For all the digital transformation that banks have done over the past few years, when Gov. Phil Murphy gave the order for the state’s residents to stay at home to control a whirlwind of COVID-19 cases, they still had much more transformation to do.
Joseph Lebel, executive vice president and chief operating officer at OceanFirst Bank, said the stay-at-home order required standing up remote-working capabilities for hundreds of employees.
“I don’t think we’re much different from most banks our size in that we had the ability to work remotely before this, but, in the normal course of things, it just wasn’t the norm,” he said.
Not only has the financial sector had to undergo more of a transition to remote working than most industries, it’s also already more likely — up to 300 times more likely than other industries — to be targeted by a cyberattack, according to a 2019 report by Boston Consulting Group. Given the nature of data a bank might have for its customers, including Social Security numbers, data breaches are also more costly in this industry than others.
In spite of that, the banking contingent of the financial sector doesn’t seem overly worried. Being accustomed to stringent regulatory oversight in all areas of their business, they for the most part feel they’re taking necessary precautions to fend off cybercriminals.
“I do have some level of concern, because we’re dealing with same thing as everyone else,” Lebel said. “But we’ve had a lot of conversations with employees around phishing attacks. We’ve done training, gotten people set up with the right VPN access and increased our threat intelligence monitoring, such as social media monitoring and ‘dark web’ monitoring.”
While some cybercriminals have reportedly been using the federal government’s stimulus checks and the Paycheck Protection Program as a front to scam individuals and businesses, Lebel said his bank hasn’t seen a high volume of fraud incidents related to these programs yet.
Bob Bardusch. executive vice president and chief operating officer at Wayne-based Valley Bank, warned that the worst might be yet to come.
“Where the rubber meets the road is the forgiveness phase of the Paycheck Protection Program, which we’ve yet to reach,” he said. “That’s where sensitive documentation is necessary to show what you did with the money. And we think it’s there that fraud would happen if there were to be some.”
Valley Bank, like the state’s other community banking institutions, had to quickly equip a majority of its workforce to continue conducting bank business at home. Around 20% of the operational side of the bank was working remotely only on a semiregular basis in the past.
Now, maybe 90% are only working from home for the company, Bardusch said, which has had around 55 of its employees contract COVID-19 — people who were already working remotely.
As for why fraudsters haven’t had more success in taking advantage of this overnight change of scenery for employees, Bardusch guesses it might have something to do with how smaller banks know customers on a first-name basis.
“The opportunities for fraud might be less for a community bank, because we know who our customers are and they know who we are,” he said. “We’re not just throwing up an application screen to do everything electronically. We’ve coupled a digital interface with the usual relationships and high-touch outreach.”
That doesn’t mean all the risk of cyberattacks is going be mitigated, Bardusch said. Hackers can spoof employee emails and hijack email identities in clever ways if they’re allowed to.
That’s why Bardusch said Valley Bank has been trying to devise increasingly creative internal phishing schemes so the bank can “hack itself,” as he calls it. It’s trying to keep employees as aware as possible of the risk of a cyberattack, even in these uneasy times for everyone.
“In the end, you have to rely on having robust training to understand what’s a threat and what’s not,” he said. “Because we know the bad guys are getting more creative.”