Helping To Protect Financial Institutions From Surging Social Engineering Attacks

© provided by Benzinga

As guardians of global funds and sensitive personal information, financial institutions find themselves on the front lines in the battle against escalating cyber threats posed by social engineering.

By exploiting vulnerabilities in human behavior and coaxing individuals to divulge confidential or unauthorized information, cybercriminals can establish a direct route to valuable systems or data. And nearly every financial institution can be at risk.

In one widely publicized attack, for example, an international electronic banking firm was targeted by the criminal gang Silence with a multi-step phishing campaign aimed at bank employees.

The gang gathered information about employee targets through malware-free email messages that may have looked like bulk marketing messages or spam. The data collected helped the gang craft a phishing campaign that then delivered a malware-laden attachment. At least one employee opened this attachment and accidentally installed the malware on the bank's network. From there, the Silence gang was able to access bank systems and steal roughly $3 million over three months. In other attacks, the same gang also fraudulently withdrew hundreds of thousands of dollars from other banks in India, Russia, Bulgaria, and other nations.

Understanding Social Engineering Tactics

Social engineering tactics currently used involve a range of deceitful techniques, including phishing, quid pro quo, spoofing, baiting, and account takeover. These attacks prey on individuals’ trust and manipulate a sense of urgency to deceive victims. Tactics such as phishing, pretexting, or business email compromise (BEC) can result in direct financial losses for financial institutions and their customers. Organizations may also suffer reputational damage through data breaches. Moreover, the success of social engineering attacks can pave the way for more sophisticated threats, such as ransomware attacks.

Recent trends, such as the use of deepfakes in robocalls targeting banks, underscore the growing sophistication of these attacks.

The evolution of such tactics is particularly concerning for the financial sector, which is legally and ethically required to safeguard sensitive data such as Social Security numbers, credit information, personally identifiable information (PII), and other banking details. "Bad actors are constantly inventing new ways to deceive," said Robert Weber, a Security Solutions expert at Verizon.

Weber claims that fraud often begins with something as simple as a text message to a potential bank customer. "These messages could be everything as simple as, 'Hey, we've noticed that you're trying to process this. Please click here to confirm.' And if you click, and it's not really the bank. It's some other URL, and some credentials are lost," he explained.

Financial Implications from Verizon's Research

Verizon's 2024 Data Breach Investigations Report (DBIR) recorded a whopping 3,348 incidents in the financial and insurance sector, with nearly 1,115 incidents resulting in confirmed data disclosure. Among other financial and insurance sector insights from the DBIR:

  • 69% of breaches involved external actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.
  • System Intrusion, Miscellaneous Errors and Social Engineering represent 78% of breaches in the financial and insurance sector.
  • For data compromised, personal data, which can be very useful for fraud, continues to be the most desired data type stolen at 75%.

How to Address Social Engineering Targeting Financial Institutions

By identifying each organization's unique security challenges and then supporting it in addressing them, Verizon can help financial institutions reduce the risk of social engineering attacks and better protect their critical assets and sensitive data.

While most financial organizations have existing antifraud programs, Weber said many of those programs are reactive, "because some banks may not know what’s out there unless someone complains. We can help them with that reactiveness by supplying them with a proactive report on vulnerabilities and by augmenting that with the needed services."

Addressing social engineering risks takes a layered approach to defense, designed to reduce risks across multiple points of potential exploitation. Top defensive strategies include:

  • Employee Awareness Training. "Employees are key targets for social engineering," said Jennifer Varner, Verizon's Director of Cyber Security Solution Sales. So it's crucial to continually educate employees, partners and third parties on security red flags (e.g., requests for personal information) and on how to help protect their devices with virtual private networks (VPNs) and multifactor authentication (MFA). Training exercises such as phishing, vishing, smishing and quishing tests are critical to keep personnel on alert, empowering them to recognize and resist social engineering attack methods.
  • Detection and Incident Response. Technological defenses should combine near real-time detection with response capabilities. Verizon's capabilities include security operations services, endpoint and network security monitoring, and incident response services. In the event of a breach, swift and comprehensive incident response and containment can help reduce impacts. "Verizon's Rapid Response team is at the ready 24/7 in the event of a breach," Varner explained. Forensic analysis and root cause identification after an incident can also help organizations strengthen defenses by understanding how to help close vulnerabilities.
  • Ongoing Testing and Reporting. With the rapid rate of change in attacks, everyone needs to do their part, staying up to speed on social engineering tactics. One way to enable this knowledge across the organization is to conduct regular security assessments. Verizon offers testing and reporting capabilities that include:
      • Penetration testing, including testing for social engineering vulnerability
      • Tabletop exercises
      • Ransomware assessments
      • Cyber risk quantification
  • Mobile security policy. Employer-provided mobile devices can help ensure that employees discuss business on business phones. Further, maintaining consistent policy and protection controls across all devices helps support regulatory compliance, along with a secure chain of custody and forensics – goals that can be particularly important for financial organizations. Verizon can also help to measure organizational wireless performance.
  • Security protection controls. Security and access controls should be applied at all levels. That includes each device, every network, and across all channels, including those introduced by third parties. Some key elements of Verizon's control protocol include:

Integrated solutions using a layered defense approach can help enhance positive security outcomes for greater resilience, while helping organizations prioritize their cybersecurity investments – including managing social engineering risks.

AI's Impact on Social Engineering

In the future, social intelligence experts predict an increased use of more sophisticated artificial intelligence and machine learning technologies to create highly convincing impersonation attacks, blurring the lines between legitimate and fraudulent communication. In addition, insider threats, in which employees or trusted insiders intentionally or unintentionally facilitate social engineering attacks, are expected to become more prevalent.

Financial institutions must be vigilant and proactive in their efforts to detect, prevent and mitigate social engineering threats. This is the primary way to safeguard financial assets, customers and their reputations.

Financial sector leaders looking to harden their cybersecurity posture against this growing attack type can review the following helpful resource from Verizon: "Expert Guide to Lowering Social Engineering Risks."

This post was authored by an external contributor and does not represent Benzinga’s opinions and has not been edited for content. The information contained above is provided for informational and educational purposes only, and nothing contained herein should be construed as investment advice. Benzinga does not make any recommendation to buy or sell any security or any representation about the financial condition of any company.