COFENSE.COM © Cofense 2019. All rights reserved.

SHOW ME THE MONEY! A Closer Look at Phishing in the Financial Industry

Cofense Industry Brief


COFENSE INDUSTRY BRIEF: FINANCE

PHISHING IN FINANCE

WHO NEEDS A MASK AND GUN?

Today’s bad guys just send emails. Old-school criminal Willie Sutton famously said he robbed banks because “that’s where the money is.” But these days, criminals have swapped their masks and guns for laptops. As money has gone digital, financial crime has followed. Today, billions of dollars move across the globe in milliseconds.

That’s why a third of all phishing attacks target financial institutions.1 Sophisticated hacking groups, insider attackers, and other culprits feast on banks, credit card providers, and payment processors like PayPal.

Attacks don’t simply deliver malware to trigger costly breaches. The CEO of Belgian Bank Crelan, for example, fell for a phishing email requesting a wire transfer of $75.8 million.2

As you’ll see in this industry brief, financial companies are fighting back. Defending against attacks is tough, but the cause is hardly hopeless. Let’s start with some Cofense™ data that sounds a positive note.

[Chart: Susceptibility Rate, Reporter Rate and Resiliency Rate for Cofense financial customers; the individual values did not survive extraction.]

[Photo: Willie Sutton]


TRAIN EMPLOYEES TO GUARD THE VAULT

With proper training, financial employees will report phishing. The key metric in phishing preparedness is resiliency, the ratio of users reporting a phish to those that fall susceptible. A ratio of 1 to 1 is a decent start, 2 to 1 is good, and anything above 3 to 1 is exemplary. Getting to a 0 click rate isn’t feasible, but when at least one person reports a phish the security operations team can leap into action.

In the chart below, you see resiliency rates as measured in phishing simulations Cofense builds and tracks for financial customers. To help them stay alert, users receive simulated phishes along with education on phishing tactics and clues to help going forward.

It’s easy to see where anti-phishing is paying dividends. Financial services, along with industries like energy, insurance, utilities, and legal, all show strong resiliency over the past year. Why is the resiliency rate higher in energy, for example? Energy and a handful of other verticals run simulations more frequently, not just once a quarter, and use best practices like sending follow-up simulations to people who clicked.

Average Resiliency Rate per Industry, January - December, 2018


As attacks evolve, so should anti-phishing training. Smart organizations simulate the latest active threats. This sometimes brings the metrics down, at least temporarily, as employees learn what clues to look for, but it prepares your organization for the next campaign, not the one waged last year—or one that would be stymied by your gateway controls.

Reporting Matters

Timely threat reporting can help prevent steep losses, which are sometimes compounded by regulatory fines and legal penalties. Vigilant users can help save millions in a single event. An Accenture study reveals that incident responders identified about two-thirds of all breaches (64%). Among the breaches not found by professional threat hunters, 72% were uncovered by non-security employees.3

Here’s Another Cross-Industries View:

Compared with 20 industries combined (the same industries as in the previous chart), financial services fares well. Likewise for the insurance industry with its own financial products. Both industries are frequently attacked, heavily regulated, and not surprisingly perform well in anti-phishing.

                  Susceptibility Rate   Reporter Rate   Resiliency Rate
All Industries           11.7%              22.0%            1.89
Financial                11.2%              29.5%            2.63
Insurance                 8.8%              32.2%            3.66


THREAT ACTORS PLAY ON EMOTIONS

Our customers train employees to watch for manipulation. These are the scenarios most frequently used by Cofense financial customers. The data is ranked by percentage of users that clicked (susceptibility rate). Typically, the name of the simulation is the email subject line.

Scenario                                 Click %   Report %   Resiliency
Order Confirmation                        32.8%     12.2%       0.37
Manager Evaluation (Credential)           29.8%     26.5%       0.89
Summer Dress Code                         26.8%     25.5%       0.95
Manager Evaluation (Click Only)           20.8%     31.2%       1.50
Unused Paid Time Off                      17.9%     18.3%       1.02
Scanned File                              15.1%     25.2%       1.67
Inbox Over the Limit                      14.7%     13.5%       0.92
Employee Raffle                           13.4%     16.1%       1.20
Unauthorized Access (Click Only)          13.3%     26.0%       1.95
Completed Document                        11.9%     18.4%       1.55
Unauthorized Access (Adult Oriented)      11.7%     41.7%       3.56
Package Delivery                          11.5%     25.3%       2.20
World Cup Tickets                          9.9%      9.3%       0.94
Log in to Download                         9.8%     35.0%       3.56
Password Survey                            9.7%     22.1%       2.29
File from Scanner                          9.4%     26.3%       2.79
Oktoberfest Lunch Order                    9.3%     12.5%       1.34
Christmas Lunch Voucher                    9.0%     45.2%       5.01
Secure Email                               8.9%     25.9%       2.90
Data Compromised (Credential)              7.5%     31.8%       4.22
Account Security Alert                     7.0%     23.4%       3.36
Social Media Invitation                    7.0%     19.6%       2.78
Parking Ticket                             5.6%     45.1%       8.08
Financial Messaging Platform               3.6%     35.9%      10.04
Data Compromised (Click Only)              2.5%     34.1%      13.50


Threat actors create phishing campaigns to scam their target, so they pull emotional levers. Note the emotions preyed on throughout these scenarios. “Package Delivery” plays on the users’ curiosity. “File from Scanner” stokes urgency and “Account Security Alert” uses fear to entice a user to click.

These emotions are among the top motivators behind successful attacks. So are the desire to be entertained, the curiosity of social media, and the ego-strokes of numerous reward and recognition themes. All are a part of the phishing arsenal aimed at financial services. When any of these themes become active threats, your organization should train for them, sooner rather than later. If you manage a phishing awareness program, ask your incident responders or threat intelligence analysts which active threats to simulate. Aligning your training program to the current threat landscape will raise the security posture of the organization.

3 PHISHING SCENARIOS BASED ON COFENSE INTELLIGENCE

Cofense Intelligence™ analyzes thousands of phishing emails and campaigns per month. Besides helping customers stay ahead of phishing attacks in the wild, the team feeds this information into our simulation platform to keep the content relevant. The 3 scenarios below, which also appear in the chart on the previous page, are based on active threats in the financial industry.

While the “Completed Document” and “Parking Ticket” scenarios aim to deliver malware, the “Log in to Download” scenario seeks to steal credentials. Performance against these scenarios fluctuated greatly, from a ratio of 1.55 to a stellar 8.08. Again, they’re based on active threats and thus are especially dangerous.

Scenario                  Click %   Report %   Resiliency
Completed Document         11.9%     18.4%       1.55
Log in to Download          9.8%     35.0%       3.56
Parking Ticket              5.6%     45.1%       8.08


YOU NAME IT, WE’VE SEEN IT

Now let’s examine some real emails financial companies received. What are the tell-tale signs of phishing?

EMAIL 1: “You’ve a new document”

This phish made it past Cisco Ironport, Microsoft ATP Safelink, and Microsoft EOP.


This email was spotted and reported by an employee at a financial company on October 29th, 2018. It made it to the end user despite passing through Microsoft Exchange Online Protection, Cisco Ironport, AND Microsoft ATP SafeLink URL protection.

The email is trying to trick the user into accessing an online document. There is no document, however, just a hacked website looking for credentials. Below is a screenshot of where that “ACCESS” button leads. But security proxies are supposed to block this type of thing, right? Last time we checked, this phishing website remained active and undiscovered by filtering technology.


EMAIL 2: New Voicemail From …

As in the previous example, this phishing email made it past Cisco Ironport, Microsoft ATP Safelink, and Microsoft EOP.

Voicemail? From “my contact”? Hmmm, seems phishy—because it is. Fortunately, Cofense has an army of trained phishing experts working in financial services who know that just because your mouse hover says it’s a “safelink,” it’s not. They shared this information with the client’s security teams.


EMAIL 3: EMPLOYEE SATISFACTION SURVEY DECEMBER 2018

This phish made it past Proofpoint and Microsoft EOP.

A survey from HR? It has to be safe right? Especially this one—after all, it was scanned by both Microsoft EOP and Proofpoint. Uhhhh, no. Luckily, an informed user did the right thing and clicked the Report Phishing button.


Why did Microsoft and Proofpoint miss this? Let’s find out. What’s interesting about this phishing site is that it’s actually hosted on live.com! (A legitimate Microsoft site.)

You actually have to have a valid live.com account to see what’s behind this page. This breaks security technologies like sandboxes that rely on scanning URLs—those automated technologies can’t log in to this page...


...But Cofense researchers can. Here’s what we found:

Oh look, a file! And it’s virus-free, because it says so. Why didn’t this attacker just attach the malicious file to the phishing email in the first place? Contrary to what you might hear at a security conference, enterprise phishing is not easy for attackers. This attacker needed to stitch together something that would get past Proofpoint, Microsoft, URL scanners, AND automated file sandbox analysis.


GET AHEAD OF THREATS

With the Cofense Phishing Defense Center™

How much of your company’s email is actually malicious? The Cofense Phishing Defense Center (PDC) supports a number of financial customers. Each uses Cofense PhishMe™ to train users to recognize phishing and Cofense Reporter™ to report suspicious emails to security teams.

Digging further into this data shows that 5.5% of the emails reported were found to be malicious. For a 5,000-user organization reporting at the volumes described below (35% to 72% of users per month), that translates to visibility of between 96 and 198 real phishing threats delivered to user inboxes every month, threats the security teams would otherwise not see.

The vast majority of these emails targeted credentials. As organizations continue shifting to the cloud, threat actors adjust their campaigns to target cloud credentials. Why? Once threat actors can log into your cloud instance as a legitimate user, they can move around the environment unnoticed. It’s why enabling 2-factor authentication for these environments is critical.

The Cofense PDC provides timely feedback to users who report emails. This is important — users who receive feedback are more inclined to report again, since they can see the role they play in keeping the organization secure. The five financial services customers using the Cofense PDC have an average resiliency rate of 4.0 — higher than the Cofense PhishMe average of 2.63. Again, that’s the ratio of users reporting to those falling susceptible.

What’s a healthy reporting rate? It’s hard to answer definitively. In 2018, the Cofense PDC’s financial services customers had reporting volumes equivalent to 35% of users—those that reported at least 1 email per month, or 350 emails reported per month, per 1000 users. These numbers naturally vary. Sometimes they are as high as 72%, or 720 emails reported per 1000 users.
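The resiliency ratio defined earlier (reporters divided by clickers, with the 1:1, 2:1 and 3:1 bands) and the reporting-volume arithmetic above, carried through as an added Python example that is not Cofense code; the bands, the 5.5% malicious share and the 35% to 72% reporting volumes are the brief’s figures, and the per-scenario counts in the demo are constructed.

```python
"""Resiliency and report-visibility arithmetic from the Cofense brief.
Constructed example, not Cofense tooling: the rating bands, the 5.5% malicious
share and the 35% to 72% reporting volumes are the figures the brief states."""
from dataclasses import dataclass

# Brief's bands: 1 to 1 is decent, 2 to 1 is good, above 3 to 1 is exemplary.
BANDS = ((3.0, "exemplary"), (2.0, "good"), (1.0, "decent"))


@dataclass(frozen=True)
class SimulationResult:
    """One simulation: users who received, clicked and reported the phish."""
    name: str
    recipients: int
    clicked: int
    reported: int

    @property
    def susceptibility_rate(self) -> float:
        return self.clicked / self.recipients

    @property
    def resiliency(self) -> float:
        """Reporters per susceptible user; a zero click rate counts as infinite."""
        return self.reported / self.clicked if self.clicked else float("inf")


def resiliency_from_rates(reporter_rate: float, susceptibility_rate: float) -> float:
    """Ratio from published percentages, e.g. 29.5% / 11.2% -> 2.63."""
    return reporter_rate / susceptibility_rate


def rate_resiliency(ratio: float) -> str:
    """Map a ratio onto the brief's bands; below 1 to 1 is 'needs work'."""
    for floor, label in BANDS:
        if ratio >= floor:
            return label
    return "needs work"


def monthly_malicious_visibility(users: int, reports_per_user: float,
                                 malicious_share: float = 0.055) -> int:
    """Real phish the SOC sees each month through user reports: users times
    monthly reports per user (0.35 to 0.72) times the malicious share (5.5%)."""
    return round(users * reports_per_user * malicious_share)


def rank_by_susceptibility(results):
    """Most-clicked scenario first, as the brief's scenario table is ordered."""
    return sorted(results, key=lambda r: r.susceptibility_rate, reverse=True)


if __name__ == "__main__":
    # Constructed counts that reproduce two rows of the brief's scenario table.
    sims = [SimulationResult("Parking Ticket", 1000, 56, 451),
            SimulationResult("Order Confirmation", 1000, 328, 122)]
    for s in rank_by_susceptibility(sims):
        print(f"{s.name}: {s.resiliency:.2f} ({rate_resiliency(s.resiliency)})")
    print(monthly_malicious_visibility(5000, 0.35), monthly_malicious_visibility(5000, 0.72))
```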


If your organization has extended its perimeter to the cloud, but has not implemented a Cloud Access Security Broker (CASB), check out Cofense Cloud Seeker™. This free tool shows all applications configured in your environment, including rogue accounts not provisioned by IT. You gain a comprehensive view to protect your organization.

STOP PHISHING (AND BREACHES) FAST

This financial company stopped an attack in 10 minutes. A large financial services company found itself at a crossroads. Trained on Cofense PhishMe, its users were doing a good job of recognizing phishing. The next step: report and respond to malicious emails faster.

So, the company added Cofense Reporter to report suspicious emails with one click, along with Cofense Triage™ to analyze them faster and accelerate mitigation. Cofense Triage analyzes emails when ingested from the inbox. It groups like emails by attributes and campaign, making it easier to find and stop attacks in progress. It will also assign a Risk Score, allowing the analyst to prioritize based on threat.

Within a few days, the new investments paid off.

The company’s security team observed a series of reported emails sent, allegedly, by another financial organization, a major credit card provider. The email landed in over 200 inboxes and was quite convincing, using the credit card company’s logo to get people to drop their guard.


The landing page asked for a wealth of personal data: name, address, social security number, email, and more. As reported by Cofense, credential phishing accounts for over 50% of malicious emails. Though attackers were after personal data, not company information, they could have connected a few dots to target the corporate network.

The security team quickly blocked the landing page’s domain—BEFORE any users entered data. The attack was stopped in 10 minutes. According to the team, detecting and stopping the email would have previously taken several days.

LET’S REVIEW

The financial services industry is heavily attacked and sees its share of high-profile breaches. However, as shown by Cofense data, when financial services companies train employees they will report phishing. In fact, the financial services industry performs in the top tier across major industries, with over 2 employees reporting simulated phishes for every employee taking the bait.

Moreover, as shown by the Cofense customer that stopped an attack in 10 minutes, companies with the right tools can quickly block threats that evade perimeter defenses. The key: simulation training focused on active threats and feeding a phishing-specific incident response platform.

Learn more about how Cofense helps financial companies stop phishing attacks in their tracks.


ABOUT COFENSE

Cofense™, formerly PhishMe®, is the leading provider of human-driven phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. To learn more, visit https://cofense.com/.

SOURCES

1. “Spam and Phishing in Q2 2018,” Kaspersky Lab.

2. “Phishing Attacks in the Banking Industry,” InfoSec Institute, 2018.

3. “From Insecurity to Resiliency: 2018 State of Cyber Resilience for Banking & Capital Markets,” Accenture.