PREVENTIVE VIGILANCE IN BANKS
VIGILANCE FUNCTION IN BANKS
The dictionary defines Vigilance as being watchful and cautious to detect danger, being ever awake and alert. While being vigilant is important in all walks of life, the observance of vigilance becomes more critical in the financial sector and particularly for institutions like banks, which deal with public money.
Banks, which act as an intermediary between depositors and lenders, are duty bound to observe the highest standards of safeguards to ensure that money accepted from depositors are not mis-utilized and are put to gainful use or are available with them to be paid on demand. To ensure this, banks are not only required to do due diligence on the borrowers but are also expected to put in place appropriate safeguards to ensure that the transactions being undertaken by the staff are as per laid down guidelines. The watchfulness enforced by the vigilance function is required to ensure that public money, which banks hold in fiduciary capacity is not allowed to be misused by the delinquent elements in any manner.
Types of Vigilance in banks: There are mainly three types of vigilance in banks;
- Preventive Vigilance: It plays an important role in strengthening the vigilance set up of any organisation. Preventive Vigilance sets up procedure and systems to restrain the acts of wrong doing and misconduct in the various areas of the functioning of department.
- Detective Vigilance: Effective use and scan of Complaints, Inspection Reports, Audit Reports etc. Detection of Corrupt Practices, Malpractices, Negligence, Misconduct and better surveillance of public contact points. Close watch on officers at sensitive posts of doubtful integrity and detect fraud and scrutiny of decision taken by officials having discretionary powers.
- Punitive Vigilance: It includes investigation and collection of evidence and speedy departmental inquiries. Swift and deterrent action against the real culprit.
Aim of Vigilance in Banks: Preventive vigilance is aimed at reducing the occurrence of a lapse (violation of a law, a norm, or, broadly speaking, a governance requirement). Detective vigilance is aimed at identifying and verifying the occurrence of a lapse. Punitive vigilance is aimed at deterring the occurrence of a lapse. Detective and punitive vigilance are strategic complements. The greater the punishment, the more useful it is to detect. Conversely, having a high penalty is ineffective when the quality of detection is poor.
Preventive vigilance takes a central role in vigilance organized at the Reserve Bank of India (RBI). The overall responsibility for vigilance work at the RBI vests with the Central Vigilance Cell (C.V.Cell or Cell), which exercises its jurisdiction over all employees of the Bank and co-ordinates the activities of the various vigilance units. The Cell maintains liaison with the Central Vigilance Commission (CVC) and the Central Bureau of Investigation (CBI). Vigilance guidelines issued by the CVC are aimed at greater transparency, promoting a culture of honesty and probity in public life, and improving the overall vigilance administration in the organizations within its purview. RBI has taken several preventive measures to maintain high standards of integrity.
Preventive Vigilance is adoption of various measures to improve systems and procedures to eliminate or reduce corruption. Organisations keep a watch over their staff & customers to avoid any untoward happening, incident or accident. Vigilance refers to the process of paying close and continuous attention.
Objective of Preventive Vigilance: The objective of Preventive Vigilance in banks are as under;
- Exercising watchfulness and diligence by all employees so as to prevent happening of any untoward incidents that may adversely affect financial or reputational implications for the organization.
- To ensure strict adherence to integrity by all employees and bank’s laid down policies, systems and procedures so that bank’s interest is protected.
- Preventive vigilance sets up procedures and systems to restrain the acts of wrongdoing.
- Restrain the misconduct in the various areas of the functioning of any organization.
Phishing Attack: Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.
Phishing Attack Examples: The following illustrates a common phishing scam attempt:
- A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
- The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.
Several things can occur by clicking the link. For example:
- The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
- The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.
Phishing Techniques: Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.
For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.
In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
Spear Phishing: Spear phishing targets a specific person or enterprise, as opposed to random application users. It's a more in depth version of phishing that requires special knowledge about an organization, including its power structure.
An attack might play out as follows:
- A perpetrator researches names of employees within an organization’s marketing department and gains access to the latest project invoices.
- Posing as the marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style, and included logo duplicate the organization’s standard email template.
- A link in the email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice.
- The PM is requested to log in to view the document. The attacker steals his credentials, gaining full access to sensitive areas within the organization’s network.
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.
Phishing Protection: Phishing attack protection requires steps be taken by both users and enterprises. For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:
- Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones. Even when employees are compromised, 2FA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.
- In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to frequently change their passwords and to not be allowed to reuse password for multiple applications.
- Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.