A rising number of cyberattacks aimed at the financial sector during the coronavirus pandemic has sent a warning to banks to improve their cybersecurity measures to protect themselves against future risks.
Attacks against the financial sector increased 238% globally from the beginning of February to the end of April, according to data from Carbon Black Inc., a unit of VMware Inc. that offers cybersecurity technology to financial institutions. Ransomware attacks grew ninefold in the period, with phishing emails the primary source.
The coronavirus crisis has created the perfect climate for cybercriminals, with record levels of government stimulus money being released as people work remotely and increasingly interact online.
"There's a perfect storm," said Tom Kellermann, head of security strategy at VMware's security business unit. "Frankly, in my 22 years in cybersecurity, I've never seen it get this bad."
Cybercriminals have been more successful in so-called business email compromise, or BEC, against financial institution executives, said Drew Schiff, director of engagement services at fTLD Registry Services, the organization behind the dot-bank domain extension, which works with more than 500 banks.
BEC typically focuses on senior executives within an organization to exploit their trusted relationships. A criminal will hack into their email server or use lookalike domains to send malicious content to employees or partners from the compromised account.
Technology limitations and the habits of people working from home have significantly increased the opportunities for cybercriminals. While virtual private networks, or VPNs, are meant to be a safeguard against attacks, many employees still do not log into them as they should, Schiff said.
The sheer volume of information exchanged online is another driver for attackers' growing success, with bank staff generally communicating more with each other over email, offering more opportunities for attacks, he said.
The increasing frequency of attacks comes as the sophistication of cybercrime is increasing and the behavior of cybercriminals is changing, according to VMware research, which surveyed security leaders at 25 financial institutions globally about current cyber threats.
One growing trend is "island hopping," in which hackers infiltrate financial technology vendors, service providers and other partners to target the primary financial institution. One in three respondents said they had encountered this form of attack in the past year.
"Reverse business email compromise" is a type of island hopping particularly seen in finance, in which a hacker takes over the email server of the partner or supplier and then executes malware attacks against members of the primary organization and board.
Furthermore, cybercriminals have "dramatically increased" their knowledge of the policies and procedures of financial institutions, and now have a better understanding of their blind spots, according to the research.
VMware also recorded a significant uptick in so-called counter incident response, where cybercriminals remain in the financial institution's network after the heist, Kellermann said. The attacker will destroy evidence, manipulate time stamps and otherwise seek to slow down cybersecurity professionals and law enforcement.
Accelerating security efforts
While the increase in attacks is forcing the financial sector to increase its alertness, industry players working with banks to improve cybersecurity are seeing an opportunity to boost those efforts.
FTLD, for one, is collaborating with the European Banking Federation to expand the dot-bank domain to financial institutions across Europe this year and has launched a number of information campaigns.
While the partnership between them was formed before the pandemic, the association is "using the current environment to further inform the banks about this possibility," said Sebastien de Brouwer, chief policy officer at EBF.
That is because dot-bank can help banks prevent cyber scams. Unlike a dot-com extension, dot-bank is exclusive to financial institutions and certain partners, who after a vetting process are able to use it for their URLs and emails. It means it is harder for cybercriminals to create lookalike emails and websites.
The domain was launched in 2015 but fTLD has so far focused mainly on banks in the U.S. Schiff said the organization has seen an uptick in interest in and migration to the dot-bank domain in both the U.S. and Europe since the virus outbreak, adding that the pandemic has prompted a "change in prioritization" among banks.
While it is hard to track exactly the degree to which attacks have been prevented due to dot-bank, the feedback from users is that they have seen a decrease in attempts since adopting it. Dot-com domains are simply seen as "an easier target" by cybercriminals, Schiff said.
For VMware, too, COVID-19 has proven to be an "accelerant" for the company's offerings, CEO Pat Gelsinger said when presenting its first-quarter results.
Kellermann said the pandemic is serving as a reminder for the financial sector that cybersecurity is a "competitive differentiator." Banks, he said, are increasingly aligning their defensive strategy to deal with the changing nature of the cybercriminals, including recognizing that cybersecurity is not only about preventing intrusion — the traditional "outside-in" approach — but requires a proactive "inside-out" review of activities and anomalies inside the network.