Cyber Security Month: Being prepared all year round

What are some of the highlights from the activities Nordea has been running or been a part of to raise awareness around cyber security and fraud in October?

Why is this subject still one of the key points on the agenda for Nordea and the financial industry?

Unfortunately fraud and other types of cybercrime are here to stay. You never see it slowing down no matter the kind of resources that are used to combat it. In fact it’s a growing problem, not only for our customers and for financial institutions, but for society in a larger sense. These types of criminal activities are unfortunately the dark side of becoming more digital. No matter how strong or smart bank’s technical defences are, people are still people and can be tricked or mislead. Threat actors and fraudsters are agile, opportunistic and very good at finding new ways to exploit any vulnerability they find. They spend all of their time monitoring all sorts of different systems, thresholds and limits so they can adjust very quickly.

In the Nordic market, financial institutions like banks have solid security solutions in place, at least if we compare globally to other markets where you can enter your bank account simply with a username and password or create an account and prove who you are by showing an energy bill. Still, people are just people and can be fooled. Anyone can in fact become a victim under specific circumstances. This is why it is so important to continue to educate, to raise awareness and remind both company employees and customers on what to avoid and what to look out for. Repetition is key.

Cybercrime and fraud attempts are instigated by both local and internationally located threat actors. Currently we have a big problem in the Nordics, especially in Sweden with the scenario known as vishing. Vishing is a type of phishing (any type of message from an email, SMS, chat or other source that aims to steal a person’s identity or personal information) which uses the voice to try to commit the fraud. In vishing scams, typically fraudsters will call pretending to be the bank, the police or the telephone company, etc, and run a story that tries to trick the potential victim into sharing their bank or ID information so that they can then issue new credentials and empty any associated bank accounts.

Internationally, we are also seeing actors, of course, continuing to attempt to put malicious software on people’s phones and devices. For companies, a common trick employed by fraudsters is known as ‘compromise fraud’ and is related to business e-mails sent between two companies doing business with one another. A cybercriminal will attempt to intercept email communications or even place malware on one of the e-mails which picks up an invoice that is going to be paid and then changes the account number resulting in the money ending up somewhere else. When we talk about these types of fraud cases, the attacker might be located anywhere in the world.

What 3 tips can you give private people to try to reduce the chances of becoming victims of digital fraud?

Even though fraud and cyber-attacks develop and change over time, there are still actions that you can take as a matter of course to increase the security of your digital activities.

1. Don’t ever follow instructions in SMS’s, emails or even phone calls to use your security credentials, unless you yourself have initiated the process by for example calling your bank’s Customer Service helpline. If in doubt, always double-check!
2. Be careful about the things you disclose on social media and don’t accept strange or unusual procedures when selling or buying in online marketplaces.
3. Always read very carefully what you are signing.

What 3 tips can you give companies to try to reduce the chances of becoming victims of digital fraud?

1. Make sure to raise awareness amongst all employees on the common cybercrime and fraud types being used to target companies such as business e-mail compromise where account numbers on invoices are manipulated. Have a policy on how such account changes should be verified before execution.
2. Educate employees on the risks of phishing of company mail credentials which is often the weak spot in business e-mail compromise but also the risk of employees clicking on attachments and links and exposing the company for a ransomware attack.
3. Use the ‘four eyes’ principle in handling transactions – always have at least two people check any payment.

For both private and corporate customers, consider the need to have antivirus software installed also on mobile phones and not only just on computers.