- Three in a thousand bankers click on a phishing link every month and report claims
- Russia is believed to be the leading force behind the attacks on the banks
- Banks are wary of new technology such as GenAI, which can help to some extent
New research shows that a worrying number of bank employees click on a phishing link every month, making it one of the most common threats in the industry.
A report from Netskope shows that three in 1,000 employees would fall victim to such scams, so of an estimated 362,000 bank employees in Britain in 2023, this equates to more than 1,000 employees clicking on an unreliable link leading to them has been sent.
According to the report, hackers get much of their success from designing phishing pages to impersonate the target bank’s website, stealing bank account information and login credentials to commit fraud.
Phishing is widespread in the banking industry
Netskope identified Downloader.SLoad (Starslord), Infostealer.AgentTesla, Trojan.FakeUpdater, Trojan.Parrottds and Trojan.Valyria as the most recent malware families to be aware of, highlighting that Russian criminal groups are most likely to target these sector will focus.
Despite the serious threat of phishing attacks, banks have proven to be more reluctant to adopt new technologies than other sectors, with 87% of banks using generative AI, compared to the cross-industry average of 97%. More than half of banks also use Data Loss Prevention measures to manage data going to GenAI apps.
“(Banks) are being more aggressive in blocking apps without a legitimate business purpose and using DLP to control what can be sent to permitted apps,” said Ray Canzanese, director of Netskope Threat Labs.
The company’s advice to banks and all other industries is to inspect all HTTP and HTTPS downloads to prevent malware from infiltrating a network. Companies should also ensure that high-risk file types are thoroughly inspected with health and dynamic analysis.
Other basic internet hygiene practices can be adopted by employees, such as questioning the authenticity of emails they receive and participating in training campaigns. Enhanced protections, such as using multi-factor authentication and passkeys, can also help prevent unwarranted access to accounts.