Five ways threat actors attack banks and financial institutions.
By Erich Kron
According to the International Monetary Fund, cyberattacks against the banking and financial services industry are increasing exponentially. The threat level is so severe that the IMF is warning it could lead to a banking collapse.
Threat actors covet financial firms for their highly active stores of sensitive personal information — customer data, bank account information, payment and transaction records, etc. The sector is also a major draw for hacktivists and state-sponsored attackers seeking to disrupt economic activity and cause financial instability. Over the past 20 years, the financial sector racked up $12 billion in losses due to cybercrime.
Top attack vectors used by cybercriminals to attack financial organizations include:
Phishing / Social Engineering: Because of their simplicity, low cost and high scalability, phishing and social engineering tactics are overwhelmingly the most common methods used to deceive, defraud or scam banking customers. Customers often fall victim to fake calls and messages, or unknowingly visit deceptive websites that appear legitimate. The false promise of attractive returns is another tactic: U.S. consumers lost $4.6 billion last year to investment scams. Hackers set up phony websites and send phishing emails to lure individuals into providing their login credentials. Once initial access is gained, hackers enter the commercial banking system, exploit vulnerabilities and carry out fraudulent, unauthorized transfers and transactions.
Ransomware: A common theme in the financial sector: threat actors (such as LockBit) encrypt systems, steal sensitive information or halt banking operations, then leverage the result as an extortion tactic. 64% of financial organizations suffered a ransomware attack in 2023, up from 55% the year before. In 81% of the cases, organizations had their data encrypted, while in 25% of cases data was both encrypted and exfiltrated. Ransomware is obviously a symptom, not a root cause; ransomware attacks primarily originate from exploited vulnerabilities (40%), compromised credentials (23%) and phishing (33%).
Distributed Denial Of Service (DDoS): As geopolitical tensions rise, state-sponsored attackers are increasingly using DDoS attacks to disrupt financial systems and spread fears of economic uncertainty. When banking systems become unavailable, it can lead to widespread chaos. According to a report by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Akamai, cybercriminals use DDoS attacks as part of a layered attack pattern (for example, combining ransomware and DDoS, a.k.a., RDDoS) or as a decoy to divert organizational resources while bad actors carry out another attack in parallel. From 2022 to 2023, the FS-ISAC reported a 154% increase in DDoS attacks.
Third-party Attacks: Like all businesses, financial firms rely on numerous third parties for software, support or services, and this has critical implications for cybersecurity. For instance, a data breach at Infosys McCamish Systems exposed sensitive information (names, Social Security numbers, financial account information, addresses, and dates of birth) belonging to Bank of America customers. Similarly, a critical vulnerability in the MOVEit file transfer tool led to breaches at First National Bankers Bank and 1st Source. The finance sector currently holds the second-highest share of third-party breaches.
Vulnerability Exploitation: Weaknesses in software or hardware components can be exploited by threat actors to infiltrate organizations. For example, most banks that use Java-based applications are knowingly or unknowingly vulnerable to the Log4j vulnerability. Threat actors can weaponize this vulnerability to install backdoors, trojan horses and malware such as Dridex. According to IBM, 31% of cyberattacks in the finance and insurance industry can be attributed to vulnerability exploitation.
How Can Banking And Financial Services Organizations Mitigate These Threats?
- Policies / Procedures: Organizations should make a concerted effort to enforce cybersecurity protocols, procedures, and rules that employees must follow. This includes practices like safe browsing, using strong passwords, regularly patching systems, and avoiding shadow IT. Establish clear procedures for reporting phishing attempts and responding to security incidents.
- Employee Training: Phishing and social engineering are possibly the biggest threats to financial institutions and their customers. It’s extremely important that employees undergo regular training and are subjected to simulated phishing tests on a weekly or monthly basis to develop mindfulness, security instinct and muscle memory.
- Multi-layered Security Controls: Most cyberattacks are multi-staged. Each stage of the attack therefore presents an opportunity for early detection. By deploying multi-layered controls such as firewall, intrusion prevention system, secure web gateway, multi-factor authentication, encryption, and data leakage prevention, organizations can improve their chances of detecting the threat and reducing damages.
- Prioritizing Data Collection and Reporting: Data collection and reporting of cybersecurity incidents helps analyze, judge and improve the success of cybersecurity initiatives. Post-incident data collection is also helpful for forensic processes. Additionally, sharing and reporting incident learnings amongst employees improves collective awareness, preparedness and resilience against incidents and fosters a stronger culture of cybersecurity.
- Third-party Risk Management: To reduce third-party risks, organizations must gain better control and visibility over their third-party ecosystem. This means reviewing and scoring vendors, suppliers, third-party software and service providers regularly, based on their risk exposure, and maintaining a software bill of materials (SBOM).
- Frequent Patching: Unpatched vulnerabilities or outdated software patches are some of the biggest root causes of ransomware incidents, plus they make the organization an easy target. It’s important that organizations prioritize software updates and patching so that these vulnerabilities are not exploited or abused by threat actors.
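As an added illustration of the SBOM practice and the patching point above (and of the Log4j exposure described earlier), the following script is not from the article or from KnowBe4: it reads a constructed CycloneDX-style SBOM and lists every component shipped below the version a vulnerability feed treats as fixed. The SBOM contents and the 2.17.1 threshold for log4j-core are assumptions standing in for a real advisory feed.

```python
# Added example (not from the article or KnowBe4): scan a CycloneDX-style SBOM
# for components shipped below a known-fixed version. The SBOM and the fixed-
# version table are constructed for this demo; the 2.17.1 threshold for
# log4j-core is an assumption standing in for your real vulnerability feed.
import json
import re

# Constructed: a minimal CycloneDX-style SBOM such as a vendor might deliver.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"}
  ]
}"""

# Constructed advisory table: Maven coordinate -> first version treated as fixed (assumption).
FIXED_VERSIONS = {"org.apache.logging.log4j:log4j-core": "2.17.1"}


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1), so versions compare numerically rather than as strings."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)  # leading digits only; suffixes such as '-rc1' are ignored
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_below(version: str, fixed: str) -> bool:
    """True if `version` is older than `fixed`; pads so 2.17 compares equal to 2.17.0."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_exposed(sbom_json: str, fixed_versions: dict) -> list:
    """Return [(coordinate, shipped, fixed)] for every component below its fixed version."""
    exposed = []
    for comp in json.loads(sbom_json).get("components", []):
        coord = f"{comp.get('group', '')}:{comp['name']}"
        fixed = fixed_versions.get(coord)
        if fixed and is_below(comp["version"], fixed):
            exposed.append((coord, comp["version"], fixed))
    return exposed


if __name__ == "__main__":
    for coord, have, need in find_exposed(SBOM_JSON, FIXED_VERSIONS):
        print(f"PATCH NEEDED: {coord} {have} -> {need}")
```

The numeric comparison matters: a plain string comparison would rank "2.9.1" above "2.17.1" and silently miss an exposed component.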
Most cyberattacks are financially motivated. Organizations must invest in a combination of people, processes, and technology to safeguard against the potential risks of financial damage, reputational loss, and non-compliance.
A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is Security Awareness Advocate for KnowBe4. Author, and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in information security.