Phishing attacks are not always obvious, and human error can be exploited to great detriment in banking and financial services

The financial services sector remains one of the top targets for cybercriminals. Scammers extract morsels of personal information and use this to trick financial services employees using phishing tactics, and this remains the top way financial services businesses are initially breached.

Thanks to long-term investment in IT and strict regulation, financial services firms are among the most cyber-mature organizations. Despite this, the financial services sector’s threat level remains high. Cyber skills gaps and human error, particularly in larger and emerging organizations, are the highest reported causes of data breaches.

Despite all of the training and investment in cybersecurity protection in banks and financial services, employees are still a risk due to human error and they are still one of the weakest links that attackers exploit because of this.

Once a breach has happened, attackers can often take advantage of other major data breaches containing digital identity such as the recent Medibank hack, which included details of almost ten million Australians to build profiles to try and trick customers of other financial services firms.

In May, Indonesia’s biggest Islamic lender Bank Syariah Indonesia (BSI) suffered a data breach, which one cybersecurity expert said was the country’s worst at a financial institution, which allegedly resulted in the account details of 15 million customers being published online. The BSI attack was the latest in a series of leaks at Indonesian companies and government agencies in the past few years.

Cybercriminals that use methods including extortion, scams and crypto theft are the biggest threats to financial services companies, ahead of nation-state actors, insiders or hacktivism, in terms of the frequency and impact of incidents.

Geoff Schomburgk, Asia Pacific Vice President at Yubico

Most people are now aware of the existence of phishing attacks and the significant impact they can have, and a lot of financial services companies are now providing advice to teach their customers and employees how to spot malicious emails and messages.

That said, scammers are evolving ever more sophisticated techniques and will still succeed if nothing is done to keep users and businesses secure from these attacks. Relying on the vigilance of the employee alone is simply no longer good enough. With the sheer volume of scam activity, even a one percent success rate in fending off attackers can result in a significant financial gain.

Industry regulators are doing their best to stay on top of the new cyber risks. For example, the central bank for Malaysia, Bank Negara Malaysia (BNM), has made updates to its Risk Management in Technology Policy, to reflect the new cyber resilience requirements, including financial institutes continuing to strengthening the management of third parties. Last year BNM also issued further guidance on cloud technology risk management, of which section eight recommends the use of incorporating modern MFA tools like security keys that use strong cryptography at scale to add another layer of protection.

Identifying a phishing attack

Phishing attacks are not always obvious. In fact, most people have no idea that they have been phished or that credentials have been successfully intercepted. This is because there are convincing emails or messages sent to them, such as those that request users to log in or reset login details on sites that look legitimate – but are not. What is surprising is that financial services businesses take an average of 233 days to detect and contain a data breach, according to the 2021 Data Risk Report by Varonis.

Receiving a PIN or passcode via text message, or a username and password are behaviors that are highly susceptible to phishing attacks, man-in-the-middle (MiTM) attacks and account takeovers. They do not offer the best user experience and they also do not offer phishing-resistant MFA like security keys. Modern phishing attacks can also compromise widely used mobile authentication methods.

The Aberebot Android banking trojan returned in 2022 under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes. The new features also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft. The main goal of the trojan is to steal enough information to allow the threat actors to take over victims’ bank accounts, siphon available balances and perform unauthorized transactions.

Despite the ever-increasing volume of cyberattacks, many financial services organizations are still using legacy authentication methods, such as passwords or mobile-based authenticators, to secure access to sensitive applications and data. As we have learned over the past two years and as the phishing methods used by cybercriminals become more sophisticated, these methods are leaving businesses and banking customers vulnerable.

A phishing-resistant MFA strategy aligned with Zero Trust in financial services

Now is the time for all organizations to create a phishing-resistant MFA strategy that recognizes the Zero Trust approach to security as well as cost and user experience – including implementing modern MFA tools like security keys. Whether a company is already using mobile authentication or is actively considering authentication solutions to align with its Zero Trust strategy, it’s essential to understand that MFA is a spectrum and that not all MFA is created equal.