Financial institutions are an obvious target for cybercrime.
Unless they double down on strong internal security against a broad range of threat vectors, they will continue to be targeted and victimized by fraud rings and nation-states. Unfortunately, their IT security is perceived to be deficient — especially within smaller banks and credit unions.
Making matters worse, cybercriminals are adopting new technologies, coordinating more closely, and becoming more sophisticated. They compromise employees' and customers' personally identifiable information (PII) and reuse it in schemes elsewhere, and they buy credentials leaked in large-scale data breaches on the dark web to take over legitimate accounts.
In this post, we’ll explore five emerging cybersecurity threats that financial institutions need to take seriously by building the requisite safeguards to protect their assets, customer data, and reputation.
1. Identity Theft
Scary Stat: 16.7 million U.S. consumers were the victims of identity fraud in 2017, a record high that followed a previous record the year before, according to the 2018 Identity Fraud Study by Javelin Strategy & Research. The amount stolen that year hit $16.8 billion, and 30 percent of U.S. consumers were notified of a data breach, up 12 percent from 2016.
Defined: Identity theft is the crime of using someone’s personal information, credit history or other identifying characteristics in order to make purchases or borrow money without that person’s permission.
Impact: After a large-scale data breach, much of the stolen personal information is soon available on the dark web, where it is bought, sold, and combined with data from other breaches to perpetrate identity theft and account takeover on a grander scale. As a result, every time someone opens an account online, the institution has to ask whether the applicant is really who they claim to be. The natural reaction is to add more identity checks at onboarding, but each added check increases friction, and legitimate customers abandon the process.
2. Account Takeover
Scary Stat: Account takeovers tripled in 2017 from 2016, and losses totaled $5.1 billion, according to the 2018 Identity Fraud Study by Javelin Strategy & Research.
Defined: Using another person’s account information (e.g., a credit card number) to obtain products and services using that person’s existing accounts.
Impact: To execute an account takeover (ATO)-based email attack, a cybercriminal first gains access to a trusted email account, usually through phishing, then uses that account to launch further email attacks for financial gain or to carry out a data breach. ATO-based attacks are particularly dangerous and effective because they originate from the email accounts of trusted senders. This has two important ramifications: first, the attack is very likely to succeed because the recipient already trusts the sender; second, these attacks often go undetected by traditional security controls such as sender reputation, SPF/DKIM checks and domain blocklists, because the mail is sent from a legitimate account through the legitimate mail server.
3. Synthetic Fraud
Scary Stat: According to reports in The Wall Street Journal, a record $355 million in outstanding credit card debt is now owed by people who did not even exist as recently as 2017. By year's end, losses from synthetic identity fraud alone could top $8 billion, and the real damage caused by fictitious people is casting doubt on the entire consumer-credit ecosystem.
Defined: Synthetic identity theft occurs when criminals create a fictitious identity from a mix of real and fabricated information, such as a Social Security number, date of birth, address, phone number, and email. The immediate victim is the bank or lender, but in the long term, whoever's Social Security number was used (this can be a child or an adult) will have to deal with the impact of any accounts or debts fraudulently attached to it.
"All of it is real data and all of it will potentially check out when scanned against systems, but the real person won't really know it's happening because they're only a third of the identity that's created," said Ryan Rasske, CERP, CAFP, the American Bankers Association's SVP responsible for serving bankers in the risk and compliance area.
Impact: By all appearances, these fictitious people can seem like ideal customers, with multiple “proof of life” indicators, including their own social media profiles. And when they take out credit, they tend to pay bills promptly and nurture accounts for months or even years — only to max them out and never repay them. It’s important to note that monetary losses are just part of the whole story — financial institutions also need to dedicate time, energy, and resources to chase down these non-existent identities.
What's particularly worrisome about this new method of defeating the identity checks used at account opening is that it works: each individual data point validates on its own. In the short term, the inability to connect an ever-growing set of data points across applications (the same Social Security number submitted with different names or dates of birth, or one phone number and address reused across many applicants) makes the fraudster's job easier; in the future, AI-powered analytics will likely be part of the solution, but the first step is simply joining the data the institution already holds.
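The linkage check described above, as an added example that is not part of the original post: it joins new-account applications on the data points the fraudster has to reuse (the real Social Security number, and the phone number and address that tie a ring's fictitious identities together) and flags conflicts that no single application reveals. The applicant records, field names and review threshold are assumptions for illustration, and the SSNs are constructed sample values, not real ones.

```python
"""Cross-application linkage checks for synthetic-identity screening.

Added example (not from the original post). It assumes a list of new-account
applications with the fields below; APPLICATIONS is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Application:
    app_id: str
    ssn: str       # kept in clear here for the demo; hash or tokenize in production
    name: str
    dob: str       # ISO date as submitted on the application
    phone: str
    address: str


def name_key(name: str) -> tuple[str, str]:
    """Reduce a name to (first, last) so 'Jane A. Doe' and 'Jane Doe' match."""
    parts = re.sub(r"[^\w\s]", "", name).lower().split()
    return (parts[0], parts[-1]) if parts else ("", "")


def address_key(address: str) -> str:
    """Normalize punctuation, case and spacing so trivial variants collide."""
    return " ".join(re.sub(r"[^\w\s]", "", address).upper().split())


def flag_synthetic(apps: list[Application], shared_threshold: int = 3) -> dict[str, list[str]]:
    """Return {app_id: [reasons]} for applications that need manual review.

    Two signals, both of which need data joined across applications:
      1. one SSN submitted with conflicting names or dates of birth
      2. one phone number or address shared by >= shared_threshold distinct SSNs
    """
    by_ssn: dict[str, list[Application]] = defaultdict(list)
    ssns_by_phone: dict[str, set[str]] = defaultdict(set)
    ssns_by_address: dict[str, set[str]] = defaultdict(set)
    for a in apps:
        by_ssn[a.ssn].append(a)
        ssns_by_phone[a.phone].add(a.ssn)
        ssns_by_address[address_key(a.address)].add(a.ssn)

    flags: dict[str, list[str]] = defaultdict(list)
    for ssn, group in by_ssn.items():
        names = {name_key(a.name) for a in group}
        dobs = {a.dob for a in group}
        if len(names) > 1 or len(dobs) > 1:
            # Every application on the SSN is queued, including the genuine
            # holder's: that person is the long-term victim and must be contacted.
            for a in group:
                flags[a.app_id].append(
                    f"SSN ending {ssn[-4:]} seen with {len(names)} names and {len(dobs)} DOBs")
    for a in apps:
        n_phone = len(ssns_by_phone[a.phone])
        if n_phone >= shared_threshold:
            flags[a.app_id].append(f"phone {a.phone} shared by {n_phone} SSNs")
        n_addr = len(ssns_by_address[address_key(a.address)])
        if n_addr >= shared_threshold:
            flags[a.app_id].append(f"address shared by {n_addr} SSNs")
    return dict(flags)


# Constructed sample applications (not real people or SSNs).
APPLICATIONS = [
    Application("A1", "123-45-6789", "Jane Doe",     "1985-04-02", "555-0101", "10 Main St"),
    Application("A2", "123-45-6789", "Jane A. Doe",  "1985-04-02", "555-0101", "10 Main St"),
    Application("A3", "123-45-6789", "Robert Smith", "1990-11-20", "555-0177", "77 Pine Ct"),
    Application("A4", "987-65-4321", "Alicia Vega",  "1992-07-15", "555-0199", "42 Elm Ave Apt 3"),
    Application("A5", "111-22-3333", "Mark Lin",     "1988-01-01", "555-0199", "42 Elm Ave, Apt 3"),
    Application("A6", "444-55-6666", "Tina Ortiz",   "1979-03-09", "555-0199", "42 ELM AVE APT 3"),
    Application("A7", "777-88-9999", "Carlos Ruiz",  "1975-06-30", "555-0142", "9 Oak Rd"),
]

if __name__ == "__main__":
    for app_id, reasons in sorted(flag_synthetic(APPLICATIONS).items()):
        print(app_id, "->", "; ".join(reasons))
```

Run on the sample data, A1 through A3 are flagged because one SSN arrives with two different names and dates of birth (the genuine holder's own repeat application, A2, is flagged with them, which is intended), A4 through A6 are flagged because three unrelated SSNs share one phone number and one address, and A7 passes. Each of these records looks clean in isolation; only the join exposes them. In production the SSN should be stored as a keyed hash rather than in clear, the threshold tuned to the institution's false-positive tolerance, and hits routed to a reviewer rather than auto-declined.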
4. Ransomware
Scary Stat: In 2017, financial services was the second most targeted industry for ransomware, after healthcare. Although ransomware attacks fell nearly 30 percent over the following 12 months, financial services companies remain the second most frequently victimized industry.
Defined: A type of malicious software that blocks access to a computer system, typically by encrypting its files, until a sum of money is paid. Ransomware is most often delivered through phishing: an employee clicks a link or opens an attachment they shouldn't, and that action launches the malware. It also arrives through exposed remote-access services and unpatched internet-facing systems, so user awareness alone is not a complete defense.
Impact: It is non-negotiable for financial services companies to maintain the privacy of their customers and the security of their confidential data. If a bank or credit union is hit with ransomware, a significant backlash will follow, especially if customer data or customer-facing systems are held hostage for an extended period. Tested, offline backups and a rehearsed recovery plan are what determine whether such an incident is a short outage or a prolonged crisis.
5. Social Engineering
Scary Stat: Today, only about 3 percent of malware tries to exploit an exclusively technical flaw; the other 97 percent instead targets users through social engineering, according to KnowBe4. Nearly 60 percent of security leaders say their organizations may have fallen victim to social engineering within the past 12 months.
Defined: Social engineering is a method of deceiving people into handing over information, or exploiting their trust, inattention or laziness to obtain it. It is believed to be the most frequently used method of getting into a corporate network today.
Impact: Social engineering attacks are designed to trick your employees into granting access to systems or divulging information that helps attackers gain that access, through low-tech or often no-tech means. They can come in many forms: by phone, email, postal mail, in person, or through social media. So it's important to train your employees to be wary, and to back that training with procedures that do not depend on an individual's judgment, such as confirming any payment or account change request over a separately verified channel before acting on it.
Credit: BofA.com
© De Angelis & Associates 2020. All Rights Reserved.