Digital Heists: Four Emerging Cyber Threat Trends in the Financial Sector
By Lou Senko
Chief Availability Officer, Q2
Q2 has the honor of hosting the digital branches for many of the nation’s leading financial institutions – close to 60% of the top 100 banks and over 40% of the top 50 credit unions, according to the Forbes Americas Best Banks (2024) and Credit Unions (2023). Since these financial institutions move over 10% of our gross domestic product (GDP), they have become a major target for cyber threat actors. To stay ahead of these bad actors, it is essential to partner and work together with our customers and their capable IT and Security teams – it makes us all stronger.
Although we can’t predict the emerging threat landscape, Q2 analyzes data on a regular basis to identify thematic issues. When we find a trend, we immediately get those insights to you, our customers. So, let’s talk about four trends we see affecting the financial services industry.
Trend #1 - Weaknesses in legacy infrastructure are exploding, and vulnerabilities are increasing at a record pace
In the past ten years, security vulnerabilities have accelerated by over 500%. In 2023, it was reported there were 26,447 Common Vulnerabilities and Exposures (CVEs). Combine that with a 300% increase in deployed servers (>100 million now) and 50% growth in laptops (>300 million), and the result is an incredible expansion of the vulnerability surface area – 5X the vulnerabilities targeting 3X the servers and 1.5X the laptops. Furthermore, 26.5% of those vulnerabilities had an exploit available, and 8% of those were considered ‘high-risk’ vulnerabilities because of known active campaigns, weaponized by bad actors or malware. In 2023, an exploit appeared on average 44 days after the vulnerability was published – giving vendors and IT teams only a month and a half to produce, test and deploy a patch. Worse yet, nearly 25% of the ‘high-risk’ vulnerabilities had exploits available on the SAME DAY that the vulnerability was published.
What can you do about it?
- Stay aware of your attack surface – not only an inventory of assets, but one qualified with a risk rating informed by each asset’s actual exposure to bad actors, its interconnectedness, and the value of the information either stored on it or flowing through it. This lets you cross-reference which vulnerability applies to which assets and prioritize the assets that need attention first.
- Understand the bill of materials (BOM) of any software you have deployed. Only 28% of the exploited vulnerabilities were at the operating system level, so the application, integration layer, content management software, and desktop now make up a significant part of the risk. A recent study found that 74% of codebases contained high-risk open-source vulnerabilities.
- Focus on the basics – use resources like the National Institute of Standards and Technology (NIST) Special Publication 800-40 version 2, Creating a Patch and Vulnerability Management Program (nistspecialpublication800-40ver2.pdf).
Trend #2 - Fraud is increasing
Last year, fraud increased by 14% YoY, topping $10 billion in losses, with the size of each loss increasing by 65%. Although it’s a complex surface, the three largest threat vectors for financial institutions are account takeover (increasing 354%), fraudulent account opening (23% of all opened accounts), and check fraud (increasing 86%).
What can you do about it?
- Merging the capabilities of your traditional Security team with your Fraud department brings the best of both worlds together. Fraud leaves a trail of breadcrumbs through the applications much like a bad actor does in a cyber-breach, and the investigative goal is the same: identify the initial entry points in the kill chain. The skills your Security team brings to augment the Fraud team’s investigations will be invaluable in a cyber-fraud team fusion.
- Deploy fraud tools that also leverage machine learning and artificial intelligence. Today, 52% of financial institutions are deploying these types of tools to fight fraud. Increasingly, the best detection comes from identifying abnormal behavior in the user session, an unusual pattern of usage, or unusual money movement. This is one of the best ways to detect fraud as it is occurring—in time to stop it before the money leaves the financial institution and is lost.
- Aim to detect Account Takeover (ATO) earlier, closer to the user's point of interaction where the malicious activity occurred. Once the bad actor has a working login, it is much tougher to catch them in the act. ATO prevention tools generally fall into two categories:
- Pattern recognition: These tools learn how a user routinely behaves and alert when they observe an unusual pattern of activity.
- Spoof-resistant Multi-Factor Authentication (MFA): These tools limit the damage when a user unknowingly shares their login credentials with a bad actor, often as a result of a successful social engineering attack. Spoof-resistant MFA ties the traditional sources of identity proof – something you know (login), something you have (a card, phone), and something you are (biometrics, facial ID) – to a unique certificate on your computing device, so even if a bad actor gets the login, it doesn’t work unless it comes from the registered device.
Trend #3 – Artificial Intelligence (AI) is beginning to have a noticeable impact on cyber attacks
AI is already being used in cyber attacks, and we fully expect it to accelerate our need to quickly strengthen our defenses – both technical and procedural.
- Phishing – When you look at all of the different types of fraud attacks, there are 6X more phishing attacks, representing 2X all other fraud attacks combined. AI-generated phishing emails, text messages, phone calls and social media interactions have become incredibly hard to detect, and far more victims take the bait. The ability to personalize contact – at scale – makes AI a formidable opponent. Recent research indicates that 60% of participants fell victim to AI-automated phishing emails. Just as advertisements can be personalized to enhance their effectiveness, AI can now tailor phishing attempts in a similar way, leading to more successful malicious outcomes. The over-60 age group has been hit particularly hard: they account for 40% of all attacks and 58% of all losses.
- Automation Attacks – AI-powered botnets, networks of hijacked devices used to direct overwhelming amounts of traffic at target systems, are now scaling faster and more efficiently. This has led to a 22% YoY increase in Distributed Denial of Service (DDoS) attacks on financial institutions, in which services are disrupted by flooding them with malicious traffic. Currently, bots represent over a third of all login attempts, and AI helps bad actors build better tools faster, lowering cost while increasing attack speed. Enabled by AI, these automated attacks are compressing the reconnaissance-discovery-attack cycle from weeks to days and even hours.
What can you do about it?
- Reduce the information you are unknowingly offering to bad actors. When a login attempt fails, don't reveal whether the issue was an incorrect username or just a wrong password, and make sure the response time is the same in both cases. Otherwise an attacker can tell from the message, or from how fast the response came back, which part of the login was correct; giving the same answer at the same speed keeps them in the dark.
- Implement anti-automation/bot defense. Although tools can’t stop bad actors from attempting an attack, we have seen a tremendous reduction in ‘minutes under attack’ because bad actors quickly realize that defenses are in place and move on to easier targets. Interestingly, even though the sheer number of attacks has stayed about the same over the years, the duration of the attacks has decreased by 97%, reducing the overall impact on our customers and infrastructure.
- Educate your users. At the end of the day, it’s the human that still clicks on the email, responds to the text, or gives the information to a website they shouldn’t. While it's impossible to prevent every attack, increasing awareness of the risks and encouraging people to stay vigilant improves your chances of defense.
- Ensure all potential entry points are properly secured, including email systems, USB ports, shared drives, and other access points. Attackers can exploit any access point left unprotected, so it's crucial to implement strong security measures for every avenue that could be used to infiltrate your systems.
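The first item above, generic failure messages with equal response time, is easy to get wrong in practice. The following added example (not Q2 code; the user store and credentials are constructed for the demo) shows a leaky login check beside a hardened one that returns one message and does the same password-hashing work whether or not the username exists:

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credential store (not a real system): username -> (salt, PBKDF2 hash).
PBKDF2_ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_record(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


USERS = {"alice": _make_record("correct horse battery staple")}

# Decoy record checked when the username is unknown, so that path costs the
# same PBKDF2 work as a real user supplying a wrong password.
_DECOY_SALT, _DECOY_HASH = _make_record(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Weak version: distinct messages and a fast path for unknown users reveal valid usernames."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user."            # returns before any hashing
    salt, expected = record
    if _hash_password(password, salt) != expected:  # also not a constant-time compare
        return False, "Wrong password."
    return True, "OK"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Same message and same amount of work on every failure path."""
    salt, expected = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    candidate = _hash_password(password, salt)        # always hash, even for unknown users
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return (True, "OK") if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        t0 = time.perf_counter(); fn("alice", "wrong-password"); t_known = time.perf_counter() - t0
        t0 = time.perf_counter(); fn("mallory", "wrong-password"); t_unknown = time.perf_counter() - t0
        print(f"{fn.__name__}: known-user fail {t_known:.4f}s, unknown-user fail {t_unknown:.4f}s")
```

Run stand-alone, the script prints the two failure timings for each variant; the leaky one answers unknown users almost instantly, while the hardened one takes about the same time either way.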
Trend #4 – Baselines of normal behavior are being established so that abnormal activity can be detected
One of the most crucial ways to prepare for future, unpredictable attacks is to create a baseline that defines what normal activity looks like. Whenever something deviates from that baseline, treat it as suspicious until you can definitively prove it's harmless. Always assume abnormal behavior is a threat unless you can falsify that assumption. Only in this way can you catch an attack that is brand new – be it a bad actor moving through your environment or a proliferating piece of malware.
What can you do about it?
- Use data. Collect it, analyze it, and look for anomalies and correlations that could be signs of unwanted activity. Use vendor partnerships to enrich your visibility – services like Q2SecurityInsights, which feeds a real-time security event stream into your Security Information and Event Management (SIEM) tool.
- Deploy an XDR (Extended Detection and Response) solution, one that can learn each endpoint’s normal behavior and then notify you when it’s acting out of character.
We don’t know what’s coming ahead, but we do know it will move with greater volume and speed. We’ll need to blend proven processes and best practices with cutting-edge tools, data, and AI to stay ahead. It’s a tough job, but that’s why we have great teams and partners who are all vested in the same good outcomes: ensuring that you and your account holders are protected.
Stay safe.
Below are links to useful resources and information to learn more:
- NVD - NVD Dashboard (nist.gov)
- 52% of FIs Plan to Lean on ML and AI to Combat Fraud (pymnts.com)
- 2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is | Qualys Security Blog
- AI Will Increase the Quantity — and Quality — of Phishing Scams (hbr.org)
- New Synopsys Report Finds 74% of Codebases Contained High-Risk Open Source Vulnerabilities, Surging 54% Since Last Year - Feb 27, 2024