Financial institutions (FIs) are among the biggest spenders when it comes to cyber security
-the financial sector has the second highest investment in security in the UK.
However, there is a key area of continued weakness for FIs, and that is advanced email attacks that bypass traditional cyber security technologies and target employees and customers.
Earlier this year reports uncovered an 80% increase in cyber-attacks against FIs, and now intelligence gathered from fifty top banks and FIs in the States and Europe shows a massive increase in Dark Web activity linked to targeted attacks on these institutions. While such attacks take different forms, they almost always start with an email – in fact 93% of successful breaches begin this way.
The most dangerous form of email attack, Business Email Compromise (BEC), occurs when criminals impersonate a trusted contact in order to persuade an employee, customer, or partner to transfer funds or divulge sensitive information. According to the FBI,BEC has led to more than $12.5 billion in losses for US businesses since October 2013. Beyond the direct financial losses, BEC has resulted in the dark web being flooded with stolen data including account details, logins, credit card numbers and other vital PII.
This increase in dark web activity suggests that banks and FIs are in for a digital blitzkrieg over the next year. Despite the mounting evidence of the coming storm, 80% of FIs lack the proper technologies to detect and block sophisticated BEC attacks.
Most financial organisations still rely on traditional anti-spam/anti-malware/anti-virus systems, which were never intended to stop modern email-based social engineering attacks. Meanwhile, the attackers have learned to evade these traditional defences by utilizing low-volume highly targeted attacks rather than the spray-and-pray techniques the defenses were designed to prevent. It’s as though financial institutions are still relying on barbed wire, while the attackers have traded their horses for tanks.
Social engineering isn’t new. The famous hacker and social engineer Kevin Mitnick used to go diving in the rubbish bin to prepare for his exploits. Armed with just enough credible information, Mitnick could walk into just about any company and get access to their computers and phone systems. Today it’s much easier and far less risky, due to the wealth of information available on our corporate websites and social networks just as LinkedIn and Facebook. Add to that the enormous volume of PII aggregated from hundreds of high-profile data breaches, and suddenly attackers from every corner of the globe can target an individual, department, or corporation.
Using tactics such as display-name fraud, domain spoofing, lookalike domains and, when possible, previously hijacked email accounts, a typical BEC campaign has a success rate of 3.7%. The most successful attackers will spend weeks or even months to gain the trust of an unsuspecting mark before going in for the kill. Patience is clearly a virtue for attackers, as a successful BEC attack can score $130,000 or more, according to CNBC.
Million-dollar heists
In 2016 hackers pulled off an $81 million heist against the Central Bank of Bangladesh. It is believed that hackers infiltrated the systems needed to transfer funds through BEC attacks against low- and mid-level officials.Crime syndicates such as the Carbanak crime network, armed with $1.2 billion in loot from malware and phishing attacks, continue to hone their techniques to increase their success rate.
To view the rest of this interesting article and to access other current financial news please refer to the source.
