
Why cyber criminals want to capitalize on the SVB collapse


Cyber criminals never let a good crisis go to waste.

Take the recent Silicon Valley Bank (SVB) incident. The dust has barely settled on the emergency action that the federal government took to bail out SVB. The startup-friendly commercial bank saw rising interest rates crater its investments, creating an old-fashioned bank run and eventually the second-largest bank failure in U.S. history.

The collapse kicked off a run of bank collapses around the world — Signature Bank and Credit Suisse, notably — that could have potentially devastating long-term effects for financially-stretched start-ups and their founders. But scammers, as always, will exploit these stressed-out — and likely confused — employees for short-term gain. For these affected organizations, staying vigilant against attackers could be the difference between succumbing to pressure and weathering the storm.

Which companies are at risk?

In the immediate future, there are some obvious scams that organizational security leaders can watch for and warn their colleagues about. The startups that fit the SVB profile (mostly pre-series B organizations in the U.S. and U.K.) likely run a high risk of being targeted by savvy attackers because of their immaturity as an organization. With a small payroll and tight staffing constraints, smaller businesses are unlikely to have a mature security posture that could otherwise deflect social engineering scams. One of the most predictable potential attacks will involve C-suite fraud, with attackers posing as a CEO, CFO or other company executive and sending urgent email instructions that relate to the SVB, Signature Bank, or Credit Suisse fallout, such as requests for credentials to access financial accounts or passwords to internal systems.

Realistically, a threat actor could pull this off by just cheaply scraping LinkedIn and targeting accounting employees with a short tenure at any organization, using some play on the line “hey, it’s the boss, we have to move this money fast” and mentioning SVB.

A panicked employee looking out for their company and their paycheck might fall for it. So what can companies do to protect employees from giving away the goods?

Ground rules

Establish and follow ground rules for crisis communications ASAP, preferably before a crisis like SVB. For example, establish a rule that no one (especially the CEO, CFO and executive admins) should click any link in an email, text message, Slack message or calendar item that talks about SVB (or any crisis that lends itself to social engineering scams). A smart organization should appoint one executive as the authoritative voice for internal communications around a crisis, so that employees know exactly which emails, texts or calls to trust. The earlier that employees know exactly what to expect from their company in the midst of a crisis, the less time attackers have to prey on their confusion.

Better safe than sorry

Of course, great internal communication doesn’t preclude individuals at an organization doing their own research on a crisis, or falling victim to a malicious link on their own time. Attackers have already registered domains that look and sound like official bank sites and are promising assistance following the string of collapses. On work-issued devices, visiting these websites is often just as damaging as clicking a phishing link in an email. To mitigate this, an IT department could add temporary monitoring rules and restrictions for web traffic and email, potentially preventing employees from even finding these scam sites in the first place. Blocking domains that contain “SVB”, or the words “silicon valley” together with “bank”, for example, might (will) cause false positives that could frustrate users trying to search for information, but it’s worth it to reduce risk, and it's only temporary.
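The temporary keyword rule described above can be prototyped against DNS or proxy logs before it is pushed to a web filter. The sketch below is an added example, not from the original article; the allowlist entry, function names and sample hostnames are assumptions, and the hostnames are constructed for illustration.

```python
# Assumption: domains the organization has verified out of band as legitimate.
ALLOWLIST = {"svb.com"}

def is_allowlisted(host, allowlist=ALLOWLIST):
    """Exact match or true subdomain only; a plain substring test would
    let 'svb.com.account-verify.example' through."""
    return any(host == good or host.endswith("." + good) for good in allowlist)

def matches_crisis_rule(host):
    """The article's rule: 'SVB', or 'silicon valley' together with 'bank'."""
    flat = host.replace("-", "")  # treat s-v-b and silicon-valley as one word
    return "svb" in flat or ("siliconvalley" in flat and "bank" in flat)

def classify(domain):
    """Return 'allow' or 'block' for one hostname."""
    host = domain.strip().lower().rstrip(".")
    if is_allowlisted(host):
        return "allow"
    return "block" if matches_crisis_rule(host) else "allow"

def triage(domains):
    """Map each hostname to its verdict."""
    return {d: classify(d) for d in domains}

# Constructed sample hostnames (not real observations).
SAMPLE = [
    "www.svb.com",                         # allowlisted subdomain
    "svb-depositor-help.example",          # keyword lookalike
    "silicon-valley-bank-claims.example",  # phrase plus 'bank'
    "svb.com.account-verify.example",      # allowlisted name used as a prefix
    "siliconvalleynews.example",           # phrase without 'bank'
    "svbakery.example",                    # false positive the article expects
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{verdict:5}  {name}")
```

Running the rule in report-only mode first shows how many benign hostnames, like the bakery entry here, would be caught before blocking is enforced.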

The fallout from the SVB collapse and the other banking failures has hardly begun. Companies looking to stay vigilant against attackers online should consider deploying some new security tactics on top of their standard posture, but it’s the basics that will likely prevent the worst outcomes. That means not clicking suspicious links, double-checking the accuracy of URLs, deploying multi-factor authentication and talking to their colleagues about SVB-related items directly, not through one-off requests for access to their bank account.

Ian McShane, vice president of strategy, Arctic Wolf


With almost twenty years in information security including practitioner, product manager, and a shift as the lead Gartner analyst for endpoint security and EDR, CrowdStrike’s VP of Product Marketing Ian McShane has seen a lot of crazy things in his time.
