Netskope Threat Labs: Over 1,000 UK banking employees could be clicking phishing links every month

Netskope Threat Labs: Over 1,000 UK banking employees could be clicking phishing links every month

Netskope Threat Labs recently published its latest research report on the banking industry. It revealed phishing is one of the most common cybersecurity threats in the banking industry, with financial fraud being the main reason for adversaries attacking the sector. 

The report focuses on three types of threats in the banking industry – social engineering, malicious content delivery and GenAI data security – and revealed the top adversary groups targeting the industry. 

Key findings include:

Social engineering

  • Phishing is the most significant social engineering tactic, used to steal bank account details and banking login credentials from sector staff. Three out of every 1,000 individuals working in banking click on a phishing link each month. Extrapolated against the 362,000 banking employees in the UK in 2023, this means over 1,000 banking staff click a phishing link at work each month
  • Instead of targeting cloud apps, as is common in other sectors, adversaries create tailored phishing pages designed to mimic the target banking institutions’ websites and steal bank account information and login credentials to commit financial fraud

Malicious content delivery

  • Russian criminal groups are the malicious threat actors most likely to target the banking industry, particularly the TA577 and Indrik Spider groups
  • The top five malware families that were recently used to target the banking industry are Downloader.SLoad (a.k.a Starslord); Infostealer.AgentTesla; Trojan.FakeUpdater; Trojan.Parrottds; and Trojan.Valyria         

GenAI data security

  • The banking industry sees lower GenAI adoption than other industries, with 87% of banks using GenAI compared to the cross-industry average of 97%
  • Banks block employees from using GenAI apps more than in other industries, with 93% of banks blocking at least one GenAI app compared to the cross-industry of 77%. Apps most likely to be blocked are Quillbot, WriteSonic and MotionAI
  • Organisations in the banking sector also have stricter control measures for using GenAI apps than other industries, with the intention of mitigating the risk of users leaking regulated data. Data loss prevention (DLP) is the most popular form of GenAI control with over 50% of all organisations in the sector using it to restrict sensitive information from flowing into GenAI apps

“The banking industry stands out as being one of the best at controlling the data risks associated with GenAI apps,” said Ray Canzanese, Director of Threat Labs at Netskope. “They are more aggressive at blocking apps without a legitimate business purpose and using DLP to control what can be sent to allowed apps. The result has been a more strategic and measured adoption of GenAI technology, which results in more secure data. Organisations in other industries can look towards the banking industry as an example of how to successfully control GenAI.

“Adversaries targeting the banking industry are primarily criminals focused on financial fraud, using social engineering and infostealers to try to obtain bank account details and banking portal login credentials. We still see adversaries aiming to sabotage operations, steal sensitive data and deploy ransomware, but in much smaller numbers than the financial fraudsters,” added Canzanese.

Netskope Threat Labs recommended organisations in the banking sector review their security posture to ensure that they are adequately protected against these trends:

  • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a threat protection policy that applies to downloads from all categories and applies to all file types           
  • Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected                                                 
  • Configure policies to block downloads from apps and instances that are not used in your organisation to reduce your risk surface to only those apps and instances that are necessary for the business
  • Configure policies to block uploads to apps and instances that are not used in your organisation to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers
  • Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions
  • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains