How much could you afford to pay if one of your employees fell for a phishing email? If you’re National Bank, the answer is around $2.4 million.
Major Withdrawal
In May of 2016, an employee at National Bank opened a phishing email, and the attachment it carried let hackers install malware on the employee's PC. From that foothold, the hackers quickly gained access to the software system that handles debit card transactions and National Bank customer accounts nationwide. With that access, they were able to disable the anti-theft and anti-fraud protections on ATMs across the country. In a matter of days, they made off with $569,000.
Bad Response
National Bank hired a cybersecurity forensics firm to investigate the heist. The attack appeared to come from a Russian internet address, so there was little chance of apprehending the criminals. National Bank then had to decide what to do to keep this from happening again. The decision they made was the wrong one.
The bank added new security protocols to help flag specific types of repeated transactions. Unfortunately, that did nothing about how the attackers had gotten in, or about any access they still had to the bank's systems. Less than eight months later, National Bank suffered a second attack, again triggered by a bank employee opening a phishing email.
The second email contained a booby-trapped Microsoft Word document that let the hackers take control of additional software systems, remove security controls, and withdraw money from hundreds of ATMs. After walking away with over $1.8 million, the hackers deleted the evidence of the fraudulent debits to cover their tracks.
Insurance Won't Pay
At this point, you might be thinking, "That sucks, but at least banks are insured, right?" As it turns out, cybercrime coverage is still a gray area for insurance companies. National Bank says it had insurance that covered cybercrime losses, but its insurance provider, Everest National Insurance Company, insists the policy in question doesn't cover the breach National Bank suffered.
This whole mess is pretty complicated, and I'm not an insurance guy, but here's the long and short of it: Because the money was physically withdrawn from ATMs, the insurance company claims the losses aren't cybercrimes and therefore fall under the part of the policy that covers debit-card losses, which caps out at $250,000. National Bank is calling BS and says that because the withdrawals wouldn't have happened had the bank not been hacked, the heist is a "computer and electronic crime" and should be covered as one.
The courts will have to settle that dispute, but I hope National Bank learned its lesson after the second heist.
Stop Ignoring Your Weakest Link
National Bank lost millions of dollars because someone on their team fell for a phishing email, not once but twice! It's what I keep saying: your fancy security doesn't mean anything if your employees are inviting criminals to walk in through the front door.
When National Bank realized they'd been hacked, they thought they could solve the problem by adding new security protocols. But the protocols weren't the reason they got hacked! They got hacked because someone at National Bank didn't know how to recognize a dangerous email, and the new transaction-flagging rules could only catch a theft after the attackers were already inside. If they hadn't stopped at new security protocols and had also taken the time to educate their team on the dangers of phishing emails, they could have saved themselves $1.8 million. So, I'll ask it again: Can you afford for someone on your team to fall for a phishing scheme?
Thanks for reading,
P.S. If you want free training to help protect your company from something like this happening, you're in luck. Click the image below and you'll get access to training videos I've done on the same kind of scam the bank fell for. You'll even be able to schedule a time for me to train your whole team!