4 things bankers need to know about phishing

When scammers impersonate a brand to steal information, they most often impersonate a bank. That is a finding from a recent study by email security company Vade, which found that 34% of the phishing URLs it detected in the first half of 2022 were impersonating financial services.

That is roughly the same as the rate during the entirety of 2022; Vade said that of the nearly 185,000 phishing pages it analyzed last year, 35% were impersonating financial institutions. In 2020, that rate was 29%.

"The trend toward financial services phishing began in Q1 2021 and continued through Q4," read Vade's 2022 annual phishing report. "Growth in financial services phishing could be attributed to the impact of COVID-19 on the global economy."

Two of the 20 most frequently imitated brands in the phishing schemes Vade detected were Chase and Wells Fargo, according to the company's report. PayPal was also in the top 20; Microsoft was the most common brand imitated.

When employees at small banks receive a phishing email, they are slightly less likely to click a link in that email compared to employees in other industries. Employees at larger banks, by contrast, click phishing emails more often than large companies in other industries.

Those findings come from a recent study by security awareness training platform KnowBe4. The company sent simulated phishing emails to 30,000 companies, most of which had fewer than 250 employees. Across industries, the average rate at which employees of small companies clicked the phishing links was 29%. Among small banks, the rate was 25%.

Those rates increased at the larger end of the company size spectrum. For companies with 250 to 999 employees, 30% of employees across industries clicked phishing links compared to 27% of bank employees. Among companies with 1,000 or more employees, 35% of all employees clicked links compared to 46% of bank employees.

"As cyber threats grow, the communication of these threats is filtering to the masses through social and news media," the KnowBe4 survey report reads. "In some areas, people have more information thrust at them, so their awareness is growing more organically. The question remains if that ground-level awareness will transfer to the workplace and grow with training into something more developed and instinctive."

IT leaders and executives tend to rate security awareness training and tech that scan emails for spoofing, which they also rated as the two most important methods for redressing phishing attacks, as needing improvements.

That is a finding from consulting firm CyberRisk Alliance, which surveyed 221 security and IT leaders and executives, security administrators and compliance professionals, 12% of which the firm said came from financial services.

The CyberRisk Alliance asked each respondent to rate nine email security technologies on a scale from one to seven on the importance of the technology and their satisfaction with the technology. The company also asked the same questions about security awareness training.

After averaging the scores together, only email encryption received a higher score on satisfaction than importance. Spoofing and phishing protection alongside security awareness training received 6.3 out of 7 on importance but 5.8 on satisfaction, suggesting "the need to develop more advanced email protection capabilities in these areas," according to the company's report on the survey.

"For capabilities where both importance and satisfaction scores are relatively high (for example, business email compromise protection and email encryption), organizations believe they are keeping up and should maintain their approach and security controls in this area," CyberRisk Alliance's report reads.