Many customers found their accounts to be inaccessible Thursday night and into Friday. The bank reported that it was the victim of a distributed denial-of-service (DDoS) attack. "Due to a surge in internet traffic deliberately directed at the NatWest website, customers experienced difficulties accessing some of our customer websites today,” it told the Guardian. "We have taken the appropriate action to restore the affected websites."
The issue follows an incident last Monday, when RBS, Ulster Bank and NatWest customers saw an outage of several hours that evening, when they were unable to use their cards to draw cash or pay for goods or services. It affected about 150,000 people.
RBS chief executive, Ross McEwan, told the Guardian that an ongoing lack of IT funding – for decades – is largely to blame for the incidents. The problems are not isolated, either – last year RBS paid out $285.7 million to compensate customers for a similar outage lasting several days.
The outages are one thing, but last Monday, the bank took to Twitter to push out a re-direct link to affected customers. That decision turned out to be a field day for phisherman, who saw an opportunity to pose as the bank themselves, only with links to bogus pages meant to siphon banking credentials. The Daily Mail reported that they were successful too, with customers reporting money vanishing from their accounts.
And, in the wake of the second breakdown, it’s likely that the phenomenon will happen again.
“In the wake of a second reported computer crash in five days, customers should remain wary of cybercriminals looking to take advantage of the ensuing confusion,” said Ashish Patel, regional director at Stonesoft, in an emailed comment.
The fact that the banks, following the first issue, were directing customers to use an alternative link simply aids hackers in masking their activities, added George Anderson, director of product marketing at Webroot, in a comment to Infosecurity. “All of us need to keep front of mind that hackers will always aim to be one step ahead and using real-life events or communications coming from friends as phishing emails is a very successful social engineering strategy,” said Anderson. “Phishing remains the most prevalent web-borne attack, accounting for up to 55% of the breaches companies experience”, according to the company's recent web security study.
And yet, many people still don’t realize the how sophisticated phishing attacks can be. Some phishing sites are only live for a few hours, and when they reference real-life security incidents, they are often indistinguishable from genuine requests.
“The problem is that most anti-phishing security technology relies too heavily on trying to find phishing sites and build blacklists, which simply is not a fast enough – as this RBS incident highlights. The best thing is for us all to remain vigilant and access bank’s websites directly, rather than clicking on an email link,” Anderson added.
In general, consumers need to be more vigilant than ever when it comes to email safety. “With Christmas just around the corner, and many customers wanting access to their money, basic security precautions, such as not clicking on links in suspicious emails, should be front of mind for all,” Patel said.
The outages also point out the banking vertical’s unique challenges. “As well as heavy investment in sufficient IT infrastructure and defenses, financial organizations need to clearly communicate the potential threats their customers face during such hiatuses in service to ensure heightened awareness and damage control,” Patel said. “These types of attacks highlight our dependence for the need of a secure cyber-environment that consumers can trust and depend on.”
It is expected that there will be investigations into the outages, asking questions of RBS concerning both security and governance.