We observe a significant increase in the number of phishing and fraud attacks targeted at financial institutions, in line with the general rise in the number of all types of cybercrimes. Although they can be aimed at individuals as well, they usually focus on commercial banks due to profitability. Here are some numbers to elaborate on: The cost of phishing per incident to firms is estimated as USD 4.9 million in 2022. In the first half of 2022, more than 255 million phishing attacks were detected, 61% increase in comparison to 2021. Crown jewel of the attacks, financial institutions accounted for 34% of the total.
As you can imagine, phishing attacks and their costs are not expected to fall in the years to come. So, how do we manage it?
In this blog, we will briefly explain these attack types and discuss means of protection.
What Does Phishing Do?
Phishing is a social cyber-attack, as human interaction is essential in its execution. The attacker pursues the victim to click a link in a short message or an email. The simple click can allow the attacker to deny access to a part of the computer system, expose sensitive data for ransomware or upload a malware. As a result, the attacker can steal the victim’s personal or card data, carry out unauthorised transactions. Even though such leakage at the personal level is costly enough, when considered at the corporate level, we can see what’s at stake.
Due to the vulnerabilities of the mail servers firms are using, corporate email addresses that do not exist, such as “[email protected]”, are particularly dangerous and can result in leakage of sensitive data, including information of the customers. Companies that are attacked lose customer confidence and market share, alongside long term financial damage. Therefore, in addition to instant financial loss, phishing inflicts quick mid and long-term damage, which are not easy or inexpensive to compensate.
The Cases of Crelan Bank & FACC
To illustrate with two striking examples, the phishing attacks at the Crelan Bank in Belgium cost the bank USD 75.8 million. It is thought that the fraudsters managed to exploit the CEO’s email address and sent emails on his behalf. The Austrian Aviation Firm, FACC, whose customers include Boeing and Airbus, lost USD 47 million in a similar way, in which the hoax email from the CEO asked an employee to transfer of money. Although the side effects are difficult to quantify, the loss of customers is estimated to be about at least 40%.
All good. But what to do about it?
Responding to Phishing
Both the users and companies can take measures against phishing. The negligence of either is going to cause weakness in defence.
Being alert with high awareness is the most critical way of defending against phishing from the perspective of the users. A little attention to details while going through the email or short message will reveal the nature of the message. It is likely that there will be a misspelling, a letter added to the main domain name, an irrelevant image attached or an unrequited offer. However, even the most conscious user can be a victim. Therefore, companies need to take institutionally protective measures.
One of the most critical of such measures is the detection and remediation of technical vulnerabilities. No matter how cyber-aware the users are, they are not expected to notice such risks. This is where the companies need to ensure the safety of their system. To name a few, verifying and correctly setting the MX, SPF, DMARC records and open relay capabilities of the mail servers will strengthen the mailing security. Although a limited number of companies may carry out these check their own means, we suggest independent and professional assessment. For companies who do not possess such capabilities, professional support is almost an essential in minimizing phishing risks.
Conclusion
It is no surprise that phishing and fraud attacks are on the rise, in line with the general trend of booming cybercrimes. Profits being the driving motivation, the attacks are recently focused more on commercial banks. The consequences are financial, prestige, customer and market share loss.
Users and companies can take measures against phishing attacks. Failure to act on both fronts will render the actions taken only on one meaningless. While make sure users are alert and aware, companies should ensure the security of their mailing systems.
References
https://www.imperva.com/learn/application-security/phishing-attack-scam/
https://chrmanagedservices.com/blog/impacts-phishing/#:~:text=Phishing%20attacks%20can%20cause%20data,keep%20that%20in%20the%20dark.
https://www.hoxhunt.com/blog/what-are-the-top-10-costs-of-phishing
https://m.nieuwsblad.be/cnt/dmf20160119_02078829
https://www.reuters.com/article/us-facc-ceo-idUSKCN0YG0ZF
https://www.jdsupra.com/legalnews/acorn-financial-services-reports-data-5996771/
https://www.vadesecure.com/en/blog/phishers-favorites-top-25-h1-2022