4 things bankers need to know about phishing

Some of the most popular methods for promoting inbox security are also some of the least satisfactory, according to IT leaders who participated in a recent survey.

Phishing scams disproportionately affect financial institutions, but employees at many small banks successfully avoid clicking phishing emails at a better rate than most similarly sized institutions in other industries.

Those are two key findings from recent reports that investigated phishing, including its use in data breaches, how phishing affects industries differently, and how IT leaders view the solutions used to fight phishing.

Among the findings is that phishing is one of the most popular methods for infiltrating institutions, according to the 2022 Verizon Data Breach Investigations report, making it one of the most costly means of exploiting businesses.

Even in cases where phishing does not appear to have been directly involved in a data breach, it is an important part of the context of many data breaches. For example, use of stolen credentials tends to be more popular than phishing in data breaches, but phishing is a common method of stealing those credentials.

Here are some of the findings from recent research that explains why it is important for financial institutions to grapple with phishing and what they can do about it.

Financial institutions are the most impersonated brands in phishing scams

When scammers impersonate a brand to steal information, they most often impersonate a bank. That is a finding from a recent study by email security company Vade, which found that 34% of the phishing URLs it detected in the first half of 2022 were impersonating financial services.

That is roughly the same as the rate during the entirety of 2022; Vade said that of the nearly 185,000 phishing pages it analyzed last year, 35% were impersonating financial institutions. In 2020, that rate was 29%.

"The trend toward financial services phishing began in Q1 2021 and continued through Q4," read Vade's 2022 annual phishing report. "Growth in financial services phishing could be attributed to the impact of COVID-19 on the global economy."

Two of the 20 most frequently imitated brands in the phishing schemes Vade detected were Chase and Wells Fargo, according to the company's report. PayPal was also in the top 20; Microsoft was the most common brand imitated.

Small-bank employees click phishing links at a below-average rate

When employees at small banks receive a phishing email, they are slightly less likely to click a link in it than employees in other industries. Employees at larger banks, by contrast, click phishing links more often than employees at large companies in other industries.

Those findings come from a recent study by security awareness training platform KnowBe4. The company sent simulated phishing emails to 30,000 companies, most of which had fewer than 250 employees. Across industries, the average rate at which employees of small companies clicked the phishing links was 29%. Among small banks, the rate was 25%.

Those rates increased at the larger end of the company size spectrum. For companies with 250 to 999 employees, 30% of employees across industries clicked phishing links compared to 27% of bank employees. Among companies with 1,000 or more employees, 35% of all employees clicked links compared to 46% of bank employees.

"As cyber threats grow, the communication of these threats is filtering to the masses through social and news media," the KnowBe4 survey report reads. "In some areas, people have more information thrust at them, so their awareness is growing more organically. The question remains if that ground-level awareness will transfer to the workplace and grow with training into something more developed and instinctive."

The most popular methods for addressing email security are also relatively unsatisfactory

IT leaders and executives tend to rate security awareness training and technology that scans emails for spoofing, which they also rated as the two most important methods for addressing phishing attacks, as needing improvement.

That is a finding from consulting firm CyberRisk Alliance, which surveyed 221 security and IT leaders and executives, security administrators and compliance professionals, 12% of whom the firm said came from financial services.

The CyberRisk Alliance asked each respondent to rate nine email security technologies on a scale from one to seven on the importance of the technology and their satisfaction with the technology. The company also asked the same questions about security awareness training.

After averaging the scores, only email encryption received a higher score on satisfaction than on importance. Spoofing and phishing protection, along with security awareness training, received 6.3 out of 7 on importance but 5.8 on satisfaction, suggesting "the need to develop more advanced email protection capabilities in these areas," according to the company's report on the survey.

"For capabilities where both importance and satisfaction scores are relatively high (for example, business email compromise protection and email encryption), organizations believe they are keeping up and should maintain their approach and security controls in this area," CyberRisk Alliance's report reads.

Phishing is among the most common threats in data breaches

Phishing is the second most common path that threat actors use in data breaches, behind only the use of stolen credentials; the two categories can overlap when a breach involves credentials that were stolen via phishing. In fact, phishing is more common in data breaches than botnets and exploitation of previously known vulnerabilities combined.

That is according to Verizon's 2022 Data Breach Investigations report. Among 4,250 data breaches it investigated, roughly 18% involved phishing. In data breaches affecting financial services specifically, phishing, hacking, and malware were the top three patterns in the 2,527 security incidents Verizon analyzed for the report.

In its report, Verizon said that even if only a small percentage of people click on phishing emails, the sheer volume of emails available to threat actors means they are able to fool millions into turning over their credentials or other valuable information.

"If you wonder why criminals phish, it is because email is where their targets are reachable," the Verizon report reads.