6 top cyberthreats banks coped with in 2022

Millions of bank customers lost data to cybercriminals this year in data breaches, and while banks often do not publicly disclose the details of how those breaches happen, data from cybersecurity and research firms indicate these attacks often happen for many of the same reasons.

For example, phishing is one of the most popular methods for infiltrating companies, according to the 2022 Verizon Data Breach Investigations Report, making it one of the most costly means of exploiting businesses.

Even in cases where phishing is not directly involved in a data breach, it is an important part of the context. For example, use of stolen credentials tends to be more popular than phishing in data breaches, but phishing is a common method of stealing those credentials.

Phishing and reused passwords are only two of the many cybersecurity threats that banks faced this year, and banks will likely continue to face many of the same threats in the new year. This article enumerates these top threats and the preventative measures banks can take against them.


Phishing and other impersonation attacks

Phishing is by far the most common type of internet crime, according to a March report from the FBI, netting 320,000 victims last year and $44 million in losses. Financial institutions are the most impersonated brands in phishing scams, according to a study this year by email security company Vade.

Phishing attacks this year against financial service customers, such as the campaign against Intuit last summer, offered lessons to banks about what they need to do to react to phishing attacks against their own customers. Another phishing case, which affected Cloudflare and Twilio employees, offered lessons on good and bad ways to respond — and the kinds of systems banks need in place to reduce their risk.

Bad actors have employed increasingly sophisticated and complex schemes, including offering phishing software on the dark web for $50 a month. Some of this software is designed to specifically target bank customers.

Financial institutions are also employing increasingly sophisticated schemes to ward off phishing, including by replacing the .com in their companies' domain names with .bank — kind of like .edu or .gov, but for banks.

Ransomware

A major payment security standards group released a warning at the beginning of the year that ransomware is a growing threat to banks, and the numbers bear this out.

Ransomware attackers threatened to extort $866 million from U.S. bank customers last year in a record-breaking scourge primarily perpetrated by threat actors affiliated with Russia, according to data released last month by the Financial Crimes Enforcement Network. The amount of money attackers threatened to extort has more than doubled since 2020.

The threat actor behind LockBit, a strain of ransomware, held data at multiple financial institutions hostage at the beginning of the year. The episodes provided case studies in how ransomware groups work, and how they deploy their capabilities.

Exploitation of software vulnerabilities

One of the most potent vectors for attack that a cybercriminal can use against a company is exploiting publicly known weaknesses in software that the company uses. This kind of attack can occur when the company does not update its software in a timely manner, giving cybercriminals time and opportunity to strike at security holes that can and should be closed.

This is exactly the kind of attack that banks need to better protect against, according to a circular published in August by the Consumer Financial Protection Bureau. The bureau said banks could face legal liability for not adequately protecting consumer data in cases where they do not implement timely security updates.

The bureau also said banks need to implement stronger password management and multifactor authentication to avoid liability.

Photo caption: A NIST proposal says requiring users to come up with highly complex passwords creates the possibility that users will write down the passwords in an unsafe manner, such as on a sticky note next to a login screen. (Photo: Carter Pape)

Weak or unprotected passwords

Password managers have gotten a bad name in recent weeks in the wake of the cyberattack that exposed encrypted credentials and unencrypted contact information for customers of LastPass, a popular service for keeping track of logins. But security experts still recommend all people use some kind of password manager, even if it isn't LastPass.

The chief information security officer of Navy Federal Credit Union, Mike Newborn, made exactly that recommendation in an interview this year. As tech companies and banks continue to work toward passwordless authentication, strong and unique passwords remain a necessary encumbrance, and people need a way to keep track of that kind of information, Newborn said.

Cyber talent shortage

As the need for cybersecurity talent grows, the number of people working in the profession has not grown quickly enough to keep pace. Though not as direct a threat as a weak password or a spear phishing email, this cybersecurity talent shortage presents a threat to banks' security, according to a 2020 report from the Carnegie Endowment for International Peace.

Experts disagree about the right way for banks to address this talent shortage: whether they should focus on retraining and upskilling their own employees or attract new recruits. Regardless of the path a bank chooses, teaching cybersecurity skills is hard, and so is trying to hire someone to do the job.

Partners with security soft spots

Cybercriminals have breached companies and governments by going through tech vendors many times before, but perhaps most infamously in 2020. That year, Russian-backed hackers penetrated thousands of organizations through malicious code they put into SolarWinds' network management software updates.

Banks need technical service providers to run their operations, but these partnerships also present cybersecurity challenges. According to a survey of bank cybersecurity professionals, 60% of financial institutions last year were victims of a cyberattack that originated outside their company. As long as banks rely on other companies to keep their data secure, these partners also expose the banks to potential cyberattacks.