Cyber Threats to the Financial Services Sector

By Ashley Allocca, Senior Cyber Security Intelligence Analyst at risk intelligence firm Flashpoint

Analysis of organisations targeted by threat actors last year indicates every type of business in the financial services industry (FSI) is at risk of a cyber-attack. From retail, commercial and internet-native banks and credit unions to credit card companies, investment brokerages, insurance firms and mortgage lenders – security teams around the world will continue having their work cut out for them during 2022.

FSI businesses, and their partners and customers, are in a constant battle against an increasingly sophisticated and ever-evolving threat landscape. By identifying the primary threats the sector will face, organisations can look to mitigate and prevent attacks.

Ransomware

Ransomware attacks not only pose a serious threat with the potential to cost companies millions of dollars, but also put the assets of their customers, employees, and partners at risk. In March 2021, insurance company CNA Corporation, paid a US $40 million ransom after threat actors gained access to the records of 75,000 people.

Some of the world’s most powerful governments are taking deliberate action against ransomware attacks. In Australia, the Federal Government released a Ransomware Action Plan, which identifies ransomware as “one of the most damaging types of cyberattacks… which can have severe and long-lasting impacts on Australians and their businesses.”

Third-party risks

Financial institutions must be aware of supply chain risks that stem from third-party vendors and partners, such as cloud service providers and managed service providers. Breaches or cyber-attacks launched against vendors, along the software supply chain, could significantly affect business operations, compromise sensitive customer data, and erode customer trust and brand reputation.

As financial institutions continue to digitize, they adopt more cloud-based technology, like open banking, virtual workspaces, and data-sharing applications. The cloud threat landscape is plagued with well-known misconfigurations, which threat actors can exploit to gain a foothold in the network environments, exfiltrate data, and sell it within illicit communities.

Malware, e-skimmers, and formjacking

A digital form of skimmers – small, physical devices threat actors attach to ATMs to swipe payment card data and PIN codes – is a major cybersecurity concern for financial institutions and their vendors. The practice is referred to as e-skimming and involves a threat actor injecting lines of malicious code into a website to steal information from HTML fields, including credit card data and other credentials. E-skimmers drive customers to domains controlled by a fraudster that look, feel, and function like a legitimate checkout page.

Threat actors frequently use e-skimming to steal data during a purchase, making them a threat not only to financial institutions, but also to their retail partners or any other entity that processes payment information on their behalf.

Compromised banking credentials

Within illicit marketplaces, threat actors advertise credential offerings that have often been harvested using stealer malware. In addition to selling these bank logs, threat actors can use the logs for themselves by transferring funds electronically to other bank accounts, purchasing gift cards, or other fraudulent purchases. If the transactions are disputed by the victim, the financial onus often falls on the card issuer.

Synthetic identities

Synthetic identity fraud (SIF) is a method whereby threat actors create accounts or profiles by pairing legitimate information with false information. This is a major threat for financial institutions as bank accounts and lines of credit can then be built and maintained based on these profiles.

De-centralisation and cryptocurrency

Threat actors use the anonymity provided by de-centralised finance (DeFi) and cryptocurrencies to conduct illegal activity. Bitcoin, Ethereum, and Monero are three of the most popular, and all use blockchain technology, which is public, open source, and distributes the trust of the financial network across all participants.

Although anonymity is a perceived benefit of these cryptos, both Bitcoin and Ethereum transactions can be easily traced through their blockchain ledger when other operational security practices are used. Monero, the preferred crypto for privacy-minded threat actors, is a privacy coin, which uses anti-forensic methodologies to obfuscate all transactions on its blockchain, making it difficult to follow.

There are many types of scams that affect crypto holders, but the most common are related to romance, investments, initial coin offerings, fake exchanges, mobile apps, giveaways, extortion, and QR codes. Crypto scams fall into two categories, both of which are most commonly executed via social engineering; either compromising a victim’s wallet, or tricking the victim into transferring funds.

Data breaches

Research from Risk Based Security (RBS) shows, in terms of data breaches, FSI businesses represent one of the most targeted sectors, second only to healthcare. Many of these breaches originate from unauthorised access to systems or services, or “hacking”.

Whether or not these incidents stem from outside or inside the organisation, the type of data most often being targeted remains consistent. Threat actors, including insiders, typically target names, government assistance information, as well as other financial data, including bank account numbers and transaction details.

Organisations must stay one step ahead of the evolving threat landscape. While identifying the potential threats is a necessary first step, vigilant monitoring for vulnerabilities and a well-developed incident response plan is paramount. By understanding both the potential risks, as well as careful analysis of past exposures, organisations can gain insight that could potentially save them millions.