Australian banking industry launches scam awareness campaign — but can banks do more?

The campaign’s tagline is “Hear the alarm bells”, and it focuses on clear advice for a range of scam types and explains the kinds of activities a bank will never engage in when it comes to customer interaction.

For instance, banks will never call people to ask for a funds transfer nor ever threaten to take immediate action. When it comes to things customers can do, they should never provide account details or PINs over the phone or log in to online banking systems via links received over email or SMS.

Anna Bligh, chief executive officer of the ABA, believes reminding customers to pause and think about the messages they are receiving is of paramount importance.

“As scams grow ever more complex and sophisticated, vigilance is required from all of us at all times,” Bligh said.

“This new national campaign has important messages to fight scams, reinforcing that we all need to stop and listen for alarm bells — if it doesn’t feel quite right, it might be a scam.”

However, while security professionals believe this is a move in the right direction, there is more that banks can do to support their customers rather than just educate them.

“With bank scams on the rise, the ABA provides sound advice to consumers on how to avoid becoming victims to personal information and money theft,” Nam Lam, ANZ country manager at SailPoint, told Cyber Security Connect. “As the cause of cyber attacks is still considerably connected to human error, and as people have varying degrees of understanding and appreciation of cyber threats, continuous education and awareness of scam tactics and techniques can only help consumers better protect themselves.”

“Banks, too, should look towards identity and access management to spot unusual accesses to safeguard sensitive customer data, govern access control to mitigate cyber risks, and in turn strengthen the derived security position of their critical data assets,” Lam said.

VIEW ALL

Thomas Fikentscher, ANZ regional director at CyberArk, went into even greater detail on the tactics banks should be using to protect their customers.

“Looking at this campaign, I would say it’s solely focused on avoiding human error. I agree it does make sense to improve communication with the customer base and raise awareness around methods used by attackers,” Fikentscher told Cyber Security Connect. “I think it is sound advice when it comes to human behaviour (what to do and, more importantly, what not to do). But education is only one piece of the puzzle.”

“Relying on customers alone isn’t a sound strategy. Human error will always occur, and the techniques applied by attackers are getting increasingly sophisticated. People will inevitably continue to fall victim to scams as the level of sophistication of these scams improves. Malicious actors often take such best practice advice and try to counter it specifically within their approach. Banks should therefore provide specific and timely advice to the current scam campaign.

“In addition to these education campaigns, it is essential to have a comprehensive security strategy that is founded on ongoing technology improvements to build a series of roadblocks for attackers so that, even if they succeeded with phishing, they would not be able to go far to inflict more damage.

“No single control is ever going to stop every stage of the scam. If one control fails, the other should kick in and prevent further damage. Going one step further, each control should be able to communicate with the range of other controls in real time to take proactive action depending on the path taken by the attacker.

“For example, endpoint security should already stop an attack from moving laterally. Proper step-up authentication will prevent it from getting to higher-value targets. Continuous authentication and authorisation should identify suspicious patterns. Privileged accounts must still be managed with sophisticated access management and session controls.

“If we take an identity security approach, we can start building up patterns of usual behaviour for individuals and have technical controls enabled depending on deviations from normal behaviour and a real-time view of risk.

“Finally, banks also need to run education campaigns across their entire workforce and immediate supply chain as these errors could well come from within,” Fikentscher said.

“In summary, education campaigns are useful to reduce human error but not enough to prevent serious breaches from happening. Banks must communicate to their customers about the threat, but intelligence should be fed into improving the defences of the banks’ security systems in place to stop it from happening again in the future.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.