All organizations providing financial services such as banking, investment, and insurance constitute financial institutions. Financial frauds and identity thefts in such institutions have increased significantly with the digitalization of the sector. Today, financial institutions are among the top targets of phishing and other cyber threats.
The graph illustrates that the financial industry is among the worst hit by phishing scams of all sectors. Regardless of the security shields established by such institutions, phishing attacks keep targeting banking organizations, including their employees and customers.
Some Major Phishing Attacks On Financial Institutions
Phishing and Business Email Compromise (BEC) techniques have successfully lured financial institutions’ employees and customers into giving out confidential information in the past and continue to do so even today. Following are some recent phishing incidents that have successfully robbed financial institutions by the millions:
- The BetterSure Attack (October 2020): This attack on the South African home insurance company affected over 4000 clients. The malicious actors had used a phishing email to compromise an internal BetterSure email.
- The Norfund Attack (May 2020): This attack on Norway’s state investment fund used BEC to access and monitor the email system of Norfund and steal over $10 million.
What Makes Financial Institutions An Easy Phishing Target?
Here are the main reasons why financial institutions are a favorite phishing target of malicious actors.
- Digital Banking: The financial institutions embrace digitization, but cybersecurity awareness isn’t maintained at the same pace. Digitally storing and transferring funds is convenient and time-efficient, but it has also increased cyber risks.
- The COVID-19 Pandemic: Besides affecting lives, the Coronavirus Pandemic has also exposed organizations in every field to increased cyberattacks. The financial industry is not an exception. The Fidelity National Information Services (FIS) in April reported a 32% rise in credit and debit card fraud as compared to the same period in the last year.
- Phishing Kits: Phishing kits are readily available to launch attacks with a reduced risk of being detected. They are available as a service and come ingrained with tutorials and community chat rooms for malicious actors to exchange notes, user support, etc. It has led to phishing replacing malware as the most rampant form of attack in the financial industry.
- Fake Banking Apps: A study by the cybersecurity firm ZeroFOX reveals that over 1500 fake mobile banking apps were discovered in 2019. These fraudulent applications impersonate legitimate apps’ interface to steal account details from the unsuspecting users’ devices.
How Can Financial Institutions Thwart Phishing And Other Cyberattacks?
The following are the methods and practices that can help in phishing protection and other cyberattack mitigation.
Some of the most harmful spoofing and BEC attacks use compromised email addresses of internal staff members to make other employees give out confidential data. However, an email authentication system can ensure the blocking and reporting of such emails from unsolicited senders. Sender Policy Framework (SPF) is one such email authentication system that restricts all emails from senders or IP addresses not authorized by the financial institution’s DNS record.
Employees must be trained to look for errors in an email body, such as typos and grammatical mistakes or unusual language and salutations. They must also prudently assess the pertinence of an email before blindly following its instructions. Even customers must know that not all email addresses and logos embedded in emails are the dedicated representatives of their bank or insurance provider.
Efficient IT Management
While large-scale financial establishments claim to spend millions every year on cybersecurity, other financial institutions don’t even have an IT department! Efficient cybersecurity management is a must for the financial industry to ensure regular updates, patch management, protective software, and the right damage-control steps when a cyberattack targets a financial institution.
Multi-factor authentication is a useful yet oft-neglected security measure that financial institutions and their customers must adopt. It ensures that at least two password-protection layers secure their bank accounts, confidential data, and financial assets.
It’s ironic to advise financial institutions to invest in insurance, but cyber insurance is an indispensable cost that all banking and other financial institutions must bear to avoid losing the trust of their customers and long-term financial losses. Cyber insurance enables a banking organization to cope with the expenses of restoration and risk management costs.
Employee Awareness And Training
Despite doing all the above, a lack of cyber awareness will probably make employees fall for the phishing emails that make it to their inbox. It is imperative to train employees in cybersecurity because malicious actors use sophisticated phishing techniques. They would possibly go undetected through security shields such as SPF and anti-spam protection; hence employees must be proactive and vigilant to spot a scam the moment they come across it.
The financial institutions make extensive use of MS Office applications. However, there are security loopholes in them, such as the ‘mail merge’ feature of MS Word that enables malicious actors to introduce their code in a system and take full control of it. They can create a fake Word document or spreadsheet and attach it to phishing emails. Software customization techniques can instruct such programs to accept only signed files or those from trusted sources.
The financial industry is the backbone of an economy, and hence a cyberattack on it can have unimaginable implications. Malicious intrusions like phishing can be detrimental to all stakeholders. Therefore, adequate safeguards and mitigation measures such as those mentioned above must be practiced to ensure better protection from phishing and other cyber risks targeting the financial sector.