Cybercrime has become an enormous threat to the German economy. Phishing and Spear-Phishing attacks rank right at the top of the attack statistics. Fraudsters exploit the “human factor” as the supposed weakest link in the security chain, for example, to steal confidential data.
Spear-Phishing attacks can have particularly serious consequences for companies in the highly regulated environment of the financial industry. One of them is Star Finanz, which was founded in 1997 and has been a wholly owned subsidiary of Finanz Informatik, the IT service provider of the Sparkassen Finance Group, since 2010. As a leading provider of multi-bank-capable online and mobile banking solutions in Germany, the company frequently deals with financial and transaction data of end customers and companies.
To protect this sensitive customer data from Phishing and Spear-Phishing attacks, Star Finanz had already established an IT security strategy. In addition to technical security measures, such as spam and Phishing filters and firewalls, Security Awareness Training was provided to employees. This included monthly blog posts and meetings on current awareness topics, in which all company departments participated. Each training session concluded with a knowledge test.
“But it soon became clear that internal training was no longer sufficient to sustainably protect our company from increasingly sophisticated Spear-Phishing attacks,” reports André Haase, Senior Security Architect at Star Finanz. “So the security management decided to put the issue in professional hands.”
The Spear-Phishing-Simulations from IT-Seal use real company and employee information to recreate authentic attacks.
If an employee falls for a simulated attack, they land directly on an interactive explanation page. There, they are shown which suspicious features the email contains: from misspelled letters in the sender address to fake subdomains and dubious links.
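The indicators the explanation page points out can also be checked mechanically. The following is an added example, not IT-Seal's or Star Finanz's code: it flags a lookalike sender domain, a trusted domain used as a fake subdomain, and a link whose visible text names a different domain than its target. The trusted domain and all sample addresses are constructed.

```python
"""Flags the three indicators the explanation page points out: a misspelled
sender domain, a fake subdomain and a link whose visible text does not match
its target. Added example, not IT-Seal code; all domains are constructed."""
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.test"  # constructed stand-in for the organisation's own domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplified; a real check uses the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_host(host: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the indicators found in one host name (sender domain or link target)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    findings = []
    if reg != trusted and edit_distance(reg, trusted) <= 2:
        findings.append(f"lookalike domain: {reg!r} resembles {trusted!r}")
    labels, t = host.split("."), trusted.split(".")
    # trusted domain appears as a subdomain of some other registrable domain
    if any(labels[i:i + len(t)] == t for i in range(len(labels) - len(t))):
        findings.append(f"fake subdomain: {trusted!r} is not the registrable domain of {host!r}")
    return findings

def check_sender(address: str) -> list[str]:
    """Indicators in the From: address, e.g. 'Service <service@examp1e-bank.test>'."""
    return check_host(address.rstrip(">").rsplit("@", 1)[-1])

def check_link(visible_text: str, href: str) -> list[str]:
    """Indicators in a link: target host checks plus a visible-text/target mismatch."""
    target = urlparse(href).hostname or ""
    findings = check_host(target)
    shown = re.search(r"[\w-]+(?:\.[\w-]+)+", visible_text)
    if shown and registrable_domain(shown.group()) != registrable_domain(target):
        findings.append(f"link text shows {shown.group()!r} but points to {target!r}")
    return findings
```

A legitimate subdomain of the trusted domain, such as `mail.example-bank.test`, produces no finding, so the checks separate the three indicator types from normal internal mail.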
“Spear-Phishing-Simulations are extremely effective because they use an employee’s ‘most teachable moment’ to make him aware of his misconduct,” emphasizes André Haase. “It is precisely then that this employee is particularly receptive and internalizes the newly learned awareness in the long term.”
The Star Finanz security managers were also convinced by the patented Employee Security Index (ESI®) from IT-Seal. It provides a metric for measuring employee security awareness and is derived from how employees respond to Phishing-Simulations of varying levels of difficulty. The ESI® enables Star Finanz to determine the individual learning progress of its employees at any time and to derive targeted further training measures from it.
Since IT-Seal processes customer data exclusively in Germany, all training measures are compliant with the EU GDPR. This is of key importance for a provider in the financial sector. In addition, by using IT-Seal’s recognized awareness measures, Star Finanz has set an important course for a possible future ISO 27001 certification.
In June 2021, the first Phishing-Simulations were launched. For this purpose, IT-Seal created and sent out hundreds of fully automated attacks at various levels of difficulty to the approximately 350 employees of Star Finanz. The staff had been prepared for the Phishing campaign in advance via blog posts and circular e-mails.
After the campaign was completed, IT-Seal released the first e-learning in the Security Hub to deepen the learning content. This is a learning platform to which all participants have their own access, in order to call up the training courses and view their learning progress. Star Finanz security officers have their own front end – the Awareness Manager – which they can use to access the anonymized campaign results. They are also provided with regular stakeholder and quarterly reports by IT-Seal. To date, several Spear-Phishing campaigns, e-learnings and face-to-face training sessions have been conducted. The focus of each is determined by Star Finanz and IT-Seal at quarterly meetings. The basis is the ESI®, which IT-Seal evaluates anonymously for the entire workforce and for the individual areas.
“Together, we are constantly planning further optimizations in order to maintain and further improve the high level of security already achieved by our employees,” says security manager Haase, drawing an initial interim conclusion. “Even today, we have decided to make the Awareness Training courses permanent training courses, as this is the only way to achieve a long-term effect, even with new employees.”
With the Security Awareness Trainings from IT-Seal, Star Finanz was able to significantly improve its employees’ awareness of Spear-Phishing risks.
Innovative methods and tools are combined into a full-service offering that keeps pace with current attacker techniques and relieves the internal security management.
“Without having to worry about managing and implementing the training, we were able to make significant learning progress,” emphasizes André Haase – and praises the personal and friendly collaboration with IT-Seal: “We have a great customer advisor and maintain a great, often daily, exchange on all the important issues of the campaign and on the planning and implementation of further measures.”
Test your Security Awareness and get to know the following modules of the IT-Seal Awareness Academy without obligation:
Step 1: Sign up with your business email address.
Step 2: You will receive an e-mail asking you to confirm your registration.
Step 3: After confirming your registration, you will immediately receive your test access.
At the same time, the phishing simulation starts and you will receive a total of 4 simulated phishing emails within two weeks.
At the end, you will receive your personal evaluation: Which phishing emails did you recognize, and which ones did you fall for?