Crimeware

Attacks on Financial Institutions 


Last year, Americans lost $12.5 billion to internet crime, which represented a near-25% increase from the year prior. As cybercrime grows increasingly sophisticated, financial institutions loom as targets ripe for attacks—and even more so as bad actors become more adept with AI attacks. There are several concerns facing banks and other financial institutions, including the worry that deepfake technology could allow these bad actors to impersonate employees or customers. Cybersecurity experts believe criminals will capitalize on the popularity of direct payment systems, leading to the exploitation of mobile banking Trojans. These are major concerns for our financial security.

Take, for example, mobile banking apps. The more consumers use these apps for their transactions, the more they expose themselves to potential breaches. Although financial institutions have a robust understanding of how to protect physical assets, they are relative newcomers to the digital security scene. This can also be observed in the prevalence of deepfake technology in bank attacks. A few months ago, a Hong Kong company was defrauded of $26 million after bad actors produced a deepfake video in which the company’s CFO ordered money transfers.

Unfortunately, the current cybersecurity approaches of financial institutions have left consumers open to attacks. For example, a recent attack by a ransomware group called LockBit compromised the personal information of more than 57,000 Bank of America customers. Perhaps more alarming is the fact that the bank will likely be unable to determine what information was accessed. This attack occurred around the same time that the Federal Reserve sent three notices to Citi Bank to change how it measures risks to cybersecurity. These six-month and 12-month deadlines came after Citi also failed Office of the Comptroller of the Currency exams.

What does this mean for consumers? After all, it is impractical (if not impossible) to suggest totally divesting from banks due to their cybersecurity practices. However, one step that consumers can take is to choose to bank with financial institutions that take their cybersecurity protections seriously. Although many banks are implementing preventative measures (e.g., security audits, advanced firewalls, multi-factor authentication), this does not mean that every bank is investing in cybersecurity to the same degree. Choosing to bank with those institutions that can protect your digital assets is the pragmatically safe decision.