By Richard Cahill, Regional Leader, CSC Digital Brand Services

Banking and financial services industries are known for being at the forefront of cyber protection and innovation. Yet they are also among the most targeted by phishing attacks, social engineering, CEO fraud and business email compromise (BEC) due to the sheer number of clients and financial data they own. According to the Carnegie Endowment International Peace, cyber risks to banking and financial industries have grown in recent years and is becoming more frequent, sophisticated, and destructive. As cyber risks continue to increase, these institutions face greater challenges in quantifying them and addressing their capacity for harm.

One area of cybersecurity that banking and financial industries continue to struggle with is domain security. Web domains are a crucial part of any businesses’ operations, supporting client facing websites, organizations email, client or supplier portals, and much more. But like anything else that’s critical to an organization, they are also a key piece of the external attack surface that companies need to protect. Whether it be typosquatting, lookalike domain attacks, or phishing/malware campaigns, bad actors will find ways to conduct cyberattacks and take advantage of these assets.

Over the last three years, we have been reporting on the domain security posture of the Forbes Global 2000 companies annually. One of the key findings from this year’s 2022 Domain Security Report, captured in the chart below, was that Banking was the top industry being targeted with fake domain registrations, followed closely by Diversified Financial companies tied for the 5^th spot.

One of the key findings in this report is that out of all of the Global 2000 companies, over 75% of homoglyph domains are owned by third parties. And of those domains owned by third parties (not owned by the brand owner) that are online for malicious purposes, 14.6% of these domains are targeting the Banking and Diversified Financial companies alone – a high percentage given the number of industry classifications within the Global 2000.

Additionally, the report provided domain security scores to showcase top companies or industries with domain security best practices and protocols deployed. Further analyses of the report’s data showed in the chart below that Banking and Financial Services industries ranked in the middle of all industries for deploying security measures that can prevent domain or DNS attacks from happening.

Overall, from the report, we’re seeing some organizations becoming more secure, but there is still a portion of companies with considerable domain security risk. This year’s report reveals that 75 percent of the Global 2000 companies and their brands are being e maliciously registered as fake domains by third parties, as they fail to implement key domain security measures.

Many governing bodies have begun to focus on domain security, including the UK National Cybersecurity Center, and the Central Digital and Data Office, which offers a list of best practices. Below are four key steps a bank or financial institution can take to safeguard their domains and brands from online abuse and fraud:

• Adopt a defense-in-depth approach for domain management and security

Eliminate third-party risk by assessing your domain registrar’s security, technology, and processes along with your company’s domain name system (DNS) management provider. Be sure to also identify and secure vital domain names, DNS, and digital certificates.

• Continuously monitor the domain space and key digital channels

Register domains that could be high-value targets related to your brands and make sure you identify domain and DNS spoofing tactics as well. It is also important to identify trademarks and copyright abuse on web content, online marketplaces, social media and apps.

• Use global enforcement, including takedowns and internet blocking

To reduce the risk to your organization, it is vital to use phishing monitoring and a fraud-blocking network of browsers, partners, ISPs, and security information and event management systems. We also recommend using a range of technical and legal approaches for enforcement including takedowns and worldwide fraud blocking networks to mitigate these online scam sites by having an enforcement provider ‘on standby.’

• Confirm vendor business practices aren’t contributing to fraud and brand abuse

The following issues are often common with consumer-grade domain registrars:

• Operating domain marketplaces that drop catch, auction, and sell domain names containing trademarks to the highest bidder
• Domain name spinning and advocating the registration of domain names containing trademarks
• Monetizing domain names containing trademarks with pay-per-click sites

The risk of a bank or financial institution not addressing their domain security can be catastrophic. Domains that are not protected pose a significant threat to cybersecurity posture, data protection, consumer safety, intellectual property, supply chains, revenue, and reputation. We can expect awareness of these issues to grow, and for cyber insurance providers to start holding clients accountable for the quality and rigor of their domain defense strategies and approaches.

In today’s world, artificial intelligence (AI) will significantly increase cybercriminals’ skillsets when launching attacks so defense tools need to be as smart as the technologies used by bad actors. With innovations such as ChatGPT, the best course of action to protect banks and financial institutions is to continue to elevate the awareness of these threats and share best practices, so that organizations can improve their domain security posture and safeguard their domains and brands from online abuse and fraud.