According to Forgerock, the financial services industry suffered $6.2 billion in damage from cyberattacks in Q1 2019, up from $8 million in Q1 2018 — a 77,400 percent increase. HSBC, JP Morgan and PayPal are just a few of the financial institutions that have experienced data breaches. Even less established digital natives such as Monzo, Nutmeg and Coinbase have fallen foul. No one is immune.
Cybercrime in the financial services industry is rife and there is no bigger threat than phishing, particularly on mobile devices, which have fast become the preferred device for employees, contractors and even IT professionals who install kiosks and other modernization enhancements in the workplace. Research revealed that 90 percent of data breaches start with a phishing attack.
Focusing on financial services in particular, a recent study by Wandera found that 57.33 percent of financial services companies have experienced a mobile phishing attack, compared to 42.2 percent of companies across industries. Neither figure is particularly reassuring, but the data emphasizes that the financial services industry is highly targeted, phishing is a systemic problem and mobile devices need adequate protection to prevent cyberattacks of this ilk.
Why Are Mobile Phishing Attacks Such a Problem?
To start, mobile devices are crowded. Relative to more traditional form factors such as desktops, mobiles have much smaller screens and a touch user interface (which means less accurate clicking), and information is visibly truncated (e.g., URLs in browsers).
Usage is also very different for mobiles. If an employee is on a desktop at their desk in the office, it’s (hopefully) a calm, work-oriented setting in which to concentrate. Working on a mobile device can be very different. We can be anywhere: on the train, in a coffee shop, at an airport, even on a beach. The reality is that mobile devices enable us to work in more distracting environments and are not necessarily conducive to good cyber hygiene.
We also need to look at the traditional technologies used to protect against phishing.
Traditional anti-phishing technologies typically focus on email, but email isn’t the only avenue attackers can use for phishing. Social media, messaging and other communication platforms facilitate a far more open communication model, vastly increasing the attack surface.
Why Is Mobile Phishing a Big Issue in Financial Services?
Insulating employees from cyberthreats is an important mandate for security teams. It’s particularly important for an industry like financial services, in which employees guard highly sensitive customer data. According to one survey, 29 percent of financial services employees admitted to clicking on a phishing link, compared to the average of 11 percent. Evidently, greater protections need to be put in place to stop cybercriminals from getting their paws on login credentials for sensitive company data.
Phishing awareness training will inevitably arm employees with basic knowledge of what to look out for. However, phishing has evolved far beyond the rudimentary Nigerian prince scam; they are not nearly as obvious and more akin to well-executed marketing campaigns.
Phishing kits are readily available online, if you know where to look. Companies wanting to preserve their brand often upload design files to their sites. These provide almost everything bad actors need to create legitimate-looking phishing pages, and a quick search delivers all the how-tos they need to create phishing materials. There are even services available on freelance sites like Fiverr. The cybercriminal economy is booming.
Additionally, attackers have generally transitioned away from broad-scale, spray-and-pray campaigns to more targeted spear phishing. Pomeroy Investment is a noteworthy example: A spear phishing attack cost the company $495,000.
Organized cybercriminal groups are increasingly using spear phishing to target the financial services industry. The hacking group London Blue, for example, acquired a list of roughly 35,000 CFOs, some of whom worked for top-tier financial services organizations, and launched a series of highly targeted business email compromise (BEC) attacks. Another cybercriminal group, Silence, was identified as a major threat to banks using spear phishing to target employees.
What Can Financial Services Firms Do to Prevent Mobile Phishing Attacks?
In some circles, phishing awareness training is touted as enough to keep phishers at bay, but phishing campaigns are increasingly inventive in how they poach personal and corporate data. Yes, phishing training has its place, but it’s by no means bulletproof.
People are inundated with notifications. It’s easy to think that everyone has the time to carefully vet every email, LinkedIn message and IM that comes their way — particularly on mobile, where we’re easily distracted. This perfect state of diligence seldom exists; companies have to accept that employees are imperfect when it comes to security and provide added protection to alleviate the security burden from employees.
Having an appropriate mobile security solution in place, such as mobile threat defense (MTD), can help reduce employee dependency. An agent that operates at both the endpoint and network levels can help protect unsuspecting employees from phishing attacks.
In this day and age, if an employee gets phished, it shouldn’t be the end of the world. Time and time again, password-based authentication in isolation has proven a weak solution to security. Robust identity and access management (IAM) controls need to be implemented to maintain digital trust and security in an increasingly cloud-centric world.
Multifactor authentication (MFA) can undoubtedly dampen an attacker’s efforts to access a system requiring two or more independent credentials. Even then, however, access shouldn’t be black and white. Conditional access needs to be applied to assess the context of a session and provision access accordingly. But security shouldn’t stop there: What if a hacker is skilled enough to bypass all of these lines of defense?
Financial services companies need to move away from an unnecessarily escalated privilege access model to one of least privilege — the minimal access needed for an employee to do their job productively. Ensuring that privilege is tied to an employee’s role can help mitigate an attacker’s ability to move laterally throughout a network or coerce an employee to do their bidding.
A multilayered approach to security is essential. There is no silver-bullet technology for security, nor is there a particular combination that companies need to use; it is very much company-dependent.