CFOtech New Zealand - Technology news for CFOs & financial decision-makers
Cyber attacks on financial services sector surge in 2023
Thu, 18th Jan 2024

The financial services sector has seen a dramatic increase in cyber attacks, with vendor email compromise (VEC) attacks specifically increasing by 137% in 2023, according to Mick Leach, Field CISO at Abnormal Security. Leach notes that the financial services industry, with its rich array of sensitive personal and financial information, is a prime target for hackers. These cyber criminals employ both traditional attack methods and socially engineered email attacks to gain access to this information, making vigilance against these threats a priority for security leaders within this sector.

Abnormal Security's data shows that the financial services industry sees roughly 200 advanced cyber attacks per 1,000 mailboxes each week, marking it as one of the most attacked sectors tracked. These attacks often ramp up in frequency at certain times of the year, with peaks seen in late January, late September and mid-December of 2023. Leach advises that security leaders prepare for continuous waves of email attacks throughout the entire year.

VEC attacks occur when threat actors pose as a business provider, such as a supplier or vendor, with the aim of defrauding that vendor's customers. They typically achieve this through billing account updates or invoice fraud, often leveraging compromised vendor email accounts to request financial transfers. This method can be particularly challenging to detect given the seemingly legitimate account involved. If an employee is deceived by these attacks, organisations stand to risk significant financial loss. In one case reported by Abnormal, a VEC attack targeted $36 million.

A notable example of such an attack was the $1.4M AUD VEC attack against an Australian financial holding company in the engineering and construction industry. In this attack, the threat actor used previous communication patterns and legitimate invoices to appear authentic. The financial firm was sent two invoices that were nearly identical, the main difference being the banking information in the second invoice. Furthermore, the attackers created a lookalike domain, identical to the vendor's except for one additional letter, from which they sent the fraudulent invoice.
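The two tells in the case above (a sender domain one character off the real vendor's, and a re-sent invoice whose only material change is the bank details) are both mechanically checkable before an accounts-payable team acts on an invoice. The following is an added example written for this article, not code from Abnormal Security or from the affected firm; the vendor allow-list, the invoice fields and the sample invoices are constructed placeholders, and the lookalike check generalises slightly beyond the article's "one additional letter" to any single-character insertion, deletion or substitution.

```python
"""Defensive checks for inbound vendor invoices, modelled on the VEC pattern
described in the article: a lookalike sender domain plus a near-identical
re-sent invoice with changed banking details. Example code, not any vendor's
product or the attacked company's process."""

from __future__ import annotations

from dataclasses import dataclass

# Constructed allow-list of genuine vendor domains (placeholders, not real vendors).
KNOWN_VENDOR_DOMAINS = {"acme-engineering.example", "northbuild.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions and
    substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, known: set[str] = KNOWN_VENDOR_DOMAINS) -> str | None:
    """Return the known vendor domain the sender appears to imitate, or None.
    An exact match is legitimate; a distance of exactly 1 (one added, dropped
    or swapped character, e.g. 'acme-engineeering') is flagged."""
    d = sender_domain.strip().lower()
    if d in known:
        return None
    for k in known:
        if edit_distance(d, k) == 1:
            return k
    return None


@dataclass(frozen=True)
class Invoice:
    vendor_domain: str
    invoice_no: str
    amount: float
    bsb: str            # Australian bank branch code; constructed values below
    account_no: str
    account_name: str


BANK_FIELDS = ("bsb", "account_no", "account_name")


def invoice_risk(prev: Invoice, new: Invoice) -> list[str]:
    """Compare a newly received invoice with the last one accepted from the
    same vendor. Returns reasons to hold it for out-of-band verification
    (phone call to a known-good number); an empty list means no red flags."""
    reasons: list[str] = []
    impersonated = lookalike_of(new.vendor_domain)
    if impersonated:
        reasons.append(f"sender domain {new.vendor_domain!r} is one character off known vendor {impersonated!r}")
    changed = [f for f in BANK_FIELDS if getattr(prev, f) != getattr(new, f)]
    if changed:
        reasons.append("bank details changed since last accepted invoice: " + ", ".join(changed))
    # Same invoice number and amount but new bank details is the classic "corrected invoice" VEC pattern.
    if changed and new.invoice_no == prev.invoice_no and abs(new.amount - prev.amount) < 0.01:
        reasons.append("re-sent invoice is identical except for bank details")
    return reasons


# Constructed sample: the genuine invoice, then a near-identical re-send from a lookalike domain.
GENUINE = Invoice("acme-engineering.example", "INV-1042", 1_400_000.00,
                  "012-345", "123456789", "ACME Engineering Pty Ltd")
RESENT = Invoice("acme-engineeering.example", "INV-1042", 1_400_000.00,
                 "062-999", "987654321", "ACME Engineering Pty Ltd")

if __name__ == "__main__":
    for reason in invoice_risk(GENUINE, RESENT):
        print("HOLD:", reason)
```

In practice the allow-list would come from the vendor master file, and any invoice that trips `invoice_risk` should be confirmed with the vendor through a contact channel already on record rather than by replying to the email.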

Besides VEC attacks, the financial services sector also saw a significant surge in business email compromise (BEC) attacks, which exploit human error by impersonating executives and sending authentic-looking payroll requests or banking account updates. Leach disclosed that organizations in the industry experienced an average of 0.94 weekly BEC attacks per 1,000 mailboxes in 2023, a 70.9% increase over the previous year. The average weekly probability of BEC attacks was 74% in 2023, representing an 11% increase over the previous year.

The continued escalation in the frequency of these email-based attacks targeting human fallibility underscores why organizations in the financial services sector need to prepare to defend against them. Traditional security solutions are often incapable of detecting VEC, BEC and other scams. Leach therefore notes that organizations are now adopting advanced cloud-email security measures to combat these threats. Abnormal Security, for instance, uses artificial intelligence and machine learning to identify trustworthy activities, detect anomalous activity, and block invoice and payment fraud, BEC and other threats before they reach employees' inboxes.