The evolution of cyberattacks means your cybersecurity strategies can’t stand still

Remember a number of years back when the prevalent email scam was an email from a supposed advocate of a Nigerian prince—one who needed your help to transfer a very large sum of money? Just help the prince out by providing access to your financial accounts to facilitate said transfer, and a not insignificant broker’s fee would be yours to keep.

Ah, for the halcyon days when phishing scams were that easy to spot.

The growing threat of cyber fraud

Unfortunately, cyber fraud has evolved quite a bit since then, with attacks becoming increasingly sophisticated, savvy and frequent. In many cases, the attacks are focused on financial institution accounts and transactions. The Canadian Cybercrime and Fraud Trends Report found that in 2022, Canada experienced a 30 percent increase in human-initiated attacks and a 52 percent increase in bot attacks over the previous year. These attacks coincide with a general increase in people using online systems, with digital transactions growing 32 percent in 2022 compared to 2021.

The report noted that Canadian financial services organizations experienced one of the highest overall attack rates globally—second only to Latin America.

What’s the result of this increased activity? According to the Canadian Anti-Fraud Centre (CAFC), there were 70,878 reports of fraud in Canada in 2022, resulting in $530 million stolen. The CAFC adds that over the next two years, cybercrime activity in Canada is expected to grow. Meanwhile, the 2023 Cybersecurity Ventures Cybercrime Report predicts that the damages from cybercrimes will cost $10.5 trillion USD worldwide by 2025. The main costs will be from data breaches, stolen funds, intellectual property theft, operational disruptions and post-attack recoveries.

Latest trends in cyberattacks

According to an article on TechRepublic, the top cybersecurity threats for 2024 include ransomware attacks, attacks on operational and IT systems, and modernized phishing schemes. The story notes that the dark web—a hidden portion of the Internet only accessible through specialized software—has become a breeding ground for criminal activity, where fraudsters can obtain malware and purchase stolen credentials to gain access to systems and accounts.

Cybercriminals will be aided by new technologies like generative AI, enabling them to develop increasingly sophisticated phishing and spoofing scams, while scaling their malicious operations to new levels. Traditional methods using mass-mailed generic messages with spelling and grammatical errors are quickly giving way to personalized attacks that use realistic-sounding messaging along with targeted details designed to convince victims of their authenticity.

In its 2023 Payment Threats and Fraud Trends Report, the European Payments Council identifies some of the latest schemes cybercriminals are using. For example, there are new forms of smishing (scams initiated via text messages) whereby cybercriminals use the real name of the customer in the text of an SMS message to gain their confidence. Smishing attacks can be used to lead customers to cloned banking websites where the criminals can collect victims’ access credentials.

Cybercriminals are evolving their tools and techniques to include generative AI and sophisticated social engineering scams.

Another trend is SEO poisoning, where fraudsters buy keywords from search engines to obtain higher rankings, with the goal of directing unsuspecting users to their fake websites. These ‘spoofed’ sites can, for example, impersonate a legitimate web banking website, and be used to collect confidential data or login credentials.

What can FIs and their customers do about growing cyberthreats?

With cyberthreats constantly evolving, there is no silver bullet that can stop all cyberattacks. Rather, there is a need to adopt a flexible and layered approach that combines strong security measures with robust monitoring and detection. Also, with cyberattacks increasingly targeting individuals through social engineering, it requires that all participants, whether businesses, customers or staff, do their part by becoming cyber aware.

Financial organizations can work to ‘harden’ their systems—for example, by implementing multifactor authentication and updated cybersecurity infrastructure. They can use AI monitoring systems to detect fraudulent activity, including persistent threats, and dedicate resources toward handling potential cases of fraud.

As a payment services provider, PPJV has made cybersecurity a primary priority, developing advanced fraud solutions with the implementation of the latest real-time cybersecurity technologies in all our modernized payments platforms. PPJV also offers a Fraud Service Desk with 24/7 automated fraud alerts from the Interac Monitoring Detection System, enabling real-time response to detected instances of fraud activity.

However, a key plank in dealing with cyberthreats is awareness and education—for staff as well as customers. Reviewing some of the resources linked to in this article, for example, can help FI staff and leaders become aware of the types of attacks to watch out for, so they don’t fall prey to the latest tricks and can help educate others within the organization. Companies can also invest in resources and insist upon regular cyber training for all employees. Service providers, meanwhile, can provide resources helping customers know how to verify that websites and emails are genuine, while encouraging the use of strong passwords, regular device updates and multifactor authentication for logins.

And this cannot be a one-time campaign. Cybercriminals are constantly changing and evolving their tactics, seeking new opportunities and vulnerabilities. Likewise, FIs, their staff and customers must stay ever vigilant and aware of the latest tricks and trends in cyber fraud and the most current best practices for cybersecurity.

Cyber Terms You Should Know:

Authentication: The provision of some form of assurance that an entity requesting access to a restricted resource is authorized to do so. Such assurances can include login/password credentials, a one-time authentication code, biometric verification and more.

Bot attack: A type of cyber attack that uses automated scripts to disrupt a site, steal data, make fraudulent purchases or perform other malicious actions. Bot attacks can target websites, applications or end-users.

Cyber fraud: A crime committed via computer with the goal of stealing money, sensitive information or other valuable assets from another individual or entity.

Generative AI: A type of artificial intelligence technology that can produce various types of content including text and images.

Phishing: The fraudulent practice of sending emails or other messages pretending to be from a reputable source in order to induce individuals to reveal personal information such as passwords and account numbers. Smishing is phishing through the use of SMS text messages. Spear phishing is a type of phishing that targets a particular individual or group, often using information specifically designed to fool or be of interest to the target.

Social Engineering: A strategy of cyber attack that focuses on attempting to trick or manipulate individuals into revealing sensitive information or installing malware.

Spoofing: The creation of a website or web page, under the control of fraudsters, that seeks to imitate an authentic website, so as to trick individuals into revealing sensitive information such as their login credentials.

Some Cyber References and Resources

Baseline cyber threat assessment: Cybercrime (Canadian Centre for Cyber Security)

2023 Payment Threats and Fraud Trends Report (European Payments Council)

TechRepublic: Top 7 cybersecurity threats for 2024

Canadian Cybercrime and Fraud Trends Report (LexisNexis)