As reported by The Financial Conduct Authority, British financial service companies have seen a fivefold rise in data breaches since 2018 compared with previous years. As the number of cyber threats continues to increase, a stark reality is setting in for many financial institutions: that if they are currently not confident in their ability to manage their current threat level, they might soon find themselves staring over the cliff edge.

The story of cyber security within the banking industry for 2021 will be one of financial institutions placing greater scrutiny on their existing security environments, reigning in their focus to ensure that they have the strongest foundations to help them weather the ensuing storm.

The problem of third-party security 

Monitoring third parties’ cyber security is a growing concern for banks. There is continuous pressure on financial institutions to achieve full visibility and a complete understanding of their vast network infrastructure, including tightening security over their increasing portfolio of third-party environments. To deal with this issue, it is necessary for financial institutions to meticulously investigate their APIs and consolidate their security architectures so they have an improved awareness of the risks that face their business.

The confusion of cloud misconfiguration

Banks have welcomed cloud technologies with open arms. Cloud as a platform is now being used to cope with a surge in data, improve operational efficiency and develop banking platforms. Financial institutions are especially interested in how rapidly cloud services can be integrated alongside existing operations.

However, as banks try to roll out cloud services as quickly as possible, security is being deprioritised to spin up new infrastructure as a service (IaaS) cloud environments. This has resulted in the risk of access point misconfiguration. If financial institutions don’t make sure that security underpins all cloud initiatives, it is likely that the propagation of these types of risks is only going to increase next year.

As cloud is a comparatively new technology, banks are still grappling with how to achieve complete network visibility and comply with necessary security standards. Confusion around how to secure cloud is no excuse, however, for deploying insecure cloud services. Financial institution security teams need to work with DevOps to establish a better way of working that eliminates the possibility for misconfiguration, and they need to do so quickly. The number of vulnerabilities reported which affect cloud IaaS is likely to increase by 50 percent over 2018 figures by the end of 2021, according to Skybox Security’s 2019 Cloud Trends Report. To manage emerging cloud risks in 2021, we are going to see financial organisations pigeonholed into a position where they have to bolster their network audits and tidy up their firewalls.

Cyber threats to the banking industry from technical debts

Financial organisations are constantly being held back by their often-archaic legacy technology. One sector that will be especially vulnerable in 2021 is the ATM industry. This is because many of their operating systems rely on Windows 7, an operating system that will no longer be supported by Microsoft.

To move forward with their digital transformation plans, banks must continue to deploy new controls on top of their old systems. For security teams to cope with the increasing complexity of their aging infrastructure, they must endeavour to embed security within their transformational plans. It’s imperative they look at how they protect their existing environment while simultaneously bolstering their security measures.

“In addition to Graeme’s informative insights into the state of the current financial industry in the UK, the paramount concern among the relevant security management is trying to keep their current teams as upskilled as possible; as the cyber threats get more and more sophisticated, the harder it is becoming to prevent any future attacks. It’s more a game of detect and fix rather than prevention, which is the wrong way round.”

Ali Twidale – Banking & Financial Fraud Consultant at ESA Risk

Processes and people play a part

Banks aren’t immune to the ongoing cyber security skills crisis. But, as they fight to keep members of their security team on board, there is an absence of staff to keep on top of basic tasks such as vulnerability patching. Despite endeavours to use technology to manage these tasks more effectively, there is still a surprising over-reliance on manual processes throughout the sector. Throughout 2021, financial institutions will need to find fresh means of utilising their existing resource more successfully. This can be achieved through readjusting workloads based on detailed threat intelligence, automating more processes and with greater frequency, consolidating activities, combatting organisational silos, or a combination of these tactics.

Ransomware rises again 

The propagation of cryptominers was a primary concern for many financial institutions at the beginning of 2019 and will continue into 2021. Criminals are profit-driven, and the most profitable tactics for them now are their old favourites: botnets and ransomware.

In response to this threat, banks must prioritise operational resiliency. Right now, many organisations are encumbered by a bloated collection of point products. To increase efficiency and better deal with the changing threat landscape, many are seeking to consolidate their cyber security solutions in 2021. To tackle the imposing threat of botnets, systems should be amalgamated, and data normalised to form an intelligence-driven understanding of the complete network. To spot these attacks and remediate their most exposed vulnerabilities, banks need to have this insight.

2021 isn’t going to be easy for chief information security officers (CISOs) operating in the financial services sector. Only time will tell if the sheer volume of cyber threats and attacks knocking at their door gets too much to handle. As talent remains scarce and threats multiply, banks must be sure to invest in the technology that can keep them abreast of the most critical security issues facing their organisation.

Deepfakes are not a new threat, but have been steadily advancing, making this type of fraud difficult to identify. Most deepfakes are created for entertainment purposes, for example in films to ‘resurrect’ deceased cast members, bringing them back to life on screen. Even a Google search will give you a taste of what can be achieved with deepfake technology, like this video apparently showing Mark Zuckerberg giving a speech about data “stolen” by Facebook. It was created by artists Bill Posters and Daniel Howe to demonstrate the potential power of fake news.

How is a deepfake created?

To create a convincing deepfake video, software is used to analyse the facial expressions of the chosen subject using artificial intelligence (AI). This information can then be used to create a video, superimposing the subject’s face onto real footage of someone else. Fairly convincing results can even be created live during a video call. The poor connection and grainy image we often experience during a video conference would mean that the fake doesn’t have to be perfect to work.

Next comes creating the audio. Freely available software such as Lyrebird AI allows you to impersonate anyone’s voice. “Record 1 minute from someone’s voice and Lyrebird can compress her/his voice’s DNA into a unique key. Use this key to generate anything with its corresponding voice,” says the Lyrebird website. None of this software is illegal or requires a special licence to use, meaning anyone can access it. And if you don’t have the technical knowledge to create a deepfake yourself, you can pay someone else a couple of hundred pounds to do it for you.

Deepfakes in business

But what are the threats to businesses from this type of technology? Admittedly, the chances of someone using a deepfake to impersonate your CEO to extract funds are slim. But, despite the odds, this has happened – and using a far less sophisticated approach than some of the high-profile examples you will see posted online for entertainment purposes. In October 2019, it was reported that a top executive in a UK-based energy company had been duped into transferring £200,000 to cyber fraudsters. The perpetrators used AI voice technology to mimic the executive’s boss, who was based at the German headquarters. The executive was instructed to move the funds immediately to a Hungarian bank account and was told they would be returned later. They never were.

This example demonstrates several factors fraudsters rely upon to ensure a deepfake fraud is successful:

1. Authority: In the above example, the senior executive was the head of the UK arm of the company. Despite this, he still felt unable to question the instructions he was given from his boss. Fraudsters rely on professional hierarchies and social norms to predict people’s behaviour patterns. Authority is a useful tool for criminals because people are often reluctant to question it.
2. Urgency: If we are told something is urgent (especially by a superior) it immediately changes the way we react and inhibits our ability to think clearly. Instead of following the normal steps required, we rush – focusing our attention on getting the task done, rather than how or why we are doing it in the first place.
3. Doubt: 9 times out of 10, phone calls are genuine. Fraudsters rely massively upon the ‘benefit of the doubt’.
4. Distance: Contacting someone through email or by phone creates a barrier, allowing for certain inconsistencies or discrepancies to be overlooked or allowed for. The slight difference in the German executive’s voice in the energy company might have been due to the phone line, or because of background noise, or because they’d been unwell. A difference in tone of voice in an email could be because the person was in a rush.

Deepfakes and Covid-19

Even if you had never used a video conferencing app before the Covid-19 pandemic, you will no doubt be more than familiar with the software today. This influx of inexperienced, regular users of apps such as Zoom, Skype and Microsoft Teams has provided an unending supply of data for cyber criminals to exploit. Zoom came under fire recently when it was revealed that thousands of private recordings of Zoom calls could be easily accessed online by doing a simple search of cloud data storage. The recordings weren’t those held by the platform itself, but were files that had been stored locally by the individual users – an option that was given to Zoom users once a recording had been created. Nonetheless, this still means hours of footage are available for fraudsters to access online and potentially use to create deepfake videos.

In times of crisis, financial institutions will always be prime targets for cyber criminals looking to cash in. For this reason, cyber security is something all firms should be investing in right now. But do they fully understand the risks posed by AI and deepfakes?

In my experience, the answer has to be, no, absolutely not. There is a complete lack of training, education and awareness about cyber risk in general, even in some of the UK’s largest financial institutions. AI now allows cyber criminals to take their phishing to the next level, meaning that we can’t rely on a phone call or even a video call to verify authenticity. The solution is to get a proper HR training regime installed in every institution. Every company in every sector should have one for every worker, from the cleaner to the CEO.

Social engineering

Cyber criminals use a combination of factors to break down security barriers in firms and improve the success rates of deepfakes, including social engineering. This involves manipulating individuals to divulge sensitive information which can then be used to access internal systems, or convincing people to transfer funds or data. Keeping employees happy is a huge part of mitigating against this risk. But ensuring sensitive information is always treated as such should be the first step.

I was delivering a talk at an event recently and 2 women who worked at one of the UK’s largest insurance firms approached me afterwards. They said they were a bit concerned about cyber security in their office because they had a notebook where everyone’s usernames and passwords were kept for convenience. This kind of mistake is frighteningly ignorant, but also terrifyingly common. Once criminals have access to a senior executive’s email account, they can easily impersonate that individual and gather enough data to extract funds or cause untold damage. And that’s before we’ve even entered deepfake territory. All they need is a disgruntled member of staff with an axe to grind and they could easily get hold of that notebook.

Combatting deepfake fraud

AI technology is advancing all the time, so deepfakes are only going to become more convincing. For businesses, this means upping the ante when it comes to verification methods, even if it seems ‘silly’ or unnecessary.

Encouraging employees to feel comfortable in getting verification from a senior member of staff is essential. Measures such as calling someone back if they have phoned you to ask for a funds transfer, or implementing a series of security questions which only that particular person would be able to answer, are vital. Of course, many of the examples we have seen of deepfake voice calls have involved something that doesn’t usually happen, e.g. a call out of the blue from a senior executive asking for an urgent payment. Firms need to create strict protocols that are always adhered to, to ensure that a call like this would immediately trigger alarm bells.

If going against protocol is a common occurrence, it increases the likelihood of a deepfake’s success. Being organised and always following the same process and verification measures – without fail – will mean any deviation from normal practice will be easily picked up. If you are unorganised and regularly make exceptions to the rules, how can you expect your staff to know the difference?

Always one step ahead

Active learning technology allows cyber criminals to boost the success rates of phishing emails and other such scams by gathering data on what works and what doesn’t, then using this information to adapt their approach. Cyber criminals are always one step ahead. This is why it is so important to keep educating staff about the technological capabilities cyber criminals now have. Share examples of incidents that have occurred, remind staff of the protocols they must follow and don’t just limit cyber risk training to new recruits; it should be ingrained in everyday, business-as-usual activities so that being aware of these types of risk is second nature.

The sheer speed with which technology is progressing is what makes deepfakes so concerning. In a documentary called The Weekly for The New York Times, investigative journalist David Barstow followed a group of AI engineers and machine-learning specialists in their quest to create the perfect deepfake. Their abilities and the capabilities of the technology they were using – which could easily fall into the hands of criminals – was as impressive as it was alarming. “It’s astonishing the progress a handful of smart engineers were able to make in a matter of months,” Barstow said. “Teams of computer scientists around the world are racing to invent new techniques to quickly identify manipulated audio and video. The bad news [is] some deepfake creators are incorporating the machine-learning algorithms behind those countermeasures to make future deepfakes even harder to detect.”

Barstow believes that even global web platforms like WhatsApp and Facebook are “woefully unprepared” to help users spot deepfakes. If business is to ensure it doesn’t fall foul of this growing threat, firms need to start taking it seriously now before it’s too late.

Common security mistakes that could result in deepfake fraud:

• Sharing too much information on social media platforms.
• Not questioning authority – assuming because the boss calls you should bypass all normal security protocols.
• Leaving cyber security to the IT people – it should be part of every employee’s induction and ongoing training.
• Not looking after staff welfare – disgruntled employees who have access to sensitive information/internal systems/usernames/passwords.
• Not securing personal devices properly – especially in light of increased home working during the Covid-19 pandemic.
• Trusting someone you have only met remotely.

High-profile examples of deepfakes:

American actor, writer and producer, Jordan Peele, created a deepfake video of Barack Obama making outrageous statements and openly criticising US president Donald Trump to demonstrate the potential power of fake news on politics.

Artists Bill Posters and Daniel Howe made a convincing deepfake video of Facebook CEO Mark Zuckerberg, where he appears to tell CBSN news that he owns “billions of people’s stolen data…all their secrets, their lives, their futures.”

Speaker of the US House of Representatives, Nancy Pelosi, has been targeted several times by individuals looking to damage her reputation through fake videos. The examples here are not technically deepfakes, but the speed and pitch of her voice has been altered to make it sound like she is drunk. It is still not known who is responsible for creating these videos.

Catalan artist Salvador Dalí was brought back to life in 2019 as an exhibition “host” by the Dali museum in Florida. The interactive installation included 45 minutes of footage over 125 videos, which allowed more than 190,000 different combinations depending on visitor responses.

Last year, a suspicious video of the President of Gabon after a long absence sparked rumours of a deepfake, resulting in an attempted military coup. This example demonstrates how even just the knowledge that deepfake technology exists can make us question whether what we are seeing is real.

In July 2020, it was discovered that published British journalist Oliver Taylor, who claimed to have studied at the University of Birmingham in the UK, was in fact a deepfake. Alarms were raised when an article by Taylor was published in US Jewish newspaper The Algemeiner, criticising activist couple Mazen Masri and Ryvka Barnard and accusing them of being “known terrorist sympathisers.” A fabricated photograph and an account on question-and-answer site Quora are the only record of his existence. Despite this, “Taylor” had several articles published in newspapers, including the Jerusalem Post.

The internet enables anonymity and layering between the surface web, which most users browse, and the dark web, which is less accessible. The latter enables various kinds of black-market trading, illegal selling and criminal activity via hidden websites and private networks.

The dark web can be found through The Onion Router (TOR), an open-source software that encrypts users’ data and provides a more private browsing route. Taking the name ‘onion’ from its multi-layered protection of data, TOR makes it harder to trace a users’ activity or location and can enable anonymous online communication.

The dark web is said to be considerably bigger than the mainstream web that most people use. Think of the web as an iceberg, with a huge amount of information above the water in plain sight, but even more hidden in the murky depths below. Yet, for the most part, it remains a mystery, even to law enforcement.

However, illegal operations running through the dark web have been revealed and shut down in the past. For instance, in January 2021, a worldwide illegal marketplace was found and its operations stopped. ‘DarkMarket’ was a selling place for various illegal merchandise, including drugs, malware and stolen credit card details. The marketplace was only available to dark web users for the purpose of ensuring identities remained hidden, but the efforts of international law enforcement agencies eventually were able to infiltrate it and take the site down.

Nevertheless, this hidden part of the internet is still at large, as criminals take advantage of law enforcement’s lack of knowledge surrounding it. As internet service providers cannot directly observe web traffic on the dark web, it is extremely difficult to locate its online criminals, as opposed to crime or fraud that takes place on the surface web.

Further examples of the illegal activity on the dark web include:

• Black markets selling weapons and drugs
• Gambling
• Illicit pornography
• Hacking groups and services
• Scams
• Malware and ransomware.

Users of the dark web have now started to exchange money using cryptocurrencies, such as Bitcoin, meaning they can implement further anonymity when conducting purchases. However, the users are also unsafe to potential scams within the dark web itself. Some black markets are advertised using false URLs and users can expect to be exposed to malware including phishing (fraudulent messages that invite malware into a users’ device to steal their data), botnets (a chain of internet-connected devices that are infected with malware) and keylogging (covertly recording the strokes on a keyboard to hack the users’ device).

Some services are false, for instance the option to hire a hitman or buy a certain weapon might just be a scam. Phishing can lead to identity theft or extortion, which is difficult to protect yourself against unless browsing using fake information. Users often create throw-away accounts with fake emails, usernames and bank details in order to protect their identity. They might also install antivirus protection against malicious malware and avoid downloading files from the dark web, unless scanning software is in place to protect against infection.

A Case Study

In 2011, Silk Road was founded and put up on the dark web as an online marketplace that allowed users to obtain illegal drugs. Silk Road used Bitcoin and, being on the dark web, was able to remain undetected or face government regulations.

Silk Road enabled over 1 million transactions over a couple of years, but in October 2013, after international appeal and long-term investigation followed by infiltration, it was finally taken down.

The fact the site was operational for almost 3 years is owed to the anonymity of the dark web, where, it appears, you can say what you want and do what you want. The nature of its privacy and the restricted control of authorities over user behaviour makes it a safe space to speak out, increasing its popularity amongst civil liberties groups and activists that seek to shield their identity. Many journalists, aid workers and whistleblowers use it as a platform for free speech; communities form within the dark web, outside of its criminal activity networks. For people living in countries that deny them the right of free speech, the dark web is a platform that offers exactly that, with the security of knowing that they cannot be easily traced.

Law enforcement is able to infiltrate the dark web, however, as shown in the case of Silk Road. Authorities can often source the cause of security breaches or cyber fraud by conducting long-term investigations into the dark web, meaning that despite its anonymity, it is only a matter of time before online criminals are brought to justice. Other organisations, such as media companies, might also use it to browse for whistleblower activity for news stories.

This ‘dark’ side of the internet is a double-sided coin, enabling both positive and negative online activity, most of which would not be permitted on the parts of the internet the majority of us know.

The average person will likely face fewer sophisticated threats than, say, a senior politician, activist, or CEO. High-profile figures may be targeted with phishing emails that are looking to steal secrets from corporate networks or initiate the transfer of large sums of money. You, your friends, and your family will likely face different threats from people you know seeking revenge or, more likely, crime groups using automated tools to scoop up credentials en masse.

We all like to think we’re not susceptible to social engineering or other kinds of cyber attacks, but the truth is that even intelligent, self-aware people get caught up in online scams that can have very damaging consequences, financially or socially. Even if you think you know what you are doing, you can still be a victim – I was!

Understanding the threats is key. Everyone has their own threat model that includes things that matter most to them – what is important to you may not be equally important to someone else. But there is a value to everything you do online, from Facebook and Netflix to online banking and shopping. If one of your accounts is compromised, stolen login information or financial details can be used across the web. It is that sort of scenario that lets people order takeaways through compromised accounts.

While Facebook, Twitter, Instagram, and other social networks are less likely to contain your credit card details, there are other types of risk. Hacked social media accounts can be used to post compromising messages that could embarrass or defame somebody, be used for harassment, or to build up a picture of who you are and everyone you know.

Discovering if you have been hacked can be a rather complicated task. You could wait to have it proven by losing control of your precious accounts, but like anything, it is better to be proactive and stop it from happening in the future. If you think you have been hacked, here is where to start and what you can do next.

Have I been hacked? Spot unusual behaviour

The clearest sign that you have been hacked is when something has changed. You might not be able to access your Google account using your regular username and password, or there may have been a suspicious purchase charged to one of your bank accounts. These are fairly obvious indications that you’ve been compromised in some way—and hopefully banks will detect any suspicious payments before things spiral too far.

However, before any of your accounts are compromised, there may be warning signs. The account that someone is trying to break into may warn you about unusual attempts to log in. For instance, Facebook and Google will send notifications and emails alerting you to attempts to access your account. This will usually be if someone has tried to get in and failed, but alerts can also be sent when someone has successfully signed in from an unfamiliar location.

There is barely a day that goes by without some company, app, or website suffering a data breach — from Adobe to Dungeons and Dragons. These breaches can include phone numbers, passwords, credit card details, and other personal information that would let criminals steal your identity, among other threats. Companies should be quick to tell you if they have been compromised but using a breach notification service can also give you a heads-up. Haveibeenpwned and F-Secure’s identity checker will tell you about old data breaches but can also alert you to new cases where your details are swept up in compromised accounts.

Take back control

Once you know your account has been hacked, that is when the hard work begins. Regaining control of an account may not be straightforward—depending on who has access to it—and there’s a good chance it will involve a lot of admin: anything from telling everyone you know that your email has been compromised to dealing with law enforcement.

First of all, you should get in touch with the company that owns your account. Every firm will have their own policies, procedures, and recovery steps when it comes to compromised accounts. These can easily be found through an online search. (Some popular sites’ compromised account tools: Facebook; Google; Netflix).

When recovering a compromised online account, you’re likely to go through different steps depending on whether you can still access it or not. If you can access the account, companies will often ask how it was compromised and provide suggestions on steps to take.

If you can’t access it, you will likely be asked to provide more information about how the account was used (previous passwords, email addresses, security questions, and more). If a person or a group claims to have accessed your account and messaged you about it, don’t click on any links they send, as these may be false claims and further attempts to access personal information.

Account recovery through the company where you have been hacked is the first step in taking back control. You should make sure that all apps and software you use (on phone and desktop) are up-to-date. What other action you take is specific to what was compromised. For instance, if you can get back into a hacked email account, it is worth checking the settings to make sure they have not been manipulated. A setting to automatically forward all your emails to another account may have been turned on, for example.

You should change the password of the compromised account and any other accounts that use the same password (more on that later) and get in touch with anyone who may have been impacted by the hack. For instance, if messages have been sent from your Instagram account or you’re forced to create a brand-new social media account, you may need to let friends and family know the details of the new account or explain what the random messages were about.

If appropriate, you can also report hacking to law enforcement bodies. Cases of harassment can be reported to the police.

Secure everything

The best way to reduce your chances of being hacked is to limit your personal attack surface. The better your online hygiene is to begin with, the less chance you have of being compromised. (Although some attacks will always happen; particularly those from sophisticated actors who are going after specific targets).

Information on you is key to a successful attack, so minimising your available private data online should push the attacker onto the next, less fortunate victim. If your accounts have been compromised once and are being attacked by an organised group, there is a greater chance you may be targeted again.

When you are thinking about your online presence, you should take into account how much information you’re proactively putting out there. What I tell people is, Google yourself, lock yourself down, make it harder to access information about you. When you post your photos to Instagram, or you make posts to Facebook, or you tweet something about your location, people can take that content and information, put it into another context and, suddenly, you have been done. What people can really give away about you is the information that you have already given away about yourself.

Practically, there is a lot that can be done to shore up online accounts. Everyone should be using a password manager to create and hold unique, strong passwords. Nobody should be using the same password across multiple websites, even if you perceive your risk of being hacked to be low.

If you have been hacked on one account, this should be the motivation you need to check the other online accounts you use: Update passwords and check security settings. When updating accounts, you should also attempt to use complex security questions where possible. The answers should be something that only you know.

While you are in the mindset of updating passwords across your accounts, also take some time to consider the old zombie accounts you no longer use. What information is stored in that old Hotmail account you never use?

As well as a password manager, multifactor authentication (MFA) should be turned on for as many sites and services as possible. This is one of the most effective ways to secure your accounts from hackers. The most common type of MFA is two-factor authentication (2FA), where another piece of information, on top of your password, is required to log in to a service. Most commonly this is delivered via an SMS message, authenticator app, or physical security key. View a list of websites and apps supporting 2FA.

For people with the highest threat levels, there are a number of extra steps that can be taken. To increase online privacy and anonymity you can use a VPN, Tor, or Google’s Advanced Protection program.

If you have been a victim of cybercrime or online fraud please report it to Action Fraud.