But the biggest threats may come from within. Banks fear a growing number of employees are unwittingly exposing valuable information to hackers or in some cases leaving digital clues that make a breach possible. To boost their defenses, firms are banning workers from using portable devices such as USB drives, warning employees to be careful what they post on social media and even discouraging workers from posting “out-of-office” replies on their emails. Several banks are also increasingly testing whether their employees unintentionally leave them susceptible to hackers by falling prey to “spear-phishing” attempts, in which criminals lure recipients to click on links. Those links often contain malware that allows hackers to access passwords or other sensitive information.
Weeks after J.P. Morgan Chase & Co. was hit with a massive data breach that exposed information from 76 million households, the country’s biggest bank by assets sent a fake phishing email as a test to its more than 250,000 employees. Roughly 20% of them clicked on it, according to people familiar with the email. A J.P. Morgan representative declined to comment on the bank’s efforts since then to prevent employees from clicking on emails that could expose data. The company prohibits employees from using their work email addresses for personal use, such as registering for shopping sites or social-media accounts like LinkedIn, according to a company memo issued after the hack. The bank has said it expects to spend about $500 million on cybersecurity in 2016, roughly double the amount it spent in 2014.
The bank is among those discouraging employees from using out-of-office features on voice mail and email because they could alert criminals to unattended computers, said a person familiar with the company. Wells Fargo & Co., the world’s biggest bank by market capitalization, is also ramping up spending. “We spend an ocean of money” on cybersecurity, said Wells Fargo CEO John Stumpf in a recent interview. “It is the only expense where I ask if it’s enough.” Banks are having a more difficult time determining how far to go in tracking the behavior of their employees on social-media websites, where someone might post details about their job responsibilities that hackers could use to determine who is an organization’s best target. The situation can get more delicate when it involves postings of a personal nature, such as vacation pictures that could provide an opening for a criminal to break into their home and steal their work laptop, cyber experts said. Overall, some 30% of data breaches this year resulted from employee error, according to a survey released this month by the Association of Corporate Counsel.
“They don’t know that what they’re doing is increasing the risk for their organization,” said Theodore J. Kobus III, a lawyer specializing in data security at Baker Hostetler in New York. In addition to the J.P. Morgan hack from 2014, Morgan Stanley was the victim of a recent high-profile breach as well. In that incident, a financial adviser illegally accessed client data and took the information home with him. The adviser, Galen Marsh, pleaded guilty to a felony in September and is awaiting sentencing. Prosecutors initially suspected Mr. Marsh was also involved in some of the client data being posted online, which he denied. It was disclosed in court papers this month that Morgan Stanley officials believe Russian hackers gained access to Mr. Marsh’s home computer, swiped the client data and posted it online.
For hackers, spear phishing—increasingly in emails that appear to be from a high-ranking bank executive to an employee—remains a core tactic. The Federal Bureau of Investigation’s cyber office in New York is receiving complaints about such phishing attacks “on almost a daily basis,” said Richard Jacobs, an assistant special agent in charge who handles cybercrimes. TD Bank, the Canadian-owned financial-services company that has roughly 1,300 branches in the eastern U.S., this year began sending simulated phishing attacks to employees that involved scenarios such as telling employees to click on a link to receive a package or to download a form from the human-resources department. Anyone who clicks on the phony link sees a video pop up that alerts them to the test and tells them how they should have handled the situation. “Our purpose isn’t to scare people,” said Glenn Foster, head of TD’s cybersecurity. Employees who fall for the phishing attempt are likely to receive another fake email soon, he added.
Even small banks are targeting their own employees’ behavior. Pinnacle Financial Partners Inc., which has roughly $6 billion in assets, sends fake phishing emails to its 1,100 employees every three months or so. “They all joke about it,” said Clayton Weber, director of information security at the Tennessee bank. Even though the employees know the bank regularly tests them, he said, roughly 2% click on the fake phishing email. While companies across all industries increasingly focus on cybersecurity, banks are in a unique position because they safeguard so much sensitive customer information as well as huge sums of money. Bank of America Corp. Chief Executive Brian Moynihan has said his firm’s cybersecurity budget is effectively unlimited and that the bank is increasingly focusing on its workers. “We spend a lot of money, we’re difficult with our employees in terms of what their behavior is to make sure they help keep us clean,” Mr. Moynihan said at an industry conference last month.