In a stark illustration that anyone, even cyber-experts, can fall for a phishing attack, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has acknowledged an incident that started with a successful lure sent to one of its employees.

FS-ISAC is an industry forum for collaboration on critical security threats facing the global financial services sector. Independent security researcher Brian Krebs obtained a copy of a memo that the organization sent to its members, which said that on Feb. 28 an FS-ISAC employee “clicked on a phishing email, compromising that employee’s login credentials. Using the credentials, a threat actor created an email with a PDF that had a link to a credential harvesting site and was then sent from the employee’s email account to select members, affiliates and employees.”

FS-ISAC chief information risk officer Greg Temm told Krebs in an interview that the attack was neither targeted nor especially advanced.

“I would classify this as a typical, routine, non-targeted account harvesting and phishing,” Temm said. “It did not affect our member portal, or where our data is. That’s 100 percent multifactor. In this case, it happened to be an asset that did not have multifactor.”

It goes to show that anyone can fall for social engineering, even with the training and background to recognize red flags. Hardening systems, not people, is widely seen as one way to combat these kinds of attacks, and to that end, the group said in the memo that it will now be implementing multifactor authentication on all of its email systems and has upgraded Office 365 for “additional visibility and security.”

According to president and CEO Bill Nelson, the fallout from the situation was limited because those targeted in the second wave of attacks were able to recognize the phish. Also, even with credentials, the criminals couldn’t get very far on the network.

“The data our members share with us is fully protected,” he told Krebs. “We have a plan working with our board of directors to make sure we have added security going forward. But clearly, recognizing where some of these softer targets are is something every company needs to take a look at.”