In 2023, cybercrime keeps generating news headlines, with villains inflicting trillions of dollars in damages globally every year. An ever-present threat to individuals and organisations, malicious cyber-attacks are increasing in number and sophistication.
What kind of organisation makes an attractive target? Any that holds valuable data and is undergoing rapid digitisation, where cloud adoption and users accessing systems from anywhere, at any time, leave that data more exposed.
Banks and other financial institutions are right in the middle of that space. They offer criminals high impact and serious profit potential through their vast stores of sensitive data.
Recent data shows the financial sector experienced the second highest number of data breaches in 2022, globally, surpassed only by government.
According to the EY/IIF survey released early 2023, 72% of global Chief Risk Officers view cybersecurity in banking as the top year-ahead risk, based on survey data from 88 banks across 30 countries.
Bank customers need to believe they won’t have their funds plundered by hackers or their identities stolen and on-sold to other criminals.
When an organisation is compromised, the risk of irreparable reputational damage is huge, on top of the risk to resources and the bottom line: mitigation is costly and time-consuming.
Cyber incidents can also lead to regulatory penalties or other legal action by customers.
In March 2021, 1.5 million customers of US-based Flagstar Bank were affected by a ransomware attack, with customer names, phone numbers, social security numbers and tax records stolen and published. The bank paid $5.9 million in out-of-court settlements after the incident. In June 2022, Flagstar disclosed a second data breach that had leaked the personal information of 1.5 million customers the previous December.
As institutions navigate the risks and challenges, it’s imperative they stay abreast of existing and emerging trends in online banking security. These five are most likely to cause the most harm to financial institutions in 2023.
Emails are traditionally the most common form of phishing, but today attacks have spilled over into text, voicemail and messaging platforms. Phishers use various channels of contact to attack, but the common denominator is the manipulation techniques used to deceive individuals into providing sensitive financial information.
They may persuade the recipient to click links to a malicious site or open infected attachments. Interacting with the links or attachments triggers the installation of malware on the user’s computer system or loads a counterfeit web page set up to harvest login credentials.
Global consortium and fraud prevention group the Anti-Phishing Working Group recorded a total of 3,394,662 phishing attacks in the first three quarters of 2022. When criminals target a high-profile individual or organisation, it’s often called ‘whaling’.
Bank employees and customers are both at risk of phishing. Malicious agents may send customers emails that look like legitimate bank correspondence, hoping to steal financial information or login credentials; or they may target bank employees, again, to get customer credentials and gain access to an institution’s internal network. In all these instances, email addresses and domains are artfully disguised and the messaging can be very convincing.
Phishing, like all cybercrime, is evolving year on year. Emerging financial technologies often have gaps in their armour that criminals are quick to leverage. One of the newest iterations, for example, exploits Buy Now Pay Later (BNPL) services.
It’s a scenario that strikes fear into the hearts of the most experienced IT personnel. Suddenly, an organisation’s sensitive files are encrypted by malware, users are locked out, and the system is crippled for an extended period as criminals demand money to restore it. Often they threaten to publish subsets of the data on criminal forums until the ransom is paid.
In 2022, ransomware attacks surged dramatically, involved in 25% of all cyber breaches, according to Verizon’s Data Breach Investigations Report.
Australia’s federal government named ransomware “the most serious cybercrime threat to Australia, creating significant risks for both governments, businesses and individuals.” In January 2022 alone, over 487 reports of malware and ransomware attacks were made to the Australian Competition and Consumer Commission.
Ransomware has been used to infiltrate organisations around the world for years, from financial services to healthcare. And attacks are only getting smarter and more malicious, hitting bigger targets and extorting bigger sums.
Again, because banks deal with a lot of sensitive information, they’re a key attraction for ransomware groups. Paying the ransom isn’t guaranteed to get the desired result either – the data may be lost for good. This could result in the exposure of a bank’s customers’ sensitive financial data on the dark web. Also, because financial institutions are heavily regulated, there could be regulatory penalties: banks are expected to show exemplary cyber breach resilience.
Such advanced threats demand the most modern cybersecurity defensive tactics. Behavioural analysis, AI and machine learning are being used more and more as online banking security needs evolve.
The escalation in remote work and hybrid workforces has grown out of necessity through the pandemic, but many employees of financial institutions have continued to stay home because they prefer it.
In the US, Gallup research found that as of June 2022, of those people whose jobs can be done working remotely:
five in 10 are working hybrid (part of their week at home and part on-site)
three in 10 are exclusively working remotely
two in 10 are entirely on-site
In the UK, the proportion of hybrid workers rose from 13% in early February 2022 to 24% in May 2022. In that same period, the proportion of homeworkers planning to work mostly from home rose by 12%.
This means millions of employees are using their own equipment, their home Wi-Fi and IT networks, or in some cases Wi-Fi in a café or shared workspace. Any of these may be poorly configured.
When systems and networks are no longer controlled by the organisation, it makes it harder for IT teams to keep internal software safe, and so much easier for a bad agent to infiltrate a bank’s system. For the financial sector, this has created more potential cybersecurity vulnerabilities than ever before.
Extra vigilance is necessary. Employees need to be aware of what to look out for and how to stay safe in their remote work environment.
Following logically from threat number three – when you have a global workforce increasingly working remotely at least part of the time, it makes complete sense that banks would continue to move their software systems, assets and data into the cloud. It’s a huge business benefit to have cloud servers giving access to a company’s applications, files and resources from anywhere in the world.
But this mass migration to public cloud is also a huge vulnerability, opening up single points of failure, with cloud adoption often outpacing security, compounded by the fact that cloud computing software is supplied by just a handful of companies.
The Bank of England referenced a prior warning from the Bank and the Financial Conduct Authority when it described the market for cloud services as “highly concentrated among a few cloud service providers (CSPs), which could pose risks to financial stability”.
Cybercriminals have, unsurprisingly, ramped up cloud-based attacks in response to this global trend. Even if an attacker only gains access to a small portion of a financial institution’s customer data, they can do real damage with it.
Banks need to ensure that their cloud infrastructure is configured securely to protect from harmful breaches. They also need to regularly review and improve their security procedures.
Even if a financial institution does have cloud storage programs with strong security measures embedded, human error can still open the door to malware and online scams, which can result in a cloud-storage breach.
That could be as simple as staff being lax with their passwords or creating weak credentials. Staff education is essential to prevent this.
One of the biggest threats to banking and finance, and one of the most established, is social engineering. It overlaps with the phishing and whaling attacks outlined above, employing emails and other communication channels to trick people into giving away their sensitive information or login credentials. Social engineering manipulates the recipient psychologically rather than through technology itself.
Some actors prey on fears and insecurities, causing recipients to lower their guard and let a hacker into their system. Others make them feel they need to act urgently to help someone in need or take advantage of a too-good-to-be-true opportunity.
Customers aren’t the only targets – employees can be weak links in the security chain. As examples, bank staff may be sent spoofed invoices that purport to be from a trusted vendor; or a bogus email apparently sent from a staff member to payroll might ask them to change direct deposit details.
Some emails are obviously fake with spelling mistakes and clumsy URLs; others look legitimate. It’s important to keep employees informed about social engineering tactics and how these threats continue to evolve.
Of course, those five are not the only potential threats when considering a cyber security posture. And more are being invented all the time. Cybercriminals are constantly looking for new ways to break in.
And sadly, we’ve arrived at a world where Crime-as-a-Service is thriving. If you’re a low-level cybercriminal, you can go online and buy sets of stolen credentials, credit card numbers, phone numbers, phishing kits, malware and other tools to carry out attacks.
On the bright side, the financial sector is one of the most highly-regulated industries worldwide, which has substantial benefits for cyber security. Those regulations were written to protect sensitive customer data through specific security controls and processes.
But developing and implementing minimum security standards through a regulatory compliance strategy is just the first step.
Securing a bank’s systems against cyber threats is a long-haul program of preventative planning, addressing processes, engineering and technology. It involves analysing the emerging threat landscape and how it will evolve, in many cases partnering with other organisations and security partners who offer managed services. As referenced above, there must also be continuous security awareness training for employees.
At Sandstone Technology we take cyber security very seriously, and maintain a strong security posture in our own processes and protocols in line with our Information Security Management framework, staying up to date and following the advice of national cyber security bodies.
We advise our customers to seek independent advice as they review their online banking security processes and policies. The following national cybersecurity bodies may offer further assistance and advice.
Australian Cyber Security Centre
National Cyber Security Centre UK
National Cyber Security Centre New Zealand