A Boston Consulting Group report found that financial services firms are 300 times more likely than other companies to be targeted by a cyberattack, and an Accenture study puts the average cost per company at $18.5 million, higher than in any other vertical market. These trends will only accelerate as cyber criminals increase their efforts to exploit the pandemic.
Incidents and news developments reflect this heightened state of alert around finance-related cyber crime:
A joint alert from the U.S. government
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of the Treasury, the Internal Revenue Service (IRS) and the United States Secret Service (USSS) issued a joint alert in May for “all Americans to be on the lookout” for fraud attempts using “coronavirus lures to steal personal and financial information.”
In particular, adversaries are seeking to disrupt economic payments from initiatives such as the Coronavirus Aid, Relief and Economic Security (CARES) Act, the $2 trillion economic relief package intended to support American businesses and individuals economically burdened by the coronavirus pandemic, according to the alert.
The Federal Trade Commission (FTC) warns of tax schemes
In April, the FTC issued guidelines to avoid pandemic-related IRS stimulus payment scams. “The IRS won’t contact you by phone, email, text message, or social media with information about your stimulus payment, or to ask you for your Social Security number, bank account, or government benefits debit card account number,” according to the FTC statement. “Anyone who does is a scammer phishing for your information.”
Charity, stock and Small Business Administration (SBA) incidents on the rise
The Small Business Administration disclosed in April that a data breach of its online application portal may have compromised the personally identifiable information (PII) – including Social Security numbers, income amounts, names, addresses and contact information – of nearly 8,000 businesses seeking Economic Injury Disaster Loans.
In the same month, the U.S. Securities and Exchange Commission (SEC) published an alert about unlicensed individuals and unregistered firms promising high returns on stocks of companies claiming to market products that can prevent, detect or treat COVID-19. “You may lose a lot of money if you invest in a company based on inaccurate or unreliable claims or rumors,” according to the alert. “False claims about a company’s products and services are sometimes part of a ‘pump-and-dump’ scheme where fraudsters profit at the expense of unsuspecting investors.”
Then, in June, the Cybercrime Support Network warned that adversaries are setting up bogus COVID-19 charity sites and sending out phishing emails posing as charities to get intended victims to make donations.
Online credit card skimmers target ecommerce sites
With more consumers shopping online due to the pandemic, adversaries are leveraging Magecart credit card skimmers in attacks against online customers. Magecart is a consortium of different threat groups known to take advantage of vulnerabilities in third-party ecommerce platforms to inject payment-stealing script into checkout pages. In April, Magecart attacks on online retailers jumped 20 percent.
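Because a skimmer of this kind shows up as a script on the checkout page that was not there before, one practical defence is to keep a known-good baseline copy of the page and compare the scripts on the live copy against it. The following Python audit is an added example written for this article, not code from the original post or from any vendor; the HTML pages, the script origins and the allowlist in it are constructed for the illustration, and the integrity value is a placeholder.

```python
"""Script-integrity audit for a checkout page (added example, not from the
original article). It records every <script> on a known-good baseline copy
of the page, then reports scripts on the current copy that are absent from
the baseline, flagging unexpected origins and external scripts that carry no
Subresource Integrity attribute. The sample HTML and the allowlist are
constructed for this example."""

import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only third-party origin the shop expects to load scripts from.
ALLOWED_ORIGINS = {"cdn.example"}


class ScriptCollector(HTMLParser):
    """Collects each <script> tag's attributes and its inline body, if any."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"attrs": dict(attrs), "body": ""})
            self._in_script = True

    def handle_data(self, data):
        # html.parser treats <script> content as CDATA and delivers it here.
        if self._in_script:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def script_fingerprints(html):
    """One hashable record per script: external scripts by src and integrity
    value, inline scripts by the SHA-256 of their body."""
    parser = ScriptCollector()
    parser.feed(html)
    records = set()
    for s in parser.scripts:
        src = s["attrs"].get("src")
        if src is not None:
            records.add(("external", src, s["attrs"].get("integrity", "")))
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            records.add(("inline", digest, ""))
    return records


def audit_checkout_page(current_html, baseline_html, allowed=ALLOWED_ORIGINS):
    """Return one finding per script present now but absent from the baseline."""
    findings = []
    added = script_fingerprints(current_html) - script_fingerprints(baseline_html)
    for kind, value, integrity in sorted(added):
        if kind == "inline":
            findings.append(f"new inline script not in baseline (sha256 {value[:12]})")
            continue
        host = urlparse(value).hostname  # None for a same-origin relative path
        if host is not None and host not in allowed:
            findings.append(f"new script from unexpected origin {host}: {value}")
        elif host is not None and not integrity:
            findings.append(f"new external script without integrity attribute: {value}")
        else:
            findings.append(f"new script not in baseline: {value}")
    return findings


# Constructed sample: a known-good baseline and a later copy of the same page.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.shop = {currency: "USD"};</script>
</head><body><form id="payment"></form></body></html>"""

CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//static-analytics.example/m.js"></script>\n'
    "<script>/* constructed: an inline script that was not there before */ var z = 1;</script>\n"
    "</head>",
)

if __name__ == "__main__":
    for finding in audit_checkout_page(CURRENT_HTML, BASELINE_HTML):
        print(finding)
```

Run against the constructed pages, the audit reports the protocol-relative script from the unexpected origin and the new inline script; running it on a schedule against the live checkout page, with the baseline refreshed only on deliberate releases, turns an unexplained script change into an alert rather than a discovery made after the card data is gone.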
It doesn’t help that, before the pandemic, hackers already considered the financial industry a primary target: Based upon its analysis of nearly 41,700 security incidents and more than 2,010 breaches, the 2019 Verizon Data Breach Investigations Report (DBIR) reported that the industry accounted for 927 of those incidents (ranked #4 among all sectors) and 207 of the breaches (third overall, behind only the public sector and healthcare).
These organizations also suffered the second-highest average cost of a data breach at $5.86 million – 49 percent greater than the $3.92 million global average for all industries, according to the 2019 Cost of a Data Breach Report from the Ponemon Institute and IBM.
So how should your financial organization address these challenges and threats? We recommend the following three steps:
Sensitize your workforce to COVID-19 scams
Your employees are your first line of defense. Basic education about the pandemic threat landscape – what are the latest attacks, and how should users respond when they receive a suspicious link or attachment in an email from an unfamiliar/untrusted party? – will go a long way. (For starters, they should not click on anything unfamiliar or untrusted, and they should forward these emails to the IT department.)
Encourage password security
Cybersecurity authorities recommend implementing rigorous password policies to ensure that all workers are using strong passwords (difficult to crack, built from non-sequential numbers and letters, symbols, and a mix of upper- and lower-case letters) and changing them on a regular basis.
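As an added illustration, not code from the original article, the following Python function turns the rules listed above into enforceable checks a password-change form or onboarding script could call. The minimum length and the longest tolerated sequential run are assumptions chosen for the example; the article itself gives no figures.

```python
"""Password-policy checker (added example, not from the original article).
Encodes the stated rules: mixed case, digits, symbols and no sequential runs.
MIN_LENGTH and MAX_SEQ_RUN are assumed values, not figures from the article."""

import string

MIN_LENGTH = 12   # assumed minimum length
MAX_SEQ_RUN = 3   # assumed: runs such as "abcd" or "4321" are rejected


def _has_sequential_run(pw, max_run=MAX_SEQ_RUN):
    """True if pw contains more than max_run characters that step by exactly
    +1 or -1 in code-point order in one direction (e.g. 'abcd', '4321')."""
    run, direction = 1, 0
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step not in (1, -1):
            run, direction = 1, 0          # run broken
        elif step == direction:
            run += 1                       # continuing in the same direction
        else:
            run, direction = 2, step       # new run starts with this pair
        if run > max_run:
            return True
    return False


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if _has_sequential_run(pw):
        problems.append(f"contains a sequential run longer than {MAX_SEQ_RUN}")
    return problems


if __name__ == "__main__":
    for candidate in ("abc", "Password1234!", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The sequential-run check tracks direction so that "abcb" is not mistaken for a run while "abcd" and "4321" are rejected; checking character classes one by one, and returning every failure rather than the first, lets the caller show users exactly which rule they missed.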
Update and strengthen bring-your-own-device (BYOD) rules
According to recent research, more than three-quarters of remote employees use unmanaged, insecure personal devices (BYOD) to access corporate systems. Organizations must update rules and standards so IT teams and employees can securely manage these devices.
We could not have predicted COVID-19, or the resulting increase in cyberattacks. However, financial organizations can still prepare for the worst in this new, evolving environment. Ultimately, it begins and ends with your people – the more employees know about current threats, good cyber hygiene and device security, the better positioned you’ll be to defend your network, systems and devices. These practices have proven over time to protect, whether during a pandemic or not.