What cybersecurity threats should financial services be prepared for?

Cybersecurity has been an ongoing concern for a number of years, and it’s affected companies of all shapes and sizes across a variety of sectors. As data becomes increasingly crucial to the core business activities being carried out by those companies, cybersecurity has rapidly evolved from a mere afterthought to the chief risk concern of many organisations – particularly across the banking and financial services sectors.

Those institutions are right to worry.

According to the 2018 half-year fraud update compiled by researchers at UK Finance, which represents almost 300 UK-based banking, mortgage, markets and payments services providers, financial services firms have faced an unprecedented level of cyberattacks in recent months. In many cases, those increasingly sophisticated attacks are proving very successful.

Although banks and financial services providers were able to prevent a reported £705.7m worth of unauthorised fraud over the first half of the year, cyber criminals still managed to steal more than £503m from UK financial institutions through authorised and unauthorised fraud in the first 6 months of 2018 alone.

That equates to a success rate of around one in three attacks, and it should speak for itself in terms of just how crucial it is for institutions to invest in and deploy adequate cybersecurity processes – as well as the critical, leading role financial directors must take in preparing their companies to face cyber criminals and their sophisticated methods of infiltration.

According to the UK’s Financial Conduct Authority (FCA), UK banks currently spend around £6.7bn per year combatting cybercrime and online fraud – higher than the UK Government’s budget for its national prison system.

To help prepare for these threats, FDs must first learn how to identify them. That’s why it’s necessary to delve into some of the top trends in cybersecurity and the most prevalent types of attacks that are being deployed against banks, financial institutions and their customers in 2018.

Authorised push payments

Without doubt the most common type of online criminal activity affecting financial institutions at present is the authorised push payment (APP). APP scams are well documented across the media, and essentially see a bank or credit account holder tricked into authorising a payment to be made from their account to somebody else’s account.

Fraudsters use a range of social engineering tactics in order to commit APP crimes – although most instances include a criminal posing as a genuine individual or organisation via telephone, email, SMS or social media. Once payment has been authorised by the victim, the criminal will then swiftly transfer money out of their receiving account to numerous other accounts where it can be cashed out.

It is currently difficult to chart the long-term growth of APP scams in Britain, because UK Finance only began collecting data on them at the start of 2017. Even over the last 12 months, however, researchers have charted sizeable growth in reported cases.

In the first 6 months of 2017, there were 19,370 reported cases of authorised push payment scams amounting to losses of £101.2m. Meanwhile, across the first half of 2018 there were 34,128 reported cases of APP scams amounting to £145.4m worth of losses. It’s worth noting that over £52m of those losses came from non-personal or business accounts, and approximately 63% of all APP scams are categorised as purchase scams. Purchase scams are a criminal activity in which victims are convinced to pay for goods or services that are never received.

That being said, these jaw-dropping stats need to be accompanied by the caveat that new industry guidelines were introduced last year to improve the identification and reporting of APP scams, potentially inflating figures.

Even so, APP scams are particularly detrimental for customers and victims owing to their limited ability to recover losses. Since this method of cybercrime sees customers authorising payments themselves, unlike unauthorised payments, existing UK legislation gives victims of APP scams no legal protection to recover losses.

Fortunately, industry lobbyists have broached this concern with lawmakers and regulators – while financial providers were surprisingly able to return almost £40m worth of losses to APP victims during the first 6 months of 2018.

Unauthorised payment and banking fraud

Despite the increasing popularity of APP scams among cyber criminals, card payment fraud still poses a seemingly insurmountable hurdle for financial services companies working to tackle cyber fraud. Over the first half of 2018, fraud losses on cards in the UK reached £281.2m. That figure represents a 2% decline year-over-year, although concerned firms should bear in mind that the overall proportion of card purchases in the UK has also dropped over the same period.

Financial institutions are improving phenomenally at preventing unauthorised payment losses, and were able to stop almost £500m worth of card fraud from January to June this year – yet the sheer diversity of methods that fall under the umbrella of unauthorised payment fraud has been spreading risk management teams thinner than many FDs would like over the course of 2018.

Remote purchase fraud is the chief culprit with regard to unauthorised card payment scams, accounting for £211.6m worth of losses so far in 2018 and a 12% increase in reported cases. The bulk of those cases were exclusive to ecommerce and were driven primarily by card data obtained via third-party sites and phishing activity.

One novel way in which criminals have recently been obtaining customer card data, and then stealing from financial institutions, is by compromising home routers and redirecting visitors who attempt to reach banking websites to convincing fake sites. In this type of scam the fraudsters redirect DNS requests to a malicious server, and victims often fail to realise they are on an insecure site because the criminals use SSL stripping to sidestep certificate validation.
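As an added example (not from the original article), the following Python models why HTTP Strict Transport Security (HSTS) blunts the SSL-stripping step of this scam: a client that already holds a policy for the bank's host, or has it preloaded, insists on HTTPS even when a hijacked resolver points it at an impostor serving plain HTTP. The host names, headers and the Browser class are constructed for illustration.

```python
"""Why HSTS blunts SSL stripping after a router/DNS hijack.  Added example with
constructed hosts and headers; Browser is a minimal model of RFC 6797, not a real client."""

ONE_YEAR = 31_536_000  # seconds; the max-age most hardening guidance asks for

def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security header into its directives."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip()
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def assess_hsts(header: str) -> list:
    """Weaknesses a defender would flag in a bank's HSTS header."""
    p = parse_hsts(header)
    findings = []
    if p["max_age"] < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing")
    if not p["preload"]:
        findings.append("not eligible for the browser preload list")
    return findings

class Browser:
    """Client that remembers HSTS policies; `now` is injected for determinism."""
    def __init__(self, preloaded=(), now=0):
        self.now = now
        self.expiry = {host: float("inf") for host in preloaded}  # preload never expires

    def learn(self, host: str, header: str) -> None:
        """Record the policy from an HSTS header received over HTTPS."""
        max_age = parse_hsts(header)["max_age"]
        if max_age > 0:
            self.expiry[host] = self.now + max_age
        else:
            self.expiry.pop(host, None)   # max-age=0 withdraws the policy

    def scheme_for(self, host: str) -> str:
        """A hijacked resolver can only downgrade hosts with no live policy; with one,
        the client insists on https and the impostor needs a certificate it lacks."""
        return "https" if self.expiry.get(host, -1) > self.now else "http"
```

The first ever visit, and any visit after a short max-age has lapsed, is the window the scam relies on, which is why a long max-age and preloading matter.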

More traditional methods of card fraud, such as the use of lost or stolen cards, card not received fraud and counterfeit cards, are declining. One area of unauthorised payment fraud that has been on the rise in recent months is card identification theft, in which a cybercriminal obtains stolen documents or submits fake documents in order to set up an account in someone else’s name. This method of third-party application fraud has risen 44% year-over-year, although it still only accounts for £8.1m worth of losses.

While many financial institutions, FDs and their risk management teams are familiar with some of the more effective preventive tactics available to counter threats like unauthorised payment fraud, remote banking fraud is thus far proving slightly more difficult to crack.

Remote banking fraud is a method of cybercrime in which an individual gains access to the victim’s bank account either online, over the phone or via a mobile device – and according to UK Finance it accounted for £137.8m in attempted attacks during the first half of 2018. With regard to losses that financial institutions were unable to prevent, internet banking fraud, in which a criminal gained access to somebody else’s online account, resulted in £56.7m worth of losses at the start of the year.

Call centre scams

Similar to APP scams, call centre fraud is being increasingly deployed against banks and other financial services companies – and it can be difficult for outsourced teams to defend against.

As banking call centres are typically considered somewhat separate from their parent institutions (both organisationally and architecturally), they often fall outside a company’s fraud and loss prevention perimeter. This means that if call centre agents are left with limited identity verification tools at their disposal, criminals are often able to use simple social engineering tactics to impersonate account holders and initiate transfers with the assistance of bank staff.

Earlier this year, the UK’s National Cyber Security Centre warned that cybercriminals were experiencing success with this type of scam through SIM swapping, a practice that is becoming easier than ever thanks to the increased emphasis banks are placing on smartphones as part of the customer identification process.

SIM swapping is the theft of an individual’s mobile identity. The criminal first obtains the victim’s phone number and personal details through phishing or open-source research, then contacts the victim’s mobile provider, answers basic security questions and asks for the number to be transferred to a new SIM card. The criminal then has full control of that person’s mobile identity, while the victim’s own handset is cut off from the network.

Criminals are then free to contact the victim’s bank and pose as that individual, claiming to have forgotten their PIN or other identifying banking information. Call centre staff will typically respond by sending a two-factor authentication code via text message, which is no barrier to a criminal who now controls the victim’s number.
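One defensive control for the scenario just described, written here as an added example rather than any bank’s or regulator’s actual procedure: a call-centre verification policy that refuses to treat an SMS code as proof of identity when the registered mobile number has recently been moved to a new SIM. The 72-hour window, the carrier-lookup field and the factor names are assumptions.

```python
"""Step-up verification for high-risk call-centre requests after a SIM swap.
Added example: the 72-hour window, the carrier-lookup field and the factor
names are assumptions, not any bank's or regulator's actual policy."""
from dataclasses import dataclass
from typing import Optional

SIM_SWAP_WINDOW_HOURS = 72          # assumed cooling-off period after a SIM swap
HIGH_RISK_ACTIONS = {"pin_reset", "new_payee", "contact_change"}

@dataclass
class Account:
    mobile: str
    sim_swap_age_hours: Optional[float]  # from a carrier lookup; None = no swap on record
    app_device_enrolled: bool            # a previously enrolled device can approve in-app

@dataclass
class CallRequest:
    action: str        # what the caller is asking the agent to do
    knows_pin: bool    # False models the "I've forgotten my PIN" opener

def mobile_number_trusted(account: Account) -> bool:
    """An SMS code proves control of the number, not of the customer, if the SIM
    was swapped recently; treat the number as untrusted inside the window."""
    age = account.sim_swap_age_hours
    return age is None or age > SIM_SWAP_WINDOW_HOURS

def verification_plan(account: Account, request: CallRequest) -> dict:
    """Return the factors the agent must obtain and the reason for the decision."""
    if request.action not in HIGH_RISK_ACTIONS and request.knows_pin:
        return {"factors": ["pin"], "reason": "low-risk action, PIN verified"}
    if mobile_number_trusted(account):
        factors = ["sms_otp"] if request.knows_pin else ["knowledge_questions", "sms_otp"]
        return {"factors": factors, "reason": "no recent SIM swap on the registered mobile"}
    # Recent swap: SMS is not accepted at all; fall back to a channel the
    # carrier cannot hand to an attacker.
    fallback = "app_approval" if account.app_device_enrolled else "callback_or_branch"
    return {"factors": [fallback],
            "reason": f"SIM swapped {account.sim_swap_age_hours:g}h ago; SMS rejected"}
```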

According to a 2017 study conducted by Pindrop® Labs, this type of call centre payments fraud has increased by 113% year-over-year, with approximately one in every 2,000 calls to banks and other financial institutions having been retrospectively tagged as fraudulent.

Overcoming cybercrime risks

In terms of cybercrime, fraudulent activity targeting customers is inherently the greatest collective threat that banking and financial institutions face. Authorised push payment scams pose a huge hurdle to the sector that has yet to be overcome, while unauthorised payments such as remote purchase fraud, card identification theft and remote banking fraud are pressing companies to demonstrate new and more holistic methods of identification and prevention.

Regardless of company size or offerings, it’s virtually impossible to safeguard against every possible cyberattack. Yet by taking the time to recognise each threat, deploy the appropriate processes and infrastructure, and fully establish and understand an FD’s role in cybersecurity, banks and financial institutions will be well-placed to overcome the globe’s most common cybercrime risks.