When cybercriminals go phishing, it’s financial firms they want to land.
According to research published last month by the Anti-Phishing Working Group, the financial sector (including banks) was the most frequently victimized by phishing in Q2 2022, accounting for 27.6% of all phishing attacks.
And there’s a good reason why. Financial services is a highly lucrative industry, predicted to grow to over $25 billion this year, and cybercriminals realize that firms in it can be bountiful waters – waters that they know are often poorly defended. In 2020, Australian hedge fund Levitas Capital was famously forced to close after succumbing to a phishing attack delivered via a fake Zoom invite – proof that there is both huge potential and precedent for hackers targeting financial firms.
In addition, changing office dynamics and evolving workplaces have made businesses more vulnerable. As the Levitas breach demonstrated, the rise of remote working has brought a corresponding increase in phishing risk. As organizations rely ever more heavily on email and electronic communications to conduct business, they need to realize that one simple employee mistake can carry a heavy cost and compromise the business.
Spotting a phishing attack
Phishing attacks are commonly launched via emails and are designed to steal information or money from the victim. They often include links that, once clicked on, will install malware on a device.
Phishing emails vary in sophistication, but their goal is always to look like a genuine email to the recipient. If you and your employees know what to look for, you can recognize the clues that quickly identify an email as fraudulent.
To start, look for emails with bad grammar, suspicious attachments, unrecognized sender addresses, any that request a form of payment, and those inviting you to “urgently” log into your account.
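The clues listed above can be turned into a simple, explainable triage check that a security team can run over incoming mail before a human looks at it. The following Python script is an added example, not code from the original post or from Drawbridge; it parses a raw email, applies each indicator from the checklist (unrecognized sender domain, mismatched Reply-To, urgency and payment language, links whose host is not on the firm's allow-list, and risky or double-extension attachments), and returns a list of findings. The trusted-domain list, the phrase lists and the two sample emails are constructed for the example and would need to be tuned to your own environment.

```python
"""Flag phishing indicators in a raw email (added, constructed example)."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed allow-list of domains the firm legitimately corresponds with.
TRUSTED_DOMAINS = {"examplebank.com", "examplefund.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify your account")
PAYMENT_PHRASES = ("wire transfer", "invoice", "payment", "gift card")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".zip")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a human-readable finding for each checklist item the email trips."""
    msg = message_from_string(raw_message)
    findings = []

    sender = domain_of(msg.get("From", ""))
    if not is_trusted(sender):
        findings.append(f"sender domain not recognised: {sender or '(none)'}")
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain ({reply_to}) differs from From ({sender})")

    # Gather body text and attachment names from every MIME part.
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode("utf-8", errors="replace"))
    text = (msg.get("Subject", "") + "\n" + "\n".join(body_parts)).lower()

    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    payment = [p for p in PAYMENT_PHRASES if p in text]
    if payment:
        findings.append("payment request language: " + ", ".join(payment))

    for url in URL_RE.findall(text):
        host = urlparse(url).netloc
        if not is_trusted(host):
            note = f"link to unrecognised host: {host}"
            if any(d in host for d in TRUSTED_DOMAINS):
                note += " (trusted name embedded in a different domain)"
            findings.append(note)

    for name in attachments:
        lowered = name.lower()
        if lowered.endswith(RISKY_EXTENSIONS) or lowered.count(".") > 1:
            findings.append(f"suspicious attachment name: {name}")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS_EMAIL = """\
From: Example Bank Security <security@examp1ebank-support.net>
Reply-To: recover@mail-recovery.biz
To: analyst@examplefund.com
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your account will be suspended. Log in immediately at
http://examplebank.com.login-verify.biz/secure and review the attached invoice for payment.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

ZmFrZQ==
--XYZ--
"""
ROUTINE_EMAIL = """\
From: Jane Doe <jane.doe@examplebank.com>
To: analyst@examplefund.com
Subject: Quarterly statement available
Content-Type: text/plain

Your quarterly statement is in the portal at https://examplebank.com/statements.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("routine", ROUTINE_EMAIL)):
        print(label, phishing_indicators(sample))
```

The check is deliberately keyword-based so that every finding can be explained to the employee who received the message, which is what makes it useful alongside awareness training; it is a triage aid, not a replacement for a mail gateway, and a clean result does not prove an email is genuine.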
Protect your waters
While the risk of phishing attacks is high, your business is not powerless in the face of attacks.
One crucial step all financial services firms should take is investing in employee education that trains teams to spot phishing and other cyber attacks. Phishing attacks succeed because they rely on simple human error – so the more you train and arm your team, the better protected you’ll be. Teams should know to ignore or thoroughly vet emails containing ‘urgent’ links or attachments to download, and, when an email is unexpected, to confirm it is genuine by navigating directly to the sender’s website or calling a known contact at the sender’s organization rather than clicking links. Phishing simulations, as offered by Drawbridge, are a great way to ensure teams have truly absorbed their training and know what to do in the event of an attempted attack.
Another often overlooked but critical action for firms is to ensure they are performing continuous cyber security assessments and due diligence across their networks and their third-party vendors.
Third-party vendors can be a weak link in your security armor: they often have access to your data and network, yet may maintain a much lower level of security than your firm. Protect yourself by implementing vendor due diligence best practices such as communicating regularly with vendors and sending out due diligence questionnaires to measure and monitor cyber risk. Investing in a platform like Drawbridge can streamline this vital process and allow you to distribute questionnaires and track responses in just a few clicks.
Financial and private equity cyber security has never been more important as the threat landscape continues to advance and cyber risk ramps up. Now is the time for firms of every size to make phishing protection a priority if they want to avoid being caught on the hook in the next phishing attack.