According to VMware, the first half of 2020 saw a 238% increase in cyberattacks targeting financial institutions. And according to IBM and the Ponemon Institute, the average cost of a data breach in the financial sector in 2021 is $5.72 million.

Based on these statistics, if you're in the financial services sector, there's a very high chance that you'll eventually fall victim to a very costly cyberattack.

Prevailing against such overwhelming odds requires a cybersecurity strategy that addresses the specific cyber threats in the financial industry.

This post outlines the top 6 cyber threats to financial services and suggested security controls for mitigating each of them.

Learn how UpGuard protects the finance sector from data breaches >

1. Phishing

Phishing, a variant of social engineering, is a method of tricking users into divulging login credentials to gain access to an internal network.

The most common form of phishing is email phishing, where an email posing as legitimate communication is sent to victims.

Interacting with any of the infected links or attachments in phishing emails could initiate the installation of malware on the target computer system, or load a counterfeit web page that harvests login credentials.

To the unsuspecting recipient, these scam emails seem very convincing, especially when they're presented with a sense of urgency.

Here's an example of a phishing email posing as an urgent Coronavirus pandemic resource from the World Health Organization.

A phishing email posing as an urgent communication from the World Health Organization - Source: Malwarebytes
Figure 1 - A phishing email posing as an urgent communication from the World Health Organization - Source: Malwarebytes

Track supply chain risks with this free pandemic questionnaire template >

Some phishing attacks are reply messages to an existing email thread - a tactic known as email conversation thread hijacking.

The following example demonstrates how such a cyber attack works. Joe Schmoe represents a victim whose email account gets hacked. After logging into Joe's email, hackers composed a contextual reply to an existing conversation, offering an infected attachment in response to Alice's request for an internal document.

 Example of a conversation thread hijacking - Source:
Figure 2 - Example of a conversation thread hijacking - Source:

Because phishing emails are getting harder to recognize, they're one of the most popular attack vectors for cybercrime.

It's estimated that over 90% of all successful cyberattacks start with a phishing attack and this unfortunate conversion rate is tearing up the financial industry.

Phishing Attack Statistics in the Financial Industry

Phishing Attacks increased by 22% in the first half of 2021

In just the first six months of 2021, phishing attacks in the financial sector increased by 22% since the same period in 2020. Attacks targeting financial apps increased by 38% for the same comparative period.

Finance was the most targeted sector for phishing attacks in Q1 of 2021

The Anti-Phishing Working Group (APWG) found that phishing attacks were most prevalent among financial institutions in Q1 of 2021.

Most targeted industries in phishing attacks
Almost half of all phishing attacks in 2019 occurred in the finance sector

According to Akamai's 2019 State of the Internet report, almost 50% of observed phishing attacks were linked to the financial services sector.

Phishing campaigns now harmonize with notable news alerts.
Phishing tactics are evolving to harmonize with breaking new stories to target modern societal anxieties.

The Coronavirus pandemic has revealed a new level of phishing sophistication where phishing themes are aligned with global catastrophes to target modern societal anxieties.

The following chart indicates the relationship between phishing frequency and notable news stories in the first quarter of 2020.

Relative phishing attack event percentage changes for notable alerts - Data Source VMware Carbon Black Data
Figure 4 - Relative phishing attack event percentage changes for notable alerts - Data Source VMware Carbon Black Data

These concerning trends categorize phishing as one of the greatest cybersecurity threats in the financial industry.

Image with the following text - is your business at risk of a data breach? Find out.

2. Ransomware

Ransomware and Ransomware-as-a-Servce is another critical cyber risk to financial services. During a ransomware attack, cybercriminals lock victims out of their computers by encrypting them with malware. The damage is only reversed if a ransom is paid.

Ransomware attackers use multiple extortions to pressure victims into paying a ransom. The most popular being publishing greater portions of seized sensitive data on criminal forums until a ransom is paid.

Such extortion tactics are, unfortunately, very effective against financial institutions because their heavy regulations expect exemplary cyberattack and data breach resilience.

With ransomware attacks now evolving into data breach territory, a successful attack could have wider implications on regulatory compliance standards.

Ransomware Statistics in the Financial Industry

Paying a ransom could double remediation costs

The financial services industry is a very attractive target to ransomware gangs because of the valuable customer information they possess. The threat of leaking this data on the dark web, and the resulting reputational damage, compels many financial services organizations to comply with ransom demands.

Despite increasing pressure to do so among the stress of a ransomware attack, the FBI strongly advises businesses to never pay ransoms.

Following the FBI's advice could result in lower damage costs, even if threat actors compromise the seized data. According to the State of Ransomware 2020 report by Sophos, remediation costs double when a ransom is paid.

Ransomware remediation costs double when a ransom is paid
Figure 5 - Ransomware remediation costs double when a ransom is paid
Ransomware attacks increased 9x between February and April 2020.

Last year, in the space of only 3 months - from the beginning of February to the end of April 2020 - ransomware attacks against the financial sector increased by ninefold.

Learn how to reduce the impact of Ransomware attacks.

Ransomware attacks increased by 520% between March and June of 2020

Between March and June 2020, phishing and ransomware attacks targeting banks increased by 520% compared to the same period in 2019.

A significant spike in ransomware attacks was observed in 2020 and the trend continues to climb upwards in 2021.

Ransomware attacks increased by 151% in the first 6 months of 2021

Atlas VPN, a New York-based VPN service provider observed a 151% increase in ransomware attacks in the first half of 2021 compared to the same period in 2020.

ransomware attack growth by quarter across the world

This data reveals the expanding threat of ransomware across all sectors, not just financial services firms.

This global cybersecurity risk is prompting governments to implement mitigation policies to defend against nation-state ransomware attackers, like Australia's Ransomware Action Plan.

Certain ransomware strains are more prevalent in the financial sector

To effectively defend against ransomware, threat intelligence teams must be aware of the most popular ransomware variants targeting financial systems.

Below is a breakdown of the 11 most prevalent ransomware types and their percentage market share. It's critical for financial entities to update their Incident Response Plans to address each of these active threats.

To support this effort, each ransomware strain below is supported with resources detailing targeted defence strategies.

Sodinokibi Ransomware Resources

Conti V2 Ransomware Resources

Lockbit Ransomware Resources

Clop Ransomware Resources

Egregor Ransomware Resources

Avaddon Ransomware Resources

Ryuk Ransomware Resources

Darkside Ransomware Resources

SunCrypt Ransomware Resources

Netwalker Ransomware Resources

Phobos Ransomware Resources

3. SQL Injections, Local File Inclusion, Cross-Site Scripting, and OGNL Java Injections

According to the annual security report by Akamai, 94% of observed cyber attacks in the financial sector were facilitated by the following four attack vectors:

  • SQL Injections (SQLi)
  • Cross-Site Scripting (XSS)
  • Local FIle Inclusion (LFI)
  • OGNL Java Injection

Vulnerability Discoveries Impacting the Financial Industry

4. DDoS Attacks

In 2020, the financial sector experienced the highest number of Distributed Denial-of-Service (DDoS) attacks.

During a DDoS attack, a victim's server is overwhelmed with fake connection requests, forcing it offline.

DDoS attacks are a popular cyber threat against financial services because their attack surface is diverse, comprising of banking IT infrastructures, customer accounts, payment portals, etc.

This makes the impact of DDoS attacks penetrate deeper for financial entities. Cybercriminals could leverage the resulting chaos in two different ways:

  • Additional cyberattack campaigns can be launched while security teams are distracted by a DDoS attack.
  • Cybercriminals could offer to spot the DDoS attack if a ransom is paid, a strategy with a likelihood of success given the strict SLA agreements among financial institutions.

DDoS Attack Statistics in the Financial Industry

Finance Sector Experienced a 30% Increase in DDoS Attacks in 2020

Between 2019 and 2020, the financial services industry experienced a 30% increase in DDoS attacks, a spike that coincided with the start of the pandemic.

Payment processes aren't always categorized as financial institutions because they're usually private companies or third-party vendors hired by banks to process payments. But, in the eyes of cybercriminals, their association with private banking data groups them in the same category.

Password Login Attacks & DoS Attacks Were the Two Major Threats to Payment Processes in 2020

In 2020, the two major cyber threats to payment processes were password login attacks and DoS attacks (learn about the difference between Dos and DDoS attacks).

data breach reporting events for payment processors in 2020
Finance is the Third Most Target Sector for DDoS Attacks

Finance is within the top three industries most targeted in DDoS attacks between 2020 and 2021.

top industry targets for ddos attacks
Multi-Vector DDoS Attacks Have Risen by 80% in 2021

Multi-vector DDoS attacks have risen by 80% in 2021 compared to the same period in 2020. These are DDoS attacks comprised of multiple campaigns to overwhelm security teams.

Trends multi-factor ddos attacks 2020-2021

5. Supply Chain Attacks

During a supply chain attack, a victim is breached through a compromised third-party vendor in their supply chain.

Supply chain attacks make it possible for cyber attackers to circumvent security controls by creating avenues to sensitive resources through a target's third-party vendor.

Because, statistically, vendors don't take cybersecurity as seriously as their clients, their compromise is usually much easier to achieve. And because third-party vendors store sensitive data for all of their clients, a single compromise could impact hundreds of companies.

To defend against supply chain attacks, it's recommended for financial services to implement a Zero Trust Architecture with secure Privileged Access Management policies.

The inclusion of these initiatives in Biden's cybersecurity executive order confirms their efficacy in mitigating supply chain attacks.

Supply Chain Attack Statistics in the Financial Industry

Most third-party vendors are not prepared for cyberattacks

From the supply chain attacks analyzed by the European Union Agency for Cybersecurity, 66% of compromised suppliers either did not know or failed to report that they were breached. This statistic highlights the concerning deficiency of cyber resilience amongst vendors and the desperate need for a Vendor Risk Management program to address this deficit.

Learn how the financial industry can better manage vendor risks.

Advanced Persistent Threats Account for 50% of Supply Chain Attacks

According to a report by The European Union Cybersecurity Agency (ENISA), 50% of observed supply chain attacks were linked to the following Advanced Persistent Threats (APTs):

  • APT29
  • APT41
  • Thallium
  • Lazarus
  • TA413
  • TA428
Supply chain Attacks Expected to Increase by four-fold between 2020 and 2021

The European Union Cybersecurity Agency (ENISA) predicts that 2021 will see a 4x increase in supply chain attacks compared to 2020.

6. Bank Drops

To obfuscate their location from authorities, cybercriminals often store stolen funds in fake bank accounts (bank drops) opened with stolen customer credentials.

Amongst cybercriminals, the collection of customer credentials required to create a bank drop is referred to as 'fullz.'

A victim's fullz data could include the following information:

  • Full Name
  • Address
  • DOB
  • Drivers License details
  • Credit Score
  • Social Security details

The schemes fueling conventional bank drops are likely to adapt to digital wallet requirements as more cybercriminals prefer the superior anonymity of cryptocurrency.

In response to this cyber threat, financial entities should implement security controls specifically for the credentials commonly required to open new accounts.

Bank Drop Stats in the Financial Sector

The Average Price Range for Fullz Data on the Dark Web is $15-$60 per record.

According to the Armor Dark Market Report, the average price ranges of fullz data being sold on the dark web are as follows:

  • Generic Fullz Data: $15-$60
  • Business Fullz Data: $35-$60

Generic fullz data could include:

  • Name
  • DOB
  • Address
  • Mother's maiden name
  • SSN
  • Driver’s license number

Business fullz data could include:

  • Bank account numbers
  • EIN
  • DOB
  • SSN
  • Business certificates
  • Corporate officers’ names

How to Defend Against Financial Services Cyber Threats

In many instances, cyberattacks recycle the same attack sequence because there are common security vulnerabilities across different financial entities.

The following security controls could address most of the exposures facilitating data breaches in the financial services sector:

  • Third-Party Risk Management (TPRM) - A Third-Party Risk Management program will identify security vulnerabilities for all third-party cloud services to prevent supply chain attacks.
  • Multi-Factor Authentication - Implementing an MFA policy on all endpoints, including mobile devices, will make it very difficult for threat actors to compromise privileged credentials - a critical step preceding sensitive information theft for financial firms.
  • Firewall  - A regularly updated firewall is capable of detecting and blocking malware injection attempts.
  • Attack Surface Management - An attack surface management solution capable of detecting data leaks will significantly reduce the chances of a successful data breach, both internally and throughout the vendor network.
  • Learn TTP (Tactics, Techniques, & Procedures) - Threat actors often use similar attack strategies due to similar vulnerabilities across the industry. Learning common suspicious activity patterns could help you intercept an attack attempt before any malicious codes are injected.
  • Security ratings - This feature supports real-time monitoring for emerging security risks created by digital transformation. When combines with an attack surface management tool, security ratings help uncover the best security measures for many common types of attacks, including malware attacks and customer data compromise.
  • Regular data backups - Having a clean system backup on hand will help you restore business continuity during a ransomware attack.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?