Banking and Cyber Security

15 July 2022

Banks and other financial institutions are among the most favoured targets for cyber criminals. Such crimes are motivated by greed, and banks are known to store society’s money.

The types of cyber attacks that target banks are normally highly sophisticated. They often involve multiple layers of deception, but usually start with a standard phishing email being sent to a bank employee. The email will contain a link that, if clicked, grants the hacker access. Once this has been achieved, the cyber criminal must evade multiple levels of potential detection, much like a jewel thief sneaking through the laser beams that protect a priceless artifact.

One infamous banking cyber incident, known as the Carbanak attack, involved hackers inflating unknowing customers’ bank accounts with extra zeros, before transferring the bogus funds to designated accounts, then programming ATMs across the globe to dispense the cash to waiting accomplices. The crime involved numerous banks and demonstrated an intimate knowledge of security protocols. The attacks netted an estimated $1 billion, and their co-ordination shows just how far cyber criminals will go to commit their crimes when the prize is rich enough.

Australian financial institutions are governed by some of the world’s most stringent security regulation. That said, there have been high-level failures. For example, Westpac was fined $1.2 billion for serious lapses in its anti-money laundering (AML) protocols in 2021. CBA has also had AML issues relating to its ATMs being programmed to accept deposits beyond the permitted daily limits; it apparently failed to detect 54,000 suspicious transactions and subsequently paid a $700 million fine in 2017. These high-profile cases show that even within a well-regulated environment, financial crimes will still occur.

One of the biggest threats to financial institutions is the prospect of an insider attack, in which a rogue employee takes advantage of their access to customer account information. As demonstrated by the Carbanak attack, insiders can also use their knowledge of internal security procedures to help outsiders launch sophisticated attacks. The threat posed by insiders can be mitigated by strictly limiting and tracking employee access to confidential data and networks, and by implementing other Zero Trust protocols.

On a personal level, as bank customers we must carefully protect passwords, PINs and financial documents such as bank statements, and monitor our accounts for suspicious transactions. Earlier this year thousands of text messages were sent out that appeared to come from the ANZ bank, requesting that customers reset their passwords following a technical incident. The texts appeared very convincing, and the bank was inundated with inquiries, causing its phone service to be temporarily overwhelmed.

Banking experts have calculated that every dollar that is stolen via financial crime costs the targeted organisation three dollars in recovery, investigation, and other costs. There is also the reputational damage to consider, given banks need to be widely trusted by the public to operate successfully. Developing a reputation as being vulnerable to attack or prone to security breaches can be devastating to such institutions.

For some statistical context, in the 2020–2021 year 67,500 cybercrime reports were made via ReportCyber, an Australian regulatory entity. The highest proportion of reports came from Queensland, representing 30% of the total. Victoria was a close second with 29%, and NSW accounted for 18%. Cybercrime involving fraud made up 23% of reports, followed by shopping crimes at 17%. Based on self-reported numbers, which are considered to be an underestimate, $33 billion worth of losses were reported, with medium-sized businesses the most affected. The Australian Cyber Security Centre (ACSC) responded to 1630 cyber security incidents during the same period.

The financial sector has long been the target of criminal behaviour, from bushrangers like Ned Kelly holding up bank branches to sophisticated cyber criminals co-ordinating complex global attacks. This means the industry is more prepared to defend against cyber attacks than many other sectors, such as healthcare, that have not typically been targeted. That said, banking networks house society’s money, and hackers will continue in their attempts to steal what they can. The game of cat and mouse continues.

If you have any questions about your organisation’s cyber security needs, don’t hesitate to contact Intalock.         

Learn more about the Intalock Advisory Service and how to protect your organisation with cyber security solutions.

Download the Intalock Advisory Services Overview – Information sheet.

If you are experiencing a cyber-attack now, contact the Emergency Hotline 1300 554 798 or 
