ABA Banking Journal

Seven cybersecurity threats for banks in 2024—and some smart precautions

February 8, 2024

Cybercriminals are professionalizing and a new threat is on the rise.

By Elizabeth Judd

With a new year comes a whole new set of cyber worries threatening to cost leaders at banks much-needed sleep.

Between 2018 and 2022, the FBI received 3.26 million complaints about cyber-attacks, with reported losses of $27.6 billion. In 2022, 800,944 cybercrimes were reported in the United States, according to USA Facts, and the numbers are expected to climb. And an additional cyber threat looms: “Advances in artificial intelligence are making cyberspace increasingly dangerous,” reports Harvard Business Review.

The dollars at stake are increasing. According to a 2023 report by IBM, finance firms are averaging $5.9 million per data breach.

Below are seven growing cybersecurity threats, as well as some suggestions for how banks can keep data secure.

1. Third-party risks

Topping any list of cyber-related nightmares are the risks posed by fintech firms and other vendors.

“The problem with third-party risk,” says Paul Benda, EVP for risk, fraud and cybersecurity at the American Bankers Association, is “that banks don’t know what they don’t know.”

Benda maintains that insisting on penetration testing, or “pen testing,” is one excellent way to batten down the hatches with third-party vendors. Pen testing typically involves a cybersecurity expert waging a simulated attack on a system to identify vulnerabilities.

Paying close attention to pen-test results can reassure financial institutions about the security precautions taken by vendors. If a vendor refuses to share results, that’s a major red flag.

Beth Sumner, VP of customer success at Finosec, a computer and network security firm, says that June 2023 interagency guidance on third-party risk management by the OCC, the FDIC and others is an excellent place to learn more about pen testing and other precautions. In addition, she emphasizes the importance of not only getting testing data from your third parties but from the vendors that they contract with, as well.

“Even when you’re doing business with a reputable company, the question is: Who are they doing business with?” Sumner says. “You really need to go down that rabbit hole of who are your vendors’ vendors.”

2. AI-enabled phishing

Phishing attacks, responsible for 41 percent of cybercrimes in 2022, became far more effective with the unveiling of ChatGPT in late 2022. The widespread availability of generative AI tools marks the end of an era of ungrammatical phishing texts and emails with typos and colorful capitalizations and the arrival of slicker attacks.

Phishing has steadily gained in popularity, says Benda, because “criminals realized that it was a whole lot easier to shift from trying to break down the door themselves to convincing you to give them the key.”

Benda points out that phishing scams enabled by artificial intelligence can be extremely sophisticated. He explains that hard-to-detect “deep fake” tactics are now easier than ever to pull off.

It wouldn’t, for instance, be all that challenging for a cybercriminal to duplicate the voice of someone’s boss and leave that individual a voice message, directing a specific action be taken. And in fact, in mid-2023, the APWG, or Anti-Phishing Working Group, reported that the volume of voicemail phishing is increasing.

Ways financial institutions can combat AI-enabled phishing include educating employees and customers about the existence of these scams, says Benda.

The latest technology tools can also help. Benda notes that using geolocation to verify communications is one powerful measure. Another is strengthening multi-factor authentication.

3. Ransomware

In November, the headline-grabbing hit against the American arm of ICBC, China’s megabank and the world’s largest lender by assets, raised alarms about ransomware for financial executives everywhere.

Ransomware today comes in many shapes and sizes. At its most basic, bad actors enter a company’s system and install malware that encrypts files, blocking access until a large sum is paid. In what’s known as double extortion, criminals use stolen customer data to extort a bank’s customers, threatening to release sensitive data to the public or the black market.

David Shipley, CEO of Beauceron Security, a New Brunswick, Canada-based cybercrime consultant, says most financial institutions are well fortified against ransomware and so the attacks generally target easier prey, such as third parties that banks use as vendors.

“The ransomware story for 2024 for community banks will be hits on the supply chain that will reverberate and cause all kinds of grief, particularly breaches that contain material customer information,” Shipley says.

Help for financial institutions is out there. In October, state bank regulators released the 2.0 version of their Ransomware Self-Assessment Tool, or R-SAT, which walks bankers through a process to identify potential cybersecurity problems.

4. The changing nature of cyber insurance

Until quite recently, financial institutions viewed cyber insurance policies as a useful way to transfer risks and costs of a breach to a third party.

This is changing, says Shipley, as cyber insurance policies grow more restrictive. He notes that many insurers have written onerous exemptions into their policies, while others have pulled back on the sums covered for bank losses due to fraud. For financial institutions, the takeaway here is to review cyber insurance policies carefully, making sure to understand all terms and exemptions.

5. Staffing challenges

“At a community bank, the individual who gets the title of chief security officer is usually the individual who was out of the room when the board voted,” jokes Sumner.

The line contains more than a kernel of truth.

“Practically nobody wants to be in charge of security,” says Sumner, noting that there just “aren’t enough qualified people in the banking industry who know about IT or information security.”

The IT skills gap has widened since COVID hit. Prior to the pandemic, she says, IT banking jobs were often plum positions for someone possessing the right skill set and a love of small-town life. In the past few years, these same individuals have been wooed by other industries offering remote work and hefty salaries.

Given a talent shortage, many banks are using virtual information security officers and virtual CIOs rather than placing someone who lacks the necessary skills in an increasingly key role, says Sumner.

6. WormGPT and HaaS

Just as generative AI swiftly altered how legitimate businesses operate, AI has spawned a transformation within criminal enterprises.

“The evil versions of generative AI are often open-source technologies that anyone can create from,” says Shipley. He notes that while ChatGPT has guardrails to prevent criminal activity, cybercrime tools like WormGPT are designed to facilitate malicious attacks.

“Criminals are standing up their own versions of generative AI that don’t have limitations,” says Shipley. “They can blatantly say, ‘Please help me create a compelling phishing email’ and the program will do just that.”

Shipley urges bankers to retire the worn image of hackers as loners, wearing hoodies and operating out of basements. In an age of HaaS, or hacking as a service, bad actors may be salaried employees working at operations with well-staffed call centers and other professional trappings.

7. Quantum computing

A truly existential cyber threat is in the making with the rise of quantum computers, which harness quantum mechanics to produce far greater processing power than today’s supercomputers. Although quantum computers exist today, they are in their infancy. Someday, however, their capacity for large-scale calculations could cause massive trouble, perhaps even decrypting the entire Internet.

Sounds like sci-fi? Yes and no.

ABA’s Benda urges security officers at financial institutions to begin taking the issue of quantum computing seriously. While a true threat may not materialize for several years, it’s not too early, he says, for banks to learn about quantum-resistant algorithms and begin taking “inventory of systems that could be susceptible to quantum computers.”

Elizabeth Judd is a freelance writer based in Chevy Chase, Maryland.
