Finance sector cyberattacks are increasing, protecting employees must be the priority
As the saying goes, money talks. For cybercriminals, the financial services industry is therefore an enduringly popular target for advanced email attacks, with a single breach capable of unlocking millions in assets.
As artificial intelligence and automation help criminals scale their operations and make attacks increasingly difficult to detect, employee awareness has never been more urgent.
We spoke to Mike Britton, CIO at Abnormal AI, about the threats facing the financial services sector and the steps needed to protect the weakest link in the security chain: employees.
What are the main threats targeting the financial sector, and why is this happening?
The operational DNA of financial organisations makes them attractive targets. They’re trusted to handle vast amounts of sensitive data and process millions of transactions each day. Add the large number of high net-worth clients, and you have a treasure trove for attackers.
Every wire transfer or account adjustment represents an opportunity for a large payday. There are few industries with such a direct path to significant profits.
Added to this, the sector depends on a complex web of vendor relationships that rely heavily on email. Whether it’s wire transfers or compliance reporting, there are numerous openings for impersonation and compromise.
In 2024, Evolve Bank & Trust in the US disclosed a breach which originated with an employee clicking a malicious link. Attackers accessed internal systems and the data of 7.6 million individuals, including social security numbers and account information. Evolve declined to pay the ransom, and the data was then published online. This shows how just one single mistake can escalate into a major reputational and financial crisis.
To what extent are advanced email attacks increasing in financial services?
Over the last year, email attacks targeting the sector have increased by 25.2%, largely because attackers now have a range of generative AI tools at their disposal.
Threat actors can easily craft emails that perfectly mimic internal communications and include appropriate jargon and regulatory language. What once required extensive research is now automated in seconds through AI, which can analyse large numbers of public communications to create convincing impersonations.
The financial services sector’s expanded digitisation has also added to the attack surface. Trends like remote work, digital-first customer interactions, and automated processing introduce more risk exposure. Verifying all users has become far more challenging. Communications that used to happen in person or over the phone now often flow through email channels that criminals exploit.
Are Business Email Compromise (BEC) attacks still a big problem for finance?
Business email compromise is a targeted form of phishing which occurs when cybercriminals impersonate trusted individuals in an organisation to trick employees into sending money or data. Attackers can hack real accounts to send convincing requests or target executives directly. The primary aim of this technique is to exploit trust.
Interestingly, the overall volume of BEC attacks in the sector dropped 8.5% year-over-year. However, the problem remains a serious one as financial organisations still face a disproportionately high rate of BEC compared to other industries.
The fact that the industry presents ideal conditions for BEC success is the most likely explanation. Financial institutions have well-defined hierarchies that make executive impersonation more credible. A CFO asking for a critical wire transfer authorisation or a Chief Compliance Officer demanding documentation is a regular occurrence that isn’t often questioned within established organisational dynamics.
Added to this, time-sensitive factors like end-of-day transfers or compliance deadlines make staff more vulnerable. Criminals understand these patterns and exploit them effectively.
How does generative AI change the threat landscape?
Generative AI has lowered the barrier to launching sophisticated attacks. Previously, only highly skilled attackers could craft convincing impersonation emails. Now, anyone can do it.
Attackers use AI to analyse public sources and craft emails to match a company’s language. Generative tools mean that it’s no longer a challenge to include correct terminology or mirror the communication style of specific executives.
This makes social engineering far more effective, as employees constantly receive messages that appear to come from a position of trust from a range of colleagues, vendors, and regulators.
What are the consequences of a successful email attack on a financial institution?
The impact can be devastating. Beyond direct financial losses from fraudulent transactions, there are regulatory penalties if compliance-related data is breached. Reputational damage has the potential to drive clients away. There’s also an element of operational disruption from overloaded customer support to the cost of forensic investigations and legal settlements.
Attackers often steal and leak or sell sensitive customer data. Once that information is exposed, the damage is permanent and long term, with millions of people’s financial security at risk.
What should financial institutions do to protect themselves and their employees?
It starts with recognising that the threat has evolved. Legacy email security tools that rely on known indicators of compromise aren’t enough anymore. Modern attacks now exploit human psychology, rather than just technical vulnerabilities.
Organisations need AI-native security platforms which are able to detect anomalies in communication patterns and stop threats before employees can engage with them.
For financial organisations, technology alone isn’t enough. Employee education remains critical. Staff need to be involved in regular training to recognise modern phishing and BEC tactics. Organisations should embrace a security culture where employees feel empowered to verify suspicious requests, even if they’re urgent.
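The answer above describes two defensive controls: detecting anomalies in communication patterns and giving staff a way to verify suspicious requests. The following is an added illustration of the first, written for this page and not code from Abnormal AI or the interview; it scores a message on a few of the BEC signals the interview names (an executive's display name on an external sender, a lookalike domain, a mismatched Reply-To, urgency and payment language) so that a high-scoring message can be routed to verification. The organisation domain, executive names and sample messages are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data: the organisation's legitimate email domain and the
# executives an impersonator would most plausibly spoof (hypothetical names).
ORG_DOMAINS = {"examplebank.com"}
EXECUTIVES = {"jane doe": "cfo", "sam lee": "chief compliance officer"}

# Wording typical of the urgency and payment pressure the interview describes.
URGENCY_TERMS = ("urgent", "immediately", "end of day", "before close", "asap", "deadline")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "bank details", "account change")


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a, b):
    # Levenshtein distance: one substitution, insertion or deletion each costs 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    # A domain within two edits of a legitimate one (but not equal to it) is suspect.
    return any(0 < _edit_distance(domain, d) <= 2 for d in ORG_DOMAINS)


def assess(email):
    """Score a message on impersonation signals; higher means more suspicious."""
    v = Verdict(score=0)
    sender_dom = _domain(email.from_addr)
    name = email.display_name.strip().lower()

    if name in EXECUTIVES and sender_dom not in ORG_DOMAINS:
        v.score += 40
        v.reasons.append(f"display name matches {EXECUTIVES[name]} but sender domain {sender_dom} is external")
    if is_lookalike(sender_dom):
        v.score += 30
        v.reasons.append(f"sender domain {sender_dom} is a lookalike of an organisation domain")
    if email.reply_to and _domain(email.reply_to) != sender_dom:
        v.score += 20
        v.reasons.append("Reply-To domain differs from sender domain")

    text = f"{email.subject}\n{email.body}".lower()
    if any(t in text for t in URGENCY_TERMS):
        v.score += 10
        v.reasons.append("urgency language")
    if any(t in text for t in PAYMENT_TERMS):
        v.score += 10
        v.reasons.append("payment or banking-change language")
    return v


def needs_verification(email, threshold=50):
    # Route to out-of-band verification (a phone call on a known number) when the score is high.
    return assess(email).score >= threshold


# Constructed sample messages.
SPOOF = Email("Jane Doe", "jane.doe@examp1ebank.com", "jane.doe.cfo@webmail.example",
              "Urgent: wire transfer before close of business",
              "I need you to process a wire immediately. Send confirmation to this address.")
BENIGN = Email("Jane Doe", "jane.doe@examplebank.com", "",
               "Q3 budget review", "Please see the attached figures for Thursday.")
VENDOR = Email("Acme Supplies", "billing@acmesupplies.example", "billing@acmesupplies.example",
               "Invoice 1042", "Attached is invoice 1042 for last month's delivery. Payment is due within 30 days.")

if __name__ == "__main__":
    for label, msg in (("spoof", SPOOF), ("benign", BENIGN), ("vendor", VENDOR)):
        verdict = assess(msg)
        print(label, verdict.score, needs_verification(msg), verdict.reasons)
```

Keyword matches alone never cross the threshold; the vendor invoice scores 10 and is left alone, while the spoofed CFO message accumulates points from the external and lookalike sender, the mismatched Reply-To, and its urgency and wire wording. A production platform would learn the sender, recipient and timing baselines the interview refers to rather than use fixed lists, but the shape of the decision is the same.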
Are there any final thoughts about the threats facing financial services?
Attacks will only get more sophisticated as generative AI improves, and the barrier to creating convincing social engineering campaigns will keep dropping. Trust and urgency are now the prime targets for exploitation.
Financial institutions must prioritise defences which can adapt to this, as well as making security a shared responsibility across the organisation. Protecting employee inboxes isn’t just an IT concern; it is a business-critical priority.