Finserv Industry Targeted by Phishing Attacks

As more and more companies adopt cloud applications, cybercriminals see new opportunities.

The financial services industry is under attack. Finserv companies experienced a 147% increase in phishing clicks between January and September 2019 from scammers imitating financial organizations. 

These alarming facts are from a study by Palo Alto, Calif.-based Menlo Security, which provides cloud data protection. The study also showed an uptick in financial services employees clicking on phishing links. One particular attack in May prompted the click rate among Menlo’s customers to increase by 274%.

“Given the data refers to actual clicks rather than phishing emails received, this means that the attack bypassed all existing security defenses, landed in an inbox and was clicked by an employee—basically a worst-case scenario,” Vinay Pidathala, director of security research at Menlo Security, said in a blog post announcing the research results.

The bottom line is phishing still works for scammers. “The overall trend of employees clicking on phishing links is steadily climbing, and the unfortunate reality is that attackers are getting better,” Pidathala explained. He noted that despite advances in security technology, phishing attacks still seem to be effective. Attackers are modifying their methods to bypass security defenses and reach end-users. For instance, they are increasingly hosting malicious content or files on SaaS services to trick users and security products into thinking the email is for a legitimate business purpose.

The widespread adoption among organizations of enterprise cloud applications, such as Box, Salesforce, OneDrive and Dropbox, has led to a surge in phishing and credential theft carried out on those cloud services. “Attackers are targeting cloud-hosted applications trusted by enterprises to increase their probability of breaching a company, with OneDrive being the most popular application used for phishing, likely because so many enterprises are moving to Office 365,” said Pidathala.

Traditional security products are unable to successfully detect phishing attacks because they are fighting a losing battle and trying to detect what is good vs. bad, Pidathala pointed out. “Vendors will always be one step behind, and this data shows that financial services organizations are clearly not keeping pace with the bad guys,” he said. “The time is now for organizations across industries to embrace isolation and empower Secure Cloud Transformation.”