For years I have been warning you about the dangers of skimmers, which are small devices installed at ATMs, gas pumps and other card readers that are used to steal the information from your credit card or debit card to gain access to your credit or your bank account respectively. However, recently a new threat is emerging around the world that poses a greater threat to ATM security. Cybercriminals including the Russian cybergang known as Buhtrap are using newly developed malware to target not just individual accounts, but the internal networks of banks and ATMs in order to program the ATMs to spit out huge amounts of cash at a specific time. This technique has been used in Taiwan and Thailand earlier this year to deliver cash to the criminals who go to the infected ATMs at a specific time when the ATM’s programming has been altered programmed to spit out cash to the awaiting criminals. The threat to banks around the world is quite real and has been the subject of multiple FBI warnings to financial institutions in the United States since the summer.
In the recent attacks against banks in Taiwan and Thailand, the malware infecting the banks’ internal networks and ATM systems was installed when bank employees clicked on links in phishing emails that appeared to come from other banks or ATM vendors and unwittingly downloaded the malware enabling the cybercriminals to take over the banks’ internal systems and ATM systems. The danger of phishing cannot be overestimated. According to Jeh Johnson, the Secretary of the Department of Homeland Security, “the most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.”
This is a lesson to us all. Whether at work or at home, the danger of phishing emails is tremendous, but it is easy to avoid. Install anti-phishing security software on all of your electronic devices, however, you cannot depend on this software to keep you totally safe so the best rule to follow is to never click on any link or download any attachment in an email or text message unless you have absolutely confirmed that it is legitimate.