Phishing has become a serious concern for banks and financial institutions as attacks against the industry have increased in recent years. Finance is the most spoofed industry in phishing campaigns. According to the American Bankers Association, approximately 35% of fake websites and emails claim to be from financial institutions.
This should come as no surprise, given the industry’s role in the global economy. Since financial organizations facilitate the flow of money, it makes sense that their networks, employees, and customers are prime targets for digital fraud and theft. In response, central banks and regulators have asked financial institutions to improve their security.
Fortunately, the industry is rising to the challenge. Today, banks are ahead of other industries when it comes to cybersecurity investments. This trend includes the integration of senior executives dedicated to security, with 95% of banks now employing C-level security managers in their organizations. The idea is to thwart all types of cyberattacks by prioritizing holistic security strategies as a central operational aspect of financial institutions.
When it comes to phishing specifically, effective defense requires a multifaceted approach. Financial organizations are aware of this need and many are now focusing on improving their people, policies and technologies to mitigate the risks posed by “social engineering” attack methods. “.
Promote cybersecurity awareness
Phishing attacks use fake emails, messages, and websites to trick users into divulging sensitive information. Spam filters and third-party technologies can handle the lion’s share of fake messages, but they’re not perfect. Some fake messages get through and end up in people’s inboxes. For this reason, it is the user’s responsibility to distinguish between legitimate and fake messages and to avoid being tricked and clicked.
The industry is actively working to improve these skills within its workforce. A recent Hoxhunt study found that banking workers are among the most successful at spotting and reporting simulated phishing attacks, with a success rate of 68.4%, among the highest of any industry. included in the study.
A well-trained workforce can mitigate the risk of later consequences of successful phishing attacks, including compromised business emails, data breaches, and ransomware.
Banks are also actively educating their customers about phishing scams and teaching them how to avoid falling for these attacks. They have made it a regular and standard practice to post notices and notifications to customers whenever an active phishing campaign is known to impersonate their organizations. These one-time alerts even tell users ways to identify and reject phishing messages.
Secure customer experiences
With the emergence of mobile banking, defenses for financial institutions must now consider the mobile attack surface. On the positive side, this has allowed banks to have more control over the customer experience. Financial institutions now have their own official mobile apps deployed and verified through Google and Apple’s app stores.
They are also leveraging mobile capabilities to enhance the security of their applications by enabling end-to-end encryption, multi-factor authentication (MFA), and biometric security. For example, instead of relying on text messages to communicate with customers, banks can use push notifications. While not completely foolproof, push notifications are generally more secure than text messages and have a greater degree of authenticity, especially since they are sent through legitimate services like Google or Apple.
Additionally, enabling features such as multi-factor authentication also creates additional layers of protection, although these layers can also be bypassed. Even if a customer’s username and password are compromised by phishing, a one-time password (OTP) is still required to authorize transactions.
However, banks must now also balance their pursuit of security with the increased friction these methods can bring to the experience. The need to enter OTPs for each banking transaction can become cumbersome and tedious for the uninitiated. But this can be mitigated through the use of OTP autofill, where the banking app detects the OTP sent via SMS and automatically enters the code into the field, speeding up the process.
Biometrics can also be a promising option, but since facial and voice recognition and fingerprint scanning are not available on all mobile devices, their adoption remains limited.
Ever since digital finance became the norm over the past few decades, banks have faced the dilemma of legacy technologies. It is still common for core banking systems to use mainframes running on older programming languages like COBOL. These technologies are quite robust, but they have their limits. To overcome them, banks are actively modernizing their systems. Not only will this speed up their infrastructure, but it will also make their systems more compatible with today’s technologies.
From a cybersecurity perspective, modernization efforts are also an opportunity for these projects to integrate security measures into new systems. Apart from improving security on the client side, banks can now also improve their policies and processes on the backend.
Measures such as pervasive encryption, where data is encrypted at all levels, whether in transit or at rest, can be implemented so that all information can be kept safe, even in the event of leaks. and data breaches. Banks can also integrate identity and access management to ensure that users can only access the information and actions for which they are authorized.
This allows security teams to manage accounts and credentials where they can easily revoke access to any potential malicious or compromised account. Implementing MFA for internal logins can also ensure that even if an employee’s credentials are breached, hackers could not further compromise the system. .
A tough battle ahead
Given the stakes, it is reassuring to see that the financial industry is taking cybersecurity seriously. Ordinary customers would certainly not want to lose some of their hard-earned money due to cyberattacks.
However, phishing campaigns are growing in scale and complexity. The hackers are improving their spear phishing methods where the messages are now highly personalized, thus improving the deception. Mobile-focused phishing or “smishing” campaigns have also gained momentum. Just a few weeks ago, the United States Federal Communications Commission (FCC) warned Americans of increased smishing activities.
Thus, it is imperative for banks and financial institutions to stay one step ahead. Using better technologies and improving everyone’s ability to discern fake messages is key to minimizing the threat of phishing. Banks can also work hand-in-hand with telecom companies to ensure that banks cannot be spoofed through calls and spam.
The war on phishing will be permanent and everyone involved in the industry must do their part,
Photo credit: wk1003mike / Shutterstock
Peter Davidson works as a senior partner to help brands and start-ups make effective business decisions and plan appropriate business strategies. He is a huge fan of gadgets who likes to share his views on the latest technologies and applications.