Financial services firms are 300 times more likely than other companies to be targeted by cybercriminals. Plus, attacks are increasingly sophisticated, regulators are cracking down, and supply chain attacks are up. In short: it's all sunshine and rainbows.
In this post we’re taking a look at what the financial services sector is facing now based on data from our own Threat Intel findings, as well as unpacking attack methods and regulatory actions.
The threat landscape for financial services companies
The financial sector experienced some relief as ransomware hit a lull in 2022. Government intervention hindered some big-name ransomware gangs, and others prioritized staying out of the spotlight (momentarily). As the US government declared the need for bold changes to address the threat environment, cybercriminals began plotting their next steps.
After a subdued year, threat actors were back full-force and ready to line their pockets in 2023. Given the nature of the financial services sector — highly regulated and dependent on consumer trust — it was a good place to make up for lost time with lucrative ransom payouts.
Corvus’s Threat Intel team found that the number of victims in the financial sector increased 230.76% from Q4 2022 to Q2 2023. Q2 2023 saw more ransomware victims in finance than any other quarter over the past two years.
[Chart: Avg. Ransom Demand]
CL0P’s zero-day exploit of MOVEit, a popular file-transfer product, made a notable impact on the financial services industry. More than a dozen banks and credit unions reported related data breaches in which personal information, such as names, Social Security numbers, and addresses, was accessed by CL0P.
Meanwhile, the Russian-backed ransomware-as-a-service group LockBit regularly targets noteworthy victims in the financial services sector. They aren’t dissuaded by organizations with hefty security budgets: this summer they successfully breached ICBC, the world’s largest bank. The Financial Services Information Sharing and Analysis Center recently released a whitepaper on LockBit due to their repeated attacks against the industry.
Phishing for the weakest link
Nearly one in five business email compromise attacks investigated by Unit 42 involved the financial services industry. At its simplest, business email compromise (BEC) is an attack that involves using the medium of email to trick an individual into giving up something of value. These attacks leverage either social engineering tactics, like impersonating an executive, or stolen credentials — or both — to increase the chance of success.
Once a threat actor has their hands on a legitimate (or seemingly legitimate) business email account, they can play on their victim’s trust for financial gain.
This summer, Microsoft’s threat analysts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack that targeted the financial services industry. The attack began with an email from a compromised vendor, sent to a target organization. The victim then clicked on a faux OneDrive document preview, entered their credentials on a phishing page mirroring a Microsoft sign-in page, and was prompted by a forged MFA page. Because the AiTM proxy sat between the victim and the real sign-in service, it captured the authenticated session cookie; the threat actors used that cookie to impersonate the user and circumvent further MFA prompts.
After setting an Inbox rule that sent all incoming emails to the Archive folder (so as not to alert the victim), the attacker sent 16,000 phishing emails to the victim’s contacts. While most phishing attempts have simple origins (a fake login screen, for example), the attacks can quickly become incredibly convoluted, especially as threat actors face the challenge of bypassing MFA.
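Two defender-side checks for the chain just described, written as an added example (not code from the original post or from Microsoft): one flags a post-MFA session id that is later reused from a different IP, as happens when an AiTM proxy replays a captured cookie; the other flags a newly created inbox rule that hides all incoming mail with no sender or subject condition. The record shapes are simplified approximations of Microsoft 365 sign-in and Exchange audit events, and all sample records are constructed.

```python
"""Detection heuristics for the AiTM session-replay and inbox-rule pattern.

Assumptions (not from the original post): events are simplified dicts that
approximate Microsoft 365 sign-in and Exchange audit records; field names are
illustrative and the sample data below is constructed.
"""
from collections import defaultdict

# Constructed sign-in events. Alice's session is replayed from a second IP
# without a fresh MFA challenge (the AiTM cookie-theft signature); Bob's is not.
SIGNINS = [
    {"user": "alice@example.com", "session": "s-1", "ip": "203.0.113.10", "mfa": True, "t": 1},
    {"user": "alice@example.com", "session": "s-1", "ip": "198.51.100.7", "mfa": False, "t": 2},
    {"user": "bob@example.com", "session": "s-2", "ip": "203.0.113.11", "mfa": True, "t": 3},
    {"user": "bob@example.com", "session": "s-2", "ip": "203.0.113.11", "mfa": False, "t": 4},
]

# Constructed Exchange audit events for inbox rules (in the spirit of the
# New-InboxRule operation; parameter names simplified).
RULE_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": "cleanup", "MoveToFolder": "Archive"}},
    {"user": "bob@example.com", "op": "New-InboxRule",
     "params": {"Name": "newsletters", "From": "news@example.net", "MoveToFolder": "Newsletters"}},
]


def session_replay(signins):
    """Return (user, session) pairs whose session id was used from more than one IP."""
    ips_by_session = defaultdict(set)
    for e in sorted(signins, key=lambda e: e["t"]):
        ips_by_session[(e["user"], e["session"])].add(e["ip"])
    return sorted(k for k, ips in ips_by_session.items() if len(ips) > 1)


# Folders a user is unlikely to read, plus the condition keys a benign rule usually has.
HIDE_FOLDERS = {"archive", "deleted items", "rss subscriptions", "junk email"}
CONDITION_KEYS = {"From", "SubjectContainsWords", "BodyContainsWords", "SentTo"}


def suspicious_rules(events):
    """Flag new inbox rules that move or delete ALL mail (no condition) into a hidden folder."""
    hits = []
    for ev in events:
        if ev["op"] != "New-InboxRule":
            continue
        p = ev["params"]
        unconditional = not (CONDITION_KEYS & p.keys())
        hidden = p.get("MoveToFolder", "").lower() in HIDE_FOLDERS or bool(p.get("DeleteMessage"))
        if unconditional and hidden:
            hits.append((ev["user"], p.get("Name")))
    return hits
```

In production the same logic would run over the tenant's unified audit log and sign-in log exports, with the IP comparison widened to ASN or geolocation to cut false positives from mobile users.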
Regulators notice the spikes in attacks, too
One reason threat actors target the financial services sector is due to the importance of consumer trust in the industry. They are handling sensitive information and money, things most of us hold in high regard. Cybercriminals know the precarious position they put these organizations in when they suffer a breach. They are counting on it, actually.
Regulators also know the devastating effects of private data falling into the hands of cybercriminals — and they want to avoid it. Cybersecurity compliance is now a priority at both the state and federal level. As of this October, the Federal Trade Commission requires nonbank financial institutions, like mortgage brokers, to report any breach that involves the data of more than 500 customers.
In November, New York State’s Department of Financial Services amended its cybersecurity regulations to include new controls, more regular risk assessments, and mandated reporting of ransom payments for regulated industries. And last year, the U.S. Securities and Exchange Commission (SEC) fined more than a dozen financial institutions almost $2 billion for mishandling data.
TL;DR: The entire financial services sector needs to continue to prioritize cybersecurity in order to safeguard their customers’ data and meet strict regulatory requirements.
On the bright side ☀️
Organizations in the financial services industry know how important it is to maintain their clients’ faith. At Corvus, we regularly look to work with the organizations in this industry because we know how seriously they take cybersecurity.
Finance organizations are typically faster than other sectors to detect and contain data breaches. On average, companies across industries take 204 days to identify and 73 days to contain a breach. But in the financial industry, breaches are identified in 177 days and contained in 56 days, according to IBM’s Cost of a Data Breach Report 2023.
With increased scrutiny from the public — and a target on their backs from threat actors — financial institutions are spending more on cybersecurity to combat malicious attacks. In 2022, the majority of financial institutions planned to increase their budget by 20–30 percent, reports VMware.
At Corvus, we are happy to work with the financial sector to help manage the risks they face in the current tumultuous threat landscape.