Phishing attacks are the most common method used by cybercriminals to attack the Financial Services industry. With attacks becoming more prevalent and more sophisticated, it is important to educate your organisation, customers and employees about the potential risks these scams can pose.
HMRC reported that there was a 73% increase in phishing attacks between March and September 2020. With the number of phishing attacks likely to continue to rise over the next few years, it is important for all Financial Service organisations to take steps to protect themselves and their customers.
What is Phishing?
Phishing is a method used by cybercriminals to obtain sensitive or personal information from individuals and organisations through unauthorised means. Most commonly, phishing attacks occur through targeted emails, however, attacks are getting more sophisticated and there are now multiple avenues criminals are using to obtain information.
Other common types of Phishing include:
Spear Phishing: This method attacks a specific group of people, organisation or individual to extract sensitive information.
Whaling: Whaling is an even more targeted method of Phishing than Spear Phishing. This method often sees criminals targeting CEOs, CFOs or other senior members of an industry or even a specific organisation.
Vishing: This type of Phishing refers to attacks made using voice messages or phone calls.
Smishing: Similar to Vishing, this type of cyber attack uses the same standard approach as Phishing but instead targets individuals through text messages or SMS.
Search Engine Phishing: This method is also known as SEO Trojans or SEO poisoning. Attackers will work to get their website to the top ranking position on search engine results pages. This can make many people believe that they are visiting or using a reputable website, making them more likely to hand over banking information to attempt to make a purchase or provide sensitive personal information to sign up to a service.
Phishing scams are constantly evolving and cybercriminals are becoming more and more sophisticated. Scams are no longer limited to email and attackers now often use tax deadlines to their advantage or fake lawsuits to create more convincing scams. Because of this, it is increasingly important to be aware of the different types of Phishing scams and methods that attackers are using to target organisations and individuals.
Why are Financial Services Targeted by Scams?
Financial services organisations are the target of around 41% of all Phishing attacks according to the APWG.
Financial services are an obvious target for criminals, as they hold large sums of capital and move large amounts of it on a daily basis. As such, they are a prime target for cybercriminals, who can either use the sensitive information they obtain to make fraudulent transactions or withdrawals, or sell that information on the black market.
A survey by Tessian revealed that nearly half of the surveyed employees working within Financial Services felt that their workload was too heavy or overwhelming. Tired and stressed employees are more vulnerable to a Phishing attack, as they become less likely to spot suspicious activity or unusual communications. Combined with cybercriminals working to make attacks more believable, this means these attacks pose an even greater risk to the Financial Services industry.
What Risks Do Phishing Scams Pose?
Phishing scams pose a host of risks to all organisations and individuals, but particularly those in Financial Services. If your organisation, or someone within it, falls victim to a Phishing scam, the attackers can access and exploit your clients' bank or personal information and use it to access their funds. This can cause reputational damage for your organisation, and can be especially detrimental to organisations with larger client accounts such as Hedge Funds.
Your customers and clients may therefore seek to move their money elsewhere as they may feel it is unsafe to use your services.
Reputational damage is also becoming more concerning, as scammers are increasingly gaining access to organisations' social media or email accounts and using these to pose as a member of your organisation. Clients are more likely to trust an email that they believe was sent from your organisation, and are therefore more likely to provide sensitive information to the email sender.
How To Prevent Phishing Scams
Although Phishing scams are becoming more convincing, there are ways that you can protect your organisation and your customers against them.
Validate links before clicking on them: A good way to check that a link is what you think it is before you click on it is to hover over the link and look in the bottom left corner of your screen. This will show the link's real destination, which can differ from the text displayed in the email. If it is not a website you recognise, avoid clicking on the link or entering any personal information.
Implement email security solutions: Investing in email security software such as Mimecast or Symantec.Cloud will help to prevent Phishing emails from reaching your inbox.
End-user training and awareness: With Phishing scams and cybersecurity attacks becoming more common and sophisticated every day, your software may not always be able to detect potential threats. By educating your employees on how to spot phishing attacks and explaining the main threats that these types of attacks pose, they will be able to more easily identify any suspicious emails or activity within the organisation that could compromise your clients' data.
Testing: As part of the education mentioned above, firms should implement Phishing testing exercises to ensure that the threat is at the forefront of everyone’s thinking. Testing shouldn’t be designed solely around finding those end users who fail and re-educating them, it should be used as a tool to promote the reporting of incidents to the IT/Security teams. Any Phishing test should have a KPI designed around what percentage of the user base reports the email to the IT/Security team.
URL protection: URL protection is a sophisticated piece of email security technology that is designed to protect users against targeted Phishing attacks such as Spear Phishing or Whaling. This technology checks the validity of links contained within inbound or outbound emails, to prevent internal users from following malicious links designed to capture sensitive information.
Go Beyond Usernames and Passwords: Many Phishing attacks are designed around credential compromise: the attack is just a way of obtaining credentials that can then be used to compromise other business systems or, in some cases, personal accounts. A way to mitigate this risk is to use Multi-Factor Authentication (MFA) wherever possible. This means that even if you are a victim of such an attack, usernames and passwords alone won't grant access to the corporate network and resources.
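The link checks described above (comparing a link's displayed text with its real destination, and vetting the links in an inbound email before a user follows them) can be automated. The following is an added example, not code from the original article or from any email security product; the HTML email body, the lookalike destination and the organisation's trusted domain are all constructed for illustration, and the "site" comparison uses the last two DNS labels, which is a simplification that does not handle suffixes such as .co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def _host(value):
    """Lowercased hostname of a URL or bare domain (no port, no userinfo)."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def _site(host):
    """Simplified registrable domain: last two labels (assumption, ignores .co.uk etc.)."""
    return ".".join(host.split(".")[-2:])

def check_links(html, trusted_domains):
    """Return (href, reason) for each link a user should not follow without checking."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = _host(href)
        shown = DOMAIN_RE.search(text)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", dest):
            findings.append((href, "destination is a bare IP address"))
        elif shown and _site(_host(shown.group(0))) != _site(dest):
            findings.append((href, f"link text shows {_host(shown.group(0))} but goes to {dest}"))
        elif not any(dest == d or dest.endswith("." + d) for d in trusted_domains):
            findings.append((href, f"destination {dest} is not a known organisation domain"))
    return findings

# Constructed sample: one lookalike link, one IP-literal link, one genuine link.
SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="https://login.example-bank.com.account-check.test/">https://login.example-bank.com</a>
<a href="http://203.0.113.5/verify">Verify now</a>
<a href="https://www.example-bank.com/help">Help centre</a>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, ["example-bank.com"]):
        print(f"FLAG {href}: {reason}")
```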
Taking measures to protect your business and clients against Phishing attacks is vitally important for organisations within the Financial Services sector. Investing in software or security to protect your organisation can save your business money in the long term and maintain your clients' trust in your services.
One of the easiest ways to protect your organisation is to educate all of your employees on how to spot a potential threat. This will not only provide your organisation with a cost-effective way to manage the threat of a Phishing attack, but it will also allow you to improve any existing Cyber Security to adapt to any new methods of attack.
Tribeca is an IT Managed Service Provider specialising in the Alternative Investment industry, and has provided effective security solutions to Financial Service organisations, including Hedge Fund and Private Equity firms, since 2006. We offer services including Cyber Security, Cloud Computing and Disaster Recovery, tailored to meet the demands of your Financial Services business and help protect your business and your clients from Phishing attacks.
For more information about how our services can help to protect your business against Phishing attacks, contact our team today.