From data breaches at big-box retailers such as Target and Home Depot to bitcoin ransom scams, it seems like your typical chief information officer is playing whac-a-mole, trying to keep up with all the cybersecurity threats to today’s financial system.
But bankers are hitting back – with software, information-sharing and good old-fashioned cultural overhaul.
First, the good news: When it comes to cybersecurity, banks largely have their own house in order. Though financial institutions are by no means invulnerable to attack, the industry is already so heavily regulated and audited that banks and credit unions have shored up their internal defenses to the hilt.
“I actually believe the banks need to be more concerned about attacks on their customers,” said Matt Putvinski, the director of IT assurance and security services at the Boston-based Wolf & Co. “Not just the retail customers, but all of their business customers. Hackers have figured out that it’s easier to trick banks’ customers into giving them credentials.”
With this particular type of fraud, the cybercriminals target a business. The miscreants use various social engineering techniques – sending a fake LinkedIn invitation, for instance – to collect whatever valuable information they can about the business and the people in it. Sometimes they bide their time for weeks before going in for the kill. Maybe they’ll send the company’s CFO an email that looks as if it legitimately came from the CEO, or maybe they’ll be bold enough to call the bank directly and initiate a fraudulent wire transfer.
“Hackers are actually getting to the point where they’re calling the bank and impersonating the customer to initiate these scams,” Putvinski said. “It’s no longer as much of a technical issue as much as a social or cultural issue.”
And once that money is out the door, it’s hard to get it back. Sometimes the window of time to reverse a fraudulent wire transfer is as short as a few hours.
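What the CEO-impersonation email described above looks like to a mail filter, as an added example that is not from the article or from any of the firms quoted in it. The check flags a message whose sender display name (or, if there is none, the mailbox name) matches a known executive while the address is not that executive's real mailbox, distinguishing a lookalike domain from a plain external one, and it separately flags a Reply-To header that steers replies to a different domain. The company domain, executive directory and sample messages are all constructed for the example.

```python
"""Heuristic check for executive-impersonation ("CEO fraud") email.

Added example, not code from the article or from Wolf & Co / Radius Bank.
COMPANY_DOMAIN, EXECUTIVES and SAMPLES are constructed stand-ins.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-bank.com"          # assumed company domain
EXECUTIVES = {                               # constructed directory: name -> real mailbox
    "jane doe": "jane.doe@example-bank.com",  # CEO
    "sam lee": "sam.lee@example-bank.com",    # CFO
}
LOOKALIKE_DISTANCE = 2   # edit distance at or below which a domain counts as a lookalike


def edit_distance(a, b):
    """Levenshtein distance, used to catch examp1e-bank.com, exarnple-bank.com, example-bank.co ..."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(display_name):
    """'Doe, Jane' / 'JANE  DOE' / 'jane.doe' -> 'jane doe' so the directory lookup is forgiving."""
    parts = [p for p in re.split(r"[^a-z]+", display_name.lower()) if p]
    if "," in display_name and len(parts) >= 2:
        parts = parts[1:] + parts[:1]       # 'Last, First' -> 'First Last'
    return " ".join(parts)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(from_header, reply_to_header=""):
    """Return the list of impersonation indicators that fire; empty list means none did."""
    reasons = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    from_domain = domain_of(addr)
    # No display name? Use the mailbox name, so jane.doe@examp1e-bank.com still matches.
    key = normalize_name(name or addr.split("@")[0])

    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        if from_domain == COMPANY_DOMAIN:
            reasons.append(f"executive name '{key}' on a different internal mailbox {addr}")
        elif 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= LOOKALIKE_DISTANCE:
            reasons.append(f"lookalike domain {from_domain} (mimics {COMPANY_DOMAIN})")
        else:
            reasons.append(f"executive name '{key}' from external domain {from_domain}")

    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = domain_of(reply_addr)
        if reply_domain and reply_domain != from_domain:
            reasons.append(f"Reply-To sends replies to {reply_domain}, not {from_domain}")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and run the sender check on its headers."""
    msg = message_from_string(raw)
    return check_sender(msg.get("From", ""), msg.get("Reply-To", ""))


# Constructed sample messages; none of these is real traffic.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example-bank.com>\nTo: sam.lee@example-bank.com\n"
             "Subject: Q4 numbers\n\nSam, can you send me the draft?\n",
    "lookalike": "From: Jane Doe <jane.doe@examp1e-bank.com>\nTo: sam.lee@example-bank.com\n"
                 "Subject: Urgent wire\n\nSam, I need a wire out before noon. Call me after.\n",
    "freemail": 'From: "Doe, Jane" <jane.doe.ceo@gmail.com>\nTo: sam.lee@example-bank.com\n'
                "Subject: quick favour\n\nAre you at your desk?\n",
    "reply_to": "From: Jane Doe <jane.doe@example-bank.com>\n"
                "Reply-To: <jane.doe@secure-mail-relay.net>\nTo: sam.lee@example-bank.com\n"
                "Subject: vendor payment\n\nPlease process the attached invoice today.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {scan_message(raw) or 'clean'}")
```

Indicators like these are a triage aid, not a verdict: they belong alongside sender authentication (SPF, DKIM and DMARC) and, for anything that asks to move money, an out-of-band callback to a number already on file, which is the control that actually defeats the phone-based variant Putvinski describes.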
With technology moving at an ever-faster pace, it’s almost ironic that some of the most successful fraudsters rely not on the latest and greatest algorithm, but on basic human folly. For bankers, that means baking security into every layer of their corporate culture.
In addition to regulatory risk assessments and leading-edge protections, Radius Bank in Boston also performs regular in-house training and testing to find out for itself, ahead of any hackers, where its vulnerabilities might be.
“If someone gets tripped up, you retrain,” said Chief Information Officer Rob Landstein. “Our people are the first line of defense, so we do annual information security training – and more than that, we do tests throughout the year, like social engineering testing to see if people are following what they’ve learned or if they need some extra training.”
EMV And More
Landstein said that Radius Bank also offers customers its own software, a product called Trusteer that he said can help alert customers if their account information has been compromised or if they’re about to put their payment information into an untrustworthy site.
That latter piece is especially relevant as banks’ customers begin to enter the full swing of the holiday shopping season – and as online retailers gobble up an ever-increasing share of consumers’ dollars.
“Card fraud is out there all the time and EMV chips don’t help with online transactions,” Landstein said.
Though 2015 was supposed to be The Year of the EMV-Enabled Card, as many as 60 percent of U.S. consumers still had magnetic stripe cards when the Oct. 1 liability shift blew by. Even less of the debit portfolio has converted to EMV, and the author of a report out of Mercator Advisory Group told Banker & Tradesman earlier this year that she anticipated just 25 percent of the debit portfolio would be converted to chip-and-PIN by year’s end.
Not that that makes much of a difference when the consumer is shopping online anyway.
“Card not present is still always going to be an issue. The chip won’t help that,” Putvinski said. “At the end of the day, it will mitigate a lot of the fraud at point-of-sale until everybody implements it and then [hackers will] figure out another way to get into point-of-sale devices.”
Meanwhile, regulators have taken a largely prescriptive approach to cybersecurity. The Federal Financial Institutions Examination Council (FFIEC) has its cybersecurity assessment tool, aimed at helping banks to better understand their own level of risk, and the Federal Reserve Bank of Boston hosts biweekly information-sharing sessions, which Landstein credits as especially important in the fight against cybercriminals.
“We go over the latest threats, we get education and guest speakers,” he said. “I think the biggest part is just having discussions with banks to see if anybody’s seeing an uptick in viruses or what might be the latest thing trending and how they’re dealing with it.”