Cybersecurity threats against financial services institutions are rife — and they’re costing millions of dollars. What kinds of attacks are companies seeing, and how can they mitigate those threats?

London, U.K.-based PricewaterhouseCoopers LLC (PwC) surveyed financial services firms across the globe for its 2017 Global State of Information Security Survey and found that they experience between 4,600 and 4,900 cybersecurity incidents annually. In addition, these firms are spending wildly to try to mitigate the problem: security spending in this sector has soared by 67% since 2013, while security-related investments increased by 11% in 2016 alone.

Financial services institutions have reason to be worried, warns Tim Erlin, vice president of product management and strategy with Portland, Ore.-based cybersecurity firm Tripwire Inc., who sees two main categories of threat facing financial services firms.

“The first involves stealing data, not money, and then using it to generate some income,” he says. Then, the personal information stolen from financial services firms and other companies frequently makes its way to the “dark web.” Personally identifiable information (PII) sells for anywhere between US$1 and US$3.30 per record, according to a report compiled by Los Angeles-based security firm Trend Micro Inc. for CNBC.

“If they have more personal data — things like a Social Security number and home address — they can perpetrate more complex ID theft,” Erlin says.

The other threat involves simply stealing money directly, in what Erlin calls a transactional threat. These are fraudulent transactions designed to steal money, and often target users, he warns.

In both types of attack, cybercriminals frequently use malware to gain access, says Erlin. The difference comes in who’s being targeted. When stealing sensitive information from a company, attackers will target employees with malicious software designed to give them control of company computers.

Conversely, transactional fraudsters often focus on financial services customers with their malware. They will infect customers with so-called banking “Trojans,” the software equivalent of Trojan horses, offering an enticing app but secretly installing malicious code.

These Trojans are becoming increasingly devious. One, called Android.Fakebank.B, not only steals account information from a victim’s Android smartphone, but also blocks calls from the smartphone to the target bank so that the victim can’t report a problem.

The two main threat categories that Erlin describes aren’t set in stone. Sometimes, attacks straddle both. Ransomware is a good example. This type of attack targets information, but instead of stealing it for resale, ransomware encrypts it. The data won’t be descrambled until the victim pays the attacker. The victim will typically pay using the cryptocurrency bitcoin, which is both quick to transfer and difficult to trace to a known individual.

Ransomware is one of the biggest threats facing financial services institutions because it’s evolving to target these types of firms, says Laura Payne, co-organizer of Ottawa-based security conference B-Sides Ottawa and a senior cybersecurity analyst with Toronto-based Bank of Montreal.

“There’s certainly known work happening to develop ransomware that moves away from targeting end users and consumers, moving into organizations,” she says. “Financial services institutions are one of those.”

Santa Clara, Calif.-based Intel Security has been tracking the development of targeted enterprise ransomware, and in a 2016 report, it describes software that not only encrypts files, but then seeks out and deletes backups.

Although ransomware is a growing attack vector, according to the PwC report, another increasingly popular threat to financial services firms is business email compromise. Also known as “whaling,” this technique sees attackers emailing senior executives in the company who have access to funds and asking them to resolve a fake emergency (such as an unpaid invoice) by transferring money from the company to a third party.

The No. 1 attack vector for financial services institutions in the past year, though, was phishing. This form of business email compromise is a foundational threat because it can be used to gain the account credentials and privileges needed to launch another attack.

Business email compromise attacks will often begin with phishing exercises that give attackers access to executive email systems. The ability to read someone’s email helps them to understand the executive’s typical language and information flow before launching a successful business email compromise scam.

“It’s more important than ever that organizations look at basic hygiene as far as security practices that help keep this stuff out,” Payne concludes.

Cybersecurity guidelines such as the Cybersecurity Best Practices Guide from the Investment Industry Regulatory Organization of Canada are a good place to start.

Understanding the existing and emerging cybersecurity threats is a vital part of protecting client data. One thing is certain: just like the tide, they will keep advancing.

This is the first article in a three-part series on cybersecurity.

Up next: Lessons from recent cyber attacks against financial institutions.