The Ongoing Battle Against Phishing Attacks in the Financial Services Sector

Cybercriminals continue to treat the financial services sector as a prime target, exploiting vulnerabilities to gain unauthorized access to sensitive information, with financial gain as the central motive.

A recent cybersecurity report from Trustwave SpiderLabs, the "2023 Financial Services Sector Threat Landscape," notes alarming trends in the world of phishing attacks. Notably, tech giant Microsoft and American Express are among the top three most spoofed companies in phishing emails targeting the financial sector.

Phishing and Email-borne Malware

The report underscores the enduring relevance and effectiveness of phishing attacks. These deceptive tactics remain the preferred choice for cybercriminals to gain a foothold in organizations; despite the myriad technical systems and defenses in place to filter and eliminate such attacks, there's still a gap in the armor.

Surge in Financial Sector Attacks

Web application and API attacks directed at the global financial services industry are on the rise as well. Aggregated data show a staggering 65% increase in the second quarter of 2023 compared to the same period in 2022. Over an 18-month period, the industry saw 9 billion attacks, with banks bearing the brunt of the onslaught.

The financial services sector has now ascended to the top position for Distributed Denial of Service (DDoS) attacks, with the EMEA region accounting for 63.5% of global DDoS events.

Common Malicious Attachments: HTML Takes the Lead

HTML files are the most prevalent malicious attachments being seen in phishing emails targeting the financial services industry, constituting a substantial 78% of all attack attachments. These files are primarily used for credential phishing, redirector insertions, and HTML smuggling.

33% of these HTML files employ obfuscation techniques to evade detection and defense mechanisms and reach inboxes undetected.
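The three uses of HTML attachments named above (credential phishing, redirectors and HTML smuggling) leave recognisable traces in the file: password fields posting to a remote host, meta refresh redirects, base64 decoding into a Blob and an object URL. The following heuristic scanner is an added example written for this article, not code from Trustwave or the report; the indicator list, the weights and the verdict thresholds are this example's own choices, and the three attachment samples are constructed inline for testing (the smuggling fragment decodes only the placeholder string "QUJD" and carries no payload).

```python
"""Heuristic triage of HTML email attachments (added example, not from the report)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Each indicator is (name, regex, weight). Weights and thresholds are this
# example's own heuristic choices; tune them against your own attachment corpus.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 3),            # decoding an embedded blob
    ("blob_object", re.compile(r"\bnew\s+Blob\s*\("), 3),          # building a file in memory
    ("object_url", re.compile(r"createObjectURL|msSaveOrOpenBlob"), 3),  # handing it to the browser
    ("download_attr", re.compile(r"\bdownload\s*=", re.I), 2),
    ("string_decode", re.compile(r"String\.fromCharCode|\bunescape\s*\(", re.I), 2),
    ("dynamic_exec", re.compile(r"\beval\s*\(|document\.write\s*\("), 2),
    ("meta_refresh", re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.I), 2),  # redirector
    ("password_field", re.compile(r"type\s*=\s*[\"']?password", re.I), 2),    # credential form
    ("external_form_action", re.compile(r"<form[^>]*action\s*=\s*[\"']?https?://", re.I), 2),
    ("long_base64", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2),  # large embedded blob
]


@dataclass
class ScanResult:
    score: int
    hits: list[str]
    verdict: str  # "allow", "review" or "block"


def scan_html(content: str) -> ScanResult:
    """Score an HTML attachment by the indicators it matches."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(content)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if score >= 6:
        verdict = "block"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "allow"
    return ScanResult(score, hits, verdict)


# Constructed samples for testing the scanner; none is a real attachment.
BENIGN_SAMPLE = """<html><body>
<h1>Monthly statement ready</h1>
<p>Log in through the app to view your statement.</p>
</body></html>"""

CREDENTIAL_FORM_SAMPLE = """<html><body>
<form action="https://login.example.invalid/verify" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

SMUGGLING_FRAGMENT = """<html><body><script>
var payload = "QUJD";
var blob = new Blob([atob(payload)], {type: "application/octet-stream"});
var url = URL.createObjectURL(blob);
</script></body></html>"""


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SAMPLE),
                          ("credential form", CREDENTIAL_FORM_SAMPLE),
                          ("smuggling fragment", SMUGGLING_FRAGMENT)]:
        result = scan_html(sample)
        print(f"{label:20s} score={result.score:2d} verdict={result.verdict:6s} hits={result.hits}")
```

A scanner like this belongs behind, not instead of, the gateway's sandbox and reputation checks: obfuscated files (the 33% the report mentions) may hide the API names behind string concatenation, so a "review" verdict on any HTML attachment from an external sender is a reasonable default for a bank.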

Following HTML files, executables were the second most common type of malicious attachment, accounting for 14% of attack attachments.

Notable information-stealing malware, such as Gootloader, XLoader, Lokibot, Formbook, and Snake Keylogger, made appearances in these attachments. Additionally, Agent Tesla (RAT) was detected within the dataset. In contrast, attackers' use of PDFs (3%), Excel files (2%), and Word documents (1%) has decreased over time.

Brand Power

Voicemail notifications, payment receipts, purchase orders, remittances, bank deposits, and quotation requests rank among the most common themes targeting the financial sector, with American Express (24%), DHL (21%), and Microsoft (15%) appearing as the most frequently impersonated brands.

Traditional phishing themes without attachments still leverage "Urgent Action" messages, mailbox-related alerts, document sharing, e-signing, account-related alerts, missed communications, meeting-related notifications, and payment/invoice-related alerts. Microsoft (52%), DocuSign (10%), and American Express (8%) were the brands most commonly spoofed in non-attachment phishing attacks.

Evolving Tactics: Enter AI and LLMs

The impact of Artificial Intelligence (AI) and Large Language Models (LLMs), like ChatGPT, continues to grow within phishing attack schemes. As these technologies mature and expand in popularity, it becomes easier for cybercriminals to use them to craft convincing, highly personalized, and difficult-to-detect phishing emails.

Mitigating the Threat

So how can you prepare your organization to avoid becoming a victim of one of these attacks?

  • Consistently conduct mock phishing tests to assess the effectiveness of anti-phishing training and retrain repeat offenders.
  • Implement robust anti-spoofing measures, including deploying technologies on email gateways.
  • Deploy layered email scanning solutions to enhance detection and protection.
  • Use techniques that detect domain misspellings to help identify phishing and Business Email Compromise (BEC) attacks.
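The last recommendation, detecting domain misspellings, is where the brand statistics above become actionable: the brands a gateway should watch for are known. The script below is an added example for this article, not a tool from Trustwave or the report. It assumes a protected set of four domains for the brands the report names (americanexpress.com, microsoft.com, dhl.com, docusign.com; the choice of this set is an assumption of the example), normalizes common character substitutions (rn for m, 0 for o, and so on), and compares the sender's registrable domain to each brand with an edit distance. It also flags the brand being used as a subdomain of another domain, embedded in a longer name, or combined with a different top-level domain. Registrable domain extraction is simplified to the last two labels, which is an assumption; production code would use a public suffix list.

```python
"""Lookalike sender-domain detection (added example, not from the report)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed protected set: domains of the brands the report names as most impersonated.
PROTECTED_DOMAINS = {
    "americanexpress.com": "American Express",
    "microsoft.com": "Microsoft",
    "dhl.com": "DHL",
    "docusign.com": "DocuSign",
}

# Visual substitutions commonly used in lookalike names, mapped back to the
# character they imitate. Multi-character entries are applied first.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Lower-case a DNS label and undo common confusable substitutions."""
    label = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Match:
    domain: str
    verdict: str        # legitimate, lookalike, brand_embedded, brand_in_subdomain, tld_swap, unrelated
    brand: str | None
    distance: int | None


def check_sender_domain(domain: str) -> Match:
    """Classify a sender domain against the protected brand set."""
    labels = domain.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])   # assumption: two-label registrable domain, no suffix list
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    if registrable in PROTECTED_DOMAINS:
        return Match(domain, "legitimate", PROTECTED_DOMAINS[registrable], 0)
    norm_reg = normalize(reg_label)
    for protected, brand in PROTECTED_DOMAINS.items():
        brand_label = protected.split(".")[0]
        # Brand name used as a subdomain of an unrelated registrable domain
        if any(brand_label in lab for lab in labels[:-2]):
            return Match(domain, "brand_in_subdomain", brand, None)
        # Same brand label under a different top-level domain
        if reg_label == brand_label:
            return Match(domain, "tld_swap", brand, 0)
        # Brand name with extra words attached (e.g. a "-login" suffix)
        if brand_label in norm_reg and norm_reg != brand_label:
            return Match(domain, "brand_embedded", brand, None)
        # Misspelling or confusable substitution; tighter tolerance for short brands
        allowed = 0 if len(brand_label) <= 4 else (1 if len(brand_label) < 12 else 2)
        dist = edit_distance(norm_reg, brand_label)
        if dist <= allowed:
            return Match(domain, "lookalike", brand, dist)
    return Match(domain, "unrelated", None, None)


if __name__ == "__main__":
    # Constructed sender domains for demonstration; none refers to a real sender.
    for sample in ["microsoft.com", "rnicrosoft.com", "micros0ft-login.com",
                   "microsoft.com.example.net", "americanexpress.co",
                   "amercanexpress.com", "dh1.com", "example.com"]:
        m = check_sender_domain(sample)
        print(f"{sample:28s} {m.verdict:20s} brand={m.brand} distance={m.distance}")
```

Run at the gateway, a non-"legitimate", non-"unrelated" verdict on the From or Reply-To domain is a strong BEC signal when combined with the "Urgent Action" and payment themes the report lists; the exact-match branch is what keeps genuine mail from the protected brands out of the alert stream.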

The Bottom Line

In a rapidly evolving digital world, the fight against phishing attacks in the financial services sector remains an uphill battle and a major concern. By staying informed and adopting the recommended tips above, you can fortify your defense against these evolving threats and safeguard sensitive data from malicious cybercriminals.