Dark web data points to a digital blitzkrieg against banks

John Wilson, Field CTO at Agari

Financial institutions (FIs) are among the biggest spenders when it comes to cyber security: the financial sector has the second highest investment in security in the UK.

However, there is a key area of continued weakness for FIs, and that is advanced email attacks that bypass traditional cyber security technologies and target employees and customers.

Earlier this year reports uncovered an 80% increase in cyber-attacks against FIs, and now intelligence gathered from fifty top banks and FIs in the States and Europe shows a massive increase in Dark Web activity linked to targeted attacks on these institutions. While such attacks take different forms, they almost always start with an email – in fact 93% of successful breaches begin this way.

The most dangerous form of email attack, Business Email Compromise (BEC), occurs when criminals impersonate a trusted contact in order to persuade an employee, customer, or partner to transfer funds or divulge sensitive information. According to the FBI, BEC has led to more than $12.5 billion in losses for US businesses since October 2013. Beyond the direct financial losses, BEC has resulted in the dark web being flooded with stolen data including account details, logins, credit card numbers and other vital PII.

This increase in dark web activity suggests that banks and FIs are in for a digital blitzkrieg over the next year. Despite the mounting evidence of the coming storm, 80% of FIs lack the proper technologies to detect and block sophisticated BEC attacks.

Most financial organisations still rely on traditional anti-spam/anti-malware/anti-virus systems, which were never intended to stop modern email-based social engineering attacks. Meanwhile, the attackers have learned to evade these traditional defences by using low-volume, highly targeted attacks rather than the spray-and-pray techniques the defences were designed to prevent. It’s as though financial institutions are still relying on barbed wire, while the attackers have traded their horses for tanks.

Social engineering isn’t new. The famous hacker and social engineer Kevin Mitnick used to go diving in the rubbish bin to prepare for his exploits. Armed with just enough credible information, Mitnick could walk into just about any company and get access to their computers and phone systems. Today it’s much easier and far less risky, due to the wealth of information available on our corporate websites and social networks such as LinkedIn and Facebook. Add to that the enormous volume of PII aggregated from hundreds of high-profile data breaches, and suddenly attackers from every corner of the globe can target an individual, department, or corporation.

Using tactics such as display-name fraud, domain spoofing, lookalike domains and, when possible, previously hijacked email accounts, a typical BEC campaign has a success rate of 3.7%. The most successful attackers will spend weeks or even months to gain the trust of an unsuspecting mark before going in for the kill. Patience is clearly a virtue for attackers, as a successful BEC attack can score $130,000 or more, according to CNBC.

Million-dollar heists

In 2016 hackers pulled off an $81 million heist against the Central Bank of Bangladesh. It is believed that hackers infiltrated the systems needed to transfer funds through BEC attacks against low- and mid-level officials. Crime syndicates such as the Carbanak crime network, armed with $1.2 billion in loot from malware and phishing attacks, continue to hone their techniques to increase their success rate.

When it comes to customer targeting by the fraudsters, fake fraud alerts, account confirmations and suspension emails are among the top 10 most effective lures scammers use to hook their prey.

Like the Carbanak operation, many cybercriminals use “work from home” scams to recruit money mules to help them launder money. Others use the victims of online romance scams to help them move money. Despite some recent headlines touting multinational law enforcement actions against organised cyber criminal gangs, cyber crime continues to be a $2 trillion scourge on the global economy, amounting to a whopping 2%-5% of global GDP.

Disrupting deception

Traditional approaches to fighting BEC and other email threats haven’t proven effective at countering schemes that use identity impersonation and social engineering.

Machine learning is nothing new in the anti-spam space. Traditional solutions are trained to find a needle in a haystack by understanding what a needle looks like. It’s pretty easy to design a needle that doesn’t match the machine’s definition. Some financial institutions are finding success using modern machine learning technologies that assess people, relationships and behaviours in order to prevent malicious messages from reaching their targets. To continue the analogy, these modern machine learning algorithms learn what hay looks like so they can ignore it to find the needles.

Every company that receives mail also sends mail to their customers, partners, and employees. Protecting external parties presents its own set of challenges, as you have zero control over the protections in place outside your own organisation. Fortunately, there’s a standard known as Domain-based Message Authentication, Reporting and Conformance (DMARC) that can prevent exact-domain spoofing. While it’s heartening that most financial services organisations have deployed a DMARC policy, only 20% of financial institutions have published a strong policy that goes beyond monitoring to actually prevent spoofing.
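The distinction drawn above, between merely having a DMARC record and publishing one that actually instructs receivers to block spoofed mail, comes down to the tags in the `_dmarc` TXT record. The following is an added example, not code from the article or from Agari, that parses a DMARC record and grades it as missing, monitoring-only (`p=none`), partially enforcing (`pct` below 100 or a weaker subdomain policy `sp`), or fully enforcing (`p=quarantine` or `p=reject` applied to all mail and subdomains). The domain names and records are constructed for illustration; a real audit would fetch each institution's record with a DNS lookup of `_dmarc.<domain>`.

```python
"""Grade DMARC policy strength from TXT records (added example; constructed data)."""

# Constructed sample records for _dmarc.<domain>. None of these domains or
# records come from the article; in practice you would retrieve them via DNS,
# e.g. `dig TXT _dmarc.example.com`.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforcing.example",
    "lax-subdomains.example": "v=DMARC1; p=reject; sp=none",
    "no-record.example": "",
    "wrong-record.example": "v=spf1 include:_spf.wrong-record.example -all",
}

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs, keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_policy(record: str) -> tuple:
    """Return (strength, explanation) for one DMARC record.

    strength is one of: "missing", "monitoring", "partial", "enforcing", "invalid".
    """
    # RFC 7489 requires the record to begin with the v=DMARC1 tag; anything
    # else (empty, or an SPF record published at the wrong name) is no policy.
    if not record.strip().lower().startswith("v=dmarc1"):
        return "missing", "no DMARC record: receivers get no instruction about exact-domain spoofs"

    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    # sp defaults to p when absent (RFC 7489 section 6.3).
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption for this example: treat a malformed pct as the default

    if policy == "none":
        return "monitoring", "p=none only requests reports; spoofed mail is still delivered"
    if policy not in ENFORCING_POLICIES:
        return "invalid", f"unrecognised policy value p={policy!r}"
    if pct < 100:
        return "partial", f"p={policy} is applied to only {pct}% of failing mail"
    if sub_policy not in ENFORCING_POLICIES:
        return "partial", f"organisational domain is enforced but subdomains use sp={sub_policy}"
    return "enforcing", f"p={policy} applied to all failing mail, subdomains included"


def summarize(records: dict) -> dict:
    """Count domains per strength bucket, the way a sector-wide survey would."""
    counts = {"missing": 0, "monitoring": 0, "partial": 0, "enforcing": 0, "invalid": 0}
    for record in records.values():
        strength, _ = classify_policy(record)
        counts[strength] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        strength, why = classify_policy(record)
        print(f"{domain:26} {strength:10} {why}")
    print(summarize(SAMPLE_RECORDS))
```

Only the `enforcing` bucket corresponds to the "strong policy" the article describes; a domain with `p=none`, a low `pct`, or a lax `sp` still lets exact-domain spoofs reach recipients, which is why a survey that counts "has DMARC" overstates real protection.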

Will any of this help? There are certainly signs of progress. In fact, organisations seeking solutions to advanced email threats can take a cue from companies that are blazing trails against these and other emerging challenges.

With Dark Web activities pointing to increased attacks on major banking system transfer platforms such as SWIFT, as well as stepped-up assaults on consumers, FIs need to heed the warnings and deploy effective solutions against email-borne social engineering attacks.

With 30% of UK companies reporting that they have sacked an employee for negligence around data breach, it is not just money and reputation on the line. It is careers too.
