No one will be shocked if we tell you that cyber-attacks on banking and investment institutions are on the rise.
Finance is the cyber rogue’s favourite. It’s where the money is. Simple as that.
What’s less obvious is how rapidly the range of threats is evolving, even while the number of attacks spikes upward.
Despite some sharply negative market reaction to high-profile hacks, and big investments in the latest cyber kit, the financial services industry still accounts for 35% of all data breaches.
That earns it the dubious honour of ‘most-breached sector’.
You can be sure that the negative publicity around data theft and the dodgy IT systems big banks are saddled with have kept minds focused, but the sector’s security problems are getting worse.
Banking breaches are a growth industry
According to UK law firm RPC, the number of successful attacks on UK financial services firms rose by 480 per cent last year, up to 145 from just 25 in 2017.
Retail banking saw the biggest increase, rising to 25 last year from only one in 2017.
Cyber criminals have clearly seen an opportunity and they’re targeting bank accounts in ever greater numbers. With a growing number of alternative challenger banks like Monzo and Starling nipping at their heels, breaches could cost high street banking institutions lost customers.
Consumers already rate banks and others on how well or poorly they protect personal data. They will quickly abandon a brand following a major security incident.
Seven UK banks were forced to shut down their systems last year after attacks that cost hundreds of thousands of pounds to fix. Some of the biggest names were affected, including RBS, Santander and Barclays.
For a highly regulated industry like financial services, the penalties can be immediate. Tesco Bank, for example, was fined £16.4m last year by the FCA after a cyber attack led to £2.26m being taken from personal current accounts.
The risks however go beyond hacked current accounts. RPC’s research also shows that cybercriminals are targeting investment firms, believing their cybersecurity readiness is even weaker than retail banks.
The financial stakes are potentially much higher. The data they hold on M&A deals, for example, could be used for insider trading. The US Securities and Exchange Commission is already investigating insider dealing cases that relate to cyber breaches.
A changing threat landscape
Cybercrime groups are perfecting new infiltration techniques to get at the customer and proprietary data held by financial institutions. The arsenal of tools is expanding, and they’re looking for new targets.
According to Kaspersky, cybercriminals are still very focused on banks, but are also identifying vulnerabilities in the systems of fintech companies, cryptocurrency exchanges, point-of-sale terminals, and ATMs.
Fintechs and crypto exchanges are thought to be vulnerable because their systems are new and ‘immature’ in cybersecurity terms. For everyone else, some familiar attack vectors continue to be effective:
Whenever there’s a large-scale data breach, much of the hijacked personal information finds its way onto the dark web. It’s then traded and appended to data acquired from other breaches. Once all the dots have been connected, cybercriminals can clone the identity of individuals and take over their financial accounts. It’s now a reality that whenever a customer creates a new bank account online, banks need to question whether they are who they claim to be. A report by Javelin Research found that social media users had a 30 percent higher risk of fraud because of data exposure.
Synthetic identity theft occurs when criminals create a fictitious identity using various pieces of real and fabricated information — such as a National Insurance Number, date of birth, address, phone number and email. The immediate victim is the bank or lender, but the person whose credentials have been misused will have to deal with the impact of the fraud. According to reports in The Wall Street Journal, a record $355 million in outstanding credit card debt is now owed by people who don’t actually exist.
Authorised Push Payment Scams (APP)
An APP scam is where a customer is tricked into making a financial transaction with a fraudster posing as someone else. The attack uses social engineering tactics as well as email. The victim will typically receive an invoice for a service they use, which they unwittingly pay; the money, however, ends up in the criminal’s account. UK banks’ ‘Faster Payments’ system has actually facilitated this kind of scam – the fraudster receives the cash quickly, then moves it and disappears.
Kaspersky says more than a third of phishing campaigns target the financial sector. Banks and other financial institutions hold our money and provide us with credit. This trusted relationship is used by cybercriminals to trick customers into revealing login credentials, payment card details, and other personal data.
How the industry should fight back
Human error – like clicking the link in a well-crafted phishing email – enables more breaches than it should. But even the best scams have telltale signs that are detectable when people have been taught to spot them.
As the financial world continues to get to grips with cyber risk, firms can build more resilience into their defence posture with effective security training and by creating a culture of security awareness.
Banks and cyber-thieves are locked in a long-term struggle where the weapons and tactics change monthly. Unless someone invents a box that finally makes devices and networks impenetrable, treating cyber risk as a daily management challenge – and enlisting your own people to help – is the safest route to secure systems.
Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.