The evolving cyber threat landscape in 2022 and how fintechs can mitigate risk
At the end of 2021, it was estimated that cyberattacks cost the global economy a staggering $6 trillion. Cybersecurity Ventures estimate it could escalate to $10.5 trillion by 2025.
Companies that operate in the financial services/fintech arena are, of course, top industry targets for cybercriminals. The industry has for many years been a lucrative target for hackers – both for money and access to mass customer data.
Every week, we read about another victim in the industry. In late October 2021, a new Android banking Trojan called SharkBot, which accesses mobile banking and cryptocurrency apps to transfer funds, was detected targeting international banks in the UK and Italy, as well as five different cryptocurrencies. In the same month, the National Bank of Pakistan also fell victim when its ATMs, internal network and mobile apps were affected.
Cybercrime has accelerated since the beginning of the pandemic, with hackers quick to exploit the growth in home working practices. With many staff continuing to work hybrid patterns, it is critical to put much tighter cybersecurity controls in place.
Adopting a different approach
Before focusing on the biggest cyber threats for the industry, it’s important to stress that organisations need to get into the mindset of the ‘2022 cybercriminals’ and think more like the poacher than the gamekeeper.
It’s imperative to understand how the attacker is exposing vulnerabilities and why. Financial gain remains their primary motive, but reputation and status are also very important. Just as high-profile figures and celebrities seek column inches in the media to raise their profile, the cybercriminal is gaining credibility and cachet by their acquisition of data, particularly by trading it on the Dark Web and building a “star-criminal” status.
There is also a need, perhaps more than ever before, for the CEO and the rest of the C-suite to work much more closely with the CISOs, heads of defence and other IT executives around cybersecurity investment. There can’t be silos within an organisation when it comes to bolstering cybersecurity. This will come under even more scrutiny this year, with mounting pressure for financial services organisations to show even more accountability and prove to underwriters they have robust processes and policies in place to mitigate against risk, given the upward trajectory of attacks in recent years.
The growing cyber threats in 2022
The Dark Web: There is still a mystique about the Dark Web and outdated perceptions of what goes on in this murky digital world – that it is simply a marketplace for guns, drugs and pornography. Customer and company data, personal profiling information and passwords are becoming the most sought-after goods on Dark Web forums.
Cybercriminals use stolen data from online identity theft for scams and fraud, including credit card, debit card and loan applications. Recent research data analysed by Wette.de showed the value of hacked PayPal accounts on the Dark Web had spiked by 293% during the pandemic, almost tripling in a matter of months. To compound the issue, ransomware groups are sharing victim information with each other on Dark Web forums, diversifying the threat to targeted organisations.
Beware of double-dipping ransomware attacks: There are also far more “double-extortion” attacks taking place, where hackers threaten businesses with exposing data on the Dark Web if further financial demands aren’t met after the first ransomware attack.
Strong data encryption is no defence here either, as criminals are prepared to play the long game. Some gamble that advances in quantum computing will help them extract data at some point in the future in a “steal now, hack later” approach.
The rise of “typosquatting” techniques – malicious domains: Malicious URLs are used to trick consumers into believing they’re in contact with a genuine brand or organisation before stealing their data, infecting them with malware or convincing them to buy fake goods and services. Attackers register a name that looks similar to a genuine brand, with a small change that could be as simple as inserting a hyphen, changing yourbrand.com to your-brand.com, for example.
An increase in third-party breaches: It is inevitable that we have seen an increase in third-party breaches due to our more complex digital supply chains. Back in 2019, Mastercard suffered a data breach via its third-party supplier where the personal information of more than 90,000 customers of its “Priceless Specials” rewards program was circulated.
Data security and privacy regulations, such as the GDPR, specifically state that data controllers are ultimately responsible for any data that has been shared with others, and so will potentially face the full extent of any fines. With the fintech industry reliant on many third-party suppliers, cybercriminals see them as a strategic target for attacks, so it’s imperative that organisations safeguard their supply chain.
What can organisations do to mitigate risk?
Patching and passwords
As more cyberattacks happen on endpoints, timely updates of security patches on computers are becoming even more crucial to protect systems. This is one of the most efficient and cost-effective steps an organisation can take to minimise its exposure to cybersecurity threats. Employees and contractors should have strong, unique password logins for different accounts.
Take control of threats on the Dark Web
Make sure your technology team is monitoring the Dark Web for your company name, brands, VIPs and so on – when hackers offer data for sale, they will often mention the name of the company. Also check hacker forums and ransomware sites. Using an automated tool is the safest and most efficient way to do this.
Tackling typosquatting
Be proactive to identify fraudulent web addresses mimicking your corporate sites. Make sure the technology department is looking into ways it can help monitor for suspicious domain registrations and provide immediate alerts.
If a suspicious domain is identified, you will need to establish whether a website or mail service has been set up on it. The domain can be used for phishing campaigns even if no site is present. Takedowns are complicated because scammers can use GDPR to retain anonymity and removals require justification, typically trademark/copyright infringement or evidence of illegal activity. Using a specialist service is often advisable. Critically, this is about customer protection and reputation management.
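The monitoring step described above can be sketched as a triage over a feed of newly registered domains. This is an added example, not code from the article or any vendor; the feed, the look-alike map and the function names are constructed for illustration, and it assumes registrable domains with a single-label TLD.

```python
BRAND = "yourbrand.com"  # the article's example brand domain

# Digit-for-letter look-alikes; a constructed, deliberately small map.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand=BRAND):
    """Return why `candidate` resembles `brand`, or None if it does not.

    Assumes both are registrable domains with a single-label TLD.
    """
    cand = candidate.strip().lower().rstrip(".")
    if cand == brand:
        return None  # the genuine domain itself
    c_name, _, c_tld = cand.rpartition(".")
    b_name, _, b_tld = brand.rpartition(".")
    if c_name == b_name:
        return "TLD swap"
    if c_name.replace("-", "") == b_name.replace("-", ""):
        return "hyphen variant"
    if c_name.translate(HOMOGLYPHS) == b_name.translate(HOMOGLYPHS):
        return "homoglyph substitution"
    if edit_distance(c_name, b_name) == 1:
        return "one-character edit"
    return None

def triage(feed, brand=BRAND):
    """Map each look-alike in a registration feed to the reason it was flagged."""
    hits = {}
    for domain in feed:
        reason = classify(domain, brand)
        if reason:
            hits[domain] = reason
    return hits

# Constructed sample of newly registered domains (not real observations).
FEED = ["your-brand.com", "y0urbrand.com", "yourbrands.com",
        "yourbrand.net", "example.org", "yourbrand.com"]

if __name__ == "__main__":
    for domain, reason in triage(FEED).items():
        print(f"ALERT {domain}: {reason}")
```

Each flagged domain then goes to the follow-up check the text describes: whether a website or mail service has been set up on it.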
On third-party breaches
Early breach detection is critical with third-party suppliers. When you share your customers’ data with a supplier and they share it with theirs, it remains your company’s responsibility. You should continuously monitor for your data appearing outside your company’s network.
Ensure third-party network access is restricted to the absolute minimum necessary for their role, which will minimise the damage an attacker can do by compromising them. Strict processes should be in place around sending any kind of sensitive files outside of the network to reduce the risk of copied datasets being leaked.
Take control. One of the most effective methods here is to tag datasets with a type of digital watermarking known as a ‘breachmarker’. This takes the form of a unique, synthetic identity placed into the dataset among the thousands of real people. Continuous, automated monitoring can then be deployed to constantly scan for this marker in open and closed web sources.
If a threat actor posts the dataset for sale on a Dark Web forum or dumps it on a website, the monitoring system will detect it and your company – the data custodian – will know for sure what data has been involved, and can swiftly and accurately notify those involved and take steps to try to have the data taken down.
This greatly reduces the financial and reputational impact and goes a long way to getting regulators on side.
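A sketch of the breachmarker idea described above, going one step further by deriving a different marker for each supplier's copy so that a found dump also identifies which copy leaked. This is an added example, not the author's or any product's implementation; the key, supplier names, customer records and the marker.example domain are constructed placeholders.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a real key lives in a secrets store

def marker_tag(recipient, dataset_id):
    """Keyed hash, so markers cannot be predicted or forged without SECRET."""
    msg = f"{recipient}|{dataset_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def breachmarker(recipient, dataset_id):
    """Synthetic identity unique to one recipient's copy of one dataset."""
    tag = marker_tag(recipient, dataset_id)
    # marker.example is a placeholder for a monitored domain you control.
    return {"name": "Avery Linden", "email": f"a.linden.{tag[:12]}@marker.example"}

def tag_dataset(rows, recipient, dataset_id):
    """Return a copy of rows with the marker placed at a tag-derived position."""
    pos = int(marker_tag(recipient, dataset_id)[12:20], 16) % (len(rows) + 1)
    return rows[:pos] + [breachmarker(recipient, dataset_id)] + rows[pos:]

def attribute_leak(text, recipients, dataset_id):
    """List the recipients whose marker email appears in a found dump."""
    haystack = text.lower()
    return [r for r in recipients
            if breachmarker(r, dataset_id)["email"] in haystack]

# Constructed customer records and supplier names, for illustration only.
CUSTOMERS = [
    {"name": "Dana Reyes", "email": "dana.reyes@mail.example"},
    {"name": "Sam Okoro", "email": "sam.okoro@mail.example"},
    {"name": "Li Chen", "email": "li.chen@mail.example"},
]
SUPPLIERS = ["supplier-a", "supplier-b"]
DATASET = "crm-export-2022"

def simulated_dump(supplier):
    """Render one supplier's tagged copy the way a pasted dump might look."""
    rows = tag_dataset(CUSTOMERS, supplier, DATASET)
    return "\n".join(f"{r['name'].upper()};{r['email'].upper()}" for r in rows)

if __name__ == "__main__":
    print(attribute_leak(simulated_dump("supplier-b"), SUPPLIERS, DATASET))
```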
About the author:
Jeremy Hendy is CEO of digital risk protection firm Skurio.
Previous positions include marketing director of wireless USB start-up Artimi, VP marketing for Aspex Semiconductor and strategic technology director of Cadence’s wireless and multimedia business unit.