats; they want victims to respond quickly without thinking through their response.
Banks combat phishing schemes by educating their employees and customers, installing fraud detection software and working with industry coalitions. Banks have software — such as “neural network” technology — that can detect unusual spending patterns and alert bank employees, who can contact the customer and re-secure a compromised account.
Banks’ Regulatory Systems Protect Consumers
Unlike other business sectors that have experienced security breaches and had to work from scratch to respond, banks already have a regulatory system in place requiring them to address cyberthreats and notify their customers when a data breach occurs. Federal and state regulators have issued rules telling banks what to do if they have a data breach, including when to notify customers. The rules require banks to immediately investigate breach incidents and determine if any fraud has occurred. Additionally, all banks are required to develop and have in place a cybersecurity risk management program that includes data breach-response procedures.
In addition to being reported to the federal banking regulators, many incidents, including data breaches and cyberattacks, are also reported to the Financial Crimes Enforcement Network (FinCEN) and state banking regulators.
For decades, consumers have put their trust in the banking industry. Unfortunately, cybercriminals hijack that relationship of trust. As banks work hard on the back end to monitor and protect their clients, they likewise want clients to be scrupulous and take precautions to prevent crimes.
Howard Headlee is president of the Utah Bankers Association, the professional trade association for Utah’s commercial banks, savings banks and industrial loan corporations. Established in 1908, the UBA serves, represents and advocates the interests of its members, enhancing their ability to be preeminent providers of financial services.