When I was first asked to join John Iannarelli (aka “FBI John”), a former FBI agent, for a discussion at the Indiana Bankers Association Annual Convention, I felt a mixture of excitement and nervousness. Talking about the threats community banks face alongside someone who spent decades fighting cybercrime was a bit intimidating. But as soon as we began exchanging stories and insights on threats like deep fakes, business email compromise (BEC), and ransomware, the conversation flowed naturally. In the end, we got a ton of great feedback from folks in the audience.
Reflecting on our talk, I realized it would be a great opportunity to share some of the key points with other community banking leaders who couldn’t attend that day. So, here are five key areas we discussed that offer actionable takeaways for protecting your institution.
Ransomware with a Side of Exfiltration
Ransomware on its own is a serious threat for any bank. But unfortunately, it can get worse. While traditional ransomware can often be mitigated with a solid backup and recovery strategy, newer variants, like LockBit ransomware, have raised the stakes with data exfiltration. This means attackers don’t just encrypt your data—they also steal it, threatening to release sensitive customer information to the dark web if their demands aren’t met.
John and I discussed a recent case where the LockBit gang claimed to have stolen 33TB of data from the Federal Reserve. While it turned out they actually targeted a much smaller community bank, the point still stands: attackers are going after banks of all sizes.
In this case, the community bank had less than 48 hours to respond—something that’s difficult to navigate without a pre-planned strategy. This is why tabletop exercises are so important. Running through a scenario where customer data is exfiltrated can help a bank determine how to respond effectively and quickly, minimizing damage and protecting the institution’s reputation.
ID Theft isn’t Going Away
John shared some horror stories of ID Theft and other scams directly affecting consumers. While they can be entertaining, it’s unfortunate that this stuff isn’t going away anytime soon. Banks can get caught in the middle of some of these situations, especially when funds are being transferred. For that reason, John encouraged awareness training for both bank customers and employees to help prevent and identify these types of attacks.
This conversation led to some debate on credit monitoring vs a credit freeze. John is for credit monitoring versus a credit freeze, as he feels a freeze can be burdensome to manage. He even mentioned that some banks are buying credit monitoring in bulk and offering it to customers as a benefit—interesting idea!
Check Fraud: A New Peak in an Old Problem
John and I were shocked to hear check fraud being brought up again as a major concern. In fact, one attendee said, “Check fraud is the highest it’s EVER been for our bank!” This isn’t an isolated comment. Check fraud has been skyrocketing in 2024 and even multiple USPS workers have been charged with either stealing or helping to steal checks from the mail, contributing to this surge.
It’s a sobering reminder that even as we move further into a digital world, some of the oldest forms of fraud are still very much alive.
John’s Tips for Consumers:
Avoid mailing checks – Mailboxes are easy targets for thieves, so encourage customers to avoid putting checks in their mailbox, but instead use the USPS collection boxes whenever possible.
Use ACH, Card, or other electronic payments – Electronic payment methods like ACH and cards are more secure and less susceptible to theft or fraud.
An Expensive Email Compromise
John pointed out that Business Email Compromise (BEC) is one of the worst types of cybercrime we’re facing today, with over $50 billion in losses to date. At Bedel Security, we’ve seen a standard pattern emerge in these attacks. It usually starts with a fake “secure” email that tricks the recipient into logging in, allowing criminals to steal their credentials. Once they have access, they set up hidden rules to monitor and stay undetected, while searching for financial transactions to exploit.
In most cases, they go as far as downloading the entire inbox and stealing sensitive data like Personally Identifiable Information (PII). Worse yet, they’ll then send out more fake secure messages to others, perpetuating the cycle.
The best defense? It’s a combination of training, verification, and preparedness:
- Train and Test Users: Employees need to know how to spot phishing emails. Regular training and phishing tests can help them identify and prevent email compromise. We’ve found that early reporting by the employee if they do click, helps reduce the losses in these incidents.
- Out-of-Band Verifications: For any transactions initiated via email, set up out-of-band verifications, such as phone calls, to ensure the request is legitimate.
- Incident Response Plan: Make sure your incident response plan is equipped to handle a breach if sensitive data is stolen from email accounts.
The Next Wave of Threats: AI, Deepfakes, and Fintech Risks
John and I briefly discussed some of the emerging threats that community banks should be preparing for. While these risks are still evolving, the key takeaway for all of them is simple: be aware, and have a plan.
- AI & Generative Models: We all know that artificial intelligence, particularly generative AI like large language models, are becoming more widespread. But if not used correctly, these tools can carry a lot of risk. Your employees will want to use generative AI—they can be highly productive—so avoidance is not a strategy. Instead, banks should focus on learning about these technologies, testing them in controlled environments, and creating policies that set clear boundaries for use. Look into solutions like Microsoft Copilot, which can help keep sensitive data within a secure environment.
- Deepfakes & Voice Impersonations: With the rise of deepfake technology, fraudulent transactions using voice or video impersonation will become a growing threat. Banks are prime targets for this kind of fraud. It’s crucial to train staff on how to recognize deepfakes and implement strong out-of-band verifications or passcodes for transactions that exceed certain thresholds.
- Fintech Partnerships & BaaS: With fintech making headlines, many community banks are considering Banking as a Service (BaaS) relationships. However, these partnerships come with their own risks. Banks need to bring robust risk management practices to the table, conducting comprehensive third-party assessments. It’s also essential to recognize that these partnerships require significant resources—banks should be prepared for assessments of their own environment as well.
Closing
I’d like to thank John Iannarelli and the Indiana Bankers Association for the opportunity to discuss these critical topics. It was a lot of fun and I learned a lot. Conversations like these remind me that collaboration and sharing are what strengthen the community banking industry.