Manager’s lack of phishing awareness nearly costs bank $5.3 million

This blog is part of a weekly review of scenarios from Verizon’s Data breach digest.


According to Verizon’s Data breach digest, a US regional banking organisation nearly lost US$5.3 million to fraudulent wire transfers when a manager fell for a phishing scam.

More alarmingly, the bank only discovered the attempted theft when the Fed notified it that its reserves were about to drop below $500,000. Thanks to this alert, none of the transfers were successful.

Finance manager phished and pwned

The transfer requests were apparently initiated by a finance manager via the FedWire app, but she was unaware of them. When questioned, she admitted that her system had been “acting funny” for the last few weeks and sometimes did things on its own. To Verizon, this meant one thing: her system had been “completely pwned.”

It transpired that the manager had received a phishing email earlier that month, ostensibly from the bank’s CIO and commending her for her recent work collaborating with his team on a project. Despite never having worked with the CIO or his team, the manager felt flattered – and clicked on the apparently innocuous hyperlink in the email, unwittingly infecting her machine with the Zeus trojan, which is often used to steal banking information.

If it wasn’t for the Fed’s volumetric alert picking up the value of the transfers, her simple mistake would have cost the bank $5.3 million.

Your employees are the biggest security threat to your business

As Verizon points out, cyber criminals “know that the human element is the weakest link in any information security strategy”, which is why “employees need to be constantly sensitized and trained through security awareness programs in order to be extra vigilant regarding their actions.”

Banks aren’t the only institutions that are susceptible to phishing attacks. Whatever your line of business, phishing is a threat you need to take seriously: if one of your employees mistakenly opens a phishing email, your entire corporate network could be put at risk.

This is why it is so important to ensure that your staff understand the threat that phishing poses and can recognise phishing emails.

IT Governance’s Phishing Staff Awareness Course educates staff on the risks of spoof emails, enabling you to help your team understand how phishing works, what tactics cyber criminals employ, and how to spot and avoid phishing campaigns.

Combine this with our Simulated Phishing Attack, which enables you to identify potential vulnerabilities among your employees and provides recommendations to improve your security.phishing