Of the many threats targeting financial services firms in 2022—distributed denial-of-service (DDoS) attacks, ransomware, business email compromise (BEC) fraud, and more—supply chain insecurity tops the list of most pressing risks for the year ahead, according to a recent analysis of cybercrime affecting the finserv sector.
That’s a key finding from Navigating Cyber 2023, an annual report from the Financial Services Sharing and Analysis Center (FS-ISAC), a cyber intelligence-sharing nonprofit with some 5,200 member institutions, including banks, brokers, insurance companies, and credit unions, representing $100 trillion in assets in 75 countries.
Financial services firms, though generally well-funded and able to deploy the best security toolsets, remain a popular target for cybercriminals.
According to FS-ISAC, its members reported a 300% increase in BEC attacks in 2022 over the year before. Distributed denial-of-service (DDoS) attacks on financial firms in Europe rose 73% in that same period, accounting for half of all DDoS attacks in the region. And while cryptocurrency payments to ransomware attackers may have dipped in 2022—likely due to sanctions against such payments, the report notes—FS-ISAC members still saw a “continued stream” of attacks.
“We’re seeing a lot of the same type of attacks throughout the industry, year over year, as are listed in the report,” says Chris Blow, director of offensive security at Liberty Mutual Insurance.
The report covers the most significant threats that targeted financial services firms in 2022 and provides a look into what the FS-ISAC analysts believe will be the most significant risks throughout the rest of 2023. Spoiler: Thanks to advances in technology, most of the threats we saw last year are likely to rise.
Geopolitical conflict, MFA bypass attacks move center stage
In 2022, the most significant impact on financial services cyber risk proved to be heightened geopolitical conflict. “Existing tensions, exacerbated by Russia’s invasion of Ukraine, sparked a flood of hacktivist activity that continues unabated,” the report states. “China and its goal of Taiwan unification, and Iran’s ideologically motivated attacks on Western financial institutions contribute to the geopolitical cyber threat landscape.”
Financial services security teams will continue to watch geopolitical tensions in the year ahead, especially in hot zones such as Russia/Ukraine, China/Taiwan, and Iran, and among politically motivated hacktivists. Large financial services firms with close ties to any nation engaged in conflict can assume they’ll be targeted.
Assaults on multifactor authentication (MFA) also kept finserv security teams busy last year. In mid-2022, FS-ISAC members experienced a rise in credential-harvesting phishing attacks affecting Office 365 customers. This type of assault on MFA is typically an “adversary in the middle” (AitM) attack, in which a system is placed between the user and the service they’re trying to access so that credentials, and the session cookies issued after a successful login, can be stolen.
Attackers use the stolen credentials to access protected resources. Such AitM approaches were deployed against financial institutions in the US, UK, New Zealand, and Australia.
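The stolen session cookie is the piece of the AitM chain a defender can still observe: once the attacker replays it from their own infrastructure, the session shows up with a client fingerprint that differs from the one present at login. The following detector is an added example written for this article, not code from FS-ISAC or the report; it assumes a constructed JSON-per-line log format with `login` and `request` events carrying `session`, `ip` and `ua` fields, and every log line in it is made up.

```python
"""
Added example (not from the FS-ISAC report or the article): flag session
cookies that are replayed from a client fingerprint (IP + User-Agent)
different from the one seen when the session was issued at login.
The log format and every event below are constructed for illustration.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample events, in arrival order. The third line is the
# tell-tale replay: alice's session is reused from another IP with a
# scripted client, a minute after her browser was using it.
SAMPLE_LOG = """
{"ts": "2022-06-14T09:01:10Z", "event": "login", "user": "alice", "session": "s-7f3a", "ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"}
{"ts": "2022-06-14T09:01:42Z", "event": "request", "user": "alice", "session": "s-7f3a", "ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0", "path": "/mail/inbox"}
{"ts": "2022-06-14T09:03:05Z", "event": "request", "user": "alice", "session": "s-7f3a", "ip": "203.0.113.77", "ua": "python-requests/2.28.0", "path": "/mail/rules"}
{"ts": "2022-06-14T09:10:00Z", "event": "login", "user": "bob", "session": "s-91c2", "ip": "192.0.2.8", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1"}
{"ts": "2022-06-14T09:11:30Z", "event": "request", "user": "bob", "session": "s-91c2", "ip": "192.0.2.8", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "path": "/mail/inbox"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line (constructed format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fingerprint(ev: dict) -> Tuple[str, str]:
    """The client fingerprint we bind to a session: source IP and User-Agent."""
    return (ev["ip"], ev["ua"])


def detect_session_replay(events: List[dict]) -> List[dict]:
    """Return one alert per request whose fingerprint differs from the login's.

    Severity is 'high' when both IP and User-Agent changed (a browser does not
    turn into a script mid-session), 'medium' when only one did, since an IP
    alone can legitimately change on mobile or roaming networks.
    """
    bound: Dict[str, Tuple[str, str]] = {}   # session id -> fingerprint at login
    alerts: List[dict] = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login":
            bound[sid] = fingerprint(ev)
            continue
        if sid not in bound:
            # A session used without any observed login is itself suspicious.
            alerts.append({"ts": ev["ts"], "user": ev["user"], "session": sid,
                           "ip": ev["ip"], "ua": ev["ua"], "severity": "medium",
                           "reason": "no login observed for session"})
            continue
        ip0, ua0 = bound[sid]
        ip_changed = ev["ip"] != ip0
        ua_changed = ev["ua"] != ua0
        if not (ip_changed or ua_changed):
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"], "session": sid,
                       "ip": ev["ip"], "ua": ev["ua"],
                       "severity": "high" if ip_changed and ua_changed else "medium",
                       "reason": f"fingerprint changed since login (was {ip0} / {ua0})"})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run on the sample, the detector raises a single high-severity alert for session `s-7f3a`; bob's session, used consistently from one browser, stays quiet. In production the same check would be fed from the identity provider's sign-in and activity logs, and a high-severity hit is a reason to revoke the session rather than just to page someone.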
Ransomware makes headlines but BEC scams are (much) costlier
Ransomware attacks remain a formidable threat, proving to be a “better business model than ever,” the report notes.
According to FS-ISAC analysts, the top two industries under assault from ransomware in 2022 were manufacturing and the professional, scientific, and technical services sector, with finserv and insurance firms coming in third. Alas, there’s little comfort in third place, given that the majority of finserv’s third-party suppliers and vendors come from the professional, scientific, and technical services sector.
That puts financial institutions at risk even when they’re not directly attacked. Ransomware attacks on third-party suppliers to the financial sector last year included the Irish banking software company CR2, digital security software firm Entrust, and the finance and accounting solutions provider Exela.
While cyber gangs continue to embrace ransomware-as-a-service providers to spread their attacks, BEC fraud is also prevalent. “BEC has become one of the most common and costly frauds impacting firms around the world,” the report declares. BEC can take several forms, but the most reported to FS-ISAC are payroll diversion requests or fraudulent payment requests, as part of an impersonation scam or vendor fraud.
And these attacks add up. According to the FBI’s Internet Crime Complaint Center, the FBI received BEC complaints totaling $2.4 billion. That’s considerably more than the $49.2 million in damages reported from ransomware complaints.
Software supply chain and AI risks may rule the year ahead
Software supply chain threats last year targeted an increasingly digitized business environment, and that digitization shows no signs of waning. In 2022, the most prevalent supply chain attacks reported by FS-ISAC members were the hijacking of software updates, fraudulent code signing, and the compromise of open-source code.
Such strategies are only expected to rise given the increasing availability of malware-as-a-service and the skyrocketing popularity of mobile banking apps and open banking. Rolled out widely in 2018, open banking relies on application programming interfaces (APIs) that offer quick access to financial data so consumers can easily evaluate competing banking services. According to one report, attacks on APIs last year jumped 681%.
“I was surprised software supply chain threats didn’t top the list for 2022,” says Blow. “I’m not surprised to see it top the list for threats in 2023,” he adds.
Hacktivists, cybercriminals in general, and amateurs with an axe to grind will all be assisted by advances in artificial intelligence (AI) technology, which may prove to be a game-changer not just this year but for decades to come.
The AI-powered, generative-text chatbot ChatGPT only launched in November and already the tool has been used to create malicious code and convincing phishing emails. Generative language models have also created info stealer malware, encryption tools, and more. Threats like this will keep security pros on the front line continually on guard.
“I’m concerned about organized crime and nascent hackers,” says Blow. “The new tools, such as AI, are making it easier for less skilled attackers to be effective.”
Despite the anticipated flood of AI-enabled attacks, FS-ISAC analysts remain optimistic that AI-enabled defenses will be effective. They also envision an increased investment in automated approaches to vulnerability and patch management. Still, they place their utmost faith in the men and women who serve on financial services security teams.
“Automation,” the report concludes, “will not replace the judgment and expertise of trained professionals for the foreseeable future.”