How a breadcrumb trail leads straight to financial infrastructure
By Ben Bulpett, EMEA Identity Platform Director at SailPoint
Cybersecurity breaches of any kind remain a serious threat both in terms of financial costs and reputational damage. However, with lucrative assets at stake, it is no surprise that the finance and insurance sectors have been the most attacked targets in recent years.
The financial sector is generally regarded as having a high level of cybersecurity maturity, because it has always had to defend against criminals seeking financial gain. However, threats continue to evolve at a rapid pace, and the widespread disruption caused by the forced transition to remote working has created security and compliance gaps that many industries, including financial services, are still struggling with. In January of this year, the National Cyber Security Centre received over 10 million reports of phishing scams. Globally, financial services account for almost 40% of all phishing URLs.
The workforce will always present some level of risk, but employees unknowingly create visibility gaps, leaving a trail of crumbs for attacks to creep into corporate infrastructure. As the number of attacks continues to rise, it’s critical that financial services organizations and their employees take steps to protect themselves and their customers. Doing so requires understanding the tactics used by threat actors and knowing how to avoid playing into their hands.
Searching for information online
A cunning bad actor will stalk workers online to gather as much information as possible. Anything shared publicly on LinkedIn, Facebook, Twitter or Instagram pages allows a cybercriminal to reconstruct a profile of the target. With almost half of UK workers (47%) including their job title and employer's name on their social media profile, and some (10%) even sharing their company email address for all to see, it is all the more likely that malicious actors can build a profile of their victims and decide whom to target next.
While it is common in many parts of the world to include professional details on social profiles for networking and recruiting, these figures are a stark reminder that unsavory characters could use the same information in their next attack. It is therefore imperative to be careful about what is shared online: for example, include company and job title, but omit email addresses.
Using compromised emails and passwords
Cybercriminals use phishing scams to trick unsuspecting victims into divulging their organization's private information, but we also give them a head start. According to our research, a quarter of UK workers (25%) use their corporate email for non-work activities such as social media logins and online shopping, which gives cybercriminals a clear window to find an "in" to an organization.
All it takes is one breach for this information to end up on dark web forums, where it is bought and sold. To ensure that a corporate email does not end up in the wrong hands, employees should be encouraged to create a disposable account to conduct non-corporate activities.
Impersonating CEOs and colleagues
Workers around the world are experiencing an influx of suspicious messages from senior executives. This was seen most recently with the FBI’s warning of a disturbing increase in the number of criminals exploiting virtual meetings to defraud organizations. In some cases, this went as far as hijacking video meeting accounts belonging to corporate executives in order to impersonate them and trick unsuspecting employees.
Malicious actors also try to trick unsuspecting individuals into paying them by spoofing financial services firms, as this industry is one of the most targeted for phishing. It is therefore imperative to be vigilant when determining whether a request for financial details is genuine.
Mitigating attacks through training and technology
Criminals rely on a culture of blame. Therefore, it is important for organizations to ensure an ongoing positive conversation with employees, which results in a deeper understanding of the exact impact of these incidents on individuals and the organization. Our research found that currently almost half (46%) of UK workers say they have had no formal training or education on phishing. Cyber education should be high on the list for employee training – with this in place, employees can feel well supported and equipped to deal with phishing threats when they arise.
New technology is also crucial, since it can help mitigate these types of attack at the security perimeter in the first place. Cybercriminals often rely on misusing identities to convince organizations that they are who they say they are. An identity security system helps organizations manage who has access to what, so that access is authorized strictly on a need-to-know basis, reducing the risk of sensitive information falling into the wrong hands. It can also alert organizations to unusual or suspicious user behavior.
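The two capabilities described above, need-to-know access and alerting on unusual user behavior, can be illustrated with a small identity-governance check. This is an added example and not SailPoint's code or product logic; the role baselines, user records and sign-in events are constructed sample data, and the function names are assumptions chosen for this illustration.

```python
"""Added example (not SailPoint's code): a minimal identity-governance check.

Two defender-side checks on constructed sample data:
 1. Least privilege: compare each user's granted entitlements with the
    baseline for their role and report anything beyond it.
 2. Unusual behaviour: flag sign-ins from a country, or at an hour, that the
    account has not used during its recent history.
"""
from collections import defaultdict
from datetime import datetime

# Constructed role baselines: the entitlements each job role actually needs.
ROLE_BASELINE = {
    "payments_clerk": {"payments.read", "payments.create"},
    "analyst": {"reports.read"},
}

# Constructed identity records: assigned role plus entitlements really granted.
USERS = {
    "alice": {"role": "payments_clerk",
              "entitlements": {"payments.read", "payments.create"}},
    "bob": {"role": "analyst",
            "entitlements": {"reports.read", "payments.approve", "hr.salary.read"}},
}

# Constructed sign-in history (user, country, ISO timestamp) and today's events.
HISTORY = [
    ("alice", "GB", "2022-03-01T09:12:00"),
    ("alice", "GB", "2022-03-02T08:55:00"),
    ("bob", "GB", "2022-03-01T10:03:00"),
    ("bob", "GB", "2022-03-02T09:40:00"),
]
TODAY = [
    ("alice", "GB", "2022-03-03T09:05:00"),
    ("bob", "RO", "2022-03-03T03:17:00"),
]


def excess_entitlements(users=USERS, baseline=ROLE_BASELINE):
    """Return {user: sorted entitlements beyond the role baseline}; clean users are omitted."""
    findings = {}
    for name, record in users.items():
        allowed = baseline.get(record["role"], set())
        extra = record["entitlements"] - allowed
        if extra:
            findings[name] = sorted(extra)
    return findings


def build_profile(history):
    """Per-user set of countries and sign-in hours observed in the history window."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, country, ts in history:
        hour = datetime.fromisoformat(ts).hour
        profile[user]["countries"].add(country)
        profile[user]["hours"].add(hour)
    return profile


def unusual_signins(events=TODAY, history=HISTORY, hour_tolerance=1):
    """Return [(user, reasons)] for sign-ins that fall outside the user's observed profile."""
    profile = build_profile(history)
    alerts = []
    for user, country, ts in events:
        reasons = []
        seen = profile.get(user)  # .get() does not create a default entry
        if seen is None:
            reasons.append("no history for account")
        else:
            if country not in seen["countries"]:
                reasons.append(f"new country {country}")
            hour = datetime.fromisoformat(ts).hour
            if all(abs(hour - h) > hour_tolerance for h in seen["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            alerts.append((user, reasons))
    return alerts


if __name__ == "__main__":
    for user, extra in excess_entitlements().items():
        print(f"REVIEW {user}: entitlements beyond role baseline: {', '.join(extra)}")
    for user, reasons in unusual_signins():
        print(f"ALERT {user}: {'; '.join(reasons)}")
```

In this data, bob holds two entitlements his analyst role does not need and signs in from a new country at an hour he has never used, so both checks raise him for review. A real deployment would draw the baselines from the organization's role model and the history from its authentication logs, but the structure of the check, a role baseline for access and a per-account profile for behavior, is the same.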
Long-term protection
All roads lead to phishing, and the revenue generated by the financial services industry makes it a ripe target. With awareness, education and a willingness to remain hyper-vigilant, along with the right technology in place, the financial services industry can ensure that it is well protected against cyber threats.