How the banking and financial industries are gearing up against phishing
Phishing has become a matter of grave concern for banks and financial institutions, as attacks on the industry have increased in recent years. Finance is the most impersonated industry in phishing campaigns. Some 35 percent of fake websites and emails claim to be from financial institutions, according to the American Bankers Association.
This should come as no surprise, considering the industry's role in the global economy. Because financial organizations facilitate the flow of money, their networks, employees, and customers are prime targets for digital fraud and theft. In response, central banks and regulators have been directing financial institutions to improve their security.
Fortunately, the industry is stepping up to the challenge. Banks now outpace other industries in cybersecurity investment. This trend includes onboarding executive leaders dedicated to security: 95 percent of banks now employ C-level security officers. The idea is to foil all types of cyberattacks by prioritizing comprehensive security strategies as a core operational aspect of financial institutions.
As for phishing specifically, effective defense demands a multi-faceted approach. Financial organizations are aware of this need, and many are now focused on improving their people, policies, and technologies in order to mitigate the risk brought about by "social engineering" attack methods.
Promoting cybersecurity awareness
Phishing attacks rely on fake emails, messages, and websites to trick users into giving up sensitive information. Spam filters and third-party tech can deal with the lion’s share of fake messages, but these are hardly perfect. Some fake messages do get through and end up in people's inboxes. Because of this, it falls upon the user to discern between legitimate and fake messages and avoid getting tricked and clicking through.
The industry is actively working on improving such skills in their workforces. A recent study by Hoxhunt revealed that workers in the banking sector are among the most successful in spotting and reporting simulated phishing attacks, with a 68.4 percent success rate, among the highest of all industries included in the study.
A well-trained workforce also reduces the downstream consequences of a successful phishing attack, including business email compromise, data breaches, and ransomware.
Banks are also actively educating customers about phishing scams and teaching clients how to avoid falling for these attacks. They have made it a regular and standard practice to release advisories and notifications to customers whenever an active phishing campaign is known to be impersonating their organizations. These timely alerts even point out ways for users to identify and reject phishing messages.
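The advice in those advisories ("check where the link really goes") can be turned into a mechanical check. The following is an added example, not code from the article or from any bank: it extracts the links in a message and classifies each host against a hypothetical bank's official domains (`examplebank.com` and `examplebank.co.uk`, both constructed for this example), treating real subdomains as official, and flagging hosts that reuse the brand name under another domain, differ from an official domain by a couple of edits, or swap in confusable characters. The confusables table is deliberately partial and the registrable-domain logic does not consult a public-suffix list; both are simplifications labelled in the comments.

```python
import re
from urllib.parse import urlparse

# Official domains of a hypothetical bank (constructed for this example).
OFFICIAL_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def skeleton(name: str) -> str:
    """Fold a few characters that read alike in many fonts (partial table;
    a real deployment would use a fuller confusables list such as Unicode TR39)."""
    return (name.lower()
                .replace("rn", "m")
                .replace("vv", "w")
                .translate(str.maketrans("01", "ol")))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against an official domain suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a hostname found in a message."""
    host = host.lower().rstrip(".")
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official"  # the bank's own domain or a genuine subdomain of it
    # Naive registrable part (last two labels); no public-suffix list is consulted here.
    core = ".".join(host.split(".")[-2:])
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand in host:
            return "lookalike"  # brand name reused as a label under some other domain
        if levenshtein(skeleton(core), skeleton(official)) <= 2:
            return "lookalike"  # typo or confusable-character variant of the real domain
    return "unknown"


def scan_message(text: str) -> dict:
    """Classify every link in a message; any lookalike makes the whole message suspicious."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        findings.append((url, classify_host(host)))
    verdict = "suspicious" if any(v == "lookalike" for _, v in findings) else "clean"
    return {"links": findings, "verdict": verdict}


# Constructed sample message resembling a lure that imitates the bank.
SAMPLE_MESSAGE = (
    "Dear customer, your account has been locked. Verify now at "
    "https://examplebank.com.verify-now.net/login before midnight. "
    "Statements remain available at https://online.examplebank.com/statements."
)

if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE)
    for link, verdict in result["links"]:
        print(f"{verdict:10s} {link}")
    print("message verdict:", result["verdict"])
```

The point of the `official` check coming first is that a genuine subdomain such as `online.examplebank.com` must never be flagged; only after that does the brand name appearing anywhere else in a host (`examplebank.com.verify-now.net`) count against it. The same classifier can be applied to the sender's domain in the message headers.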
Securing customer experiences
With the emergence of mobile banking, financial institutions' defenses must now cover the mobile attack surface. On the positive side, this has given banks more control over the customer experience: financial institutions now have their own official mobile apps, deployed and verified through Google's and Apple's app stores.
They also leverage mobile features to bolster the security of their apps by enabling end-to-end encryption, multi-factor authentication (MFA), and biometric security. For example, instead of relying on SMS for communication with customers, banks can use push notifications. While not entirely foolproof, push notifications are generally more secure than SMS and carry a greater degree of authenticity, especially since they are delivered through legitimate services run by Google or Apple.
Enabling MFA adds further layers of protection, although these layers can also be circumvented. Even if a customer's username and password are compromised through phishing, a one-time password (OTP) is still needed to authorize transactions.
However, banks must now also balance their drive for security with the increased friction that these methods can bring to the experience. The need to enter OTPs for each banking transaction can become cumbersome and tedious for the unacquainted. But this can be mitigated through the use of OTP autofill, where the banking app detects the OTP sent over SMS and automatically enters the code into the field, speeding up the process.
Biometrics can also be a promising option, but since facial and voice recognition and fingerprint scanning aren't available on all mobile devices, these still have limited adoption.
Since digital finance emerged as the standard in recent decades, banks have been dealing with the dilemma of legacy technology. It is still common for core banking systems to run on mainframes and to be written in older programming languages such as COBOL. These technologies are fairly robust, but they have their limitations. To overcome them, banks are actively modernizing their systems. Not only will this speed up their infrastructure, it will also make their systems more compatible with today's technologies.
From a cybersecurity standpoint, modernization projects also provide the opportunity to build security measures into the new systems. Aside from improving security on the customer-facing side, banks can now also improve their policies and processes at the back end.
Measures such as pervasive encryption, where data is encrypted at every level, whether in transit or at rest, can be implemented so that information stays protected even in the event of data leaks and breaches. Banks can also integrate identity and access management (IAM) to ensure that users can only access the information and perform the actions for which they are cleared.
This allows security teams to manage accounts and credentials centrally, so they can easily revoke access for any potentially rogue or compromised account. Implementing MFA for internal logins also ensures that even if an employee's credentials are phished, attackers would not be able to compromise the system further.
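The three back-end controls just described (least-privilege access by role, one place to revoke an account and its sessions, and MFA required for internal logins) fit together in a small access manager. The following is an added example and not the article's or any bank's IAM system; the role catalogue, permission names, and user IDs are all constructed for the example. It is default-deny: a request is allowed only when a live session exists, that session completed a second factor, the account is not disabled, and the permission is granted by one of the account's roles.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Hypothetical role catalogue for a bank's internal systems (constructed for this example).
# Permissions are "resource:action" strings; each role grants only what that job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller":        {"accounts:read", "transactions:create"},
    "auditor":       {"accounts:read", "transactions:read", "reports:read"},
    "fraud_analyst": {"accounts:read", "transactions:read", "accounts:freeze"},
}


@dataclass
class Account:
    user_id: str
    roles: Set[str]
    disabled: bool = False


@dataclass
class Session:
    user_id: str
    mfa_verified: bool  # second factor completed at login, not just the password


class AccessManager:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}  # session token -> session

    def add_account(self, user_id: str, roles: Set[str]) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.accounts[user_id] = Account(user_id, set(roles))

    def login(self, user_id: str, password_ok: bool, mfa_ok: bool) -> Tuple[bool, str]:
        """Internal login: a phished password alone yields no session; MFA is mandatory."""
        account = self.accounts.get(user_id)
        if account is None or account.disabled:
            return False, "account unknown or disabled"
        if not password_ok:
            return False, "bad password"
        if not mfa_ok:
            return False, "second factor required"
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user_id, mfa_verified=True)
        return True, token

    def revoke(self, user_id: str) -> int:
        """Disable a rogue or compromised account and drop every live session it holds."""
        if user_id in self.accounts:
            self.accounts[user_id].disabled = True
        dead = [t for t, s in self.sessions.items() if s.user_id == user_id]
        for t in dead:
            del self.sessions[t]
        return len(dead)

    def permissions_for(self, user_id: str) -> Set[str]:
        """Union of the permissions of all roles held by an active account."""
        account = self.accounts.get(user_id)
        if account is None or account.disabled:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in account.roles))

    def authorize(self, token: str, permission: str) -> Tuple[bool, str]:
        """Default deny: every check must pass before an action is allowed."""
        session = self.sessions.get(token)
        if session is None:
            return False, "no session"
        if not session.mfa_verified:
            return False, "session lacks second factor"
        if permission not in self.permissions_for(session.user_id):
            return False, f"{session.user_id} is not cleared for {permission}"
        return True, "allowed"


if __name__ == "__main__":
    iam = AccessManager()
    iam.add_account("alice", {"teller"})
    print(iam.login("alice", password_ok=True, mfa_ok=False))  # (False, 'second factor required')
    ok, token = iam.login("alice", password_ok=True, mfa_ok=True)
    print(iam.authorize(token, "accounts:read"))    # (True, 'allowed')
    print(iam.authorize(token, "accounts:freeze"))  # (False, 'alice is not cleared for accounts:freeze')
    print(iam.revoke("alice"), iam.authorize(token, "accounts:read"))  # 1 (False, 'no session')
```

Revocation is worth a closer look: disabling the account is not enough on its own, because a session issued before the revocation would otherwise keep working until it expired, so `revoke` also discards every session the user holds and `permissions_for` returns nothing for a disabled account even if a stale token somehow survived.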
A tough battle ahead
Considering what is at stake, it is reassuring that the finance industry is taking cybersecurity seriously. Surely ordinary customers would not want to lose any of their hard-earned money to cyberattacks.
However, phishing campaigns are increasing in scale and sophistication. Attackers are refining their spear-phishing methods, with messages now highly personalized to improve the deception. Mobile-focused phishing campaigns, or "smishing," have also grown in scale. Just a few weeks ago, the US Federal Communications Commission (FCC) warned Americans of increased smishing activity.
Thus, it is imperative for banks and financial institutions to stay ahead of the game. Employing better technologies and raising everyone's ability to discern fake messages are key to minimizing the phishing threat. Banks can also work hand-in-hand with telecom carriers to ensure that they cannot be impersonated via calls and spam texts.
The war against phishing will be an ongoing one, and everyone who participates in the industry must do their part.
Peter Davidson works as a senior business associate helping brands and start-ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.