According to VMware, the first half of 2020 saw a 238% increase in cyberattacks targeting financial institutions. And according to IBM and the Ponemon Institute, the average cost of a data breach in the financial sector in 2021 is $5.72 million.
Based on these statistics, if you're in the financial services sector, there's a very high chance that you'll eventually fall victim to a very costly cyberattack.
Prevailing against such overwhelming odds requires a cybersecurity strategy that addresses the specific cyber threats in the financial industry.
This post outlines the top 6 cyber threats to financial services and suggested security controls for mitigating each of them.
Learn how UpGuard protects the finance sector from data breaches >
1. Phishing
Phishing, a variant of social engineering, is a method of tricking users into divulging login credentials to gain access to an internal network.
The most common form of phishing is email phishing, where an email posing as legitimate communication is sent to victims.
Interacting with any of the infected links or attachments in phishing emails could initiate the installation of malware on the target computer system, or load a counterfeit web page that harvests login credentials.
To the unsuspecting recipient, these scam emails seem very convincing, especially when they're presented with a sense of urgency.
Here's an example of a phishing email posing as an urgent Coronavirus pandemic resource from the World Health Organization.
Track supply chain risks with this free pandemic questionnaire template >
Some phishing attacks are reply messages to an existing email thread - a tactic known as email conversation thread hijacking.
The following example demonstrates how such a cyber attack works. Joe Schmoe represents a victim whose email account gets hacked. After logging into Joe's email, hackers composed a contextual reply to an existing conversation, offering an infected attachment in response to Alice's request for an internal document.
Because phishing emails are getting harder to recognize, they're one of the most popular attack vectors for cybercrime.
It's estimated that over 90% of all successful cyberattacks start with a phishing attack and this unfortunate conversion rate is tearing up the financial industry.
Phishing Attack Statistics in the Financial Industry
Phishing Attacks increased by 22% in the first half of 2021
In just the first six months of 2021, phishing attacks in the financial sector increased by 22% since the same period in 2020. Attacks targeting financial apps increased by 38% for the same comparative period.
Finance was the most targeted sector for phishing attacks in Q1 of 2021
The Anti-Phishing Working Group (APWG) found that phishing attacks were most prevalent among financial institutions in Q1 of 2021.
Almost half of all phishing attacks in 2019 occurred in the finance sector
According to Akamai's 2019 State of the Internet report, almost 50% of observed phishing attacks were linked to the financial services sector.
Phishing campaigns now harmonize with notable news alerts.
Phishing tactics are evolving to harmonize with breaking new stories to target modern societal anxieties.
The Coronavirus pandemic has revealed a new level of phishing sophistication where phishing themes are aligned with global catastrophes to target modern societal anxieties.
The following chart indicates the relationship between phishing frequency and notable news stories in the first quarter of 2020.
These concerning trends categorize phishing as one of the greatest cybersecurity threats in the financial industry.
2. Ransomware
Ransomware and Ransomware-as-a-Servce is another critical cyber risk to financial services. During a ransomware attack, cybercriminals lock victims out of their computers by encrypting them with malware. The damage is only reversed if a ransom is paid.
Ransomware attackers use multiple extortions to pressure victims into paying a ransom. The most popular being publishing greater portions of seized sensitive data on criminal forums until a ransom is paid.
Such extortion tactics are, unfortunately, very effective against financial institutions because their heavy regulations expect exemplary cyberattack and data breach resilience.
With ransomware attacks now evolving into data breach territory, a successful attack could have wider implications on regulatory compliance standards.
Ransomware Statistics in the Financial Industry
Paying a ransom could double remediation costs
The financial services industry is a very attractive target to ransomware gangs because of the valuable customer information they possess. The threat of leaking this data on the dark web, and the resulting reputational damage, compels many financial services organizations to comply with ransom demands.
Despite increasing pressure to do so among the stress of a ransomware attack, the FBI strongly advises businesses to never pay ransoms.
Following the FBI's advice could result in lower damage costs, even if threat actors compromise the seized data. According to the State of Ransomware 2020 report by Sophos, remediation costs double when a ransom is paid.
Ransomware attacks increased 9x between February and April 2020.
Last year, in the space of only 3 months - from the beginning of February to the end of April 2020 - ransomware attacks against the financial sector increased by ninefold.
Learn how to reduce the impact of Ransomware attacks.
Ransomware attacks increased by 520% between March and June of 2020
Between March and June 2020, phishing and ransomware attacks targeting banks increased by 520% compared to the same period in 2019.
A significant spike in ransomware attacks was observed in 2020 and the trend continues to climb upwards in 2021.
Ransomware attacks increased by 151% in the first 6 months of 2021
Atlas VPN, a New York-based VPN service provider observed a 151% increase in ransomware attacks in the first half of 2021 compared to the same period in 2020.
This data reveals the expanding threat of ransomware across all sectors, not just financial services firms.
This global cybersecurity risk is prompting governments to implement mitigation policies to defend against nation-state ransomware attackers, like Australia's Ransomware Action Plan.
Certain ransomware strains are more prevalent in the financial sector
To effectively defend against ransomware, threat intelligence teams must be aware of the most popular ransomware variants targeting financial systems.
Below is a breakdown of the 11 most prevalent ransomware types and their percentage market share. It's critical for financial entities to update their Incident Response Plans to address each of these active threats.
To support this effort, each ransomware strain below is supported with resources detailing targeted defence strategies.
Sodinokibi Ransomware Resources
Conti V2 Ransomware Resources
Lockbit Ransomware Resources
Clop Ransomware Resources
Egregor Ransomware Resources
Avaddon Ransomware Resources
Ryuk Ransomware Resources
Darkside Ransomware Resources
SunCrypt Ransomware Resources
Netwalker Ransomware Resources
Phobos Ransomware Resources
3. SQL Injections, Local File Inclusion, Cross-Site Scripting, and OGNL Java Injections
According to the annual security report by Akamai, 94% of observed cyber attacks in the financial sector were facilitated by the following four attack vectors:
- SQL Injections (SQLi)
- Cross-Site Scripting (XSS)
- Local FIle Inclusion (LFI)
- OGNL Java Injection
Vulnerability Discoveries Impacting the Financial Industry
- In March 2021, a vulnerability was discovered in a WordPress plugin that facilitated Time-Based Blind SQL injections. 600,000 users could have potentially been impacted.
- In April 2021, Trend Micro discovered an XSS vulnerability impacting e-commerce websites.
- In August 2021, a Local File Inclusion (LFI) vulnerability was discovered for a version of BIQS - software used by driving schools for invoicing.
- In August 2021, an OGNL vulnerability was discovered that allowed threat actors to inject arbitrary code on Atlassian Confluence servers.
4. DDoS Attacks
In 2020, the financial sector experienced the highest number of Distributed Denial-of-Service (DDoS) attacks.
During a DDoS attack, a victim's server is overwhelmed with fake connection requests, forcing it offline.
DDoS attacks are a popular cyber threat against financial services because their attack surface is diverse, comprising of banking IT infrastructures, customer accounts, payment portals, etc.
This makes the impact of DDoS attacks penetrate deeper for financial entities. Cybercriminals could leverage the resulting chaos in two different ways:
- Additional cyberattack campaigns can be launched while security teams are distracted by a DDoS attack.
- Cybercriminals could offer to spot the DDoS attack if a ransom is paid, a strategy with a likelihood of success given the strict SLA agreements among financial institutions.
DDoS Attack Statistics in the Financial Industry
Finance Sector Experienced a 30% Increase in DDoS Attacks in 2020
Between 2019 and 2020, the financial services industry experienced a 30% increase in DDoS attacks, a spike that coincided with the start of the pandemic.
Payment processes aren't always categorized as financial institutions because they're usually private companies or third-party vendors hired by banks to process payments. But, in the eyes of cybercriminals, their association with private banking data groups them in the same category.
Password Login Attacks & DoS Attacks Were the Two Major Threats to Payment Processes in 2020
In 2020, the two major cyber threats to payment processes were password login attacks and DoS attacks (learn about the difference between Dos and DDoS attacks).
Finance is the Third Most Target Sector for DDoS Attacks
Finance is within the top three industries most targeted in DDoS attacks between 2020 and 2021.
Multi-Vector DDoS Attacks Have Risen by 80% in 2021
Multi-vector DDoS attacks have risen by 80% in 2021 compared to the same period in 2020. These are DDoS attacks comprised of multiple campaigns to overwhelm security teams.
5. Supply Chain Attacks
During a supply chain attack, a victim is breached through a compromised third-party vendor in their supply chain.
Supply chain attacks make it possible for cyber attackers to circumvent security controls by creating avenues to sensitive resources through a target's third-party vendor.
Because, statistically, vendors don't take cybersecurity as seriously as their clients, their compromise is usually much easier to achieve. And because third-party vendors store sensitive data for all of their clients, a single compromise could impact hundreds of companies.
To defend against supply chain attacks, it's recommended for financial services to implement a Zero Trust Architecture with secure Privileged Access Management policies.
The inclusion of these initiatives in Biden's cybersecurity executive order confirms their efficacy in mitigating supply chain attacks.
Supply Chain Attack Statistics in the Financial Industry
Most third-party vendors are not prepared for cyberattacks
From the supply chain attacks analyzed by the European Union Agency for Cybersecurity, 66% of compromised suppliers either did not know or failed to report that they were breached.
This statistic highlights the concerning deficiency of cyber resilience amongst vendors and the desperate need for a third-party risk management program to address this deficit.
Learn how the financial industry can better manage vendor risks.
Advanced Persistent Threats Account for 50% of Supply Chain Attacks
According to a report by The European Union Cybersecurity Agency (ENISA), 50% of observed supply chain attacks were linked to the following Advanced Persistent Threats (APTs):
- APT29
- APT41
- Thallium
- Lazarus
- TA413
- TA428
Supply chain Attacks Expected to Increase by four-fold between 2020 and 2021
The European Union Cybersecurity Agency (ENISA) predicts that 2021 will see a 4x increase in supply chain attacks compared to 2020.
6. Bank Drops
To obfuscate their location from authorities, cybercriminals often store stolen funds in fake bank accounts (bank drops) opened with stolen customer credentials.
Amongst cybercriminals, the collection of customer credentials required to create a bank drop is referred to as 'fullz.'
A victim's fullz data could include the following information:
- Full Name
- Address
- DOB
- Drivers License details
- Credit Score
- Social Security details
The schemes fueling conventional bank drops are likely to adapt to digital wallet requirements as more cybercriminals prefer the superior anonymity of cryptocurrency.
In response to this cyber threat, financial entities should implement security controls specifically for the credentials commonly required to open new accounts.
Bank Drop Stats in the Financial Sector
The Average Price Range for Fullz Data on the Dark Web is $15-$60 per record.
According to the Armor Dark Market Report, the average price ranges of fullz data being sold on the dark web are as follows:
- Generic Fullz Data: $15-$60
- Business Fullz Data: $35-$60
Generic fullz data could include:
- Name
- DOB
- Address
- Mother's maiden name
- SSN
- Driver’s license number
Business fullz data could include:
- Bank account numbers
- EIN
- DOB
- SSN
- Business certificates
- Corporate officers’ names
How to Defend Against Financial Services Cyber Threats
In many instances, cyberattacks recycle the same attack sequence because there are common security vulnerabilities across different financial entities.
The following security controls could address most of the exposures facilitating data breaches in the financial services sector:
- Third-Party Risk Management (TPRM) - A third-party risk management program will identify security vulnerabilities for all third-party cloud services to prevent supply chain attacks.
- Multi-Factor Authentication - Implementing an MFA policy on all endpoints, including mobile devices, will make it very difficult for threat actors to compromise privileged credentials - a critical step preceding sensitive information theft for financial firms.
- Firewall - A regularly updated firewall is capable of detecting and blocking malware injection attempts.
- Attack Surface Management - An attack surface management solution capable of detecting data leaks will significantly reduce the chances of a successful data breach, both internally and throughout the vendor network.
- Learn TTP (Tactics, Techniques, & Procedures) - Threat actors often use similar attack strategies due to similar vulnerabilities across the industry. Learning common suspicious activity patterns could help you intercept an attack attempt before any malicious codes are injected.
- Security ratings - This feature supports real-time monitoring for emerging security risks created by digital transformation. When combines with an attack surface management tool, security ratings help uncover the best security measures for many common types of attacks, including malware attacks and customer data compromise.
- Regular data backups - Having a clean system backup on hand will help you restore business continuity during a ransomware attack.
