How Financial Institutions Can Protect Against Phishing Attacks
As the barriers to entry for cybercrime have fallen, the severity of phishing attacks has risen. The financial sector remains among the most heavily targeted industries, so its information technology (IT) teams should expect the volume of threats to keep growing. How can they protect themselves?
The Prevalence of Phishing in the Financial Sector
IT teams in the financial sector are well acquainted with phishing, but recent advances such as generative artificial intelligence have eroded some long-standing heuristics: lures no longer betray themselves through poor spelling, clumsy grammar or generic greetings. At the same time, attack severity, sophistication and frequency have all risen sharply, and every indicator suggests the trend will continue as the barriers to entry for cybercrime keep falling.
Cybercrime-as-a-service and AI have emboldened attackers, and the surge is not confined to banks, credit unions, insurers and lenders. One industry report measured a 1,265% increase in phishing attempts from the fourth quarter of 2022 to the third quarter of 2023, an average of roughly 31,000 a day.
Even so, the financial sector is targeted disproportionately: in 2022, 36.3% of all phishing attempts were aimed at it. The industry's proximity to money, the incentive behind most cyberattacks, is the main reason, but many attackers also exploit the novelty of modern financial technology (fintech), whose customers have fewer settled expectations about what a legitimate message from their provider looks like.
As attack intensity grows, so does regulatory scrutiny, and companies have seen a wave of new rules in recent years. The U.S. Securities and Exchange Commission (SEC), for example, now requires publicly traded companies to disclose a material cybersecurity incident within four business days of determining that it is material, which makes fast detection and recovery more important than ever.
Protecting Against Phishing Is a Combined Effort
If companies don’t educate employees and customers, they remain vulnerable to phishing attacks regardless of their IT team’s expertise. Securing sensitive financial data and systems requires a combined, ongoing effort.
The Employee’s Role
According to a Cybersecurity and Infrastructure Security Agency (CISA) assessment, eight in 10 employees clicked on a malicious link or disclosed sensitive information within 10 minutes of receiving a phishing email. Only a fraction of those who weren’t duped reported the suspicious activity to management.
Training employees to recognize phishing and respond appropriately, above all by reporting it rather than quietly deleting it, is critical. Employers and IT leaders should apply proven adult-learning practices, such as gamification and personalization, to hold attention and improve retention. Because staff forget at least half of the material within days of a first session, education has to be ongoing: short refreshers and periodic simulated phishing exercises work better than a single annual module.
The Customer’s Role
Customers play a key role in strengthening defenses because attackers can use their compromised accounts or stolen personally identifiable information (PII) to craft convincing phishing content. Leveraging an education campaign to keep them informed helps companies create a comprehensive defense.
Financial entities should send periodic reminders about common phishing tactics, including email spoofing, unsolicited messages and social engineering, and should state plainly what the institution will never ask for by email, text or phone, such as a password or a one-time code. In-depth newsletters and free information packets can further raise awareness. Decision-makers should consider inviting customers to in-person education sessions, using refreshments or rewards as incentives.
Cybersecurity Strategies to Defend Against Phishing
According to one survey, over 50% of respondents rank phishing as the number one threat facing the financial sector. A threat that significant warrants a defense that combines proven techniques with current technology.
Access Controls
Phishing is widely cited as the starting point of as many as 95% of cybersecurity incidents, so companies should assume they cannot eliminate it and plan for the day a lure succeeds. Access controls built on the principle of least privilege, with role-based permissions and time-limited elevation for administrative tasks, limit what a compromised account can view or exfiltrate and make any attempt to reach beyond that footprint stand out to monitoring.
Multi-Factor Authentication
Banks, credit unions and fintech companies should use multi-factor authentication (MFA) internally and for their applications' end users. It defeats attacks that rely on a password alone, including brute force, credential stuffing and the simplest credential-harvesting phish. Its effectiveness against phishing, however, depends on the factor. One-time codes (SMS, email or authenticator apps) and push approvals can be relayed in real time by adversary-in-the-middle (AiTM) phishing kits or worn down by push fatigue, because nothing ties the code to the site the user is actually on. Phishing-resistant MFA based on FIDO2/WebAuthn (security keys and passkeys) binds each credential to the legitimate origin, so an assertion produced on a look-alike domain is useless to the attacker. Whatever the factor, the IT team must close the workarounds: legacy protocols that bypass MFA, weak SMS fallbacks and help-desk reset procedures an attacker can talk their way through.
In practice, even conventional MFA is highly effective. One study found it reduced the risk of compromise by 99.22% and that over 99.99% of MFA-enabled accounts remained secure during the researchers' investigation period. Although many people find it slightly annoying or slow, customer education campaigns can help them understand that the security is worth the inconvenience.
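To make the difference between a relayable factor and a phishing-resistant one concrete, the following is an added example written for this article, not code from it or from any vendor. It simulates an AiTM proxy first relaying a TOTP code and then relaying a WebAuthn assertion. The domains bank.example and bank-secure-login.example, the secrets and the challenges are constructed. To stay dependency-free, the authenticator's per-credential signature is modelled as an HMAC over the same bytes a FIDO2 authenticator signs (authenticatorData followed by SHA-256 of clientDataJSON), so the key the bank stores is a shared secret here rather than a public key; a real authenticator uses a per-credential ECDSA or EdDSA key, which changes nothing about the origin check being demonstrated.

```python
"""AiTM relay against TOTP versus a WebAuthn assertion (added example; see lead-in)."""
import base64, hashlib, hmac, json, secrets, struct

BANK_ORIGIN = "https://bank.example"                 # constructed
BANK_RP_ID = "bank.example"
PHISH_ORIGIN = "https://bank-secure-login.example"   # attacker's look-alike site (constructed)


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


# --- TOTP (RFC 6238: HOTP over the 30-second time step, HMAC-SHA1, dynamic truncation) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def aitm_relay_totp(shared_secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it to the bank in time."""
    code_typed_on_phish_page = totp(shared_secret, now)
    # The bank cannot tell where the code was typed, so it accepts the relayed value.
    return hmac.compare_digest(totp(shared_secret, now), code_typed_on_phish_page)


# --- WebAuthn-style assertion (simplified; HMAC stands in for the per-credential signature) ---
def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser rule: rpId must equal the origin's host or be a registrable parent of it."""
    host = origin.split("://", 1)[1].split("/")[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    def __init__(self):
        self.keys = {}                                # rp_id -> credential key (constructed)

    def register(self, rp_id: str) -> bytes:
        """Create a credential scoped to rp_id and return the key the bank stores for verification."""
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, rp_id, browser_origin, challenge, enforce_browser_rule=True):
        if enforce_browser_rule and not rp_id_matches_origin(rp_id, browser_origin):
            raise PermissionError(f"rpId {rp_id!r} is not valid for origin {browser_origin!r}")
        # The browser, not the page, writes the origin it is on into clientDataJSON.
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                  "origin": browser_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(self.keys[rp_id], auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return client_data, auth_data, sig


def bank_verify_assertion(key, challenge, client_data, auth_data, sig) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != BANK_ORIGIN:               # the phishing-resistant check
        return False
    if auth_data[:32] != hashlib.sha256(BANK_RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_webauthn_login(auth: Authenticator, key: bytes) -> bool:
    challenge = secrets.token_bytes(32)
    return bank_verify_assertion(key, challenge, *auth.get_assertion(BANK_RP_ID, BANK_ORIGIN, challenge))


def aitm_relay_webauthn(auth: Authenticator, key: bytes) -> dict:
    """Proxy forwards the bank's real challenge to the victim's browser on the phishing origin."""
    challenge = secrets.token_bytes(32)               # fetched by the proxy from bank.example
    result = {"browser_refused": False, "bank_accepted": None}
    try:
        auth.get_assertion(BANK_RP_ID, PHISH_ORIGIN, challenge)
    except PermissionError:
        result["browser_refused"] = True              # a normal browser stops the attack here
    # Even a tampered client that skips that rule still puts the phishing origin into
    # clientDataJSON, so the relayed assertion fails the bank's origin check.
    forged = auth.get_assertion(BANK_RP_ID, PHISH_ORIGIN, challenge, enforce_browser_rule=False)
    result["bank_accepted"] = bank_verify_assertion(key, challenge, *forged)
    return result


def run_demo() -> dict:
    device = Authenticator()
    key = device.register(BANK_RP_ID)
    return {"totp_relay_succeeds": aitm_relay_totp(b"12345678901234567890", 1_700_000_000),
            "webauthn_login_ok": legitimate_webauthn_login(device, key),
            "webauthn_relay": aitm_relay_webauthn(device, key)}


if __name__ == "__main__":
    print(run_demo())
```

The TOTP relay succeeds because a six-digit code is just a function of a shared secret and the clock; the WebAuthn relay fails twice over, first because the browser refuses to use a bank.example credential on another domain, and second because the origin the browser records in clientDataJSON is what the bank checks, not what the phishing page claims. The `totp` function is the standard RFC 6238 construction and reproduces the RFC's SHA-1 test vector.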
Predictive Forecasting
IT teams can use predictive models to anticipate when phishing campaigns are likely and which roles or customers they will target. Training the models on real-world examples and historical incident logs improves their forecasts. This can help companies adapt as threat groups adopt AI themselves, but the models must be retrained as tactics change, and forecasting supplements rather than replaces the preventive controls above.
Email Filtering Technology
Email filters identify phishing before it reaches a mailbox by screening inbound mail and, to catch data loss from compromised accounts, outbound mail. Because 68% of email attacks are text-based, with only 22% link-based and 10% file-based, a filter that inspects just URLs and attachments misses most of them; effective filtering also checks sender authentication (SPF, DKIM and DMARC results), display-name impersonation, look-alike domains, Reply-To mismatches and urgent or payment-related language. Deployed this way, the filter is the first line of defense and stops most lures before an employee ever sees them.
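As an added illustration, not code from the original article or from any product, the following Python script applies header- and content-level checks of this kind to three constructed messages: a text-only business email compromise lure with no link or attachment, a spoofed security alert with a deceptive link, and a legitimate internal message. The domain bank.example, the executive watch-list, the keyword list and the scoring weights are illustrative assumptions; a production filter would compare domains against the public-suffix list and use far richer content models.

```python
"""Inbound-filter style phishing checks on raw RFC 5322 messages (added example; see lead-in)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "bank.example"                            # assumed: the institution's own domain
EXECUTIVES = {"jane doe": "jane.doe@bank.example"}       # assumed: display names attackers impersonate
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|suspended|wire|verify your account)\b", re.I)
WEIGHTS = {"auth-fail": 3, "display-name impersonation": 3, "lookalike domain": 3,
           "link text/href mismatch": 3, "reply-to domain mismatch": 2, "urgency language": 1}


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """A domain that is not ours but reuses our brand label or is one edit away from it."""
    if not domain or domain == OUR_DOMAIN:
        return False
    ours, theirs = OUR_DOMAIN.split(".")[0], domain.split(".")[0]
    return ours in theirs or levenshtein(ours, theirs) <= 1


def analyze(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])

    # 1. Sender authentication results stamped by our MX (SPF/DKIM/DMARC).
    results = dict(AUTH.findall(str(msg.get("Authentication-Results", ""))))
    if results.get("dmarc") == "fail" or results.get("spf") == "fail":
        flags.append("auth-fail")
    # 2. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display-name impersonation")
    # 3. Look-alike domain in From or Reply-To.
    if any(is_lookalike(d) for d in (from_dom, reply_dom)):
        flags.append("lookalike domain")
    # 4. Reply-To steering replies to a different domain than From.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain mismatch")
    # 5. Body: anchor text naming our domain while the href goes elsewhere; urgency cues.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in LINK.findall(text):
        host = (urlparse(href).hostname or "").lower()
        if OUR_DOMAIN in shown and host != OUR_DOMAIN and not host.endswith("." + OUR_DOMAIN):
            flags.append("link text/href mismatch")
            break
    plain = str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)
    if URGENCY.search(plain):
        flags.append("urgency language")
    return {"score": sum(WEIGHTS[f] for f in flags), "flags": flags}


def verdict(raw: str) -> str:
    return "quarantine" if analyze(raw)["score"] >= 3 else "deliver"


# Constructed sample 1: text-only BEC lure, no link or attachment (the 68% case).
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe.cfo@webmail.example>
Reply-To: jane.doe.cfo@bank-secure-login.example
To: treasury@bank.example
Subject: Urgent wire before close
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=webmail.example; dkim=pass header.d=webmail.example; dmarc=none
Content-Type: text/plain

I am in a meeting and cannot take calls. Reply with the beneficiary details so I can approve the wire immediately.
"""

# Constructed sample 2: spoofed From header that fails DMARC, with a deceptive link.
SAMPLE_SPOOF = """\
From: "Bank Security" <alerts@bank.example>
To: treasury@bank.example
Subject: Your account has been suspended
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=bank.example; dkim=none; dmarc=fail header.from=bank.example
Content-Type: text/html

<p>Unusual activity was detected. Verify your account within 24 hours:</p>
<p><a href="https://bank.example.account-verify.example/login">https://bank.example/login</a></p>
"""

# Constructed sample 3: legitimate internal message.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@bank.example>
To: treasury@bank.example
Subject: Q3 budget notes
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
Content-Type: text/html

<p>Notes from this morning are on the intranet: <a href="https://intranet.bank.example/q3">https://intranet.bank.example/q3</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("SPOOF", SAMPLE_SPOOF), ("LEGIT", SAMPLE_LEGIT)):
        print(label, verdict(sample), analyze(sample))
```

The first sample passes SPF and DKIM, contains no link and no attachment, and would sail through a filter that only checks those; it is caught here by the executive display name on an outside address, the look-alike Reply-To domain and the payment urgency. The second is caught by the DMARC failure and the mismatch between the link text and its real destination.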
Safeguarding Financial Institutions from Phishing
Phishing is a long-standing pain point in the financial sector, but it is evolving rapidly thanks to AI and cybercrime-as-a-service. IT teams that want to keep up must train employees to recognize and report it, run customer education campaigns and combine proven controls with current filtering and analytics.