
Financial institutions, among other industries, are witnessing an increase in the frequency and sophistication of phishing attempts. Phishing remains the world's most successful method for compromising identity credentials, both personal and business-related, and several factors are contributing to the worsening of this challenge as we head into 2025.

The rise and accessibility of Phishing-as-a-Service (PaaS), a business model in which cybercriminals sell phishing services to other criminals and make it easier for them to launch phishing attacks, is driving the continued pervasiveness of phishing. To make matters worse, due to the sensitive nature of its data, the financial sector also faces a heightened risk of insider threats. Insiders, whether malicious or careless, can open the door for attackers from within the network itself.

Each of these risks on its own is significant, but together, they can potentially expose even the most secure banks and financial firms. This may enable unauthorized individuals to access customer identities, process unapproved transactions and observe a company's internal operations.

Phishing has long been a staple tactic for cybercriminals – think of those emails pretending to be a credit union asking unsuspecting targets to reset their passwords or update account information. But now, the rise of PaaS platforms has weaponized this scheme like never before, with 49% of all cyberattacks originating from phishing attacks, according to a Trustwave report. These subscription-based services – hosted on the Dark Web – give even novice criminals access to sophisticated phishing tools through pre-made templates, website cloning kits and features that bypass multi-factor authentication (MFA). By leveraging these tools, cybercriminals can mimic trusted financial institutions with increasing accuracy, which has resulted in a flood of phishing attacks that are not only harder to detect but also far more effective.

PaaS has made targeted campaigns both more successful and more efficient to execute: a threat actor group's entire business model and tradecraft can now consist of crafting phishing campaigns for other criminals. PaaS lowers the cost of their operations and draws on shared intelligence and community trust among criminals, adding to the growing threat that financial institutions must defend their targeted staff against.

Credit unions, while often seen as less attractive targets for cybercriminals, are not exempt from these growing threats. In fact, close to 10% of all ransomware attacks on the financial services industry target credit unions, the Trustwave report found, demonstrating that smaller financial institutions are still highly attractive to cybercriminals.

Insider threats are often overlooked but pose just as significant a risk to financial institutions as external attacks. These threats come in two forms: unintentional – such as an employee accidentally sharing sensitive data with the wrong email address or failing to install security updates – and intentional, in which insiders work with external attackers to exploit their employer for financial gain.

The danger lies in how easily insider threats blend into normal operations. Trusted users are often the ones conducting the malicious activity. Whether malicious or accidental, these incidents are becoming more frequent, with 40% of organizations reporting multiple cases in the last year alone, according to a Securonix report. With the average cost of an insider threat incident crossing $5 million, research from Trustwave found, the financial and reputational damage to financial institutions can be devastating.

The reason PaaS and insider threats are so concerning together is simple: Phishing often leads to access, and insiders can lead to control. While a phishing campaign may trick an employee into giving up credentials, when combined with an insider who is willing to share key details about the institution’s security gaps, this creates a blueprint for a devastating breach.

So, how can financial institutions defend against this dangerous combination of external and internal threats?

1. Limit access to what’s necessary: The principle of least privilege should be a non-negotiable of an organization’s cybersecurity strategy. Employers should limit employee access to only the systems and data required for their jobs. Reducing access permissions minimizes the number of opportunities attackers have if they compromise an account, whether through phishing or insider activity.

2. Monitor continuously for unusual activity: Financial institutions must be able to detect threats in real-time. This includes monitoring for unusual login attempts, access from unfamiliar locations, or sudden spikes in data transfers. Detecting and responding early to these anomalies can be the difference between a minor incident and a full-scale breach.

3. Strengthen insider threat detection: Adequately responding to insider threats requires more than monitoring. Financial institutions should foster a company culture where employees feel safe reporting suspicious activity. This includes anonymized reporting systems that make it easy to flag potential issues without fear of retaliation. Additionally, ongoing training and awareness programs help employees understand how their actions can inadvertently expose the organization to risk.

4. Manage third-party risk: Insiders are not always employees. Contractors, vendors and third-party partners often have access to sensitive systems, and they are just as vulnerable to exploitation. Ensure partners follow strict cybersecurity protocols, conduct regular security audits and limit their access to sensitive materials.

5. Conduct regular phishing simulations: Phishing remains one of the most common ways cybercriminals gain initial access to an organization’s system. Financial institutions should regularly test employees with simulated phishing attacks to gauge awareness and improve responses.

6. Share and collaborate on threat intelligence: No institution can defend itself in isolation. By participating in threat intelligence-sharing networks, financial institutions can stay ahead of emerging threats, share insights from recent attacks and learn from others’ experiences.
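As an added illustration of the second recommendation above (continuous monitoring for unusual login attempts, access from unfamiliar locations and sudden spikes in data transfers), here is a small Python detector run over a constructed excerpt of authentication and transfer events. This is example code written for this page, not code from the article or from Trustwave; the pipe-separated log format, the thresholds, and the sample lines for the users "alice" and "bob" are all assumptions chosen to show each signal firing once.

```python
"""Three simple monitoring rules over a constructed event log (example code,
not from the article): a burst of failed logins, a successful login from a
country the user has never logged in from before, and a download far above the
user's own historical baseline."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample lines (not real data). Assumed format:
# timestamp|user|event|country|bytes   with event in {login_ok, login_fail, download}
SAMPLE_LOG = """\
2025-01-06T08:01:00|alice|login_ok|US|0
2025-01-06T08:02:00|alice|download|US|120000
2025-01-07T08:03:00|alice|login_ok|US|0
2025-01-07T08:05:00|alice|download|US|110000
2025-01-08T08:00:00|alice|login_ok|US|0
2025-01-08T08:04:00|alice|download|US|130000
2025-01-09T03:12:00|alice|login_fail|RU|0
2025-01-09T03:12:20|alice|login_fail|RU|0
2025-01-09T03:12:40|alice|login_fail|RU|0
2025-01-09T03:13:00|alice|login_fail|RU|0
2025-01-09T03:13:20|alice|login_fail|RU|0
2025-01-09T03:13:40|alice|login_ok|RU|0
2025-01-09T03:20:00|alice|download|RU|9800000
2025-01-06T09:00:00|bob|login_ok|GB|0
2025-01-06T09:10:00|bob|download|GB|50000
2025-01-07T09:00:00|bob|login_ok|GB|0
2025-01-07T09:10:00|bob|download|GB|52000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    country: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed format and sort chronologically, so every event is
    judged only against what the user did before it."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, country, nbytes = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, kind, country, int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def detect(text: str, fail_threshold: int = 5, window: timedelta = timedelta(minutes=2),
           z: float = 3.0, min_samples: int = 3) -> list[Alert]:
    alerts: list[Alert] = []
    recent_fails: dict[str, deque] = defaultdict(deque)   # sliding window of failure times
    known_countries: dict[str, set] = defaultdict(set)    # per-user location baseline
    transfers: dict[str, list] = defaultdict(list)        # per-user download history

    for e in parse_log(text):
        if e.kind == "login_fail":
            q = recent_fails[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(Alert(e.ts, e.user, "failed_login_burst",
                                    f"{len(q)} failures within {window}"))
                q.clear()  # report a burst once rather than on every further failure
        elif e.kind == "login_ok":
            seen = known_countries[e.user]
            # The first successful login seeds the baseline; later logins from a
            # country outside it are flagged, and the baseline then learns it.
            if seen and e.country not in seen:
                alerts.append(Alert(e.ts, e.user, "unfamiliar_location",
                                    f"login from {e.country}; baseline {sorted(seen)}"))
            seen.add(e.country)
        elif e.kind == "download":
            hist = transfers[e.user]
            # Only judge against a baseline once enough history exists; with a
            # constant history (sigma == 0) any larger transfer is flagged.
            if len(hist) >= min_samples:
                mu, sigma = mean(hist), pstdev(hist)
                if e.nbytes > mu + z * sigma:
                    alerts.append(Alert(e.ts, e.user, "transfer_spike",
                                        f"{e.nbytes} bytes vs mean {mu:.0f} (sigma {sigma:.0f})"))
            hist.append(e.nbytes)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.ts.isoformat(), a.user, a.rule, a.detail)
```

On the constructed log the detector raises exactly three alerts, all for "alice": the failed-login burst at the fifth failure, the successful login from a country outside her baseline, and the download that dwarfs her previous transfers; "bob" has too little history to be judged and produces none. In a real deployment the thresholds would be tuned per institution and the per-user baselines persisted rather than rebuilt on every run.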

These twin flames – external phishing attacks and internal insider risks – are shining their light on vulnerabilities across the sector. PaaS platforms have made the process of launching a phishing campaign as simple as signing up for a subscription and choosing a target. When combined with the rise of insider threats, financial institutions face one of the most dangerous security landscapes in recent memory.

But the situation is not hopeless. Financial institutions that adopt a multi-layered defense strategy with a focus on limiting access, continuous monitoring and strong insider detection can stay one step ahead of these threats. It’s not just about preventing a breach; it’s about maintaining the trust between the providers and customers that the financial industry is built on.

Because once that trust is gone, getting it back is an uphill battle.

Kory Daniels

Kory Daniels is Chief Information Security Officer for the Chicago-based cybersecurity company Trustwave.
