Helping Clients Protect their Information Online
In the age of an ever-evolving cyber threat landscape, BNY’s security-first mindset drives our cybersecurity program across the enterprise and helps clients build resilience against cyber, technology and information risks.
With cyberattacks an ever-present and growing challenge for organizations and individuals, the BNY Security Center serves as a resource to help you identify the many types of cyber threats that can introduce risk and to provide practical, actionable steps to safeguard against cyberattacks and identity theft.
From recognizing potential threats to implementing more secure online practices, the information is intended to help minimize risk in the ever-changing digital landscape.
Common Threats & Scams
Recognizing common cyber scams and threats is the first line of defense in avoiding potential risks.
Phishing is a fraudulent practice of sending emails or other messages purportedly from reputable companies to induce individuals to reveal personal information.
Tricks of the Trade
- Threat actors masquerade as a trusted individual or source and send messages with a sense of urgency to trick recipients into opening emails or text messages that contain malicious attachments or links, enabling them to steal information.
How to Detect
- Stop and verify the source before opening an attachment, clicking on a link or providing any information requested by email. When in doubt, call the sender.
- Carefully evaluate the message and its content. Use your cursor to hover over a hyperlink to preview the URL and confirm if it leads to a legitimate company domain or website.
Tips
- Do not respond and be sure to report and delete the message.
- Monitor your accounts and immediately change the password if you believe your account has been compromised.
- Notify your bank, credit card issuer or financial institution if financial information has been unwittingly shared.
Smishing is a type of social engineering attack that uses fake mobile text or SMS messages to trick people into downloading malware or sharing sensitive personal information.
Tricks of the Trade
- Crafting convincing text messages that instill a sense of urgency, manipulating individuals into taking swift action. For example, financial institutions are often used as cover, since notifications about interruption of funds or unpaid bills are a stressful, urgent matter.
- Spoofing local numbers to make dangerous text messages appear legitimate, and/or sending fraudulent links to convince recipients to divulge personal information or install malware.
How to Detect
- Beware of text messages that convey a sense of urgency or promise a free offer or prize if you click on a link.
- Watch out for unfamiliar or suspicious sender numbers and requests for personal information. Legitimate companies won’t ask for sensitive information through SMS.
Tips
- Ask whether it makes sense that the person would contact you. If not, do not click on links in the message or engage.
- Do not reply or call the number. Block and report it as spam.
Vishing refers to a fraudulent phone call scam that aims to trick individuals into providing or revealing sensitive information.
Tricks of the Trade
- Spoofing techniques are used to display a fake caller ID, making the call appear to originate from a trusted entity such as a bank, a utility, or an individual claiming an urgent issue with a customer’s account.
- May use AI software to mimic a person’s voice, fooling individuals or employees into believing they are speaking to a known person or manager.
How to Detect
- Pay attention to where the call originates and listen for poor audio quality, which may signal it is an automated malicious robocall.
- Watch out for the use of urgency or fear such as stating that there's an issue with your account and asking for your credentials or personal information.
Tips
- Do not trust Caller IDs, which can be manipulated.
- Ask for the caller’s name, organization, and contact information. Independently reach out to the organization to confirm the legitimacy.
Quishing refers to the use of a QR code by scammers to trick individuals into visiting a fraudulent website or downloading and installing malicious software.
Tricks of the Trade
- Embedding QR codes in emails, social media posts, printed flyers or physical objects, enticing individuals with offers of free products, services or giveaways.
- Replacing official QR codes on parking meters, menus, magazines, product labels or displays with fake versions.
How to Detect
- Verify the source by checking an official website to confirm whether communication with a QR code is legitimate.
- Check the URL to ensure it has not been shortened or altered and be aware of slight misspellings in the web address or on the website.
Tips
- Verify requests with the person or company directly.
- Bookmark important websites.
Malware is intrusive software developed by cybercriminals to steal information, disrupt system services or damage IT networks.
Tricks of the Trade
- Attack methods include viruses, worms, botnets and ransomware that infect the individual's computer.
- Infection is achieved through phishing, downloading malicious files from a website, unsafe social media links, or by an attacker remotely logging in to install the software.
How to Detect
- Watch for unusual computer performance such as slow processing, freezing, crashing, unusual pop-ups or ads even when you are not browsing.
- Be aware of unfamiliar programs or tools on your device, or fake antivirus warnings or alerts.
Tips
- Verify the source before clicking on links in an email or on a webpage.
- Use strong passwords and authentication methods such as multi-factor authentication (MFA) to help protect against malware infection.
- Ensure your software is updated with the latest version.
Business email compromise (BEC) is a type of cybercrime in which attackers use email to trick individuals into sending or transferring money, approving unauthorized purchases or disclosing confidential company information.
Tricks of the Trade
- Threat actors research and study their targets in order to impersonate them convincingly.
- Uses compromised or spoofed email accounts with fake sender addresses to target individuals or organizations and initiate fraudulent bank account changes or fund transfers.
How to Detect
- Inspect the URL by hovering over the link, and check the sender address, for anomalies.
- Look for signs of misspelling of a legitimate website.
Tips
- Verify requests with the person or company directly.
- Bookmark important websites.
- Monitor account activity.
A deepfake involves media that has been manipulated with AI to replace a person’s likeness or voice to trick individuals.
Tricks of the Trade
- Uses AI to create realistic voices, images and videos to trick unsuspecting individuals and organizations.
- Employs a variety of distribution methods, including email, phone and video calls, mobile messaging and QR codes.
How to Detect
- Pay attention to facial features:
  - Cheeks and forehead: Does the skin appear too smooth or too wrinkly?
  - Eyes and eyebrows: Are the eyes blinking or moving naturally? (Deepfakes have difficulty mimicking realistic eye movements.)
  - Glasses: Is there any glare, or too much glare?
- Speech and sound: Notice whether words are slurred, whether the sentiment sounds natural, and whether there is background noise.
- Reverse image search to learn if the image or video has been used elsewhere.
Tips
- Set social media settings to private, reducing threat actors’ opportunity to misuse your content.
- Verify with the person or company directly.
- Never share information, money or any other assets with unverified contacts.
Ways to Protect Yourself
No technology provides absolute protection against threat actors. However, by adding additional layers of security, you can reduce your susceptibility to others gaining unauthorized access to your accounts. It is important to implement strong security practices; some best practices include:
Weak passwords are one of the most common entry points for cyber criminals. The more complex the password, the more protected your information will be.
Early detection of unusual activity helps stop fraud before it results in financial harm or information exposure.
- Review your bank and credit card statements regularly.
- Set up account alerts for unusual activity (e.g., login alerts and new device sign-in).
- Review account recovery settings periodically (backup email and phone number).
- Consider credit monitoring services.
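The "new device sign-in" alert recommended above can be expressed as a simple rule: remember which devices and countries each account has signed in from, and raise an alert the first time either changes. The following is an added illustration written for this page, not code from BNY or from any account provider; the sign-in events, device identifiers and the choice to treat an account's first sign-in as its silent baseline are all constructed assumptions for the example.

```python
"""Detect sign-ins from a device or country an account has not used before: the
'new device sign-in' alert the account-monitoring tips above recommend enabling."""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    account: str
    device_id: str   # per-device identifier (browser or app instance) as an auth system would assign it
    country: str     # country derived from the sign-in IP address
    ts: str          # ISO-8601 timestamp


@dataclass
class Profile:
    """What an account has been seen using so far."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def evaluate_signins(events):
    """Walk sign-ins in time order and return a list of (ts, account, reason) alerts.

    Assumption for this example: the first sign-in seen for an account establishes
    its baseline and is not alerted; afterwards any unseen device or unseen country
    produces an alert, and the new value is then added to the baseline.
    """
    profiles = {}
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        p = profiles.get(e.account)
        if p is None:
            profiles[e.account] = Profile({e.device_id}, {e.country})
            continue
        reasons = []
        if e.device_id not in p.devices:
            reasons.append(f"new device {e.device_id}")
        if e.country not in p.countries:
            reasons.append(f"new country {e.country}")
        p.devices.add(e.device_id)
        p.countries.add(e.country)
        if reasons:
            alerts.append((e.ts, e.account, "; ".join(reasons)))
    return alerts


# Constructed sample events for this example (not real sign-in data).
SAMPLE_EVENTS = [
    SignIn("alice", "laptop-1", "US", "2024-05-01T09:00"),
    SignIn("alice", "laptop-1", "US", "2024-05-02T09:05"),
    SignIn("alice", "phone-7", "US", "2024-05-03T08:00"),   # first use of a new device
    SignIn("bob", "tablet-2", "GB", "2024-05-03T10:00"),    # bob's baseline, no alert
    SignIn("alice", "phone-7", "DE", "2024-05-04T22:30"),   # known device, new country
    SignIn("bob", "tablet-2", "GB", "2024-05-05T10:00"),
]

if __name__ == "__main__":
    for ts, account, reason in evaluate_signins(SAMPLE_EVENTS):
        print(f"{ts} ALERT {account}: {reason}")
```

A real provider would add an enrollment window and a way for the user to confirm a new device as their own; the point of the rule is that an attacker signing in with stolen credentials from their own device or location is caught at the first attempt, which is why enabling such alerts is worthwhile.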
Malicious sites and links can compromise your credentials or install malware, so cautious browsing reduces your risk.
- Verify URLs before clicking (hover to preview; watch for subtle misspellings).
- Avoid clicking on suspicious links or pop-ups.
- Only download attachments from trusted sources.
- Use bookmarks for frequently visited sites.
- Keep your browser and plugins up to date.
- Be cautious on public Wi-Fi; avoid entering sensitive information unless using a trusted VPN.
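The link checks described in this list and in the phishing, quishing and BEC sections above (preview the real address, look for subtle misspellings, notice shortened or altered links) can be automated as a small inspection routine that reports what a careful reader would notice by hovering. This is an added example written for this page, not code from BNY; the trusted-domain list, the shortener list and the rule that the registrable domain is the last two labels of the host are assumptions of the example, and the sample links use reserved example and test addresses.

```python
"""Inspect a hyperlink the way the advice above tells a reader to: find the real
host, decode disguised characters, and compare it with domains already trusted."""
import ipaddress
from urllib.parse import urlparse

# Constructed for this example: the domains this reader considers legitimate.
TRUSTED_DOMAINS = {"example.com"}

# Well-known link shorteners; a shortened link hides its real destination.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character misspellings of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL; a bare 'host/path' link is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. No public-suffix list
    is consulted, so two-part suffixes such as co.uk are not handled here."""
    return ".".join(host.split(".")[-2:])


def inspect_link(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    host = hostname_of(url)
    if not host:
        return ["no host could be parsed from the link"]
    scheme = urlparse(url if "://" in url else "http://" + url).scheme
    if scheme != "https":
        findings.append("link is not HTTPS")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a domain name")
        return findings
    except ValueError:
        pass  # not an IP literal; continue with domain checks
    # Internationalised labels are transmitted as xn--...; show what they would display as.
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown = label.encode("ascii").decode("idna")
            except UnicodeError:
                shown = "?"
            findings.append(f"punycode label {label!r} displays as {shown!r}; possible look-alike")
    reg = registered_domain(host)
    if reg in SHORTENER_DOMAINS:
        findings.append(f"{reg} is a link shortener; the real destination is hidden")
    if reg in trusted:
        return findings
    sub_labels = host.split(".")[:-2]   # everything left of the registrable domain
    reg_name = reg.split(".")[0]
    for t in trusted:
        t_name = t.split(".")[0]
        if t_name in sub_labels:
            findings.append(f"trusted name '{t_name}' appears only as a subdomain of {reg}")
        elif 0 < levenshtein(reg_name, t_name) <= 2:
            findings.append(f"{reg} is a near-misspelling of trusted domain {t}")
    if not findings:
        findings.append(f"{reg} is not in your trusted list; verify before proceeding")
    return findings


def looks_trustworthy(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    return not inspect_link(url, trusted)


if __name__ == "__main__":
    for link in ["https://www.example.com/security", "https://examp1e.com/login",
                 "https://example.com.secure-login.test/verify", "https://bit.ly/abc123",
                 "http://192.0.2.10/login", "https://xn--bcher-kva.example/"]:
        print(link, "->", inspect_link(link) or ["nothing flagged"])
```

The subdomain check is the one most often missed by eye: in a link such as example.com.secure-login.test the familiar name appears first, but the part that decides where the browser goes is the rightmost registrable domain, which here belongs to someone else.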
Poorly secured devices give attackers easy access to your accounts and sensitive information.
- Install reputable antivirus/anti-malware software and keep it up to date.
- Apply operating system updates regularly; enable automatic updates when possible.
- Use full disk encryption on all devices; enable “Find My Device” and remote wipe where available.
- Remove unused apps and review app permissions regularly.
- Back up data regularly.
Oversharing and weak privacy settings expose personal details that criminals use for impersonation and targeting.
- Lock down privacy settings; restrict who can see posts and personal details.
- Avoid oversharing location, travel plans, or sensitive work information.
- Be cautious with links that request profile access.
Resources for Additional Information
Global
"SANS OUCH!" Newsletters - a publicly accessible security awareness newsletter available in multiple languages
Center for Internet Security (CIS) Controls - best practices you can apply to reduce risk
United States
National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 - guidance to build or improve a security program
Cybersecurity and Infrastructure Security Agency (CISA) services and tools - free assessments and resources
United Kingdom & Europe
If you have any questions about Information Security at BNY, please reach out to your relationship manager.
BNY is the corporate brand of The Bank of New York Mellon Corporation and may be used to reference the corporation as a whole and/or its various subsidiaries generally. This material and any products and services mentioned may be issued or provided in various countries by duly authorized and regulated subsidiaries, affiliates, and joint ventures of BNY. This material does not constitute a recommendation by BNY of any kind. The information herein is not intended to provide tax, legal, investment, accounting, financial or other professional advice on any matter, and should not be used or relied upon as such. The views expressed within this material are those of the contributors and not necessarily those of BNY. BNY has not independently verified the information contained in this material and makes no representation as to the accuracy, completeness, timeliness, merchantability or fitness for a specific purpose of the information provided in this material. BNY assumes no direct or consequential liability for any errors in or reliance upon this material.
This material may not be reproduced or disseminated in any form without the express prior written permission of BNY. BNY will not be responsible for updating any information contained within this material and opinions and information contained herein are subject to change without notice. Trademarks, service marks, logos and other intellectual property marks belong to their respective owners.
© 2026 BNY. All rights reserved. Member FDIC.