Today’s phishing attacks are increasingly sophisticated and pose significant threats to all sectors. For the banking industry, however, the stakes are even higher. Banks handle vast amounts of sensitive financial information and process large-scale transactions daily, making them prime targets for cybercriminals. And, unlike many other victims, they have the money to pay.
While general knowledge about phishing is essential, bankers must be particularly vigilant about the unique tactics and risks tailored to their field. This article explores four critical aspects of phishing that every banker needs to know to safeguard their operations, protect client data, and maintain the integrity of financial systems.
1. What is Phishing?
Phishing is a type of cyberattack in which an attacker impersonates a legitimate person or organization to trick individuals into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal data. It is usually carried out through deceptive emails, messages, or websites that appear to come from trusted sources but are in fact controlled by the attacker. Phishing is a form of social engineering: it exploits the target’s trust rather than a technical flaw.
A phishing email can also trick its victim into performing an action that benefits the attacker, such as opening an attachment or clicking a link that downloads malware, which then gives the attacker a foothold on the victim’s machine and access to data they can exploit in further criminal operations.
There are different phishing variants:
- Spear phishing: Unlike generic phishing attempts, spear phishing is highly targeted. Attackers research specific individuals within a bank, often using information gathered from social networking sites, and craft personalized emails that appear legitimate.
- Whaling: A form of spear phishing aimed at senior executives. One objective is to steal large amounts of sensitive data; another is to exploit the executive’s authority to approve payments. The goal is to trick them into validating a payment to what appears to be a vendor, when the money would in fact go to the attackers.
- Smishing: Phishing attacks conducted via SMS instead of email.
- Vishing: Phishing attacks conducted via voice (phone calls) instead of email.
2. What is the purpose of phishing?
Criminals can steal credit card details and use them for their own benefit by purchasing goods or services online, or they can harvest them and sell them in bulk, bundled with hundreds of other card numbers, on dark web marketplaces.
Through fake websites that look exactly like a bank’s own, criminals can trick that bank’s customers into entering their credentials. They then use those credentials to log in and make unauthorized withdrawals or transfers from the accounts.
Attackers may target banks to access regulatory and compliance-related data, such as Anti-Money Laundering (AML) protocols or Know Your Customer (KYC) information. Access to this data can help attackers bypass security controls or launder money through the financial system. Bankers need to be aware of the sensitivity of compliance data and the importance of safeguarding it from phishing attacks.
Phishing can also be the entry point for a long-term intelligence operation leading to business email compromise (BEC). The adversary monitors an individual, their colleagues, their customers, and the financial institution over a period of time in order to craft a convincing fraudulent request. Bankers are prime targets for BEC because they handle large transactions and communicate with high-net-worth individuals and corporate clients. Attackers may impersonate a client or a senior executive to trick a banker into executing an unauthorized transaction.
Under consumer protection laws in many jurisdictions, banks are generally required to compensate customers for unauthorized electronic transactions, including those resulting from phishing. The exceptions are cases where the bank can show that the customer acted fraudulently or with gross negligence (for example, by sharing their credentials), or failed to report the fraud within the required timeframe.
3. How to recognize phishing
Phishing emails, SMS messages, and phone calls usually tell a manipulative story to get the target to click a link or open an attachment. The message appears to come from an organization the target knows or trusts, such as a bank, a credit card company, a payment website, a utility company, or a government body, and asks the target to pay an open invoice or a fine, or to collect money that is supposedly due to them. It often carries the impersonated company’s logo in the header.
The content might have the following characteristics:
- Requests username and/or password.
- Has time sensitive threats to create a sense of urgency (e.g., “Your account will be closed if you do not respond immediately”).
- Contains spelling and grammar mistakes.
- Has vague or missing information in the “from” field or email signature.
- The “To” field contains many unrelated email addresses, often in alphabetical order (a sign of a bulk send).
- Has impersonal or awkward greetings, such as “Dear Mr. Account Holder” or a greeting that uses your raw email address instead of your name.
- Contains unexpected files or downloads.
- Has links that do not point to the sender or the sender’s organization.
- Concerns accounts the recipient does not have, such as an eBay or PayPal account, or an account at a bank they do not use.
- Emails “from” celebrities.
- Asks you to reply in order to “opt out” of a service.
- Plays on human emotions to evoke sympathy, kindness, fear, worry, anxiety, or excitement.
The message might contain any of these catchphrases:
- Suspicious activity or log-in attempts.
- Problem with an account or payment information.
- Confirm some personal or financial information.
- Pay an invoice.
- Click on a link to make a payment.
- Register for a government refund.
- A coupon for free stuff.
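The indicators above can be turned into a simple triage script. The following is an added example, not part of the original article and not a product of any vendor: it parses two constructed sample emails (the brand domain examplebank.com, the addresses and the hosts are all fictional and assumed) and reports which indicators it finds, including the header and link checks that survive even when the wording is flawless.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail): one with the classic indicators,
# one routine notice from the genuine domain. "examplebank.com" is the assumed brand.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
Reply-To: recovery@mail-verify.net
To: customer@example.net
Subject: URGENT: suspicious login attempt on your account
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We detected a suspicious login attempt. Your account will be closed if you do not
respond immediately. Please confirm your username and password at
<a href="http://examplebank.com.account-verify.net/login">https://www.examplebank.com/login</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
To: customer@example.net
Subject: Your March statement is available
Content-Type: text/html

<html><body>
<p>Dear Ms. Lindqvist,</p>
<p>Your statement is ready in online banking:
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p>
</body></html>
"""

URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be closed", "suspended")
CREDENTIAL_PHRASES = ("password", "username", "log-in details", "login details")
GENERIC_GREETINGS = ("dear customer", "dear account holder", "dear user", "dear sir/madam")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def address_domain(header_value):
    """Domain part of the first address in a From/Reply-To header, lowercased."""
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def is_under(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_message(raw, trusted_domains):
    """Return a sorted list of indicator names found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    trusted = {d.lower() for d in trusted_domains}
    findings = set()

    # Header checks: sender domain and Reply-To that redirects answers elsewhere.
    from_domain = address_domain(msg.get("From", ""))
    if not is_under(from_domain, trusted):
        findings.add("untrusted-sender-domain")
    reply_to = msg.get("Reply-To")
    if reply_to and address_domain(reply_to) != from_domain:
        findings.add("reply-to-mismatch")

    # Content checks: urgency, credential requests, generic greeting.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.add("urgency")
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.add("asks-for-credentials")
    if any(g in text for g in GENERIC_GREETINGS):
        findings.add("generic-greeting")

    # Link checks: anchor text showing one host while the href points to another,
    # and hrefs that lead outside the trusted domains.
    for href, shown in ANCHOR_RE.findall(body):
        href_host = host_of(href)
        shown_host = host_of(shown) if shown.strip().lower().startswith(("http://", "https://")) else ""
        if shown_host and shown_host != href_host:
            findings.add("link-text-mismatch")
        if href_host and not is_under(href_host, trusted):
            findings.add("link-to-untrusted-host")
    return sorted(findings)


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_message(raw, ["examplebank.com"]))
```

The header and link checks (sender domain, Reply-To mismatch, anchor text that shows one host while the href points to another) carry more weight than the keyword matches, since a well-written or AI-generated lure can avoid spelling and grammar cues entirely. A script like this is a training or triage aid, not a replacement for the mail gateway’s own filtering.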
4. How can bankers protect against phishing attacks?
No organization can thwart 100% of phishing attacks. The reason is simple: the reader of a phishing email is a human, and there is always some way to deceive the human brain. Phishing statistics have remained consistent over the years: according to Verizon’s 2023 Data Breach Investigations Report, between 75% and 91% of targeted cyberattacks start with an email. However, cybercriminals are human too, and they also make mistakes.
Regardless, protection against phishing requires a layered “PPT” approach – people, processes, and technology.
People:
Generative AI has given adversaries a new tool for crafting phishing emails that are free of the usual indicators such as misspellings and poor grammar. Banking employees should therefore be trained to recognize phishing emails that have made it past the spam filters on cues other than language quality. Any message that appears to come from a customer or an executive and is urgent, puts the recipient under pressure, departs from routine, or is generic, unexpected, unusual, or too good to be true should be treated with suspicion.
Banking employees should take extra care to inspect the URL of any web page that asks for log-in details or financial information, checking that the domain is genuinely the bank’s and not a lookalike or a subdomain of some other domain. Regular cybersecurity awareness training also helps employees and customers recognize the tricks and methods cybercriminals use.
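What reviewing a URL means in practice can be made concrete. The following is an added example, not from the original article, that checks a URL against an assumed brand domain (examplebank.com; all sample URLs are constructed and none of the hosts are meant to exist) for the tricks commonly used to disguise a phishing host: the brand name placed in a subdomain of an attacker’s domain, the brand name placed before an @ so that it becomes a username, digit and Cyrillic lookalikes, and domains one or two characters away from the real one.

```python
from urllib.parse import urlparse

# Minimal confusable map for the skeleton comparison: a small subset chosen for
# this example, not the full Unicode confusables table a real tool should use.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
}


def skeleton(label):
    """Replace characters that look like Latin letters with the letters they imitate."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Simplification: last two labels. Real code should consult the Public Suffix
    # List (for example via the tldextract package) so that bank.co.uk is handled.
    return ".".join(host.split(".")[-2:])


def inspect_url(url, brand_domain):
    """Return sorted indicator names for a URL that claims to belong to brand_domain."""
    findings = set()
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.add("not-https")
    if parts.username is not None:
        # "https://www.examplebank.com@evil.net/" connects to evil.net; the brand is a username.
        findings.add("userinfo-in-url")
    if not host:
        findings.add("no-host")
        return sorted(findings)
    if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in host.split(".")):
        findings.add("non-ascii-or-punycode-host")
    reg = registrable_domain(host)
    if reg == brand_domain:
        return sorted(findings)            # genuine domain (the scheme may still be wrong)
    findings.add("domain-not-brand")
    if brand_domain in host:
        findings.add("brand-in-subdomain")  # examplebank.com.account-verify.net
    if levenshtein(skeleton(reg), brand_domain) <= 2:
        findings.add("lookalike-domain")    # examp1ebank.com, Cyrillic a, examplebankk.com
    return sorted(findings)


BRAND = "examplebank.com"
# Constructed sample URLs for the assumed brand.
SAMPLE_URLS = {
    "genuine": "https://www.examplebank.com/login",
    "subdomain_trick": "http://examplebank.com.account-verify.net/login",
    "userinfo_trick": "https://www.examplebank.com@evil.net/login",
    "digit_swap": "https://examp1ebank.com/login",
    "homograph": "https://exampleb\u0430nk.com/login",   # Cyrillic small a (U+0430)
    "extra_letter": "https://examplebankk.com/login",
}

if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:16} {inspect_url(url, BRAND)}")
```

The registrable-domain step is deliberately naive (last two labels); a real implementation should use the Public Suffix List so that domains such as bank.co.uk are handled correctly, and the full Unicode confusables data rather than the handful of substitutions shown here. The userinfo case is worth remembering on its own: everything before the @ in a URL is a username, and browsers connect to whatever follows it.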
Processes:
Bankers should know the importance of reporting suspected phishing attempts immediately to the appropriate IT or security team and the steps to do so. This allows the organization to act quickly to contain any potential breach, and encourages a culture of security within the organization, where employees feel responsible for safeguarding information and are not afraid to report suspicious activity.
The bank or firm should set up mechanisms that require bankers, advisors and representatives to verify with a customer or an executive before executing a payment that appears suspicious or above a certain threshold. This should be performed using a pre-agreed phone number or through a parallel channel of communication.
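The verification step can be encoded as a policy check so that it is not left to individual judgment under pressure. The following is an added example, not a description of any bank’s actual system: it models a customer record with a pre-agreed callback number, decides which payment requests require out-of-band verification (assumed triggers: an amount at or above a threshold, a beneficiary not paid before, or contact details supplied in the request itself), and refuses to count a callback as verification unless it used the number on file. Customer IDs, accounts, amounts and phone numbers are all constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class CustomerRecord:
    """What the bank holds on file, captured at onboarding, never taken from an email."""
    customer_id: str
    verification_phone: str           # pre-agreed callback number
    known_beneficiaries: frozenset    # accounts paid before and already verified


@dataclass(frozen=True)
class PaymentRequest:
    customer_id: str
    amount: Decimal
    beneficiary: str
    channel: str                      # "email", "phone", "branch", ...
    phone_in_request: Optional[str]   # a "call me on this number" included in the request


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str
    triggers: tuple


THRESHOLD = Decimal("10000")   # assumed policy limit; each bank sets its own


def verification_triggers(req, record, threshold=THRESHOLD):
    """Reasons this request must be confirmed out of band before execution."""
    triggers = []
    if req.amount >= threshold:
        triggers.append("amount-at-or-above-threshold")
    if req.beneficiary not in record.known_beneficiaries:
        triggers.append("new-beneficiary")
    if req.phone_in_request and req.phone_in_request != record.verification_phone:
        triggers.append("contact-number-supplied-in-request")
    if req.channel == "email" and triggers:
        triggers.append("unauthenticated-channel")
    return tuple(triggers)


def callback_number(record):
    """The only number a banker may dial to verify: the one on file."""
    return record.verification_phone


def authorize(req, record, callback_dialed=None):
    """callback_dialed: the number the banker actually called and got confirmation on, or None."""
    if req.customer_id != record.customer_id:
        return Decision(False, "request does not match customer record", ())
    triggers = verification_triggers(req, record)
    if not triggers:
        return Decision(True, "routine payment, no callback required", triggers)
    if callback_dialed is None:
        return Decision(False, "out-of-band verification required", triggers)
    if callback_dialed != callback_number(record):
        return Decision(False, "callback must use the number on file, not one from the request", triggers)
    return Decision(True, "confirmed by customer on pre-agreed number", triggers)


# Constructed sample data (fictional customer, accounts and numbers).
RECORD = CustomerRecord("C-1001", "+15555550100", frozenset({"GB00EXMP00000001"}))
ROUTINE = PaymentRequest("C-1001", Decimal("450.00"), "GB00EXMP00000001", "email", None)
BEC_STYLE = PaymentRequest("C-1001", Decimal("250000.00"), "LT00NEWB00000099", "email", "+15555550199")

if __name__ == "__main__":
    print(authorize(ROUTINE, RECORD))
    print(authorize(BEC_STYLE, RECORD))                                               # blocked: callback required
    print(authorize(BEC_STYLE, RECORD, callback_dialed=BEC_STYLE.phone_in_request))    # blocked: wrong number
    print(authorize(BEC_STYLE, RECORD, callback_dialed=callback_number(RECORD)))       # approved after callback
```

The important rule is the last check: a BEC email that says “please call me on this new number to confirm” is designed to make the verification call go to the attacker, so the callback number must always come from the record, never from the request.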
Implementing multi-factor authentication (MFA) wherever possible on internal systems and enforcing strict identity and access management controls are key. MFA for customer logins should be mandatory. Note, however, that one-time codes delivered by SMS or an authenticator app can still be captured by a phishing page that relays them to the real site in real time, so MFA only makes account takeover extremely unlikely when the second factor is phishing-resistant, such as a FIDO2/WebAuthn security key or passkey, which is bound to the genuine domain and will not authenticate to a lookalike.
Technology:
In addition to reactive, regulator-mandated controls such as a security operations center (SOC) and an incident response plan to detect and respond to threats inside the network, banks can take advantage of other security tools; services built on artificial intelligence, for example, are on the rise.
Autonomous AI security solutions offer ways to monitor, predict, disrupt, and take down the phishing infrastructure used for brand impersonation outside the network, which may be targeting banking employees or customers. The main benefit of these solutions is that they perform these functions quickly and at scale, reducing the pressure on SOC teams to respond to every alert by hand.
Wrapping Up
Phishing attacks remain a major concern for the banking industry, where troves of financial information and large transactions are commonplace. These attacks can come in various forms, including emails, texts, and phone calls, often impersonating legitimate institutions, with the aim of stealing credentials, accessing sensitive data, or initiating fraudulent transactions.
While complete prevention is impossible, banks can take a layered approach to mitigate risks. This includes training employees to recognize phishing attempts, having clear processes for reporting suspicious activity and verifying transactions, and utilizing technology like multi-factor authentication and AI-augmented security solutions. By implementing these measures, banks can protect themselves, their customers, and the integrity of the financial system.