It seems that almost daily, there is a new story about another bank or financial services institution (FSI) falling victim to a phishing or other cyberattack.
Usually, the stories are about a bank or FSI’s customers being victimized by spam emails that include a link to a malicious phishing website, which usually mimics the bank or FSI’s official website to the letter. Those phishing websites are used by cyberattackers to steal customers’ electronic banking login credentials and/or to deliver a banking Trojan or keylogger. The recent Webroot Quarterly Threat Trends Report found that, on average, there are 46,000 phishing websites created every day, and that FSIs and tech companies “are the most likely to be impersonated.”
Just in the past couple of months, articles have been published about phishing attacks targeting customers of banks and FSIs, large and small, around the world. Many attacks are now extremely sophisticated and even more insidious, such as the recent phishing attack that delivered the Trickbot banking Trojan to customers of Lloyds Bank in the UK: the phishing page showed customers the correct URL for the online bank and was served with a legitimate SSL certificate. Even the delivered malware is becoming stealthier and more deceptive, for instance by using obfuscation techniques to hide the malware from security scanners and sandboxing technologies.
Stories about bank and FSI customers falling victim to phishing campaigns are bad. But, what’s even worse is when the bank or FSI itself falls victim to a phishing or other email-driven cyberattack! The stakes are higher for the bank or FSI – as well as for its customers – because, not only is the bank where all the money is, but it’s where a great deal of customer information is also stored.
Many governments and regulatory bodies are so concerned about bank and FSI cyberattacks that they have created new rules and legislation on how banks and FSIs should protect themselves, their customers, and customer information from such attacks. Should an attack occur anyway, they have also created new rules on how quickly banks and FSIs must report an attack or breach to both regulators and customers. For instance, the State of New York’s Department of Financial Services (DFS) mandated new requirements for any bank or FSI under its purview, beginning on March 1, 2017. The new requirements include:
- A formal evaluation of cybersecurity risks and the effectiveness of related controls
- The naming of a CISO and appropriate staff cybersecurity training
- The inclusion of multi-factor authentication (MFA) or risk-based authentication, as well as encryption of personal information at rest and while being transmitted
- Effective and broad audit trails and the ability to destroy and prove destruction of personal information
- The assessment of, and written cybersecurity policies and procedures for, third-party entities that store or transmit any personal information of customers and others; and
- The notification of the DFS within 72 hours of determining that a “Cybersecurity Event” has occurred.
The Verizon 2017 Data Breach Investigations Report (DBIR) found that banking Trojans were often associated with financial data breaches, that phishing was present in 90 percent of incidents and breaches, and that 95 percent of phishing attacks that caused a breach were followed by some form of malware download. According to the Anti-Phishing Working Group (APWG), nearly 20 percent of phishing attacks targeted banks and FSIs. Given that the APWG found an average of 92,564 phishing attacks per month in Q4 2016 – the research period for its latest report – banks and FSIs, and their customers, faced an average of 18,143 phishing attacks every month in Q4 2016. And that number is increasing in 2017.
So, how can banks and FSIs protect themselves – and in return, their customers – from the plague of phishing campaigns and attacks?
A technology is available that ensures phishing attacks are disabled before they can even begin: Isolation.
For more information on how you can end malware, phishing and ransomware with isolation, please stop by Menlo Security’s booth at the FS-ISAC Fall Summit 2017 in Baltimore, MD, booth 66.
If you would like to learn more about how isolation can help eliminate the risk of malware, phishing and ransomware for financial services institutions (FSIs), please download the paper, “Financial Services Institution’s Best Practices Guide for Isolation.”