Online Banking

A Cybersecurity Guide

for Financial Institution Customers.

A message from the Federal Deposit Insurance Corporation (FDIC-018-2016)
Computer-related crimes affecting businesses and consumers are frequently in the news. While federally insured financial institutions are required to have vigorous information security programs to safeguard financial data, financial institution customers also need to know how to steer clear of fraudsters.

This guide, developed by the Federal Deposit Insurance Corporation, provides cybersecurity information for financial institutions’ customers on how to protect and maintain their own computer systems.

  • Protect your computer.
    Install software that protects against malware, or malicious software, which can access a computer system without your consent to steal passwords or account numbers. Also, use a firewall program to prevent unauthorized access to your PC. While protection options vary, make sure the settings allow for automatic updates.
  • Use the strongest method available to log into financial accounts.
    Use the strongest authentication offered, especially for highrisk transactions. Use passwords that are difficult to guess and keep them secret. Create “strong” user IDs and passwords for your computers, mobile devices, and online accounts by using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess and then change them regularly. Although using the same password or PIN for several accounts can be tempting, doing so means a criminal who obtains one password or PIN can log in to other accounts.
  • Understand Internet safety features.
    You can have greater confidence that a Web site is authentic and that it encrypts (scrambles) your information during transmission if the Web address starts with “https://.” Also, ensure that you are logged out of financial accounts when you complete your transactions or walk away from the computer. To learn about additional safety steps, review your Web browser’s user instructions.
  • Be suspicious of unsolicited e-mails asking you to click on a link, download an attachment, or provide account information.
    It’s easy for cyber criminals to copy the logo of a reputable company or organization into a phishing email. When responding to a simple request, you may be installing malware. Your safest strategy is to ignore unsolicitedrequests, no matter how legitimate or enticing they appear.
  • Be careful where and how you connect to the Internet.
    Only access the Internet for banking or for other activities that involve personal information using your own laptop or mobile device through a known, trusted, and secure connection. A public computer, such as at a hotel business center or public library, and free Wi-Fi networks are not necessarily secure. It can be relatively easy for cyber criminals to intercept the Internet traffic in these locations.
  • Be careful when using social networking sites.
    Cyber criminals use social networking sites to gather details about individuals, such as their place or date of birth, a pet’s name, their mother’s maiden name, and other information that can help them figure out passwords — or how to reset them. Don’t share your ‘page’ or access to your information with anyone you don’t know and trust. Cyber criminals may pretend to be your ‘friend’ to convince you to send money or divulge personal information.
  • Take precautions with your tablet or smartphone.
    Consider opting for automatic updates for your device’s operating system and “apps” (applications) when they become available to help reduce your vulnerability to software problems. Never leave your mobile device unattended and use a password or other security feature to restrict access in case your device is lost or stolen. Make sure you enable the “time-out” or “autolock” feature that secures your mobile device when it is left unused for a certain period of time. Research any app before downloading it. Consult your financial institution’s website to confirm where to download its official mobile application.

A message from the Federal Deposit Insurance Corporation (FDIC-018-2016)


Threat Advisory: Online Banking Advanced Social Engineering

This new twist on an old attack is an advanced social engineering attack, targeting customers that are connected to their financial institution via social media. Attackers leverage social media and open-source intelligence (OSINT) to gather reconnaissance information on a customer, then contact the customer while posing as the financial institution.

The attacker’s objective is to convince the customer that their online banking account has been compromised and the customer needs to change their online banking password to a “temporary” password and provide the MFA code. Once successful, this attack will give the attacker full access to the customer’s online banking account, which has and will lead to a significant loss of customer funds.

The attacker starts by:

  1. Using recon from a financial institution’s Facebook page. Individuals who “like” the financial institution’s posts appear to be the attackers’ primary targets, giving the attacker a probable customer target list.
  2. The attacker then performs OSINT on these customers, gathering details about the potential customer and creating their own social profile. OSINT allows anyone to be profiled for their public information, such as their street address, phone number(s), email addresses, other social media accounts, date of birth, etc.
  3. The attacker utilizes the dark web and internet search resources for potentially compromised personally identifiable information (PII) for the customer, including Social Security Number (SSN) and any other account numbers from previous compromises.

Once the attacker has a complete OSINT profile of the potential customer:

  1. The attacker may make some innocuous calls to the financial institution to verify that the person is indeed a customer at the financial institution.
  2. Once verified, the attacker plans an advanced social engineering attack on the customer.
  3. The attacker pulls up the financial institution’s online banking webpage and calls the customer.
  4. The attacker spoofs the financial institution’s phone number to appear official.
  5. The attacker convinces the customer that their online banking account has been compromised, asking the customer to then browse to the financial institution’s online banking portal.
  6. The attacker may use the customer’s previously obtained information to convince them that they are official.
  7. The customer is directed to the financial institution’s website and asked by the attacker to reset their password to something simple, like “password1234”. The customer might tell them that they do not want their password set to that. The attacker states they understand that, and this password reset is only temporary. Victims stated that the social engineers are very convincing and have even been able to convince the victims to provide the attackers with the resulting MFA authorization code, where needed.
  8. Once the password is reset, the attacker has access to the customer’s account and can drain customer funds in various ways.


To learn more about cybersecurity and common scams visit the Banks Never Ask That! website from the American Bankers Association