Security challenges

How are FS IT leaders responding to phishing threats?

by Egress
Published on 7th Jun 2022

2021 was a banner year for phishing attacks. According to our latest report, Fighting Phishing: The IT Leader's View, more than eight in ten organizations, or 84%, were hit by them last year. That's up from the 73% revealed in our previous report.

Given stats like these, it's no wonder cyber threats now top the list of concerns reported to the Allianz Risk Barometer by business risk experts. Nearly half, 44%, of risk managers surveyed named cyber incidents as a top concern, overtaking natural disasters (cited by 25%), the Covid pandemic (22%), and the global skills shortage (13%).

And while no sector has been spared, financial services (FS) firms remain particularly vulnerable because of the large amounts of data they handle, says Jack Chapman, Egress's vice president of threat intelligence. "Financial services firms are big targets when it comes to cybercriminals," he explains. "Their customer black book and supply chain is incredibly valued from an attacker's point of view."

Our latest report shows how IT leaders from FS firms are responding to  the rising tide of cyber threats.

Insights from IT leaders

For our Fighting Phishing: The IT leader's View report, we interviewed 500 IT leaders in medium and enterprise-level companies across various industries in the UK and US. The survey revealed a 15% increase in phishing attacks across industries from the findings of our 2021 report, ‘The real (and rising) risk of phishing.’

Besides the direct damage caused by these attacks, mitigation can also prove costly. When we look at organizations across all industries, nearly three-quarters (72%) of all IT leaders reported purchasing cyber insurance, and over half (64%) reported retaining legal counsel related to attacks. Moreover, over half (55%) of organizations in all industries also spent money on a forensic investigation related to attacks.

The problem is that these are all reactive measures. These numbers suggest organizations are expecting to be hit by phishing attacks and already preparing to mitigate the damage caused by breaches.

On the upside, organizations are increasingly taking proactive measures, for example, deploying secure email gateways (SEGs). But despite these investments,  nearly nine in ten IT leaders (89%) in every industry expressed frustration with them. In fact, 64% said they weren't worth the time and money.

But when we look at FS firms specifically, some problems become even worse.

Unique challenges for FS firms

Because of the valuable financial data they must maintain, financial services firms get attacked more often than other businesses.

While 59% of all businesses surveyed dealt with ransomware, that number increases for FS firms. Nearly three-quarters (70%) of FS firms we surveyed were hit by ransomware — much of which gets delivered by phishing attacks. That percentage represents 16% more than legal industry respondents and 19% more than general businesses. And these attacks are expensive, totaling nearly six figures ($91,240) in average payouts for FS firms in 2021.

And there's more. Over a third (38%) of FS firms got hit with supply chain compromise in 2021 versus 32% of businesses overall. That means some aspects of payments or supplier interactions were compromised. The same percentage (38%) of FS firms also got hit by whaling attacks — phishing attacks targeting high-level executives — versus 34% of all businesses surveyed.

Perhaps unsurprisingly, the finance teams of FS firms came under fire more often than at other companies — 33% of FS firms versus 27% overall. The ancillary costs are higher for FS firms as well. For example, our report found that 72% of FS firms retailed legal counsel to cope with phishing attacks compared with 64% of all businesses.

Email remains a preferred method of attack.

Email vulnerabilities

According to IBM and the FBI, business email compromise (BEC) — in which attackers assume the identity of a trusted party — remains the most expensive phishing attack vector.

"The main concern with BEC is how it can bypass traditional security solutions and augment other phishing techniques," Chapman says in our report. "This attack vector is so successful as it immediately builds credibility for the attacker by using compromised business email accounts."

For example, a mid-size FS firm in the US described a supply chain attack via BEC. An attacker posed as a legitimate business prospect to entice an employee to open an attachment that contained malware. "The employee was unaware that their personal information, including email credentials, had been compromised and continued using their account," the respondent reported. Once the attacker had access to the employee's email account, they used it to attack other victims, both within and outside the organization.

Fighting back

Given the sophistication of modern cybercriminals, FS firms are increasingly turning to advanced email protection to keep employees and data safe.

Intelligent email security solutions deploy machine learning, natural language processing, contextual analysis, and more to alert users to suspicious emails and weaponized links as soon as they hit inboxes. To learn more, visit our product page for Egress Defend.