The rise in digital payments and widespread working from home as a result of the Covid-19 pandemic means banks must deal with a more complex cyber-threat environment. 

In just a few months, the Covid-19 pandemic has upended commercial and social norms across six continents. As national authorities, businesses and consumers scramble to respond to this evolving crisis, other actors have capitalised on the prevailing environment of uncertainty and fear. In particular, these conditions have offered cyber-criminals a fertile opportunity to expand the threat landscape from which they operate. The outcome is alarming: malicious cyber-incidents, ranging from phishing emails to ransomware to brute force attacks, are exploding. And, in the relative chaos of atomised workplaces and erratic consumer behaviour, the financial services sector has emerged as a key target. 

The scale of the problem is laid bare by research from VMware Carbon Black, a US technology group, which points to a 238% increase in cyber-attacks on financial institutions, globally, between February and April 2020. Over the same period, ransomware attacks on the sector increased by a factor of nine. The research also highlights a correlation between cyber-attacks and the pandemic’s evolving news cycle. As media coverage has spiked in specific moments, aligning with grim Covid-19 milestones, so too has the volume of attacks on financial institutions. 

Uncharted waters

Changing patterns of business and consumption, across most of the world’s major economies, have helped fuel these dynamics. “Social distancing has created a surge in demand for contactless payments, digital cash transfers and online banking, as well as remote working by bank employees,” said Alessandro Roccati, senior vice-president at Moody’s. As a consequence, banks, in common with most other large enterprises, are now dealing with a more complex cyber-threat environment from a position of relative weakness. Unable to rely on the cybersecurity infrastructures in place across their physical footprint, banks are now facing off against hostile actors in uncharted waters.

“Today, there are so many [possible] attack avenues. Employees are now working on endpoints [a computing device] that are no longer part of [an organisation’s] infrastructure and not in [their] headquarters,” says Liviu Arsene, global cybersecurity researcher at Bitdefender, a cybersecurity firm. “These endpoints are connected to consumer-grade networks; home routers are being used as opposed to corporate infrastructures. [In an office environment], especially within banks, you have all of these perimeter defences, like advanced firewalls and web application firewalls, and all these network technologies that usually safeguard employees.” 

Human weakness

Indeed, research from Orange Cyberdefense, the cybersecurity arm of telecoms giant Orange Group, points to the ways in which the Covid-19 pandemic has changed security threat models for the private sector at large. These changes range from users connecting from insecure systems and environments, to reduced control and visibility over IT systems, to staff being more vulnerable to social engineering. This last point, in particular, is important because social engineering presents an above-average threat for the financial services industry. Broadly defined, it covers any effort to fool or deceive individuals, relying on the exploitation of human psychology to achieve a specific objective.

“Social engineering is where criminals look to exploit more of the human element of cybersecurity. So they’re encouraging somebody to click on a link or to give details over the phone. The targeted individual believes that they’re interacting with someone legitimate. And then the cyber-criminal is able to use the information or credentials they have secured to enact an attack or crime,” says Stuart Reed, UK director of Orange Cyberdefense. 

In an inaugural study known as Security Navigator, published by Orange Cyberdefense in June 2020, the company analysed a year’s worth of data generated by its 16 cybersecurity operation centres around the world. The research indicates that the financial services sector, relative to all other analysed sectors, was subject to the highest number of social engineering-based events, accounting for just over 10% of the industry’s total cybersecurity incidents over the 12-month period. 

“This perhaps is because financial services is generally a [well protected] industry. Therefore criminals need to find some other way of being able to infiltrate those systems and then enact financial crimes. Social engineering can be an effective way for them to do that. And that certainly seems to be the evidence from our research,” says Mr Reed.

At risk

The opportunities for social engineering-based incidents have only grown with the rise in remote working. As the research from Orange Cyberdefense indicates, the reduced supervision of in-house IT and cybersecurity teams places banks, and other institutions, at a distinct disadvantage against the growing threat from attacks that originate through social engineering methods.

Meanwhile, the economic fallout from the Covid-19 pandemic is stimulating other threats that stem from cyberspace. These include the increased use of money mules – individuals recruited into money laundering schemes, typically under false pretences – to aid criminal organisations and other malicious actors in their efforts to move money through the financial system. Mules are often recruited through social media channels, including Snapchat and Instagram, or through bogus online job advertisements, among other means. With unemployment and job insecurity on the rise, more people are falling victim.

“We are seeing a surge in this type of activity. [This is one way] that criminals are really targeting the population now. People are at home, everyone is in front of their laptop, so it’s easier to get individuals involved in these types of schemes,” says Araliya Sammé, head of financial crime at Featurespace, an enterprise financial crime risk management firm. 

In recent times, individuals have been lured into muling activity through scams linked to Covid-19. This has included schemes billed to facilitate the flow of funds to healthcare groups and charities, when in reality money is being laundered through criminal networks. A small commission is paid to the mule for each transaction, leaving some individuals dependent on this source of income. “The criminals are highly sophisticated. They are really getting into the population’s mindset in terms of who to target. There is a whole range of criminal activity and we only see the tip of the iceberg when we read the news,” says Ms Sammé. 

Think again

It is immeasurably more difficult for banks, in particular, to detect abnormal payments and spending patterns in a world turned upside down by Covid-19. Traditional, rules-based frameworks for analysing customer behaviour are of limited value in a pandemic. Similarly, financial institutions that have adopted machine learning technology to bolster their money laundering detection based on past corporate and retail behaviour will need to rethink their approach, according to research from the Bank for International Settlements’ Financial Stability Institute. One answer to this challenge lies in adaptive technology.

“Most of the [existing] solutions are rules-based. Those rules are implemented following indicators, typologies or red flags that are provided by the regulators. So if the criminals know these rules, they can work around them. So you need smarter solutions that try to understand behaviours in customers at an individual level, but also in terms of drawing comparisons to their peers,” says Ms Sammé.

“Everybody is now transacting differently. So if the traditional solutions are rule-based, they will not cater for a change in behaviour, meaning [they are] not adaptive. You need to be able to cater for those changes in behaviour or context. And our models have been trained to do that,” she adds.

Alongside improved technology offerings, a holistic approach will be needed to mitigate the threats posed by cyber-criminals. As the range of attack vectors increases, and the threat landscape facing banks and other private sector organisations expands, only a mobilisation of the entire cybersecurity ecosystem can counter the menace.

“The bottom line is that a mature approach to cybersecurity has to be layered and it has to be continuous. It’s not just about the technology. It’s about the processes that you have in place, and it’s also about the awareness and education of people. So from a financial services or from a banking perspective, it’s important that there is this notion of a shared responsibility, having everybody working as part of your organisation and understanding the role that they play,” says Mr Reed. 
