As artificial intelligence rapidly evolves and democratizes cyber crime, it’s also elevated the human element of cybersecurity.
That’s according to Sarah Gosler, Wells Fargo’s head of cyber human defense. Prior to joining Wells in May, Gosler spent eight years at BNY, including as global head of cyber human defense and readiness products.
“In the ‘90s, cyber was a government problem, and it was all focused on espionage,” she said in a recent interview. “In the 2000s, it was an IT problem, and only IT nerds knew about it. In the 2010s, it was a business problem. Now, it's an everybody problem.”
This year, cyber crime is expected to have a $10.5 trillion economic impact, Gosler said. AI has lowered the barrier to entry and helps fraudsters target victims at scale. “Long gone are the days of the prince from a faraway land with a really bad grammatical email,” Gosler said.
About 95% of successful breaches happen because of a human element, she said, and that has ratcheted up the spotlight on cyber human defense.
Technical defense is important, but “humans really represent the largest attack surface of any organization, and they effectively are at the perimeter of any bank or company,” she said. “That's where psychological manipulation and the approach becomes quite interesting.”
Editor’s note: This interview has been edited for clarity and brevity.
BANKING DIVE: What’s your role at the bank focused on?
SARAH GOSLER: I focus across a few different areas. One is awareness and training: How do we make our workforce aware of cyber threats, but do it in a way that’s interesting and memorable?
For a long time, most technical people didn't know how to speak in ways that weren’t tech. Cyber is impacting everybody, so you have to be able to talk about cyber threats and risks and what could happen in a way that people understand it, and so they know how to protect themselves.

Another part is social engineering, and how we are training and testing our organization to spot phishing, voice phishing and deepfakes, which can be both visual and audio.
Also, simulations and testing, with cyber war gaming. You may have heard of it as tabletops – we call it war gaming because we have taken military-type concepts in terms of how they do their war gaming, where it’s immersive. We create pressure in the room and put pressure on executives to make decisions in real time.
We call it a safe-to-fail environment. We want to make sure executives are getting around the table, talking about what they're going to do, looking at our operational processes and how we would handle it. You want to know what you're doing when you're in a safe-to-fail environment, as opposed to if the real thing is happening.
We also have a cyber client advisory program that offers what we do within the bank as a value-add for clients. And I partnered recently on a social media campaign teaching the general public about tips and tricks for spotting banking scams.
What AI-powered threats are you seeing target financial institutions?
Generally, any financial institution is aware of nation-state actors and what's going on there. North Korea is constantly trying to get workers within companies that are posing as real employees but feeding things back to North Korea. That’s been going on for a long time.
Third-party incidents – this wasn’t a cyberattack, but the CrowdStrike incident, for example – it’s really important for institutions to be aware of their third-party footprint, do an incredible amount of due diligence and make sure that their vendors have safe and secure policies, and have robust cybersecurity departments.
Take it a step further, it’s called fourth-party or nth-party risk – so think vendors of vendors. You have to be thinking about the entire ecosystem. The biggest one is social engineering, which underpins the things I just mentioned. That's why we've built an entire program that's focused on, how do we protect people?
How is Wells Fargo leveraging AI defensively to counter these evolving threats?
Generally, there’s AI for good, too. It does things like automated perimeter scanning – in the event of an incident, being able to detect it much quicker.
Also, how I go about training. We rolled out an all-employee training during Cyber Awareness Month in October, and as we were creating the training, I used AI. I came up with this concept that I wanted to create a cyber agency within Wells Fargo – again, making it interesting and immersive – and I said, write me a field operatives guide to educate my workforce and make it feel like they're in a spy novel. It's such a cool training. The humans on my team, we had to build it and make it fit for purpose. I'm a pretty creative person, but to try to sit there and think about, how do I make cyber training like a spy novel? AI can do that really quickly.
How do you avoid “security fatigue” among employees?
You have to make it interesting and engaging. From a cyber perspective, if we know that our largest attack surface is our people, them clicking through and not paying attention to the training is a huge disservice. I'm a big proponent of you have to meet people where they are.
Cyber shouldn’t be about a “gotcha” moment. It needs to be about empowerment. Cyber is about everybody, and that means people at work and also at home. Things that we can do to keep you safe at work are also relevant in your personal life and to your partner, your kids, your parents, whoever it might be.
In the past, people made cyber this fire-and-brimstone thing, and it was like, “thou shalt not do 50 million things,” but that didn't tell you how you protect yourself. When you approach it that way, it kind of turns people off. And we can't afford to do that anymore.
Do you think we need to see more banking industry collaboration when it comes to cybersecurity?
Cyber is very mission-oriented. From our perspective, all of the large financial institutions’ cybersecurity teams are supportive, and we talk to each other – same thing with government. What's important is that we continue to evolve together, and constantly are looking around the corner for what's next.