By Ben Bulpett, EMEA Identity Platform Director at SailPoint 

Cyber security breaches of any kind remain a serious threat both in terms of financial costs and reputational damage. However, with lucrative assets at stake, it comes as no surprise that the finance and insurance industries have been the most attacked targets in recent years.

The financial sector is generally known for having a high cyber security maturity level, to protect against criminals who have always sought financial gains. However, threats are continuing to evolve at pace, and the widespread disruption from the forced transition to remote work opened security and compliance gaps that many industries, including financial services, are still grappling with. As of January this year, the National Cyber Security Centre received over 10 million reported phishing scams. Globally, financial services accounts for nearly 40% of all phishing URLs.

The workforce will always come with a certain risk level, but employees are unknowingly creating visibility gaps, leaving a trail of breadcrumbs for attacks to slip through corporate infrastructure. As the number of attacks continue to rise, it is critical that financial services organisations and their employees take steps to protect themselves, and their customers. Doing so requires an understanding of the tactics threat actors are using, and how to avoid playing into their hands.

Seeking information online 

A cunning bad actor will stalk workers online to gather as much information as possible. Any information shared publicly on LinkedIn, Facebook, Twitter, or Instagram pages allows a cyber criminal to piece together a profile of the target. With nearly half of UK workers (47%) including their position and name of employer on their social media profile – some even sharing corporate emails (10%) for all to see – it is more likely that malicious actors will be able piece together a profile of their victims and strategize on who to target next.

While it is a common practice in many parts of the world to include work details on social profiles for networking and recruiting, it’s a stark reminder that unsavoury characters could be using this information in their next attack. Therefore, it’s imperative to be extra cautious about what is shared online; for example, include company and job title but leave out email addresses.

Using compromised emails and passwords 

Cyber criminals are using phishing scams to lure unsuspecting victims into leaking their organisation’s private information. But they’re also being given a head start in doing so. With a quarter of UK workers (25%) using corporate emails to conduct non-business related activity according to our research, for example social media logins and online shopping, there is a clear window for cyber criminals to find an ‘in’ to an organisation.

All it takes is one breach for this information to end up on the dark web forums, where it is bought and sold. To ensure a corporate email doesn’t end up in the wrong hands, employees should be encouraged to create a throwaway account to conduct non-business-related activities.

Impersonating CEOs and fellow employees 

Across the globe, workers are experiencing an influx of suspicious messages from top-level executives. This has been seen most recently with the FBI warning about a disturbing uptick in criminals exploiting virtual meetings to swindle organisations out of finances. In some cases, this went as far as hijacking video meeting accounts belonging to company executives in order to impersonate them and trick unsuspecting employees.

Malicious actors try to get unsuspecting individuals to pay them through spoofing financial services—with this sector being one of the highest targeting by phishing. Therefore, it is imperative to be vigilant when sussing out if a financial request for details is honest.

Mitigating against attacks through training and technology 

Criminals rely on a culture of blame. Therefore, it is important that organisations ensure a positive, ongoing conversation with employees, that results in a deeper understanding of exactly how these incidents will impact both individuals and the organisation. Our research found that currently, almost half (46%) of UK workers say that they have not received any formal training or education about phishing. Cyber education must be moved to the top of the list for employee training – with this in place, employees can feel well supported and equipped to deal with phishing threats when they occur.

Also crucial is the use of new technology, which can help mitigate against these type of attacks on the security perimeter in the first place. Cyber criminals often rely on using identities to try and trick organisations into thinking they are who they say they are. An identity security system can help organisations manage who has access to what, meaning access is permitted strictly on a need-to-know only basis – reducing the risk of sensitive information getting into the wrong hands. As well as this, it can also alert organisations to any user behaviour which is out of the ordinary and suspicious.

Protection for the long term 

All roads lead back to phishing – and the revenues generated by the financial services industry make them a ripe target. With proper awareness, education, and the will to remain hyper-vigilant – together with the right technology in place – the financial services industry can ensure it’s well protected against cyber threats.