The financial sector is in many ways synonymous with cybercrime; after all, it’s all about the money. Fraud, bank account theft, money laundering, personal data breaches, and terrorist funding are some of the attack types affecting financial institutions. The financial sector is a critical infrastructure and, as such, is a prime target for cybercriminals. This is borne out by the fact that, according to the Financial Conduct Authority (FCA), there was an 80 percent increase in cyber-attacks against financial institutions in 2017. The recent report “2017 Cost of Cybercrime Study” by Accenture and the Ponemon Institute found that financial services had higher costs associated with cybercrime than any other sector. Analysts at Javelin showed that bank customers lost $16.8 billion in 2017 due to identity fraud and other fraudulent activities. In the UK, the figure for financial losses due to fraud stands at £705.7 million for the first half of 2018 alone.
The many facets of financial cyber-attacks have revealed themselves over the years. Going back over the last five years, we have seen serious incidents hitting the financial sector. This includes the data breach in 2017 at payday lender Wonga, which affected 270,000 people. The exposed data included personal information and bank account numbers. One of the biggest attacks of recent times was also in the financial sector: the 2017 data breach of the credit reference agency Equifax. The attack, which affected over 146 million people, 15 million of them in the UK, resulted in a large share price drop for Equifax. It also saw Equifax fined £500,000 in the UK – the maximum amount before the GDPR was enacted in 2018.
The financial sector has many worrisome cyber-attack types to deal with. In our next section, we will look at some of these in more detail.
Cyber-attacks and the Financial Sector – A High Price to Pay
The following attack types are prevalent in the financial sector. However, this list is by no means exhaustive.
Phishing: Over one-third of phishing campaigns target financial sector customers, according to Kaspersky. Banks and other financial institutions are trusted brands. They hold our money and give us loans and mortgages. This means we have an ongoing relationship with them. This trusted relationship is used by phishers to trick customers into revealing login credentials, payment card details, and/or personal data.
Account takeover and identity theft: Social engineering is the mainstay of account takeover and identity theft. Bank accounts, loans, and other financial accounts can be opened by a fraudster using stolen personal data. As well as methods such as phishing, social media is being increasingly used to harvest the data needed to steal someone’s identity and use it for fraudulent means. In a report by Javelin Research, they found that social media users had a 30 percent higher risk of fraud because of data exposure.
Malware and account theft: Banking trojans were at an all-time high in 2018. TrickBot is one of the latest variants of this type of malware. This banking trojan targets small to medium size companies, including those in the UK. Once installed, the malware steals personal data and banking login credentials.
Endpoint and ATM security: Earlier this year, the FBI warned of a global attack centering on ATMs. The scam was known as the “ATM cashout scheme”. The scam involved making clones of cards – similar attacks have happened on other occasions. Banks took precautions, but in the end, banks in Canada, India, and Hong Kong lost around $13.5 million. ATM scams are common. In the UK, losses due to counterfeit cards reached £24.2 million in 2017, but the numbers of these types of attacks are decreasing, being replaced by socially engineered threats.
Authorised Push Payment Scams (APP): UK Finance recorded APP scam data for the first time in 2017. They found that 43,875 incidents of APP scams, with gross losses of £236 million, were reported that year. (11) An APP scam is where a customer is tricked into making a financial transaction to someone they think is legitimate but who is, in fact, a scammer. The attack method is social engineering at its most sinister, sometimes augmented with email hacking. The victim will typically receive an invoice for a service they use, which they unwittingly pay, the money going into the scammer’s account. The use of ‘Faster Payments’ to speed up transactions is allowing the crime to be successful – it is like a modern-day hit and run.
Tips to Prevent Cybercrime Impacting the Finance Industry
Tip #1: Provide security awareness training: Security awareness training gives your employees, and your wider customer base, a good grounding in cybersecurity threats. As an internal measure, security awareness training should be mandatory for your entire employee base, including consultants and other contractors. Training should be an ongoing concern. With proper training, including phishing simulation exercises, employees will be able to more easily spot phishing emails and avoid accidentally exposing credentials and other data. IBM state that cybersecurity awareness training should be seen as a high priority. However, you should also make it a priority to educate your customers about current threats and scams too.
Tip #2: Brand protection: The trust formed around a bank’s brand is used in a nefarious manner by cybercriminals. In a phishing campaign, this brand is hijacked to take advantage of the trusted relationship between bank and customer. Protecting the bank’s brand from phishing not only protects your customers’ finances but it also helps to prevent reputation damage. Brand protection is part of a holistic and multi-layered approach to security and involves monitoring and detection of fraudulent websites, apps, and social media accounts.
Tip #3: Ensure robust security measures: Security measures can help to prevent certain aspects of cyber-crime. For example, email hijacking is sometimes used in APP scams. Encourage your customers to use robust email authentication, in particular second-factor authentication, wherever possible.
Tip #4: Multi-factor and risk-based authentication: The 2014 cyber-attack on JP Morgan bank in the U.S. affected 76 million customers. The hack was found to be caused by the malware-infected machine of an employee. Passwords were stolen, and because no multi-factor credential was in place, the password alone was enough for the hacker to gain access to customer data. Multi-factor and risk-based authentication should be mandatory, especially for users with privileged account access. In addition, Tip #1 – security awareness training – may have helped to prevent the malware infection in the first place.
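As an added illustration of the risk-based authentication that Tip #4 calls for (example code written for this article, not taken from any bank's systems), the policy below scores a login from a few signals and always demands a second factor for privileged accounts, regardless of score. The signals, weights and thresholds are constructed assumptions; a real deployment tunes them from its own fraud data.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_second_factor"
    BLOCK = "block"


@dataclass
class LoginAttempt:
    user: str
    privileged: bool            # employee/admin with customer-data access
    known_device: bool          # device fingerprint seen before for this user
    country: str                # country of the current login
    last_country: str           # country of the previous successful login
    hours_since_last_login: float
    failed_attempts_last_hour: int


# Constructed weights and thresholds (assumptions for illustration only)
WEIGHTS = {
    "new_device": 30,
    "new_country": 25,
    "impossible_travel": 40,
    "failed_attempt": 15,       # per failed attempt beyond the first
}
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 80


def risk_score(a: LoginAttempt) -> int:
    """Sum the weighted risk signals present in one login attempt."""
    score = 0
    if not a.known_device:
        score += WEIGHTS["new_device"]
    if a.country != a.last_country:
        score += WEIGHTS["new_country"]
        # A country change within two hours of the last login is implausible
        if a.hours_since_last_login < 2:
            score += WEIGHTS["impossible_travel"]
    if a.failed_attempts_last_hour > 1:
        score += WEIGHTS["failed_attempt"] * (a.failed_attempts_last_hour - 1)
    return score


def decide(a: LoginAttempt) -> Decision:
    """Allow, step up to a second factor, or block, based on score and role."""
    score = risk_score(a)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    # Privileged users always present a second factor, even on a clean score
    if a.privileged or score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW
```

The JP Morgan case above maps to the privileged branch: a stolen password on a known device and usual location scores 0, yet the policy still refuses to let it through without a second factor.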
Cybersecurity: A Balancing Act?
Financial institutions are a natural target for cybercriminals. A bank or other financial organisation is like a honeypot to a wasp; cybercriminals will use every trick in the book to get at that honey. We must begin to fight back by recognising that modern cybersecurity threats often begin by tricking a human being. Phishing, identity theft, and APP scams can all be prevented through awareness. But, the security awareness programs that we implement must extend to all, including our customer base – education is a powerful tool in a cybersecurity threat surface based on manipulation.