
7 Key Takeaways for Financial Services from Recent Research

Written by Steve Winterfeld

February 01, 2023

Steve Winterfeld is Akamai's Advisory CISO. Before joining Akamai, he served as Director of Cybersecurity for Nordstrom and CISO for Nordstrom bank, and served as Director of Incident Response and Threat Intelligence at Charles Schwab. Steve focuses on ensuring that our partners are successful in defending their customers and on determining where we should be focusing our capabilities. Steve has published a book on cyber warfare and holds CISSP, ITIL, and PMP certifications.

By covering a spectrum of threats, this report provides you with the best practices to reevaluate risk in your program, and insights to drive your threat intel and exercise teams.

Akamai has been publishing the State of the Internet (SOTI) reports ever since we added cybersecurity controls to our platform approximately 10 years ago. The reports have traditionally tackled one topic, such as phishing or API attacks. 

This time, however, we have taken a much broader approach and cover a number of issues that impact the financial services industry. Some of the topics into which we dove deeply include web application and API attacks, zero-day threats, account takeover (ATO), and phishing trends.

The top 7 insights 

Here are the top seven trends we gained from this research:

  1. The financial services industry ranks #1 for phishing, #2 for DDoS attacks, and #3 in web app and API attacks.
  2. Distributed Denial-of-Service (DDoS) attacks against financial institutions remain steady year-over-year, but attacks are shifting regions, with attacks against EMEA increasing to 73%. 
  3. The financial services industry shows the highest growth in web application and API attacks with a 3.5x surge. 
  4. Exploitation of new and emerging vulnerabilities, like the Atlassian Confluence RCE vulnerability (CVE-2022-26134), is found to begin within 24 hours of disclosure and peak quickly.
  5. Attackers are focused on customer-related ATO and web scraping-related attacks, as is clearly shown by the 81% growth in bot activities against financial institutions.
  6. Phishing attacks target consumers (80.7%) more than business accounts; on the dark web, there is massive demand for consumers’ compromised accounts, which are used in fraud-related attacks. 
  7. Phishing campaigns (like Kr3pto) are introducing techniques that bypass two-factor authentication (2FA) solutions using one-time password tokens or push notifications. 

Here are the insights on how to leverage these trends

Now, let’s take a deeper dive into each insight and review the best actions to take in response to these trends and the current threat landscape.

1. The financial services industry ranks #1 for phishing  

Engage with leadership about how your organization compares with peers and across industries. Senior leaders and the board often want to know how they compare with other companies and sectors, so this is a good chance to show where the organization ranks on the attack spectrum. 

2. DDoS attacks against financial institutions remain steady  

Reevaluate risk profiles based on threats as well as changing regulations like the European Union’s Digital Operational Resilience Act (DORA). As the threatscape changes, it is important to validate your risk appetite and acceptance decisions. Do so after a major event or change, or at least annually.

3. The financial services industry has the highest growth in web application and API attacks

Understand your attack surfaces and risk exposures to help you devise mitigation plans. There are two things that always provide great return on investment: (1) increasing situational awareness, and (2) minimizing your attack surface. You should think about these two things both internally and externally if you have a matrixed environment.  

Consider administering cybersecurity training to employees to raise cybersecurity awareness regionally. In this SOTI report, we observed a 449% surge in web app and API attacks in APJ, which is reflective of the growing number of cyberattacks in the region.

A recent survey indicated that more than 50% of leaders in Asia think that employees lack the necessary cyber training or knowledge. We believe that equipping employees with knowledge is a critical part of any first line of defense against such attacks.

4. Exploitation of new and emerging vulnerabilities can begin within 24 hours of disclosure and peak quickly

Have crisis management plans ready to deal with zero-day attacks internally and with third parties. The plans should be tailored by type; for example, product, protocol, threat, or hardware vulnerabilities. Once you have playbooks for each type of emerging threat, conduct exercises periodically to validate and improve them. These steps will pay dividends by minimizing effort and disruption when the next zero-day hits.

Evaluate mitigation techniques like app and API protection, web application firewalls, and microsegmentation until patch management can fix the vulnerability. 

5. Attackers are focused on customer-related ATO and web scraping-related attacks

Update playbooks based on factors like the speed with which attacks are operationalized and the volume of threat attempts, and test your assumptions about what would trigger a threat and which tools are needed to mitigate it. As attacks become faster and consume more resources, it is vital to review processes and update them where needed.

6. Phishing attacks target consumers more than business accounts

Understand that you are not only protecting the company, but also your customers and their access. This should be explicitly stated in your incident response program. Typically, security operations centers and threat intelligence teams are very internally focused. 

Partner with fraud and other teams to help protect not only employees, but also customers. You’ll want the customer experience for access and security to be a good one.

7. Phishing campaigns are using techniques that bypass two-factor authentication solutions

Consider adding the Fast Identity Online v2 (FIDO2) standard as a criterion in your security tool requirements. Many of us have a multifactor or two-factor authentication solution in place, but it is important to review the threat landscape regularly to validate that the existing solution still meets your leadership's risk appetite.
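To make the difference between insight 7 and this recommendation concrete, here is an added example (not Akamai's code and not part of the report) that models the relying-party checks behind both factors. It is stdlib-only, so an HMAC over a per-credential secret stands in for the authenticator's public-key signature, and the origins are constructed. It shows why a one-time password carries no information about where it was typed, whereas a FIDO2/WebAuthn assertion is signed over the origin the browser observed, so the relying party rejects one produced on a look-alike site even when the challenge is genuine.

```python
"""Constructed example: why OTP can be relayed but a FIDO2 assertion cannot.

Assumptions (not from the page): HMAC over a per-credential secret stands in
for the authenticator's public-key signature; origins are made-up values.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"          # constructed legitimate origin
PHISH_ORIGIN = "https://bank-exarnple.com"  # constructed look-alike origin


# --- OTP: the code says nothing about where it was entered ------------------

def otp_code(seed: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation)."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def rp_verify_otp(seed: bytes, counter: int, submitted: str) -> bool:
    """The relying party can only compare digits; it cannot tell whether the
    user typed them into the real site or into a page that forwarded them."""
    return hmac.compare_digest(otp_code(seed, counter), submitted)


# --- FIDO2 / WebAuthn: the browser binds the origin into the signed data -----

def browser_get_assertion(cred_secret: bytes, challenge: bytes, page_origin: str) -> dict:
    """Models navigator.credentials.get(): the browser, not the page, fills in
    the origin of the calling document, so a page cannot lie about it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # A real authenticator signs SHA-256(clientDataJSON) with the credential's
    # private key; HMAC stands in for that signature here (assumption).
    digest = hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, digest, hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": signature}


def rp_verify_assertion(cred_secret: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks in the order WebAuthn prescribes: type, challenge,
    origin, then signature over the exact bytes the browser produced."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != issued_challenge.hex():
        return False  # replayed or stale assertion
    if data.get("origin") != RP_ORIGIN:
        return False  # signed for another site: the phishing case
    digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def phishing_outcome() -> dict:
    """Run both factors through a forwarding phishing page; report what the RP accepts."""
    otp_seed = secrets.token_bytes(20)
    cred_secret = secrets.token_bytes(32)
    counter = 7

    # OTP: the victim reads the code from a token and types it into the
    # look-alike page, which forwards it unchanged. The RP has no way to object.
    relayed_code = otp_code(otp_seed, counter)
    otp_accepted = rp_verify_otp(otp_seed, counter, relayed_code)

    # FIDO2: the look-alike page forwards the RP's real challenge, but the
    # victim's browser stamps PHISH_ORIGIN into clientDataJSON before signing.
    challenge = secrets.token_bytes(32)
    relayed = browser_get_assertion(cred_secret, challenge, PHISH_ORIGIN)
    fido_relayed_accepted = rp_verify_assertion(cred_secret, challenge, relayed)

    # Rewriting the origin after signing breaks the signature over clientDataJSON.
    patched = json.loads(relayed["clientDataJSON"])
    patched["origin"] = RP_ORIGIN
    forged = {"clientDataJSON": json.dumps(patched, sort_keys=True).encode(),
              "signature": relayed["signature"]}
    fido_forged_accepted = rp_verify_assertion(cred_secret, challenge, forged)

    # Control: the same credential used on the genuine site.
    genuine = browser_get_assertion(cred_secret, challenge, RP_ORIGIN)
    fido_genuine_accepted = rp_verify_assertion(cred_secret, challenge, genuine)

    return {
        "otp_relayed": otp_accepted,
        "fido2_relayed": fido_relayed_accepted,
        "fido2_forged_origin": fido_forged_accepted,
        "fido2_genuine": fido_genuine_accepted,
    }


if __name__ == "__main__":
    print(phishing_outcome())
```

The point for tool selection is the order of the relying-party checks: origin is verified before the signature, and the origin is supplied by the browser rather than by the page, which is what makes FIDO2 a phishing-resistant criterion rather than just a stronger second factor. Push notifications and OTP tokens have no equivalent binding, which is the gap the campaigns in insight 7 use.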

As always, we support adopting industry best practices and processes such as the Cyber Kill Chain, the MITRE ATT&CK framework, and NIST 800-207 Zero Trust Architecture.

Five categories of attacks

Let’s take a closer look at attack methods. In our 2022 Web Application and API Threat Report, we talked about the three types of campaigns we were seeing (persistent, short burst and big bang). This time, we share a look at individual attackers across Akamai systems tracked via Client Reputation. We found five basic categories of attacks:

  1. 42% account takeover (fraud-based attacks)
  2. 39% web scrapers (information-gathering attacks) 
  3. 7% scanning tools 
  4. 6% web attackers 
  5. 6% Denial of Service  

The last three categories, although lower in volume, are still dangerous and could cause a major impact for individual companies. 

Consider these categories as ways to think about evaluating and analyzing your threat environment, and measure how well your organization is set up to deal with each category. This can also be a great format to brief your leadership on what you are defending against. 

Summary

The financial services sector's cybersecurity programs are some of the most mature in the world, but cybercriminals continue to innovate and find ways to revitalize old attack methods. By covering a spectrum of threats, this report provides you with the best practices to reevaluate risk in your program, and insights to drive your threat intel and exercise teams. 
