Cyberattacks on financial institutions in the US occur at the staggering rate of approximately 30 times per second. The reality is while major news outlets report on wide-scale breaches such as the 143 million US resident records accessed in the Equifax breach, countless other successful breaches happen daily that don’t earn national headlines. Information security teams are being hammered with attacks from every angle. Even with the latest in technology and software, many attacks go undetected for months. During that time, precious data is being siphoned away and sold off via various outlets on the Dark Web.
Employee and vendor education and security enforcement continues to play an important role in cybersecurity at all firms. The overwhelming majority of successful cyberattacks are carried out as the result of human error and/or behavior—some estimate nearly 90%! We know the number of cyberattacks is going to continue to grow, especially as the technological footprint and implementation of firms continues to widen. What kinds of attacks are financial teams facing and what can be done about it?
How are Financial Companies at Risk from Phishing
It is estimated that more than half of all companies receive phishing emails on a regular basis. Of those phishing emails that have been logged and reported, it is estimated that more than a third target individuals in financial institutions.
These attacks occur in a number of ways. Some phishing emails are sent to the consumer. Others are sent to internal employees.
The emails will often include a link requesting account verification or approval and that link will lead to a legitimate looking site, mirroring the real organization’s website in terms of look and feel. Once someone has entered their information into that false site, it is captured by the hackers and used in a variety of ways.
These kinds of cybercrimes targeting financial firms and their customers can be used to siphon money away from a bank; intercept, cancel, and reroute payments; gain access to sensitive financial documents that include personal identifiable information (PII) or trade secrets.
Another popular form of the phishing email is where an attachment is included—it might claim to be an important form or record of a transaction. Curious users will click on the file to open it, believing their anti-virus is protecting them. AV programs don’t catch everything, however, and the PDF the user just opened might include malicious code that will grant cyber criminals full access to their system. New forms of phishing leverage software include automation to steal cryptocurrency. We talk a bit more about phishing and spear phishing in an earlier post; you might want to check it out.
The Scary Cost of Phishing
- Successful phishing attacks can cost a company between $1.5 and $3 million.
- The average cost of a cyberattack to a financial firm versus other firms is somewhere between 50% and 100% more than the average firm—ranging between $2.25M and $6M per an attack.
- The number, size and cost of attacks are growing with each year.
Further consider the impact of a breach on your customer base. Studies show:
- One of three customers will leave a company that has been breached.
- 60% of potential new customers are less likely to do business with a company if they have been breached in the past.
Those are some very real and very depressing numbers. This is why many firms—especially newer/smaller firms—will go out of business or lose a substantial amount of value after a breach.
Keep Your Employees from Being Netted by the Phishers
With 1.5 million new phishing sites being created each month, new phishing scams being logged with increasing regularity, and increasing ways people can manage their finances digitally, the cyber risk to financial firms is only going to continue to grow. What can FinSec specialists do to help stave off the attacks and better protect their companies?
Be sure your teams are educated on the ongoing and recent trends in phishing. Threat Watch is an excellent resource for keeping abreast of recent trends in cybercrime.
LinkedIn is Great for Networking but Also for Hackers
Spear phishing attacks are part technology and part social engineering. Hackers who carry out successful spear phishing attempts are targeting specific individuals or specific groups of individuals. These threat actors will scour the internet, including LinkedIn, to gather key pieces of information about an organization in order to help their chances of a successful attack.
With the information the hacker can gain from the company’s LinkedIn page and the pages of employees attached to that profile, it is easier for them to masquerade as a co-worker, supervisor, or even vendor. A spear phishing email will often contain some basic information, perhaps a spoofed email address, and request that someone review a document, change a password, or verify sensitive information. Some hackers are exceedingly charismatic—not the hooded dark figure made popular in various magazines and movies—and will use the same information over the phone, or even in person, to gain access.
Who are Ideal Candidates?
The reality is, depending on the organization, virtually anyone can make for an ideal target for a phishing or spear-phishing campaign. The non-tech savvy branch manager or teller can click on an attachment that creates a backdoor on their system which allows the hacker or software to perform lateral movement, privilege escalation, and other events. The end user doesn’t even realize this is happening.
The receptionist could grant building access to a hacker masquerading as a seemingly legitimate vendor dropping off donuts—long enough for them connect a physical hack to the network before slipping away undetected.
The recently hired employee may be eager to please and prove themselves in their new role, providing information where they believe they are helping before realizing it is too late.
Hackers could impersonate an employee who recently left the company and could send an email from an off-network account to ‘refresh their memory’ or ‘finish work’ they meant to do before they left. Anyone and everyone is a good target for a hacker if the hacker can accomplish his/her goal.
Some Cyber Attacks Seem Harmless, but Aren’t
Spear-phishing attacks are part of any good hacker’s toolkit. Often, they are used to test the level of security—and thus the difficulty of breaching—a target. Attackers will send emails masquerading as CEOs and VPs, for example. Those emails will appear rather innocuous. They will have simple subject lines and messages, like “Big plans for the weekend?” or “Where should we hold the next company picnic?” There is no link and no file in these emails. Some might ask for a phone call or an email reply. Based on the number of replies the hacker gets, they can a) determine how easily their emails got through and b) how easy it was to engage potential targets. A lot of replies to a bogus email means an easier target.
Advance Cybersecurity Initiatives Against Advanced Cybersecurity Threats
There is no end to the onslaught of spear phishing, phishing, and other cyberattacks against employees at financial firms and other organizations. The creativity and brazenness of hackers continues to grow. Even splitting up large threat actor groups only seems to cause a surge in various splinter groups that can prove even more difficult to catch and defeat.
Rule-based filters from traditional anti-spam, anti-virus, and endpoint protection platforms (EPP) will get you only so far in trying to secure your organization. It is also important to remember to update those filters frequently as new attacks are discovered almost daily. Make sure every employee at your organization knows the critical role cybersecurity plays in keeping your data secure and how each of them are the gatekeepers of that data. Provide up-to-date training for all employees in the basics of cybersecurity. For those specialized roles, such as the receptionist, provide one-on-one training to make sure he/she knows what to look for.
Financial firms face some of the most frequent and advanced attacks in the world today, and this is only going to continue to grow. The right security solutions that can detect threats based on signal, behavior, activity, etc. is going to play a major role in enhancing your security posture. Having the right team at the helm of those systems is another important aspect. In short, to improve cybersecurity for financial firms, you need to have the right technology, the right team, implemented in the right way—and the ability to constantly, consistently iterate.