The SVB demise is a fraudster’s paradise, so take precautions
For those who haven’t followed the drama, Silicon Valley Bank has been shut down by the California Department of Financial Protection and Innovation, after a bank run that followed an insolvency risk and a stock crash. The Federal Deposit Insurance Corporation has been named the receiver, and has established a deposit insurance national bank, through which SVB customers will be able to access the insured part of their deposits.
Understandably, there is a lot of attention on this crisis. It is, however, mostly focused on the financials; namely, what led SVB to this point and what the risk is now for the deposit owners.
In this article, I’ll outline another kind of risk posed by the event: the huge opportunity this frenzy around SVB presents for cyber attackers, and the cyber risk this creates for thousands of SVB account holders, and their customers and suppliers.
The cyber fraud potential of the SVB shutdown
Most successful cyber-attacks leverage – at least in part – the human element, through social engineering, deception, and fraud. According to IBM’s Cost of Data Breach Report 2022, in about a third of cases, the initial attack vector are compromised credentials, which are mostly compromised via phishing or other fraudulent action. At the same time, business email compromise (BEC) is the second most profitable attack type for organized cyber criminals.
Chaos and confusion feed these types of attacks more than anything! Cyber-criminals are well organized and are known to seize opportunities when they see them. This moment presents an outstanding opportunity for them to target not only former SVB account holders, but also the customers that they serve. SVB customers now make perfect marks for phishing and fraud attacks.
Adding fuel to attackers’ fire, founders, CEOs, CFOs and finance teams are under a lot of stress right now, managing uncertainty and a lack of Information. At times like these, people’s guard goes down, making them more likely to fall prey to an email which contains any news (and preferably good news). Attacks like these can come in the form of an email, but also through other media which serve founders and finance communities, such as Signal / Telegram / WhatsApp groups, forums, etc. Everything becomes a possible attack vector.
Gaining access through this kind of social engineering — or through other more traditional means — is only the precursor to what we expect to see as the main campaign: a massive BEC campaign that takes advantage of the incredible number of account changes already under way.
Over the next few weeks, as SVB account holders move their finances and operations to other banks, they will notify their customers with their new account details for future wires. Additionally, in today’s supply chain landscape, companies work with dozens to hundreds of suppliers, and finance departments will be bombarded with requests related to changing these accounts, too.
Managing this significantly increased volume makes it far more likely to accidentally approve a malicious bank change request. This becomes an even easier attack in cases where the threat actors are working from a compromised account with internal information they gained through a phishing attack.
It’s only been three days since SVB has been closed, so we haven’t yet seen any such attacks in the wild, but it’s highly likely that they will begin presenting themselves in the next few weeks.
What can you do to protect yourself from SVB-related attacks?
At their core, phishing, BEC, and similar attacks are all forms of fraud. They include some form of impersonation (through a website, email, text message, Slack or other messaging technologies), that encourages actions to be taken by a victim.
As a result, the first layer of defense you have against these attacks is awareness. If the potential victims know to look out for these types of attacks – and telltale signs to look for in them – they will stay more alert and will be less likely to fall for such schemes.
We strongly recommend mandating refresher phishing and BEC training for everyone who is on the front lines of your company: founders, C-level executives, finance departments, customer success representatives, etc.
With everyone already busy and stressed, this might not seem like a top priority to them. It will be important to explain how this training can prevent turning one crisis into an even bigger one! Help them understand the potential magnitude of a breach. Also, if you’re a vendor, plan to send an email to your customers right away, explaining the exact expected process for wire changes, including all the expected manual verification. This can help people differentiate between the real and the fake and increase awareness against potential future attacks.
In parallel to awareness, make sure that your processes around payment changes are robust, and if needed, add another layer of manual verification or signature—at least for the next 30-60 days. It’s important to ensure there is no way for a bank account to be changed without an actual call, with human interaction with every vendor you work with.
Finally, it’s worth setting up additional monitoring of both account activity (phishing) and financial activity (BEC). For phishing, make sure to heighten your SOC’s awareness around any potential phishing attacks. Pay extra attention to failed logins, multifactor authentication (MFA) failures, etc. Special vigilance should be applied for executive accounts and finance departments, as they’re the most likely targets for these attacks.
If you are a (former) SVB account holder, make sure that you monitor any account change notifications from your customers and carefully check each one of them.
For the finance teams: Set up monitoring to check every receivable account change after it has been changed. Your finance platform should be able to generate a daily report on this, which should be reviewed by an individual that’s not the person responsible for the actual changes.
Furthermore, add a policy that does not allow for the transfer of funds to accounts that have been modified in the last 7 or 14 days. This will give enough time for the vendor or the auditor to notice it before any money has been wired.
In summary, while these times present a significant opportunity for attackers, you can make sure your company and your customers don’t become affected by it, simply by raising awareness, implementing better processes, and undertaking tighter monitoring. These small steps will prevent the SVB crisis from having even wider repercussions on your business.