When the first computer viruses emerged more than half a century ago, very few people were concerned. The nerdy gimmicks of the day were simply not on the radar of corporate risk managers, even those in BFSI enterprises.
When the Internet coaxed its way into our homes and offices, business leaders still assumed malware had little to do with the company’s bottom line. Fast forward to now and things are very different. Cybersecurity has a seat at the C-table in every bank. CISOs are ringing alarm bells because cyber-malfeasance is now an industry. There are perpetrators (customers) and initial access brokers (vendors). And there are purveyors of platforms (retailers) that sell data-breach capabilities to anyone willing to buy them.
As the threat landscape evolved, industry experts came to realise that the greatest vulnerability of all is us — the people who use the networks, devices, and services that form the backbone of the global digital economy.
The tool commonly used to compromise the human weak link is phishing, which is a sly mix of simple communication technologies and social engineering techniques. Sometimes the threat actor contacts a group of people through email. Sometimes it is through voice robocalling (vishing), SMS messages (smishing) or QR codes (quishing). Whatever the method or target (spear-phishing for specific individuals; whaling for high-ranking victims), the goal is to gain access so the attacker can waltz through an organization’s digital estate unchallenged.

The retail tier of this industry now peddles Phishing-as-a-Service (PhaaS), which bundles all the tools nefarious actors need to phish our financial waters dry. Like law-abiding cloud services, PhaaS offers subscription-based access to its toolkit, which includes customizable email templates, hosting services for malicious websites, and even customer support.
Go phish
Phishing-as-a-service has been around long enough for its platforms to have earned reputations. In certain circles, brands such as “Robin Banks”, “Tycoon 2FA”, and “ONNX Store” are now recognisable and their functionality well-known, following a barrage of attacks on some of the most high-profile FSI institutions in the US, Canada, and the UK. The email templates provided by these PhaaS platforms are intricately designed to fool employees and customers into believing they are dealing with genuine communications from financial institutions. Attackers get access to campaign dashboards with visualizations of success levels, allowing them to adjust their tactics.
Advanced AI is included for countermeasure evasion, and user-friendly interfaces bring all these capabilities to anyone with a modicum of technical knowledge. The platform takes care of credential harvesting, redirecting hooked individuals to cleverly counterfeited login pages that are ringers for real banking portals. Similar techniques are used to personalize emails, increasing the likelihood that targets will believe they are from a trusted source. And platforms include tools to create malware-laden attachments that require only a single errant click to begin recording keystrokes, taking screenshots, and accessing sensitive files.
Defending against industrialised phishing requires the same of us as it always has. We must do all we can to arm the workforce with awareness of what is possible. But beyond that, we can use advanced technologies to complement existing security solutions and protect our core applications, such as email, which is the starting point for many phishing campaigns. We can use multiscanning (where many anti-virus engines are run in parallel). We can turn to heuristic analysis and, when necessary, machine learning to detect phishing attempts in real time and ensure the fake emails never reach the target.
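The heuristic analysis mentioned above is, at bottom, a set of independent checks whose results are combined into a score. The following is an added example written for this page (not code from the article or from any vendor it alludes to): it parses a raw message and scores the tells that templated PhaaS lures tend to share, namely a display name that borrows a bank's brand, a lookalike sender domain, a Reply-To pointing elsewhere, link text that shows one host while the href points to another, and urgency language. The protected domain list, the urgency phrases, the weights, the threshold of 5 and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the domains the bank legitimately sends from.
PROTECTED_DOMAINS = {"examplebank.com"}

# Phrases that pressure the reader into acting before checking (constructed list).
URGENCY_PHRASES = ("verify your account", "suspended", "immediately",
                   "within 24 hours", "unusual activity")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain, protected):
    """Cheap lookalike test: the brand label embedded in a foreign domain
    (examplebank-login.example, examplebank.com.evil.example) or an equal-length
    domain differing in at most two characters (examp1ebank.com)."""
    d, p = domain.lower(), protected.lower()
    if not d or d == p or d.endswith("." + p):
        return False
    if p.split(".")[0] in d:
        return True
    return len(d) == len(p) and sum(a != b for a, b in zip(d, p)) <= 2


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Score one RFC 5322 message. Returns (score, findings); each finding is
    (weight, description) and a score of 5 or more is treated as phishing here."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in display.lower() and from_domain not in PROTECTED_DOMAINS:
            findings.append((3, f"display name impersonates {brand} but sender is {from_domain}"))
        if is_lookalike(from_domain, brand):
            findings.append((3, f"sender domain {from_domain} is a lookalike of {brand}"))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append((2, f"Reply-To domain {domain_of(reply_to)} differs from sender domain"))

    body = body_text(msg)
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        visible = TAG_RE.sub("", text).strip()
        visible_host = (urlparse(visible).hostname or "").lower() if "://" in visible else ""
        if visible_host and visible_host != href_host:
            findings.append((3, f"link text shows {visible_host} but points to {href_host}"))
        for brand in PROTECTED_DOMAINS:
            if is_lookalike(href_host, brand):
                findings.append((3, f"link host {href_host} is a lookalike of {brand}"))

    haystack = (msg.get("Subject", "") + "\n" + TAG_RE.sub(" ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append((min(len(hits), 2), "urgency language: " + ", ".join(hits)))
    return sum(w for w, _ in findings), findings


# Constructed sample messages (not real mail): one templated lure, one genuine notice.
PHISH_SAMPLE = "\n".join([
    'From: "ExampleBank Security" <alerts@examp1ebank.com>',
    "Reply-To: recovery@mail-collector.example",
    "To: customer@example.org",
    "Subject: Unusual activity: verify your account within 24 hours",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>We detected unusual activity. Verify your account immediately",
    "or it will be suspended.</p>",
    '<p><a href="https://examplebank.com.login-check.example/verify">https://www.examplebank.com/secure</a></p></body></html>',
])

BENIGN_SAMPLE = "\n".join([
    'From: "ExampleBank" <alerts@examplebank.com>',
    "To: customer@example.org",
    "Subject: Your monthly statement is ready",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><p>Sign in at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a> to view it.</p></body></html>',
])
```

Running `analyze(PHISH_SAMPLE)` yields a score of 16 with six findings, while the genuine notice scores 0. Each check is weak on its own (a legitimate newsletter may well carry a different Reply-To), which is why the verdict comes from the combination; the same additive structure is what lets a multiscanning pipeline fold in verdicts from several engines alongside these heuristics.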
Sanitising for safety
One sophisticated approach is to combine multiscanning with deep content disarm and reconstruction (CDR). CDR sanitizes incoming content by dissecting attachments and removing harmful embedded scripts, macros, and even QR codes, then putting the attachments back together such that their core functionality is not compromised. We can go further. Real-time sandboxing is a technique that has gained popularity in the age of zero trust. By isolating files from critical system areas, we can safely examine them for any malicious behaviour. Sandboxing is a critical step in countering zero-day threats.
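To show what "dissecting an attachment, removing the macros, and putting it back together" looks like in practice, here is an added example written for this page (not code from the article or from any CDR product). It treats a macro-enabled Word file as what it is, a zip package of XML parts, drops the parts that carry active content, and then repairs the package metadata so the rebuilt file is consistent: the Override entries for the removed parts disappear from `[Content_Types].xml`, relationships pointing at them are dropped, and the macro-enabled main-part content type is downgraded to the ordinary `.docx` one. The deny list of part names and the sample package are constructed for the example; the sample is the minimum structure needed to exercise the code, not a real document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Parts that carry active content and never survive sanitisation. A constructed
# deny list for this example; a real CDR engine covers far more part types.
ACTIVE_CONTENT = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX\d*\.(xml|bin)|oleObject\d*\.bin)$", re.I)


def _clean_content_types(xml_bytes, removed):
    """Drop Override entries for removed parts; downgrade the macro-enabled main part."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml_bytes)
    for override in list(root.findall(f"{{{CT_NS}}}Override")):
        if override.get("PartName", "").lstrip("/") in removed:
            root.remove(override)
        elif override.get("ContentType") == MACRO_MAIN:
            override.set("ContentType", PLAIN_MAIN)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _clean_rels(rels_name, xml_bytes, removed):
    """Drop Relationship entries whose Target resolves to a removed part."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml_bytes)
    base = rels_name.rsplit("_rels/", 1)[0]       # "word/_rels/document.xml.rels" -> "word/"
    for rel in list(root.findall(f"{{{REL_NS}}}Relationship")):
        target = rel.get("Target", "")
        resolved = target.lstrip("/") if target.startswith("/") else base + target
        if resolved in removed:
            root.remove(rel)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def sanitize_ooxml(package_bytes):
    """Rebuild the package without active content; returns (bytes, sorted removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(package_bytes))
    removed = {name for name in src.namelist() if ACTIVE_CONTENT.search(name)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue                          # the part is simply not carried over
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data, removed)
            elif name.endswith(".rels"):
                data = _clean_rels(name, data, removed)
            dst.writestr(name, data)
    return out.getvalue(), sorted(removed)


def inspect_package(package_bytes):
    """Summarise a package: part names, Override content types, relationship targets, body text."""
    z = zipfile.ZipFile(io.BytesIO(package_bytes))
    overrides = ET.fromstring(z.read("[Content_Types].xml")).findall(f"{{{CT_NS}}}Override")
    info = {"parts": sorted(z.namelist()), "rels": {},
            "content_types": {o.get("PartName").lstrip("/"): o.get("ContentType") for o in overrides}}
    for name in z.namelist():
        if name.endswith(".rels"):
            rels = ET.fromstring(z.read(name)).findall(f"{{{REL_NS}}}Relationship")
            info["rels"][name] = [r.get("Target") for r in rels]
    info["text"] = re.sub(r"<[^>]+>", "", z.read("word/document.xml").decode("utf-8"))
    return info


def build_sample_docm():
    """Constructed stand-in for a macro-enabled Word file: the minimum package
    structure needed to exercise the sanitiser, not a real document."""
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/></Types>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Target="vbaProject.bin" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/>'
            '<Relationship Id="rId2" Target="styles.xml" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/></Relationships>',
        "word/document.xml":
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Quarterly statement attached</w:t>'
            "</w:r></w:p></w:body></w:document>",
        "word/styles.xml": f'<w:styles xmlns:w="{W_NS}"/>',
        "word/vbaData.xml": '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>',
        # OLE compound-file magic followed by filler: a placeholder, not a real VBA project
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder macro container",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()
```

`sanitize_ooxml(build_sample_docm())` returns the rebuilt package together with `["word/vbaData.xml", "word/vbaProject.bin"]`, and `inspect_package` on the result shows the document text intact, the main part typed as a plain `.docx`, and only the `styles.xml` relationship left. The rebuild is also idempotent: running the sanitiser over its own output removes nothing. The design choice worth noting is that the approach is allow-by-reconstruction rather than detect-by-signature: nothing in the code looks at what the macro does, so it needs no prior knowledge of the campaign, which is the property that makes CDR useful against the continuously refreshed templates a PhaaS platform ships.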

All these steps are pivotal to a bank’s ability to keep its asset base and its customers safe. Phishing-as-a-service poses an existential threat to financial institutions. They rely on email to the same extent as any other industry, but the potential consequences to the wider community are far greater when a bank is attacked. Banks are part of a nation’s critical infrastructure. Without strong email security strategies in place in every bank, we are inviting catastrophe. Financial institutions should be addressing this issue by performing periodic, comprehensive risk assessments on their email systems. This will allow them to weed out vulnerabilities in their security postures and act before it is too late.
Banks, much to their chagrin, find themselves more and more in the cloud as they come to terms with new market realities, including the demands of their customers. When they respond to the clamour for greater and faster digital experiences, they must do so with their vulnerabilities in mind. They must look to cybersecurity solutions that will protect the on-premises and cloud-native aspects of their technology stack.
Real-time anti-phishing and sandboxing, combined with multiscanning and deep CDR, can cover the cloud and on-premises estate alike. Such protections can stop phishing emails from reaching employees, who will always be vulnerable to the digital con.
