Cybersecurity - PaymentsJournal
https://www.paymentsjournal.com/category/cybersecurity/
Payments Content, Expert Insights and Timely News

Japan Assembles Task Force to Assess AI’s Financial Services Risks
https://www.paymentsjournal.com/japan-assembles-task-force-to-assess-ais-financial-services-risks/
Mon, 27 Apr 2026 16:54:38 +0000


Anthropic sparked alarm after announcing that its Mythos model had uncovered widespread vulnerabilities across the financial sector, prompting Japan to launch a consortium to address what officials describe as “a crisis already at hand.”

Earlier this month, Anthropic said a preview of Mythos identified thousands of critical vulnerabilities spanning all major operating systems and web browsers in financial services.

In the wrong hands, a model like Mythos could exploit previously unknown weaknesses faster than organizations can patch them, potentially triggering severe global consequences.

“AI risks and Quantum Day concerns have put cyber teams on high alert, as the acceleration of both AI and quantum computing poses yet-to-be-identified cyber threats to existing structural architectures based on cloud models and encryption algorithms designed to protect sensitive data,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research.

“Mythos has uncovered vulnerabilities that have not yet—to our knowledge—been exploited,” she said. “But all these warnings fall under the basic cybersecurity adage, it’s not a question of ‘if’ but ‘when.’”

Restricted Release

Concerns escalated after Anthropic stated that Mythos is too dangerous for broad release. The company has made the model available only to the U.S. government and a select group of American organizations, a decision that has raised concerns the technology could become a form of geopolitical leverage.

There is also growing anxiety that a leak or cyberattack could place Mythos’s capabilities in the hands of malicious actors. These fears intensified after Anthropic disclosed that its next-generation Capybara models were leaked due to human error.

Proactive and Self-Governing

In response, Japan is forming a task force that will include the Financial Services Agency, the Bank of Japan, the National Cybersecurity Office, the country’s three largest banks, and the Japan Exchange Group.

Officials say urgent action is needed because the financial sector’s high level of interconnectedness and reliance on real-time systems amplifies systemic risk. Another concern is that many banks continue to rely on legacy infrastructure, leaving them especially vulnerable and unlikely to modernize until it is too late.

“Sadly, the financial services infrastructure—for as sophisticated as it is—relies on not only antiquated architecture and systems but also antiquated ways of addressing risk,” Goldberg said. “Banks cannot wait for regulators and auditors to tell them what to do. They need to be proactive and self-governing. But, sadly, we’re likely to see something catastrophic before any banks start to take AI cyber risks and Quantum Day predictions seriously.”

Cybersecurity Must Evolve as Frontier AI Fuels New Fraud Risks
https://www.paymentsjournal.com/better-cybersecurity-tools-are-required-to-battle-frontier-ai-threats/
Thu, 16 Apr 2026 13:00:00 +0000


Organizations have begun to cede ground in the fight against AI-driven fraud, in part because bad actors have the freedom to experiment with and deploy artificial intelligence without the regulatory or organizational constraints that govern legitimate institutions.

This allows cybercriminals to rapidly adopt frontier AI—cutting-edge models that stretch the technology’s capabilities in areas such as reasoning and coding. These emerging systems are not only more powerful, but they can also significantly reduce the time, expense, and skill required to perpetrate sophisticated fraud campaigns.

IBM recently highlighted this trend with the launch of an enhanced set of cybersecurity capabilities. As cybercriminal operations increasingly rely on autonomous agents, the company noted that fraud defenses must adopt a similar playbook.

To this end, IBM will launch two cybersecurity tools. The first is an assessment solution designed to evaluate an organization’s defenses for vulnerabilities to agentic threats and other security gaps. The second is an agentic service that deploys multiple AI agents to automate fraud detection, enforce organizational policies, and address any cybersecurity deficiencies.

A Pressing Need

Unfortunately, there is a pressing need for stronger fraud defenses. The FBI’s annual Internet Crime Report found that both fraud losses and complaints reached all-time highs last year. For the first time, the bureau also measured the impact of artificial intelligence on fraud, finding that AI-related threats accounted for 22,364 complaints and nearly $893 million in losses.

Equally concerning, data from the Association of Certified Fraud Examiners and SAS indicates that bad actors are increasing their use of AI across nearly every stage of their operations. In particular, the study found that AI’s ability to generate highly convincing images, audio, and video has contributed to a rise in deepfake scams.

Devastating if Weaponized

More concerning still, the ACFE/SAS report suggests that some bad actors are already experimenting with quantum-enhanced AI. Quantum computing represents a significant leap beyond conventional systems, and integrating AI with quantum architectures could hypothetically make these models far more efficient. While this evolution could transform many industries for the better, it could also be highly destructive if weaponized.

For example, Google researchers have conducted quantum computing experiments suggesting that more advanced systems could potentially break widely used cryptographic methods underlying cryptocurrency security—systems long considered rock solid—far more quickly than previously estimated.

If quantum computing can compromise digital asset safeguards, it could pose serious risks to the broader financial services industry.

“We’re close to where quantum computing is going to break encryption,” Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, told PaymentsJournal. “This goes back to the whole risk that we see with the way we’re securing data today. Data is tokenized or encrypted; card numbers are tokenized as they’re transmitted as this is a requirement for PCI compliance.”

“If quantum computing is able to break that encryption, then we’re ultimately sending card data in the clear and it’s setting us back 20 years,” she said. “Tokenization will mean nothing.”

Finding Inventive Implementations

These trends carry significant implications for the financial services sector, where banks and credit unions operate under strict regulation and a strong mandate to protect customers. As a result, many institutions have been cautious about adopting new technologies that could introduce additional risk.

While this caution is understandable, resistance to technological innovation has also created cybersecurity gaps. Addressing these vulnerabilities will require not only greater adoption of emerging technologies, but also a fundamental rethinking of cybersecurity strategies across the industry.

“Bad actors can adopt those technologies quickly, and they’re incredibly creative,” said Suzanne Sando, Lead Fraud Management Analyst at Javelin Strategy & Research, in a recent PaymentsJournal podcast. “I don’t want to give them applause for that, but they’re incredibly inventive in the way that they take risks to use new technology. It’s difficult for FIs to keep pace when it comes to the adoption of any innovation.”

“It’s no surprise that AI is a problem for criminal manipulation,” she said. “But we also know that it’s a huge asset for financial services that they could make great use of in terms of automating certain aspects of the customer experience. Or even the employee experience, for things that maybe used to be a manual review of transactions, or typical tasks that were completed during fraud investigations.”

As Open Banking Fuels Interconnectivity, Privacy Matters More
https://www.paymentsjournal.com/as-open-banking-fuels-interconnectivity-privacy-matters-more/
Wed, 08 Apr 2026 13:00:00 +0000


More emails about privacy practices and data disclosures are landing in consumers’ inboxes. As users’ digital footprints expand, these messages seem to come from every direction—big-box retailers, healthcare providers, financial services firms, and even streaming services.

While these emails may feel like a rote legal exercise to some—or an unwelcome intrusion to others—the growing emphasis on protecting personal data is a positive trend. These notifications not only provide greater transparency but also serve as an opportunity to build trust with consumers who are increasingly concerned about how their data is collected and shared.

Despite improvements in messaging, there are still many areas where privacy processes can be optimized.

For example, the emergence of open banking has introduced a web of intricate relationships between banks and third-party providers. As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, examined in the Data Transparency in the Age of Cyber and Privacy Risk report, this complexity—combined with escalating cyber threats—has made delivering clear, effective privacy disclosures both more difficult and more essential.

A Hot Topic

Historically, privacy disclosures were often treated as an afterthought, buried within layers of website navigation. Even when customers managed to find them, they were frequently confronted with dense, jargon-heavy documents that were difficult to understand.

“It’s been nice to see that as we have done our Cyber Trust in Banking evaluations over the course of the last three to four years, that financial institutions are making it much easier for consumers to find privacy disclosures on their website,” Goldberg said. “In some cases, financial institutions are even breaking out privacy disclosures for senior citizens, for children, and for those who fall within the working-age consumer category.”

Along with this personalized touch, institutions should prioritize clarity and accessibility, ensuring disclosures are easy to find and written in plain language. In addition, privacy documentation should be updated regularly—at least on a quarterly basis. Many consumers seek out these materials to confirm that their financial institution has adequate data protections in place. Outdated policies can quickly erode that confidence.

When significant policy changes occur, customers should be notified as soon as possible. However, even in the absence of major updates, periodic privacy notices remain valuable. These communications act as important touchpoints, reinforcing that customer data is both protected and prioritized.

Ultimately, the goal of these privacy best practices is to foster trust—a challenge that continues to grow amid persistent concerns around the economy, fraud, and evolving technologies.

“We’re finding that consumers are actually reading privacy disclosures,” Goldberg said. “A lot of that has to do with the fact that privacy is such a hot issue for consumers, especially in this age of AI. Consumers have concerns about their data being everywhere and they’re starting to pay attention.”

“Making it easy for consumers to find those disclosures—and this would apply to any business, but financial institutions in particular—is important because consumers want to know that their data is secure,” she said. “They want to know their privacy is being respected.”

Linked by Choice

While financial institutions are doing a better job of managing their own privacy policies, the increasing role of fintechs in the digital banking ecosystem has rapidly muddied the waters.

For example, customers attempting to understand how their personal data is shared with third-party partners often encounter a labyrinthine task that rivals the privacy practices of the past. In many cases, opting out of data sharing is just as cumbersome, despite being a feature that should be straightforward and accessible.

On the other hand, placing all third-party relationships front and center in a website or app risks overwhelming users with too much information.

“There are so many places where your data is linked,” Goldberg said. “Sometimes it’s by consumer choice—I choose to link my bank account to my Venmo account, that’s a choice I’ve made. I choose to link my bank account to some of the retailers that I use. When I log into online banking, I’m going to see all of those connections, and for some consumers, that may be overwhelming.”

“It’s a fine line,” she said. “Part of it goes back to knowing your customer and knowing what your customer can handle. Some of the options that you provide to one customer may not be the same as the options you provide to another. That’s where it gets a little bit difficult for financial institutions because it’s not a one-size-fits-all approach.”

Thinking Ahead to Open Banking

Although the proliferation of fintech companies has made privacy documentation more complex, these providers are an integral part of the predominant open banking model. This trend is unlikely to reverse, as consumers increasingly expect the convenience and functionality fintechs enable. Moreover, the competitive nature of financial services demands strong technological infrastructure—something many banks can’t build independently.

The benefits of open banking have prompted many regions to develop regulatory frameworks to support it. In the United States, however, a more market-driven approach has created challenges for financial institutions seeking to define their privacy and security strategies.

Most notably, uncertainty remains around the final implementation of Section 1033—the open banking rules finalized by the U.S. Consumer Financial Protection Bureau—which continues to leave key questions unanswered.

“Financial institutions don’t have a lot of guidance to go on,” Goldberg said. “They need to be thinking ahead because we know open banking is here. It makes life easier for the consumer; it’s not something that we can just forget about. But we do also have to remember—from a financial institution perspective—that there are privacy considerations that have to be taken into account and transparency is key.”

Global Scam Reporting Platform Launches with OpenAI Support
https://www.paymentsjournal.com/global-scam-reporting-platform-launches-with-openai-support/
Fri, 13 Mar 2026 16:49:45 +0000


One of the main challenges in combating scams is defining them properly. Romance, investment, and impersonation scams can take many forms and arrive through a wide range of channels.

Another critical issue is communication. One financial institution may uncover and address a scam affecting one of its customers, but upon further examination, that incident may be just one part of a global campaign orchestrated by a fraud ring.

To address both challenges, the Global Anti-Scam Alliance (GASA) is launching scam.org, a platform that offers resources including scam education, reporting tools, prevention guidance, and victim support. The platform will be AI-powered through integration with OpenAI and has secured buy-in from many of the world’s leading cybersecurity firms.

“This is a meaningful partnership and highlights the great work GASA is doing,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “A relatively new entrant, GASA has made significant strides over the last 18 to 24 months to bring the global community together to address social-engineering risks.”

An Agnostic Threat

This industry-wide approach has become increasingly necessary as scams continue to spiral out of control. Recent data from BioCatch found respondents reported a 65% year-over-year increase in the total number of scams between 2024 and 2025. These scams are becoming agnostic, targeting industries, demographics, and platforms with equal ardor.

This threat would not be able to reach such scale without two factors: technology and organization. Criminals can now use AI to make their communications appear more legitimate, while the cloud model has enabled the rise of cybercrime-as-a-service operations.

For example, the Tycoon 2FA phishing toolkit was sold as a subscription service on social media. The toolkit was recently taken down, but not before playing an integral role in more than 100,000 breaches across a variety of organizations.

An Overarching Approach

Taking down Tycoon 2FA required a coordinated global effort between law enforcement, technology companies, and cybersecurity firms. A similarly broad approach will likely be required to quell the threat of scams.

Scam.org can play a key role by facilitating data-sharing and communication that will be critical to that fight. The platform will also give consumers a resource they can turn to at a time when many scam victims feel isolated and powerless. Ultimately, however, its success may depend on whether consumers are willing to report what happened to them.

“While the mobile app security features included in Scam.org are notable, consumers will still be expected to make decisions about what is suspicious and what is not,” Goldberg said. “Ultimately, helping consumers remove their mobile numbers from robocall lists and protect and remove their compromised PII on and from the dark web will be the only solution that stops SMS-based, smishing scams.”

Authorities and Tech Firms Team Up to Take Down Phishing Platform
https://www.paymentsjournal.com/authorities-and-tech-firms-team-up-to-take-down-phishing-platform/
Thu, 05 Mar 2026 19:30:00 +0000


One of the most prolific phishing-as-a-service toolkits of all time was not widely used to send consumers phony unpaid toll texts or urgent account alert emails. Instead, Tycoon 2FA was primarily leveraged to target paid accounts associated with organizations.

Although financial services and healthcare companies have typically been prime targets for fraud attempts, cybercriminals appeared to deploy Tycoon 2FA more arbitrarily. According to The Hacker News, the tens of millions of phishing messages created with the platform led to breaches at over 100,000 organizations across industries, including schools and hospitals.

The worldwide phishing threat spawned by the toolkit prompted a coalition of public and private entities to band together and take down the service. This alliance included Europol and other law enforcement agencies, Microsoft, cybersecurity firms, and Coinbase. This effort ultimately resulted in the takedown of the 330 domains that formed the criminal network’s infrastructure.

“International, coordinated efforts to take down organized cybercrime rings, cybercrime-as-a-service networks, and phishing-as-a-service networks—like this one—are necessary,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “But sadly, these takedowns only result in short-term gains, as new networks and models quickly step in to replace the ones taken down.”

Streamlining Cybercrimes

Prior to the disruption, a monthly subscription to Tycoon 2FA could be purchased on social media platforms like Telegram for roughly $350. In return, users gained access to a dashboard where they could create and monitor phishing campaigns, along with templates and tools designed to streamline cybercrime.

As with many phishing attacks, these tools were used to craft messages impersonating widely used services like Outlook, SharePoint, and Gmail. The goal was to capture sensitive data such as login credentials or multi-factor authentication codes. Once stolen, the information was often transmitted to criminals in near real time.

A Massive Issue on Multiple Fronts

One of the most alarming aspects of phishing-as-a-service platforms is how they simplify the process for novice bad actors and dramatically expand the reach of their campaigns. These services are also highly customizable. Microsoft attributed much of Tycoon 2FA’s success to its ability to convincingly mimic legitimate authentication processes.

Even more concerning, Tycoon 2FA subscribers were able to engage in ATO jumping. After compromising an account, criminals could send phishing messages from that email address, making them appear to come from a trusted user.

This means a single phishing message can quickly spiral into a major problem for organizations on multiple fronts.

“Law enforcement is caught in a perpetual state of reaction when it comes to fighting cybercrime,” Goldberg said. “From a global perspective, U.S. consumers and businesses, which are typically the primary cybercrime targets, pay the price. In the case of Tycoon 2FA, the vast majority of compromised targets were in the U.S., followed by the United Kingdom and Canada.”

The Fraud Epidemic Is Testing the Limits of Cybersecurity
https://www.paymentsjournal.com/the-fraud-epidemic-is-testing-the-limits-of-cybersecurity/
Fri, 06 Feb 2026 14:00:00 +0000


Many of the fraud threats facing organizations today are not new. However, the convergence of these threats—combined with ever-evolving technologies—has created a formidable challenge for cybersecurity teams.

This environment is calling some of the most fundamental security tools into question and threatens to permanently reshape the cybersecurity paradigm.

As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, detailed in the report 2026 Cybersecurity Trends, three main threats loom large: increasingly sophisticated infostealers, quantum computing that can decode encryption, and rising supply chain risks.

Removing Trust from the Chain

The supply chain is a critical channel for organizations, but it has also long been a point of vulnerability. This reality drove the adoption of controls such as Know Your Customer and anti-money laundering processes. Despite these safeguards, the current threat landscape is more perilous than ever.

“The threat landscape is growing—and exponentially—and the reason is because there’s more digital data,” Goldberg said. “Every third party that you work with, every organization that’s tethered in that supply chain has its own set of data, so you increase the exposure risk. Any third party that you’re working with, you’re only as secure as your weakest link.”

To address this risk, organizations must return to the fundamentals of a zero-trust approach. This requires assuming that no vendor, and no data, can be trusted until it is explicitly verified. While adopting this mindset is imperative, it also demands greater due diligence to ensure that vendors consistently adhere to rigorous security standards.

Compounding this challenge, cybercriminals now have access to increasingly sophisticated, AI-powered tools. As a result, organizations must monitor communications more closely to validate their authenticity. These steps are critical, but given the sheer scale and interconnected nature of supply chain risks, the most impactful solution would be an industry-wide effort.

“The email verification strategies like DMARC and DCAM are going to become increasingly important, because we’re going to have to constantly be re-verifying the authenticity of senders and recipients,” Goldberg said. “There’s no one solution or one answer, but we’re going to have to all be in agreement. Because whatever we decide, it’s going to have to be industry agnostic.”

Stymying the Infostealers

Infostealers represent another significant threat that requires a similarly holistic response. Infostealers are a form of malware capable of capturing large volumes of data from infected devices—including browsing activity, credentials, and even screenshots.

What makes infostealers particularly concerning is the speed at which they’re evolving. Many variants can now easily bypass security controls that were previously considered effective.

Consider the customer onboarding process at a financial institution. Customers are typically asked to create a username and password. If the customer is using Chrome, Google may suggest a strong password, one that meets length requirements, avoids personal information, and includes a mix of characters. This password is then stored in Google Password Manager.

“The challenge is that with these emerging infostealers, they’re able to go in and capture your browsing history,” Goldberg said. “Even if you are a savvy user and you’re going in and clearing that browsing history and you’re clearing the cache every time you open your browser—which I would argue no one is really doing—these infostealers are able to go in and capture screenshots.”

“Even if you cleared the cache, if they’ve captured a screenshot of what your browsing history was, they’re also able to capture autofill data,” she said. “Any of those passwords that have been autofilled, they’re able to capture that, so they’re circumventing everything.”

This convenience can introduce downstream risk. For example, when a financial institution detects suspicious card activity, it will usually close the compromised card and issue a replacement. Because many cards are stored in digital wallets, customers often receive a digital card immediately, with the card number automatically updating in their wallet before a physical card arrives.

If an infostealer has already compromised the credentials used to access that digital wallet, a criminal could gain immediate access to the new card number as well.

“A lot of banks don’t appreciate how sophisticated these infostealers are,” Goldberg said. “It comes back to the fact that we have to get away from usernames and passwords. The only thing I can think of at this point that’s going to help us get over the hump is something like YubiKey, which is that physical hard key token that you would have to have on your person when you login to the online banking or the mobile banking.”

“Ultimately, what we have to decide as an industry is how are we going to get beyond passwords,” she said. “Until then, we have to get to a place where we as an industry are reauthenticating those users on a more regular cadence. Maybe it has to even happen as often as once every two weeks. That’s going to be a huge shift for the industry, it’s going to require a massive overhaul in culture and in technology on the bank side, and I don’t think we’re there yet.”

Cracking Quantum Computing

While a complete move away from traditional usernames and passwords may not be imminent, continued advances in computing could eventually force a shift in authentication and encryption protocols. One of the most consequential developments is quantum computing, which applies the principles of quantum mechanics to solve highly complex problems.

Quantum computing holds tremendous potential across many domains, including cybersecurity. However, bad actors are also exploring ways to exploit its capabilities. For example, a recent study by a Google researcher found that quantum computers could crack a 2048-bit RSA encryption key, a common online data security standard, in less than a week.

“We’re close to where quantum computing is going to break encryption,” Goldberg said. “This goes back to the whole risk that we see with the way we’re securing data today. Data is tokenized or encrypted; card numbers are tokenized as they’re transmitted as this is a requirement for PCI compliance.”

“If quantum computing is able to break that encryption, then we’re ultimately sending card data in the clear and it’s setting us back 20 years,” she said. “Tokenization will mean nothing.”

This is not the first time that expanding technologies have prompted a change in encryption methods. A decade ago, Triple DES was the encryption standard, but as criminals’ capabilities increased, vulnerabilities in the format were exposed.

This caused organizations to shift to the more robust Advanced Encryption Standard (AES). Unfortunately, a similar scenario may be playing out with AES.

“We have to start thinking ahead to how we are going to secure data, and maybe it means we hold less data,” Goldberg said. “It could go back to where consumers are having to input data all the time. It’s a challenge because the data is out there; the data’s not going away. We’re just adding more to the digital footprints.”

“Maybe that’s going to require us to take a step back,” she said. “Maybe that’s going to require us to manage the digital data in a different way and maybe it’s a combination of things where we continue to rely on digital data, but it has to be coupled or partnered with something that’s more tangible and physical.”

To Track Down Stolen Data, Dark Web Threat Intelligence Is Key https://www.paymentsjournal.com/to-track-down-stolen-data-dark-web-threat-intelligence-is-key/ Tue, 30 Dec 2025 14:00:00 +0000 https://www.paymentsjournal.com/?p=519356

In just two months of investigation, a form of malware known as Lumma Stealer was found on nearly 400,000 computers. This infostealer, which pilfers personal credentials like passwords, credit card numbers, bank account information, and cryptocurrency wallet logins, was ultimately shut down through a joint effort by Microsoft and law enforcement agencies.

However, the damage from Lumma has likely already been done. The infostealer has been around for years and remains popular with cybercriminals due to its efficiency and effectiveness. Even more concerning, new variants of this malware, and others like it, are constantly emerging.

Since most stolen credentials end up for sale on the dark web, it has become critical for organizations to integrate tools that can detect and protect against compromised data.

As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, outlined in the report, Dark Web Threat Intel: Critical Pillar of Modern Cybersecurity, adopting these tools is just the first step that organizations must take to protect their operations from the growing infostealer threat.

Bundling Personal Info

A malware variation known as a digital skimmer is often used in e-commerce applications to capture payment card data during checkout. By contrast, infostealers can capture all available browsing data related to a purchase.

This breadth of access makes infostealers a particularly pernicious threat, as they can collect far more data at a much wider scale.

“Let’s say that you have session history,” Goldberg said. “If you don’t go and clear out your browsing data—which I don’t think most of us do on a regular basis—these infostealers can steal your cookies. Some of them can even steal your autofill data. Once they get access to that browsing history, they compromise all kinds of accounts.”

“Stealing your digital wallet and credit card data is just scratching the surface, and some of these emerging infostealers even have the capability to capture screenshots,” she said. “Even if you were to go in and clear the browsing history at some point, once that infostealer has infiltrated you and captures screenshots—unless you go in and change passwords that were captured in that browsing data—they’ve got your information.”

Because of these capabilities, analysts estimate that infostealers have enabled the theft of billions of personal credentials. The data they collect is easily aggregated by bad actors and frequently auctioned on the dark web.

While individual data elements are sometimes sold piecemeal, a disturbing trend has emerged in which complete bundles of personal data are sold together.

“What makes infostealers so attractive to cybercriminals is that they can package data,” Goldberg said. “They could package your date of birth, your commonly used passwords, your username, as well as your credit card data and your Social Security number. All of that could be packaged and sold so that it’s easy to take over your identity or to use bits of your information to create a synthetic identity.”

Reducing Password Dependency

To defend their customers, financial institutions must take a multi-pronged approach. One of the most important ways to neutralize the threat from malware designed to steal credentials is to reduce the use of these credentials.

“We have to get away from usernames and passwords,” Goldberg said. “The less consumers are asked to do to authenticate themselves, the better off we’re going to be. The more back-end analytics that can be used to authenticate an individual or a device, the safer we’re going to be—because humans are always going to be the weakest link.”

The vulnerability of the end user is one of the reasons why phishing attacks have become so prevalent in recent years. Bad actors can now leverage sophisticated technologies to craft messages that appear to originate from legitimate sources. For example, many consumers recently received phony texts regarding unpaid tolls that purported to be from government agencies.

Criminals will couple these convincing communications with social engineering techniques, where they pressure the user to take urgent action. These tactics—phishing and social engineering techniques—are the foundation of many fraud attacks, and infostealers are no exception.

Because these attacks have become increasingly effective, it’s imperative to move away from the traditional username/password paradigm. However, the widespread reliance on login credentials makes this shift unlikely to happen in the near future.

“The big takeaway for banks and credit unions is that we have to start looking ahead to building a bridge that’s going to carry us from where we are today with usernames and passwords into the future where we don’t have usernames and passwords,” Goldberg said. “That’s going to mean multifactor authentication. It’s going to mean behavioral biometrics and analytics that are used to complement usernames and passwords.”

“Eventually, we get to the point where we can just get rid of usernames and passwords altogether,” she said. “Another gap-filling measure is to ensure that passwords are strong and that you’re requiring your customers and members to change passwords on a fairly regular basis—at least every 90 days.”

Dark Web Intelligence

In addition to shoring up authentication methods, financial institutions must take steps to uncover what data may have already been compromised. This requires leveraging dark web threat intelligence platforms, which constantly monitor the dark web for any information related to an institution’s customers or members.

“Let’s say that they have Bank of America as a client,” Goldberg said. “The dark web threat intel provider then will go out and scour the dark web—or even the open web, social media posts and those types of things—to see if there’s anything that’s linked to Bank of America.”

“Oftentimes, Bank of America as a client will also provide the dark web provider with any kind of data that might help them pick up on accounts that may have been compromised,” she said. “Then, the dark web threat intel providers try to prevent that data from being exposed in the first place.”

A proactive feature of many dark web threat intel platforms is the deployment of analysts who infiltrate the dark web while posing as cybercriminals. These analysts monitor threat actor communications to detect emerging threats or breaches.

In some cases, they can even repurchase stolen data on the dark web and return the compromised credentials or information to the client before further damage occurs.

Getting Off the Fence

As fraud losses and systems impacts worsen, more organizations have become aware of the damaging potential of malware. However, the added impacts of infostealers mean that financial institutions must implement strong defenses now.

“One of the big takeaways is that there are still some organizations out there that have been a bit on the fence about how relevant dark web threat intel is,” Goldberg said. “These infostealers aren’t new, they’ve been around for a while. But they continue to evolve, and we continue to see new and more powerful strains of them.”

“If you weren’t convinced before, you should be convinced now that dark web threat intel is critical, because it helps you get to a position of being more proactive and predictive with cybersecurity, versus being in this reactive mode once the fraud already takes place,” she said.

Google’s Latest Weapon in the Fight Against Fraud: Litigation https://www.paymentsjournal.com/googles-latest-weapon-in-the-fight-against-fraud-litigation/ Wed, 12 Nov 2025 17:10:03 +0000 https://www.paymentsjournal.com/?p=516269

In a bid to curb an escalating wave of phishing and financial fraud, Google has filed a lawsuit against a group of cybercriminals allegedly behind large-scale credential theft campaigns.

These threat actors, known as the Smishing Triad, use a phishing-as-a-service toolkit called Lighthouse to develop and deploy convincing text-message scams. These fraudulent texts contain malicious links to phony websites designed to pilfer victims’ personal and financial data. Like many phishing attacks, they often pose as urgent notifications from legitimate organizations like E-ZPass, the U.S. Postal Service, or Google.

According to Google, the Smishing Triad’s operations have compromised between 12.7 million and 115 million credit cards in the U.S. alone, with victims spanning 120 countries.

Segmenting Fraud Operations

One of the most troubling aspects of modern cybercriminal organizations is how organized and widespread they have become. Investigators, for example, found that the Smishing Triad had roughly 2,500 members active on the Telegram social media platform, where they both recruited new participants and shared instructions on how to operate Lighthouse.

The group had also divided its operations into specialized teams. Researchers uncovered a data broker group responsible for supplying lists of potential victims and contacts, a spammer group tasked with sending text messages, and a theft group that coordinated the actual attacks.

Unfortunately, these kinds of organized cybercriminal syndicates are becoming increasingly common. Palo Alto Networks recently uncovered attacks by the Jingle Thief group, which uses phishing techniques to infiltrate gift card systems and issue cards for resale—particularly around the holidays.

The Demand for Action

Understandably, these threats have prompted action, but Google is the first company to take legal action. The tech giant has filed claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA).

While the immediate goal is to shut down the Smishing Triad and the Lighthouse platform, Google also hopes to deter copycat groups from treading a similar path. Regardless of the outcome, the lawsuit represents just one tool in the broader fight against fraud. Google has also called for tougher regulations to curb cybercrime and improve coordination across the industry.

Oracle Hack Likely Impacted Over 100 Companies https://www.paymentsjournal.com/oracle-hack-likely-impacted-over-100-companies/ Fri, 10 Oct 2025 16:58:53 +0000 https://www.paymentsjournal.com/?p=515194

A substantial amount of customer data was stolen in a hack of Oracle’s enterprise software suite, an incident that could have far-reaching ramifications.

According to Google, the breach was carried out by CL0P, a group of cybercriminals responsible for a string of high-profile ransomware attacks. These attacks often target third-party software providers with the goal of pilfering large volumes of corporate data.

The criminals targeted Oracle’s E-Business Suite of applications, which clients use to manage vital operations like logistics, supplier data, and customer information. Google believes that CL0P conducted extensive research into Oracle’s potential vulnerabilities and began extracting data from Oracle clients as early as three months ago.

Because the breach may have gone undetected for such an extended period, the full extent of the damage is still undetermined. Google analyst Austin Larsen told Reuters that “we are aware of dozens of victims, but we expect there are many more.” He noted that due to the scale of CL0P’s previous ransomware campaigns, there were likely more than 100 companies impacted by these attacks.

An Organizational Epidemic

Ransomware attacks have become a global epidemic, impacting organizations of every type and size. Recently, state governments in Nevada and Ohio have both experienced ransomware attacks that disrupted administrative systems and potentially compromised residents’ data.

In addition to public infrastructure, healthcare providers and financial institutions are common targets for ransomware because their systems store vast amounts of personal and sensitive data.

Frequent and Severe

Regardless of the sector, both the frequency and severity of ransomware attacks continue to increase. Data from Trustwave SpiderLabs shows that the percentage of reported ransomware attacks involving U.S. organizations saw a substantial uptick last year—from 51% in 2023 to 65% in 2024.

Several factors contribute to this surge. One is the rise of new technologies such as artificial intelligence, which has supercharged the sophistication and speed of fraud and cyberattacks.

Another is the growing presence of organized groups of bad actors such as CL0P, which can carry out large-scale attacks with precision. While these groups may initially focus on stealing protected data, their ultimate goal is financial gain. Many of Oracle’s clients have reported receiving extortion demands from CL0P, with ransom requests reaching into the millions for the return of stolen company data.

Uncovering the Cybersecurity Threats Wealth Management Clients Face https://www.paymentsjournal.com/uncovering-the-cybersecurity-threats-wealth-management-clients-face/ Tue, 30 Sep 2025 13:00:00 +0000 https://www.paymentsjournal.com/?p=513218

Fraud has surged as cybercriminals have developed new technologies and tactics. Wealth management clients have become prime targets—in large part because they have more to lose. Even though high-net-worth individuals may be at higher risk from fraud, they also have a powerful resource to help protect them: their financial advisor.  

As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, detailed in The Understated Cyber Vulnerabilities of Wealth Management Clients report, wealth managers must consider particular variables when developing strategies to safeguard their clients. Creating these defenses is critical for financial advisors, not just to protect clients but also to build relationships that can span generations.

Considering the Whole Household

The fraud landscape has shifted dramatically in recent years amid the emergence of technologies like artificial intelligence. AI-powered tools have made it harder to discern fraud attempts from legitimate communications, and bad actors increasingly utilize phishing attacks that impersonate major companies like Amazon or PayPal.

Along with more convincing messages, cybercriminals can glean more data about their targets from the internet because individuals often post detailed information about themselves online. Armed with this knowledge, bad actors can send timely and crafted messages to potential victims, such as emails or texts purporting to be from a friend or relative.

What’s more, it is often not simply the wealth management client who is the target. Increasingly, cybercriminals are casting a net wide enough to include their families.

“One thing that stands out about wealth management clients from our survey that I think is surprising is that among the majority of wealth advisors that we surveyed, most of their clients have children under the age of 18 living in their house,” Goldberg said. “That raised a big flag for us, because we know from separate research that we do at Javelin that households that have children under the age of 18—by default—are at greater risk of being targeted by a social engineering attack, such as a scam.”

Social engineering techniques, whereby bad actors manipulate their targets to goad them into compliance, have become a fixture of fraud attacks across the board. However, children can be especially vulnerable because they are typically more comfortable with interacting online and sharing personal data.

Children are also more likely to be present on social media platforms like YouTube or Instagram and be active in online gaming communities like Fortnite.

“It’s just simply that children are more likely to be targeted,” Goldberg said. “Children post a lot about themselves on social media. They’re more likely to interact with people they don’t know in real life. The prevalence and the use of online gaming platforms put them at risk. And if you have a child in the house who has been victimized, you’re more likely to have another adult or even child in the house victimized.”

In addition to children, wealth managers should consider that seniors are a top target for cybercriminals. Many elderly adults use social media and e-commerce platforms but may not be as equipped to identify threats or resist social engineering tactics as younger adults are.

Because more adults are caring for elderly parents or relatives, wealth managers must consider their clients’ whole households.

Protecting Identities and Accounts

Although wealth management clients may not face threats that are significantly different from those being deployed against consumers generally, they have an extra layer of protection in their financial advisor.

However, cybersecurity has sometimes been a blind spot for family offices. Many advisors may have developed robust strategies to protect their clients from medical or property emergencies without considering that a cyberattack can be just as damaging.

“This offers a unique opportunity for wealth advisors to build on the long-term relationships that they already have with their clients and to be there as a resource to provide their clients with guidance about cybersecurity best practices,” Goldberg said. “How can they protect themselves if they feel that they could be victimized by a scam? Most importantly, if they are victimized by a scam, knowing that they could turn to their wealth advisor for help.”

One of the most important steps wealth managers can take is to stay on top of fraud trends and educate their clients accordingly. Bad actors are constantly shifting their techniques to find vulnerabilities they can exploit. Additionally, financial advisors should detail the actions clients should take if they feel they have been compromised.

Beyond education, an ever-growing array of software tools can help wealth managers keep their clients’ data safe.

“One of the things that we highly recommend in the report is that wealth advisors offer white-labeled identity theft protection services to their clients,” Goldberg said. “This would be the wealth advisor partnering with a company that offers identity theft protection and then taking that identity theft protection and packaging it and white-labeling it.

“It’s putting your brand on it, but then selling it at a discounted rate or maybe even offering it free of charge to your high-wealth or high-value clients, because when their identities are protected, their accounts are protected. It just helps to reduce the risk of fraud.”

Building Relationships Through Cybersecurity

Like all consumers, wealth management customers are increasingly concerned about the rising fraud threat, and many are unsure about how to protect themselves.

Providing cybersecurity education and developing a prevention plan can substantially strengthen the relationships between advisors and clients. Once this trust is established, it can create relationships that can last for generations.

“As we’re looking at generational wealth, the more that wealth advisors can do to shore up and reinforce that relationship with the clients they have today, the more likely they’re going to get the children of their clients today and the grandchildren to stay on as wealth advisory clients,” Goldberg said. “It is just about relationship building and maintenance through cybersecurity.”

Bad Actors Exploit Apple’s iCloud Calendar for Phishing Attempts https://www.paymentsjournal.com/bad-actors-exploit-apples-icloud-calendar-for-phishing-attempts/ Mon, 08 Sep 2025 17:07:55 +0000 https://www.paymentsjournal.com/?p=511499

As email fraud filters become more sophisticated, cybercriminals are turning to Apple’s iCloud to bypass safeguards and deliver phishing messages.

According to BleepingComputer, bad actors are sending fraudulent calendar invites that claim a victim’s PayPal account has been billed for hundreds of dollars and instruct them to review a purchase receipt.

The objective is to pressure the target into calling a fake customer service number to dispute the charge. Once on the phone, bad actors attempt to convince the victim to download software that grants criminals access to personal and financial data, while also creating a gateway to install malware.

Phishing Through Trusted Channels

This type of callback phishing scam is not new, and email filters are increasingly designed to weed out such messages. What makes the iCloud-based attacks particularly threatening is that they are sent from Apple’s legitimate website, giving them a much higher chance of reaching their intended audience.

In the example uncovered by BleepingComputer, the iCloud calendar invite was sent from a Microsoft 365 account controlled by the bad actors. Since the email originated from an Apple account and was then forwarded by a Microsoft account, it didn’t trigger any red flags. Similarly, these attacks have a greater chance of fooling their targets since they appear to come from legitimate sources.

Suspecting All Communications

Impersonating brands like Microsoft, Apple, Amazon, and PayPal has been a common practice for bad actors. While these attacks were originally easier to spot due to typos or grammatical irregularities, phishing attacks have become increasingly hard to discern.

They are also often coupled with social engineering tactics, where an individual is pressed with urgent language that demands immediate action. The combination of realistic messages and strongarm tactics is too often effective—especially against older consumers.

In addition to fabricated messages, there is a growing trend where cybercriminals exploit loopholes in organizations’ platforms for financial gain. For example, bad actors have sent phishing requests to users on PayPal’s legitimate platform, which appear disturbingly convincing.

As phishing messages become more sophisticated, users must suspect all unsolicited communications, especially those that request immediate action.

DDoS Attacks Increasingly Flood Financial Services Firms https://www.paymentsjournal.com/ddos-attacks-increasingly-flood-financial-services-firms/ Wed, 11 Jun 2025 16:40:33 +0000 https://www.paymentsjournal.com/?p=504667

Bad actors seeking to overwhelm organizations’ networks through distributed denial-of-service (DDoS) attacks have put the financial industry in their crosshairs.

Research from the Financial Services Information Sharing and Analysis Center (FS-ISAC) and cybersecurity firm Akamai found that DDoS attacks increased exponentially from 2014 to 2024, peaking in October with 350 recorded events. Due to the nature of these attacks, each incident involved thousands—or even millions—of malicious activities.

The financial industry was by far the most targeted sector in the study, and the frequency of DDoS attacks against it continues to rise. While these attacks often focus on organizations’ websites, there were also frequent DDoS attacks on APIs that facilitate aspects like logins and payments.

Multi-Dimensional Assaults

APIs are the connections that power modern banking infrastructure, allowing banks to work with partners to provide services ranging from credit scoring to peer-to-peer payments.

While these solutions have been game-changing for many financial institutions, the study also noted that the rapid adoption of APIs in financial services has expanded the potential attack surface for bad actors.

In many cases, DDoS attacks are mere nuisances that are easily defeated by financial institutions’ defenses. However, the most alarming finding in the study was not just the growing frequency of these attacks, but their increasing effectiveness.

“DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain,” said Teresa Walsh, FS-ISAC’s Chief Intelligence Officer and Managing Director, EMEA, in a prepared statement.

Outsourcing the Operation

Even though these attacks are becoming more complex, that doesn’t mean there are barriers to entry for bad actors. Overall, DDoS usage is increasing. This not only makes it easier for cybercriminals to outsource their operations, but it also makes it difficult to identify the perpetrators.

DDoS is a subset of the growing cybercrime-as-a-service model, where criminals provide illicit software or services to individuals or groups for financial gain. As these services offer sophistication at a wider scale, financial institutions will have to continually find new ways to defend themselves.

Why Cybersecurity Experts View AI Agents as a Double-Edged Sword https://www.paymentsjournal.com/why-cybersecurity-experts-view-ai-agents-as-a-double-edged-sword/ Fri, 30 May 2025 18:30:00 +0000 https://www.paymentsjournal.com/?p=503995

AI agents have featured in some of the most intriguing recent product launches, but cybersecurity experts have mixed feelings about the technology.

Data from SailPoint found that 96% of tech professionals view AI agents as a growing security threat. Yet, nearly all respondents indicated they plan to expand their use of agentic AI in the coming year.

The top concern voiced by respondents was the agents’ access to protected data, followed by the risk of unintended actions. The third-most reported concern was the possibility that an AI agent could share sensitive data without permission.

Data and Privacy

All these issues have been present in generative AI platforms, where models have frequently reached inaccurate or false conclusions. Due to the persistent black box issue, analysts are often unable to determine why AI made the wrong decision.

Additionally, privacy has been a constant concern for AI models that require vast amounts of data. While most of the well-established gen AI platforms—such as ChatGPT—are built to protect sensitive data, AI agents often require access to private information to carry out their tasks, including financial details.

In this light, a troubling finding from the SailPoint study was that just under a quarter of respondents reported their AI agents had been manipulated into divulging access credentials.

Furthermore, 80% of respondents said they had discovered their companies’ AI agents performing unintended actions, such as accessing systems without permission, disseminating protected data, and retrieving inappropriate content.

The Age of Agentic Commerce

Despite these concerns, the age of agentic commerce is advancing. Visa and Mastercard have unveiled platforms designed to transform AI agents into personal shoppers, enabling them to search for items and make purchases with minimal user interaction.

PayPal quickly followed these launches by partnering with Perplexity to integrate its payments directly in the AI platform’s chat.

Given the powerful potential of AI agents, many more initiatives are likely to emerge across multiple industries, including cybersecurity. However, organizations must constantly prioritize privacy and security in these initiatives.

This sentiment was echoed in the SailPoint study, where 92% of respondents stated that governing AI agents is essential to enterprise security.

One Month Later, Marks & Spencer Is Still Reeling from a Cyberattack https://www.paymentsjournal.com/one-month-later-marks-spencer-is-still-reeling-from-a-cyberattack/ Tue, 20 May 2025 18:02:48 +0000 https://www.paymentsjournal.com/?p=502759

The post One Month Later, Marks & Spencer Is Still Reeling from a Cyberattack appeared first on PaymentsJournal.

For over 140 years, Marks & Spencer (M&S) has been a fixture of Britain’s retail landscape, but the department store has faced sharp losses and operational issues following a devastating cyberattack.

Shortly after the April ransomware incident, M&S halted online and in-app orders—services the retailer has yet to restore. According to Reuters, Marks & Spencer hasn’t resumed its online operations out of an abundance of caution.

A group of hackers gained access to the store’s systems and threatened to shut down the company’s network if a ransom wasn’t paid. M&S refused to succumb to the threat actors’ demands and is now working to restore all its systems.

The attack is estimated to have cost Marks & Spencer $80 million, but the impacts could go beyond monetary losses. While M&S said it was surprised by customers’ willingness to shop in-store, store-sourced voices raised concerns that customers could eventually lose patience with the lack of digital options—potentially leading to reputational ramifications if the outage persists.

Aggressive, Creative, and Effective

The M&S attack was the handiwork of a loosely affiliated network of hackers known as Scattered Spider, which has carried out attacks around the globe. A smaller group within the network, called DragonForce, is behind the M&S hack as well as similar efforts against UK retailers Harrods and the Co-op.

Though British merchants have been the initial targets, Google recently warned that Scattered Spider could be just as likely to target their U.S. counterparts.

“US retailers should take note,” John Hultquist, Cybersecurity Analyst at Google, told The Independent. “These actors are aggressive, creative, and particularly effective at circumventing mature security programs.”

The Magnitude of These Attacks

Bad actors targeting large organizations is not a novel phenomenon, but the scale of damage is broadening. For example, crypto exchange Coinbase was recently hacked in an incident that could cost the company up to $400 million, after cybercriminals bribed Coinbase contractors to divulge protected customer data.

Similarly, the M&S breach derived from a contractor relationship. At least two logins used in the hack were linked to Tata Consulting Services, a company that provides IT and help desk services for the retailer.

The magnitude of these attacks will likely prompt many organizations to reevaluate their partnerships and reassess their security measures. However, as criminals become increasingly innovative, businesses will also need to find creative ways to defend themselves.

Year-Long Breach at U.S. OCC Exposed Thousands of Emails, Sensitive Data https://www.paymentsjournal.com/year-long-breach-at-u-s-occ-exposed-thousands-of-emails-sensitive-data/ Wed, 09 Apr 2025 17:15:10 +0000 https://www.paymentsjournal.com/?p=499135

The post Year-Long Breach at U.S. OCC Exposed Thousands of Emails, Sensitive Data appeared first on PaymentsJournal.

The U.S. Office of the Comptroller of the Currency (OCC) confirmed that a breach of its email systems in February was a significant incident that exposed highly sensitive information.

An independent bureau of the Treasury Department, the OCC monitors the activities of all U.S. banks, including federal savings associations and agencies of foreign banks. In addition to safeguarding trillions of dollars in assets, these institutions also hold substantial stockpiles of private data belonging to consumers and businesses.

According to Bloomberg, hackers gained access to the mailboxes of 103 OCC officials, including senior deputy comptrollers and international banking supervisors. The breach went undetected for over a year, until a Microsoft security team noticed unusual network behavior.

All told, the bad actors were able to access over 150,000 emails during the time they had access to the OCC’s systems. These communications included information about the condition of banks under federal oversight.

A Threat of National Proportions

According to a Bloomberg source, the cybercriminals were able to breach the OCC’s systems after hacking into an administrator’s account. It is unclear how the threat actors gained access, who they are, or what their motivations were.

However, it is clear that the emergence of new technologies has elevated cybercriminals to a threat of national security proportions. The U.S. National Security Administration (NSA) recently issued a cybersecurity advisory about fast flux—a tactic that allows bad actors to rapidly change the IP address associated with a domain name.

The NSA stated that because fast flux enables cybercriminals and nation-state actors to build command-and-control infrastructures that conceal nefarious activities, the technique poses a threat to national security.

Harm to Public Confidence

As fraud and scams have spiraled out of control, the extent of financial losses and data breaches has reached new heights. In addition to these losses, the constant barrage of fraud attacks could have even greater impacts—such as the loss of consumer confidence in critical aspects of the country’s essential infrastructure.

“The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence,” wrote Kristen Baldwin, Chief Information Officer at the OCC, in a draft letter to Congress.

NSA Warns Fast Flux Technique Makes Cybercriminals a National Security Threat https://www.paymentsjournal.com/nsa-warns-fast-flux-technique-makes-cybercriminals-a-national-security-threat/ Thu, 03 Apr 2025 17:51:52 +0000 https://www.paymentsjournal.com/?p=498817

The post NSA Warns Fast Flux Technique Makes Cybercriminals a National Security Threat appeared first on PaymentsJournal.

The United States National Security Administration (NSA) has issued a cybersecurity advisory about fast flux, a technique commonly used by cybercriminals to avoid detection.

Fast flux allows bad actors to rapidly change the IP address associated with a domain name. The NSA said that because fast flux allows cybercriminals and nation-state actors to create highly resilient and available command-and-control infrastructures that obfuscate their activities, it poses a threat to national security.

This infrastructure can be exploited to conduct espionage and hide other cyberattacks, like phishing campaigns and distributed denial-of-service (DDoS) attempts. For example, a group known as Gamaredon, which is believed to be linked to Russia, recently used fast flux to conceal spear-phishing attacks against Ukrainian organizations.

What is particularly concerning about this incident is that even though the group’s attacks have been described as “reckless and not particularly focused on stealth,” the threats have still managed to evade detection by leveraging techniques like fast flux.

Cyber Fusion Deployment

This is part of a growing trend where sophisticated technology is lowering the barriers to entry for criminals. Often, bad actors use phishing attacks to gain access to an organization’s systems, after which they can deploy various forms of malware.

As cybercriminals become more cunning and creative, organizations must adapt by expanding their cybersecurity strategies.

“The best defense for financial institutions, and any critical infrastructure industry, is to ensure that threat intel sharing is brought to the fore, through information sharing and analysis center (ISAC) participation and consortium efforts facilitated via private sector collaboration,” said Tracy Goldberg, Director of Fraud & Security at Javelin Strategy & Research.

“The DDoS attacks (waged against the U.S. by the Iranian government) of the mid-2010s took top-tier banking institutions offline,” she said. “It was only after strong intel sharing—facilitated by ISAC participation—around suspicious IP addresses and domains became commonplace that U.S. banks were able to successfully mitigate those attacks. A similar strategy is required here, heightening the need for more cyber-fusion deployment across the financial services sector.”

Infostealers: The Latest Cyberthreat Facing Financial Institutions https://www.paymentsjournal.com/infostealers-the-latest-cyberthreat-facing-financial-institutions/ Mon, 31 Mar 2025 13:00:00 +0000 https://www.paymentsjournal.com/?p=498237

The post Infostealers: The Latest Cyberthreat Facing Financial Institutions appeared first on PaymentsJournal.

Last year, a breach of cloud storage company Snowflake resulted in data stolen from more than 150 companies, with more than $2 million extorted from victims. The attack was carried out by an infostealer, a type of malware that didn’t directly infiltrate Snowflake but instead entered through a client with weak security measures. The growing market for financial data stolen by hackers has made these attacks an escalating threat to financial institutions worldwide.

In a PaymentsJournal podcast, Mike Kosak, Senior Principal Intelligence Analyst at LastPass, and Jennifer Pitt, Senior Analyst in Fraud and Security at Javelin Strategy & Research, looked at the threat that infostealers currently pose to banks. They discussed how infostealers present risks even to third-party vendors, and how organizations can stay one step ahead in protecting their sensitive information.

What Are Infostealers?

Infostealers are a specific type of malware that collects critical information from victims’ computer systems. They primarily target browser-based data, such as credentials, session tokens, and details about software that can be extracted from the operating system and sold to malicious brokers.

Infostealers are generally small, lightweight programs built for speed. They’re designed to execute quickly and then delete themselves. This rapid execution is a key reason why infostealers are so difficult to detect. In 54% of the cases that security service SpyCloud examined, the victim had an active antivirus program running on their system.

Infostealers are typically sold by initial access brokers, a subset of the cybercriminal ecosystem focused on gaining entry to systems. This initial access allows other, more specialized groups to take action using the stolen information, including ransomware operations and nation-state threat actors. These brokers are agnostic to the buyer, willing to sell the data to anyone.

FIs Are Especially Vulnerable

Infostealers often target financial institutions, not just because they hold the money, but because they can scrape passwords from customers’ browsers, which frequently include login credentials for financial institutions. This tactic is a way to circumvent many of the fraud and account takeover prevention measures that FIs have in place.

Customers at financial institutions often reuse passwords across multiple accounts, including those at different banks. Many of these financial accounts are linked to other services like email or social media, with the same passwords being used. These reused credentials are especially valuable to infostealers.

These kinds of attacks are not limited to customers; employees have also fallen victim. If multi-factor authentication is not enforced for employees, they often use weak, short passwords or reuse them across multiple systems. Some employees continue to access personal accounts or use personal devices at work.

In recent months, major browsers have implemented strong mitigations, but larger infostealers have been quick to figure out workarounds.

“They’re constantly evolving,” said Kosak. “It’s a very effective marketplace and a very effective tool. It’s cost effective and it works. That keeps bringing on more of these threat actors, both people who are trying to make money on the initial access broker sites and the developers themselves.”

Infostealers are also targeting session tokens, which can be used to circumvent credentials if the right protections aren’t in place. If criminals get the data fresh enough, most of it ends up available for sale within a day of the time that it’s stolen.

The Hidden Risks

The risks to financial institutions from infostealers are broader than they might initially appear. While the primary threat is theft, there is also fraud loss, operational risk, and reputational risk. Once a financial institution starts losing a significant amount of money from this, if it lacks proper protections in place with the media, the reputational risk can be massive.

FIs should also consider their business-to-business connections. Infostealers can target supply chains and third-party vendors just as easily as customers or the business itself. Supply chain vulnerabilities can have second- and third-order effects, impacting customers as much as a direct breach of the institution.

When an organization hires cloud service providers or third-party vendors to protect its data, the original institution remains responsible for vetting that third-party processor. It must ensure the vendor has the proper security protocols in place to deter infostealers.

“The Snowflake data breach happened because they hired a third-party company that didn’t require multi-factor authentication,” said Pitt. “Ultimately, the customer is going to hold the initial institution responsible. They’re going to start leaving banks for somebody else that will actually protect their credentials.”

The Latest in Prevention

Identity and Access Management (IAM) programs can significantly reduce the risk posed by infostealers. An effective IAM strategy includes strict access controls and continuous monitoring to detect and respond to suspicious activity. When only authorized users can access sensitive data, it becomes much harder for threat actors to exploit stolen credentials.

Multi-factor authentication remains absolutely critical, as does requiring customers to use unique and complex passwords for every account. If passkeys are an option, use them as well.

“That’s an absolutely critical next step when we think about how to mitigate this risk in the longer term,” Kosak said. “Passkeys are going to become more and more important. We’re still very early in the adoption cycle on that, but they’re phishing resistant.”

Another important factor for FIs to be aware of is cracked software. People concerned about infostealers should resist the temptation to download and install free software applications.

“If you see something that looks a little off the books, it’s probably going to come with a nasty surprise,” said Kosak. “They direct people to these YouTube links that deliver malware. Stick to known app stores.”

Behavioral detection, including user behavior analytics and device fingerprinting, is emerging as a strong defense against infostealers. These tools help detect account takeovers, for instance. If an FI detects any anomalous behavior, it can have processes in place to mitigate these risks and cut off the actions as they’re happening.

Polite Paranoia

All financial institutions have annual training requirements that everyone must complete to understand the threat environment. There’s another aspect that can be a bit harder to implement and articulate—the culture side. The core issue is instilling a culture of polite paranoia.

“You’ve got to be willing to raise questions both up and down the chain if you see something that’s suspicious,” said Kosak. “Being willing as a new junior associate to raise your hand and say, ‘hey, this seems suspicious to me,’ that’s a cultural aspect to an institution. Being willing to be challenged if you’re a senior in that institution and say, ‘hey, I’m glad you’re asking that question.’ That’s really powerful too.”

“These threat actors will use fear and intimidation and psychological pressure to get people to act without having the time or feeling like they have the channels to raise questions,” he said. “Polite paranoia takes that away from them.”

Fighting the Surge in Scams: Why Standardization and Communication Are Key https://www.paymentsjournal.com/fighting-the-surge-in-scams-why-standardization-and-communication-are-key/ Fri, 21 Mar 2025 13:00:00 +0000 https://www.paymentsjournal.com/?p=497496

The post Fighting the Surge in Scams: Why Standardization and Communication Are Key appeared first on PaymentsJournal.

There’s a growing consensus among organizations as diverse as financial institutions, consumer advocacy groups, and card networks that scams are out of control. And yet, the U.S. still lacks a consistent framework to identify, categorize, and address this spiraling threat.

In the Getting Personal With Scams report, Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research, detailed how the many methods criminals use to perpetrate scams demand a more holistic solution for identifying and sharing threat intelligence.

A Damaging Threat

Scams peaked during the pandemic as more consumers engaged on social media and shopped online. While there has been a slowdown with the return to brick-and-mortar stores and increased face-to-face communication, scams remain a significant threat.

Although the total number of scams may have declined, the number of scam victims surpasses those affected by other types of fraud. For example, in 2023, there were 15 million traditional identity fraud victims in the U.S., according to Javelin. In comparison, 24.1 million people fell victim to scams last year.

The prevalence of scams has even begun to impact consumer shopping patterns. Some victims have shied away from purchasing items online, and many have closed accounts entirely. Some consumers have stopped using digital banking services. While individuals must take steps to protect themselves from scams, completely withdrawing from the digital world is an ineffective strategy.

Many consumers are taking these actions because they believe their governments, financial institutions, and businesses aren’t doing enough to reduce this threat. According to Javelin, scam mitigation efforts vary by country, and the U.S. has plenty of room to improve in this area.

“We’re just not doing enough,” Sando said. “Financial institutions are not required to reimburse scam victims, and there are a lot of other international economies that have regulations to do so. I’m not saying that’s the way it should be—I don’t think we are going to get to a point in the United States where scam reimbursement happens anytime soon—but it doesn’t mean there aren’t things that we can do to at least tackle the problem better.”

Standardizing the Nomenclature

One of the biggest issues in the U.S. is the lack of a comprehensive system to categorize and log scams and bad actors. The Javelin report identified over 16 categories of scams, yet it was still not an exhaustive list. Criminals exploit any method of communication to reach their victims and leverage all available technology and tactics to accomplish their goals.

Because scams take so many forms, different organizations may use varying names for the same scheme. Even within the financial industry, one institution might categorize a scam differently than another. Without standardized nomenclature, understanding the full scope of the problem becomes extremely difficult.

The issue is exacerbated because there is no overarching system to track scams.

“You may have a consumer who became a victim of a scam that might report it to the FTC, or to their financial institution, or to law enforcement,” Sando said. “They might even go to the IC3 Internet Crime Complaint Center. But none of those systems will talk to each other, so we’ve got this skewed idea of what’s happening within the realm of scams.”

There have been efforts to standardize scam documentation, such as the ScamClassifier Model that was recently released by the U.S. Federal Reserve. Based on the Fed’s FraudClassifier system launched five years ago, ScamClassifier is a voluntary framework designed to serve as a central hub for documenting attempted and successful scams, threat actors, and fraud trends.

A more structured approach to scam documentation helps organizations understand the trends affecting their institution and customers. This, in turn, allows them to allocate fraud and scam detection budgets more effectively, focusing on the most relevant threats.

“The idea is how do we get to a point where we can at least be united to fight scams,” Sando said. “A lot of those problems come down to how you’re categorizing it. If you don’t have a handle on what’s going on in your own backyard, you can’t fight the problem.”

Keeping the Cards Close

One of the challenges with systems like the ScamClassifier model is that they are voluntary. Even if an organization does utilize it, many are reluctant to share this data with others, especially if it could include proprietary information. Financial institutions, in particular, have been hesitant to communicate with competitors.

However, better communication is the key to fighting a growing problem that can irreparably damage the relationship between an institution and its customers.

“At the very least, have your own organized way of tracking scams,” Sando said. “But sharing the information is just as important. You have to know what’s going on within your own neighborhood to fight the crime. And how can you do that if you’re keeping your cards so close to your chest?”

Framing the Problem

Once banks and credit unions become more informed about scam trends, they can better educate their customers and members. Understanding these trends also helps financial institutions implement technologies that can mitigate the issue.

For example, many organizations don’t have real-time scam detection. Especially when consumers aren’t reimbursed for falling victim to a scam, financial institutions should have measures in place to prevent fraudulent transactions from settling.

While there are clear actions organizations can take, criminals still have a head start. This makes it critical to take proactive steps to combat scams now.

“With this report, it’s just framing the problem,” Sando said. “There’s not even a huge solution, because we are still at this point in the U.S. where we haven’t done anything to fix this problem—and that’s the problem.”

A Robust Cyber Fusion Strategy Is Integral to Fight Fraud Threats https://www.paymentsjournal.com/a-robust-cyber-fusion-strategy-is-integral-to-fight-fraud-threats/ Fri, 07 Mar 2025 14:00:00 +0000 https://www.paymentsjournal.com/?p=496011

The post A Robust Cyber Fusion Strategy Is Integral to Fight Fraud Threats appeared first on PaymentsJournal.

Cybercriminals have more tools at their disposal than ever before, and they’re using them to target consumers in increasingly complex and effective ways. However, just because one of a financial institution’s customers falls victim to a scam, it doesn’t mean it was an isolated incident. In fact, emerging technologies are allowing criminals to organize and carry out attacks on a much larger scale.

2025 Cybersecurity Trends, a report from Javelin Strategy & Research’s Tracy (Kitten) Goldberg, Director of Fraud and Security; Suzanne Sando, Senior Fraud and Security Analyst; and Jennifer Pitt, Senior Fraud and Security Analyst, detailed how criminals are using technology to accomplish everything from scams to disinformation campaigns and highlighted the steps financial institutions can take to protect themselves.

The Dual Role of AI

Artificial intelligence has become a key component of fraud mitigation systems, but it has also become a fixture in many fraud operations. However, at this juncture, AI is having a greater impact in the fight against fraud.

“You don’t have AI that is successfully fooling authentication technology, but you do have AI that’s fooling consumers,” Goldberg said. “They’re not able to take my image and fool facial recognition technology, but they could potentially fool my neighbor. AI is a concern, but I think the concern is more on the social engineering piece and how humans are manipulated.”

There have always been criminals willing to exploit others for fraudulent purposes, but the techniques and tactics they use have become more complex. For example, cybercriminals are leveraging AI to create deepfakes which can mimic voices or personas, using this technology to create fictitious communications.

Criminals also deploy cheapfakes, where they edit or alter actual videos or audios and present an individual’s words out of context to commit fraud or spread disinformation.

The proliferation of social media and the increased isolation of many individuals has fueled the rise of romance scams, where cybercriminals feign romantic interest to obtain personal details from consumers.

Because more children have unmonitored access to the internet and social media, cybercriminals have also engaged in manipulation and cyber bullying tactics in efforts to get kids to provide their personal information.

Though there are more types of fraud attacks, there is still an overarching theme.

“Whether it’s someone trying to socially engineer a consumer into providing access to their bank account details or a hacktivist group that’s spreading disinformation, the end is the same,” Goldberg said. “They’re convincing consumers of something that is not true and getting these consumers to provide information about themselves, or to believe a falsehood.”

Rethinking Security: Biometrics Over Passwords

Fraud attempts are designed to manipulate consumers, so financial institutions should bolster their consumer education efforts. However, organizations will never be able to fully account for the actions of their customers. This means institutions must find ways to remove the consumer from the cybersecurity equation.

One of the most effective ways organizations can do this is to move away from username and password verification. Criminals can hack passwords, manipulate consumers into providing them, or purchase login information from bad actors on the dark web.

Because usernames and passwords are an increasingly ineffective means of security, FIs should lean on biometrics to verify their customers’ identities. In addition to fingerprint scanning and facial recognition technology, there are behavioral biometrics platforms, which monitor how a user interacts with their device. There are also tools to verify the validity of the device itself to ensure the right consumer is granted access.

All in all, financial institutions must take a bigger-picture view of fraud. The advent of technologies like machine learning and AI means it is easier for organized groups to carry out fraud at scale.

A bank might uncover what initially appears to be a conventional scam, where a criminal has socially engineered a customer into providing access to their bank account details. However, the perpetrator could have ties to a nation-state threat actor or a fraud ring conducting attacks or spreading disinformation.

“For the financial services industry, this is why we’re talking about cyber fusion deployment,” Goldberg said. “It’s where they’re bringing in some of the tools that they use for anti-money laundering, Know Your Customer compliance, and fraud mitigation. This helps with some of the scam detection, but then also with how they can tie that into who is behind some of these attacks.”

Following the Trails of Cyberthreats

A cyber fusion approach emphasizes the importance of shared threat intelligence within an enterprise. One of the key components is attribution, which involves identifying the actors behind cyberattacks.

“You’re pulling in anonymized data signals that could help to track money mule activity or fraud activity that might go into a Suspicious Activity Report (SAR),” Goldberg said. “This could potentially tie the attempt in with other indicators that you might have on the fraud side that could relate to potential scams or social engineering. Then it’s sharing that, not only across your enterprise, but with other organizations as well.”

Collaboration across the financial services industry—whether through a consortium or other mechanisms—is critical for exposing fraud techniques and tracking threat actors. Unfortunately, progress toward industry-wide collaboration or widespread cyber fusion adoption has been slow.

That said, solutions do exist. Many larger financial institutions are already implementing cyber fusion strategies, potentially setting an industry precedent. In addition, vendors are available to aid financial institutions with implementation. The strategic use of partners and tools across an enterprise, coupled with consortium data and anonymized data signals, will be essential for achieving a holistic cyber fusion approach in the financial services industry.

“The whole ecosystem is a complex puzzle with a lot of different pieces, but we think that it all fits together,” Goldberg said. “It’s hard to connect those dots, especially when you have something as common as a romance scam or a pig butchering scheme. But if you start to trace the breadcrumbs, you might find that this is connected to a much wider network that is supporting something much more nefarious, which could even be a national security issue.”

More Healthcare Providers Are Bolstering Cybersecurity Infrastructure, Study Finds https://www.paymentsjournal.com/more-healthcare-providers-are-bolstering-cybersecurity-infrastructure-study-finds/ Thu, 06 Mar 2025 18:21:01 +0000

The post More Healthcare Providers Are Bolstering Cybersecurity Infrastructure, Study Finds appeared first on PaymentsJournal.


Healthcare organizations safeguard substantial troves of personal and financial data, making them prime targets for cybercriminals.

According to a survey from the Healthcare Information and Management Systems Society (HIMSS), more organizations are strengthening their defenses. The study found that 55% of healthcare organizations plan to boost their cybersecurity spending this year.

“Healthcare must invest more in cybersecurity, perhaps second only to education, à la the PowerSchool breach,” said Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research. “Healthcare is widely known for its cybersecurity vulnerabilities, and exposure of employee and patient Personal Identifiable Information.”

“Breaches and ransomware attacks—which exfiltrate sensitive PII and then hold the healthcare organization for ransom under the threat of exposing the stolen data on the dark web—are and have been all too common for many years,” she said.

The Change Healthcare Data Breach

Just as concerning as the frequency of ransomware attacks is their magnitude. Many healthcare leaders are reevaluating their cybersecurity solutions and third-party relationships in response to the largest healthcare data breach of all time—last year’s ransomware attack on UnitedHealth Group subsidiary Change Healthcare.

The attack compromised the PII of over 190 million people and, much like the PowerSchool breach, was traced back to a cybersecurity lapse. Cybercriminals gained access to Change Healthcare’s systems using a single set password on a user account that lacked multi-factor authentication.

Increasing Cybersecurity Budgets

This incident, along with the rise in ransomware attacks targeting healthcare organizations, has forced a shift in the industry. According to HIMSS, healthcare organizations have historically allocated 6% or less of their IT budgets to cybersecurity. Now, nearly a third of respondents plan to spend more than 7% of their IT budget on cybersecurity this year.

This heightened focus on cybersecurity is critical because the ramifications of data breaches extend far beyond the healthcare industry.

“The lack of cyber focus and investment on the healthcare side has a domino effect on other industries, such as financial services,” Goldberg said. “These sectors eventually have to pick up the pieces of stolen consumer PII that turns into identity theft and subsequent fraud.”

The Growing Threat of Cyberwarfare from Nation-States https://www.paymentsjournal.com/the-growing-threat-of-cyberwarfare-from-nation-states/ Wed, 26 Feb 2025 14:00:00 +0000

The post The Growing Threat of Cyberwarfare from Nation-States appeared first on PaymentsJournal.


Back in 2011, a group of Iranian hackers launched a series of distributed denial-of-service (DDoS) attacks against nearly 50 U.S. financial institutions. The attacks were alarming enough, disabling bank websites and preventing customers from accessing their online accounts. However, the situation became even more troubling when it was revealed that these attacks were sponsored and directed by the Iranian government.

Since then, nation-state cyberattacks have remained a top concern for cybersecurity professionals. Countries like Russia, China, and North Korea have joined Iran in being held responsible for these advanced persistent threats, commonly referred to as APTs. In a PaymentsJournal podcast, Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, spoke with Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research, about what financial institutions can do to combat these threats from rogue nations.

The Big Four

The four nations carrying out these attacks are playing the long game. They’re patient, developing tools and tactics to achieve their objectives, and essentially have an open checkbook to fund their operations. They’re also good at remaining undetected for as long as possible, allowing them to continuously siphon information or maintain access for future operations.

Understanding these nations’ geopolitical context and their distinct motivations for engaging in cyberattacks is key.

The Chinese government, for example, conducts cyber activities to advance their national interests and economic position. They’re interested in obtaining intellectual property and data from private and public sectors to position themselves as an economic powerhouse. By actively infiltrating Western critical infrastructure, they’ve aimed to establish persistent access for potential disruption during future conflicts.

The Russian government enables broad-scope cyber espionage to suppress certain sociopolitical activity, such as in their ongoing war in Ukraine. Their focus is on stealing valuable information related to active conflicts to position themselves as a great power, rivaling the West and the U.S.

North Korea aims to collect intelligence, conduct disruptive attacks, and generate revenue. They continue to seek ways to get around their heavy economic sanctions to fund their weapons program.

Finally, the Iranian government has exercised increasingly sophisticated cyber capabilities to suppress sociopolitical activity. They also see themselves in competition with the West, specifically the U.S. Interestingly, Iran has also started to conduct more financially motivated attacks, like ransomware. Like North Korea, Iran is under tight sanctions and needs to generate revenue. But they’re also interested in creating chaos and disrupting their adversaries’ incident responses, as the 2011 attacks demonstrated.

“Iran’s attacks were a big wakeup call,” said Kitten. “That catapulted information-sharing among financial institutions. That helped to cement the fact that we need to be sharing threat intelligence and looking for indicators of compromise.”

The Nature of the Threat

There are three basic types of threats at play here. The first is monetary attacks, particularly as several of these countries seek ways to bypass restrictive sanctions. As a result, they’re targeting banks and trying to steal cryptocurrencies. Financial espionage also provides an avenue for gaining political leverage.

“Think about the sensitive personal information that a bank has access to,” said Schneider. “They’re trying to erode customer trust in critical infrastructure, things that regular citizens depend on. If they can shake that trust, that can also be beneficial for them.”

Then there’s the idea of hybrid or unrestricted warfare. There is an increasing number of attacks on critical infrastructure, including not just financial institutions but also sectors like energy and water. These attacks are designed to disrupt operations, incite panic, and spread misinformation in the background of ongoing conflicts.

Security professionals are growing more concerned about the idea of collaboration between these nation-states. Different techniques are being used by China, for example, as opposed to Russia. If Russia collaborates with China, it could become challenging to determine whether a cybercrime is being perpetrated by Russia or China.

“In the coming year, the discussions around threat intel—and especially around attributing indicators of compromise to specific threat actors—is going to become critically important,” said Schneider.

Tools of the Trade

Nation-states are continuing to invest in and develop their tools to be harder to detect and defend against. They tend to use large language models (LLMs) like ChatGPT in their cyber operations as support for their campaigns rather than using these tools to develop novel techniques.

But for the most part, they’re turning to the easiest way in, which tends to be social engineering and phishing. Humans remain the weakest link in security.

“We’ve seen time and time again these Russian APT groups using watering holes and conducting social engineering to get folks to click on links,” said Schneider. “It’s really basic stuff, but it’s effective.”

Criminals have also been creating synthetic identities, using them to set up bogus accounts and carry out attacks against financial institutions.

“The APT groups purchase bits and pieces of PII [Personally Identifiable Information] from multiple sources and then create a new identity,” said Kitten. “That’s been challenging for financial institutions to detect and track.”

Technology is moving toward creating realistic deepfakes specifically designed for fraud and account takeover attacks. As the financial sector uses more voice verification, someone could take voice samples of an individual and create a deepfake call powered by an LLM that has been trained on stolen credentials and biographical or personal information from that individual. The result is that voice-authenticated AI could respond to challenge questions based on that stolen data in real time.

Taking Protection

What should organizations do to protect themselves from these threats? The first step is practicing good cyber hygiene.

“APTs have access to advanced tools and resources, but they will use the easiest method available so that they don’t burn those novel tools,” said Schneider. “Using a password manager, creating long complex passwords for each account, making sure that your systems are up to date—those types of things are really simple, but really important to get right.”

The entire organization should buy in to these efforts, from the CEO down, to provide investments in solutions that can be used across departments. Employee training and awareness are crucial to protecting against things like social engineering threats.

About half of the population is now using passkeys to mitigate cyber threats, according to some reporting. These allow users to log into a site or device by using something like a fingerprint or PIN. Passkeys have the advantage of being phishing-resistant, reducing the human element, and they cannot be shared.

Finally, organizations should consider setting up an advanced threat detection program, including threat intelligence.

“I would encourage financial institutions, especially smaller ones, to ensure that they’re working with third-party vendors who are trusted, experienced partners,” said Kitten. “Make sure they’re asking the right questions and thinking five years out about what this solution is going to look like.”

Schneider added: “If we’re aware of who is interested in targeting us, and staying up to date on the latest tactics, techniques and indicators of compromise, we will be in a much better position to defend against those threats.”


Malware-as-a-Service Lowers the Technology Bar for Threat Actors, Study Finds https://www.paymentsjournal.com/malware-as-a-service-lowers-the-technology-bar-for-threat-actors-study-finds/ Wed, 19 Feb 2025 19:24:14 +0000

The post Malware-as-a-Service Lowers the Technology Bar for Threat Actors, Study Finds appeared first on PaymentsJournal.


Malware-as-a-Service (MaaS) now accounts for over half of cyber threats targeting organizations. These threats have become more prevalent as cybercriminals increasingly outsource their operations.

According to research from Darktrace, the use of MaaS tools picked up steam in the latter half of 2024, making up 57% of identified fraud activities. One of the most commonly used malware tools is Remote Access Trojan (RAT) software, which allows cybercriminals to take control of an infected device remotely. Once inside, they can steal data, harvest credentials, or monitor a user’s activities.

MaaS is a subset of the broader Cybercrime-as-a-Service (CaaS) model, where criminals offer illicit software services to individuals or groups for financial gain. These services—sold through CaaS platforms—can include ransomware attacks, data breaches, and Distributed Denial of Service attacks that can cripple an organization’s website for days or even weeks.

Phishing for Entry

The most common entry method for CaaS attacks remains phishing. Darktrace’s survey uncovered over 30 million phishing emails in the past year alone. Of these attempts, 38% were highly customized spear phishing attacks targeting high net-worth individuals.

However, spear phishing can also be directed at specific customer bases, as seen in the attacks on CrowdStrike’s customers following the global outage caused by the company’s software update last year.

Impersonating Services

As with the attacks targeting CrowdStrike’s customers, Darktrace observed that many phishing communications impersonated third-party services that organizations frequently rely on. The report identified phishing emails that appeared to be from Microsoft SharePoint, Adobe, and QuickBooks, among others.

Cybercriminals have also increasingly impersonated major merchants to scam consumers. Separate data from the Federal Trade Commission revealed that Best Buy, Amazon, and PayPal were among the most frequently impersonated retailers.

The advent of new technologies like artificial intelligence has made these scams more effective. According to Darktrace, 32% of phishing attempts now employ novel social engineering techniques designed to manipulate recipients. Many of these messages feature AI-generated text that is both complex and compelling.

As CaaS platforms provide advanced tools to even tech-challenged threat actors, organizations face growing risks in an evolving fraud landscape filled with emerging threats.

The Looming Cyber Threats Targeting Smaller Financial Institutions https://www.paymentsjournal.com/the-looming-cyber-threats-targeting-smaller-financial-institutions/ Tue, 04 Feb 2025 14:00:00 +0000

The post The Looming Cyber Threats Targeting Smaller Financial Institutions appeared first on PaymentsJournal.


Cyber fraud presents a unique threat to small and mid-sized financial institutions, which often lack the resources or expertise that major banks possess to fend off account takeovers and other cyberattacks. However, they face the same risks from hackers as any larger institution.

In a PaymentsJournal podcast, Mike Kosak, Senior Principal Intelligence Analyst at LastPass, spoke with Tracy (Kitten) Goldberg, Director of Fraud and Security at Javelin Strategy & Research, about the evolving threat landscape confronting smaller financial organizations. Their discussion covered the emergence of nation-states as threats, the rise of deepfakes, and why information-sharing may be the most effective defense.

Where the Threat Lies

The biggest threat currently facing FIs is financially motivated cybercriminals. Their attacks typically focus on finding other ways to access legitimate accounts, as well as infiltrating the institutions themselves. Their goal is to either steal money directly or collect data to use as ransomware.

These institutions are also facing threats from so-called hacktivists aiming to cause reputational damage. Such actors seek to acquire data that can embarrass either the institutions or their customers.

While these infiltrators are often assumed to be rogue operators or members of hacker gangs, there’s also the possibility that they’re sponsored by nation-states, such as Russia, Iran, or China.

“One of the things that smaller financial institutions need to keep in mind is that it’s not just the data, it’s not just the money, and it’s not just ransomware gangs,” said Kosak. “It may be their connections to other organizations. A lot of nation-states are increasingly targeting FIs based on their connections to other organizations, to get their foot in the door within that larger sector.”

How Criminals Are Leveraging Social Engineering

In the fight against cyberattacks, humans are always the weakest link. The same techniques used to socially engineer consumers into falling for scams can also be waged against bank employees or contact center staff. These employees may then be coerced into divulging sensitive information, such as intellectual property or details about customer accounts.

One tactic that has grown in popularity in recent years involves performing reconnaissance on LinkedIn or other social media platforms to figure out the right individuals to target. Once a criminal successfully impersonates an employee, they call the IT help desk to try and reset a password, which also gives them access to protected information.

“These attacks are getting much more targeted,” Goldberg said. “They could include everything from stealing from consumers to roping them into money mule activity that’s being used to launder funds. This could be used to support some kind of terroristic financing. You might assume it would be larger institutions that would be more concerned about that, but it can trickle down to the smaller institutions as well.”

One of the most dangerous threats to smaller banks comes from infostealers, a type of malware designed to collect information from targeted computer systems. Over the past five to seven years, industry specialists have seen these attacks grow by more than 200%.

Initial access brokers leveraging infostealers are quick, efficient, and they’ve got plenty of buyers for the data they pilfer. From a supply-and-demand perspective, this creates strong incentives for others to move into this space. Even when law enforcement disrupts the work of a significant infostealer, there are still plenty of opportunities for initial access brokers to fill the resulting void.

Collective Insights Help Fight Fraud

When institutions share the threats they encounter and their analysis of the situation, everyone gains from the collective insights. However, when banks choose not to share that information, the only ones who benefit are the threat actors themselves.

Smaller, resource-constrained financial institutions may find it challenging and time-consuming to determine not only how they’re being targeted but also who is behind the attacks. Yet, this information is key.

“If you can understand not just how they’re targeting you, but who’s targeting you, you get a much broader picture of the sort of tactics, techniques and procedures you need to defend against,” said Kosak. “If you’re just focusing on activity you’ve already seen, you can block against those efforts, but you don’t know what’s next.”

The Growth of Deepfakes

The democratization of deepfake technology has advanced rapidly, leaving every financial institution vulnerable to its threats. Technology has progressed to the point where criminals can now create deepfakes on their phones, with just a few seconds of an audio clip.

Increasingly, deepfakes are being used to call into customer service centers and impersonate legitimate customers. This creates a problem for voice recognition technology as an authentication factor, intensifying the arms race between institutions trying to verify customer identities and criminals attempting to bypass those efforts.

While the number of deepfake calls has gone up substantially over the last two years, the long-term concern is around video deepfakes. Perhaps the scariest part of this threat is that it’s only the beginning of how far it can go.

A related threat comes from synthetic identities. Criminals steal personally identifiable information (PII) to create new personas that can open accounts and infiltrate supposedly secure systems. These identities can be very difficult to detect since they do not involve using the identity of an actual customer.

Fighting Back

So, what should smaller FIs be doing to protect themselves from these threats? The enforcement of basic multi-factor authentication, for both customers and employees, remains absolutely critical. Moving toward passkeys as a technology, which are more phishing-resistant, is also important.

Beyond that, a right-sized threat intelligence program can be beneficial for any financial organization. A program that includes external engagement can help facilitate information sharing, allowing even small institutions to make critical connections.

Consumers have come to rely on financial institutions or other entities to let them know if their identities have been breached in some way. That makes educating both customers and employees a key part of any strategy.

People interacting with cybercriminals will always be the weak spot in the defense against them. Identity and Access Management (IAM) programs, which manage user identities and control who can access certain resources, are a way to automate a critical part of the process. Kosak and Goldberg advocate automating as much of the defense as possible.

“The more you can take the human out of the authentication process, the better off you’re going to be,” Goldberg said.


The Ramifications of the EU’s DORA Regulations Go Far Beyond Cybersecurity https://www.paymentsjournal.com/the-ramifications-of-the-eus-dora-regulations-go-far-beyond-cybersecurity/ Tue, 21 Jan 2025 14:00:00 +0000

The post The Ramifications of the EU’s DORA Regulations Go Far Beyond Cybersecurity appeared first on PaymentsJournal.


The Digital Operational Resilience Act (DORA) went into effect last week in the European Union, and many of the region’s financial institutions are not yet compliant with the new cybersecurity laws.

DORA is a set of tough regulations designed to strengthen the technology operations of financial institutions. These laws also extend to their partners. The legislation aims to prevent data breaches, cyberattacks, and system disruptions that could lead to widespread financial impacts.

Compliance with DORA is mandatory, and violations come with substantial penalties. Financial firms may face fines of up to 2% of their annual global revenue. Furthermore, individuals can also be held accountable under DORA, with penalties of up to $1 million for non-compliance.

Surpassing the Baseline

DORA mandates that financial firms install sophisticated IT risk and incident management systems. It also requires more substantial reporting and documentation, periodic operational resilience testing, and the sharing of intelligence about risks, incidents, and bad actors.

The scope of the regulations is far-reaching, which is why many of the EU’s financial services organizations are struggling to understand what is required of them.

“We saw this too with GDPR (General Data Protection Regulation) and other broad legislation that is subject to interpretation—what does it actually mean to comply?” Harvey Jang, Chief Privacy Officer and Deputy General Counsel at Cisco, told CNBC in an interview. “This lack of a common understanding of what qualifies as robust compliance with DORA has in turn led many institutions to ramp up security standards to the level that they’re actually surpassing the ‘baseline’ of what’s expected of most firms.”

A Mindset Shift

One of the most impactful aspects of DORA is that it forces financial institutions to shine a spotlight on their third-party relationships. Organizations will be required to conduct assessments of “concentration risk” to ensure they aren’t outsourcing too many functions to third parties or relying too heavily on partners for critical operational tasks.

While banks may ultimately be responsible for compliance, the new rules will also put pressure on financial technology organizations. Under DORA, technology providers can be fined as much as 1% of their average daily worldwide revenue for up to six months for non-compliance.

The increased scrutiny on third-party relationships could prompt a total mindset shift in how the EU’s banks engage with their fintech partners. Many banks have relied on these partners to help them accomplish digital transformations on a faster and wider scale. However, due to the vulnerabilities this model creates, financial institutions may need to scale back their outsourcing strategies.

“Advances in technology may allow financial institutions to move services back in-house, simplifying this aspect and reducing the risk of non-compliance,” Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, told CNBC in an interview. “Either way, existing contracts will need to be updated to ensure compliance is contractually mandated and monitored between entity and provider.”

Under the Microscope

Regulators have long been concerned about the increasing role of fintech companies in the new banking-as-a-service model. Many technology companies have built their financial solutions with speed and innovation in mind, while compliance was often an afterthought. That mindset doesn’t align with the heavily regulated and highly scrutinized financial services industry.

In the U.S., concerns about the relationship between unregulated fintechs and banks reached a head after the highly publicized collapse of fintech Synapse. Synapse failed to keep proper records of funds for its customers, particularly Evolve Bank & Trust. When Synapse went bankrupt, roughly $85 million in funds were frozen—with no records of who they belonged to.

In the aftermath of the Synapse collapse, lawmakers have increasingly put fintechs and financial institutions under the microscope. The continued demand for regulation has even called the banking-as-a-service model into question.

Controlling Data

Another model that hinges on the capabilities of third-party financial companies is the open banking model, which has long been considered the future of the financial industry. In open banking, third parties serve as facilitators, enabling the secure sharing of protected consumer financial data among organizations.

Though there are concerns about the impact of fintechs, the U.S. recently rolled out its rules designed to regulate open banking. The Consumer Financial Protection Bureau (CFPB) announced it would activate Section 1033 of the Dodd-Frank Act, which is designed to give consumers the freedom to control their own data and switch between financial institutions with ease.

The new laws also require financial institutions to implement stronger data security protocols and beef up their recordkeeping processes.

An Original Concern

There will certainly be growing pains as organizations seek to comply with the various regimes that are being established worldwide. However, there is largely agreement among all players in the industry that a stronger regulatory framework is necessary to prevent events like the Synapse collapse, and to protect organizations from the increasing number of fraud attacks they face. Until that system is in place, challenges will persist.

“The big takeaway is that compliance is becoming more of a technology concern,” said James Wester, Co-Head of Payments at Javelin Strategy & Research, in an earlier conversation with PaymentsJournal. “That’s a two-fold issue. For the technologists that are tasked with making the open banking environment work, compliance now needs to be one of the original concerns when building out anything that’s going to be dealing with consumer data.”

“The other part of it is that compliance teams often still don’t understand a lot of the technical considerations and concerns,” he said.

Cybersecurity Exec Sounds Alarm About PayPal “No-Phish” Phishing Scam https://www.paymentsjournal.com/cybersecurity-exec-sounds-alarm-about-paypal-no-phish-phishing-scam/ Thu, 09 Jan 2025 19:46:03 +0000

The post Cybersecurity Exec Sounds Alarm About PayPal “No-Phish” Phishing Scam appeared first on PaymentsJournal.

]]>

The chief information security officer at cybersecurity company Fortiguard has raised concerns after encountering a new type of “no-phish” phishing threat using legitimate PayPal mechanisms.

In a blog post, Carl Windsor reported receiving an email that appeared to be from PayPal, complete with a valid sender address. The email requested money through the platform’s money request feature. While both the email and URL were legitimate, the only anomaly was that the “to:” address field in the email was not addressed to him; instead, it was addressed to a free Microsoft 365 test domain.

If a user responded to the email, they were directed to the PayPal site, where everything appeared to be a valid money request from that point onward.

“The PayPal phish-free phishing attack shows just how crafty cybercriminals have become with social engineering scams,” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “Closely following advice given to consumers from FIs, fintechs, and other major financial industry leaders allows these scammers to circumvent the usual red flags consumers are told to look for when determining the legitimacy of a transaction request. Consumers are primarily the first line of defense when it comes to scams, so when everything seemingly checks out and looks legitimate, it’s an easy decision to move forward with the transaction.”

Mimicking Tactics

It’s a common tactic for criminals to send phishing communications that mimic those used by major corporations like PayPal. However, most impersonation scams direct the target to either click on a link to a false website or call a fraudulent number.

What makes the PayPal “no-phish” scam unique is that it directs users to the legitimate PayPal site, but exploits a vulnerability in the platform. Windsor reported that the payment request was for $2,185.96, an amount small enough that it might not raise suspicion in many corporations.

A Human Firewall

Phishing attacks have become more common and increasingly sophisticated. Criminals are leveraging more convincing technology, including AI, to create scams that are harder to identify. To combat this, Windsor wrote that the best solution to complex fraud attacks is the “human firewall”—meaning that the recipient has been trained to disregard or double-check any email that hasn’t been specifically requested.

However, most user education focuses on detecting emails from suspicious sources. The fact that the phishing attempt against Windsor used the genuine PayPal site means the threat is much harder to detect.

“This is, once again, a prime example of never clicking on a link in an email, even if it appears to be legitimate,” Sando said. “The best advice FIs and customer-facing financial services organizations can give to their customers is to bypass clicking on any links in an email or text message, and log into their account to directly address any transaction requests, fraud alerts, etc.”


How AI Will Reshape the Financial Services Sector in 2025
https://www.paymentsjournal.com/how-ai-will-reshape-the-financial-services-sector-in-2025/
Thu, 26 Dec 2024 14:00:00 +0000

One topic has dominated every technology discussion across the financial services and insurance industries for well over a year—and it is going to be even more prevalent in 2025.

Mass investment in AI integration is now moving well beyond the pilot phase, and the impact of its proliferation will start tangibly reshaping FSI in the coming year—for both good and ill. Here are a few snapshots of what AI will be driving in 2025:

Retail Banking, Including Lending and Payments

AI-driven personalization will raise privacy concerns and regulatory scrutiny. By the end of next year, retail banks will leverage AI to offer hyper-personalized products and services. However, the extensive use of customer data will trigger heightened privacy concerns, prompting regulators to impose stricter data usage and consent laws.

Real-time fraud detection will also become a competitive necessity amid rising cyber threats. Banks adopting advanced AI for instant fraud detection in payments will gain a significant edge, and institutions lagging in AI integration will face increased cyber attacks, leading to financial losses and reputational damage. The sophistication of AI-driven cyber threats will compel banks to significantly increase their cybersecurity budgets, focusing on AI-based defense mechanisms and robust data protection protocols.

Expect to see mandatory explainable AI in lending decisions as regulators will require banks to use explainable AI models to prevent biases in lending. This will force banks to overhaul their AI systems to ensure transparency and fairness, impacting their data management strategies.

Wealth and Asset Management

The proliferation of AI-driven robo-advisors is set to disrupt the wealth management industry, forcing firms to reassess their human capital and value proposition amid clients’ growing trust in automated services. This shift will coincide with enhanced regulatory oversight of AI algorithms. Regulators are expected to implement stringent audits of AI algorithms used in asset management to ensure compliance and prevent market manipulation, increasing the complexity and cost of data management.

At the same time, wealth management firms will face heightened cybersecurity threats, mirroring trends across the financial services sector. These companies will become prime targets for cybercriminals, with any significant breach resulting in loss of client trust, legal penalties, and a push for more robust cybersecurity frameworks.

Efforts to monetize client data through analytics will also face challenges. Privacy concerns are likely to spark backlash, resulting in stricter regulations and potential legal challenges. Despite these obstacles, a shift towards sustainable investing via AI analytics is emerging. AI will enable a more precise analysis of ESG factors, leading to a significant shift in investment strategies towards sustainable assets. However, it will also raise questions about data reliability and standardization.

Property and Casualty Insurance

Insurers adopting AI for real-time data analysis in underwriting will outperform competitors, but may encounter regulatory concerns regarding data privacy and algorithmic bias. At the same time, the rise of sophisticated, AI-driven insurance fraud will force companies to invest in equally advanced AI detection systems, straining budgets and requiring new data management approaches.

Cyber insurance is emerging as a dominant market segment, driven by escalating cyber threats. While demand for cyber insurance is expected to grow, insurers will struggle with underwriting risks in an area lacking historical data, complicating data management.

Regulators will also mandate the inclusion of climate data in risk assessment models, requiring P&C insurers to incorporate climate change projections into their risk models. This will significantly increase data management burdens and drive the adoption of advanced AI analytics to handle these complex requirements.

Additionally, stricter privacy regulations will impact claims processing efficiency. Enhanced privacy laws will restrict the use of personal data in claims processing, forcing insurers to find a balance between efficient service and compliance, potentially leading to slower settlement times.

Private Equity and Private Credit

In 2025, firms utilizing AI for rapid due diligence will have a competitive advantage yet may face regulatory scrutiny over data sources and the potential for overlooking nuanced risks. Investors are intensively evaluating the cybersecurity posture of target companies, as the acceleration of AI-driven threats means that poor data protection measures could result in deal cancellations or reduced valuations.

What’s more, regulatory bodies are intensifying their focus on AI-based credit scoring. Regulators will demand transparency in AI credit models to combat discriminatory lending practices, compelling firms to adjust their data management and AI systems accordingly. That said, heavy reliance on AI for investment decisions may result in biased outcomes, leading to legal disputes and harming the firm’s reputation among investors and the public.

Adding to these challenges, stricter data privacy regulations are reducing the availability of alternative data for AI models. This will push private equity and credit firms to seek new ways to gain insights without violating laws.

A Year of Challenges

In 2025, the finance sector will broadly start displaying many of the amazing operational efficiencies and capability gains well-implemented AI really can deliver. But it will also be a year where its rapid integration into financial services will have real consequences.

AI use in financial services has already outpaced the speed at which regulations are developed, leading to a complex landscape where institutions will struggle to stay compliant amid evolving legal requirements and potential penalties.

As regulatory bodies catch up, they will begin enforcing strict transparency and explainability standards for AI algorithms in financial decision-making, as well as regional and global data privacy regulations that will significantly restrict how financial institutions collect, store, and use customer data. Firms must be prepared to overhaul their data management practices to ensure AI models are interpretable, fair, and free from bias. Existing AI models reliant on extensive datasets will be challenged, pushing firms to adopt new methods like synthetic data generation and federated learning. Such eventualities will impact operational efficiency.

All the while, the industry will face a new wave of sophisticated cyberattacks, driven by AI and targeting vulnerabilities in financial systems. This will force companies to invest heavily in advanced cybersecurity measures — ironically including AI-based defense mechanisms and AI-driven comprehensive data protection protocols.

There is no putting this genie back in the bottle. In 2025, AI use in financial services won’t be a differentiator. It will be a requirement for survival in a landscape that it has already irreversibly altered.

Credit Card Reader Cyberattack Exposes Point-of-Sale Risks in Israel
https://www.paymentsjournal.com/credit-card-reader-cyberattack-exposes-point-of-sale-risks-in-israel/
Mon, 11 Nov 2024 19:11:51 +0000

Thousands of credit card readers at gas stations and supermarkets in Israel experienced issues this past weekend, potentially linked to a suspected cyberattack.

According to The Jerusalem Post, this incident is the latest in a series of point-of-sale (POS) threats. The challenges and disruptions caused by these attacks arise partly from the unpredictability of which consumers’ data might be affected and the varying levels of security among the small businesses impacted.

POS malware extracts credit card and other transaction-related data from payment systems and card skimmers. Hyp Credit Guard, which monitors payment system cybersecurity in Israel, said the attack targeted the communication services relied upon by many retailers. Fortunately, the issue was mitigated in just over an hour.

Given that gas stations process hundreds of credit card transactions daily, a successful cyberattack can compromise sensitive financial data on a large scale, often without consumers realizing their data has been breached. The effectiveness of a POS attack largely depends on the security measures in place at the targeted business.

A Worldwide Problem

Some experts suspect that Iranian-linked hackers may have been involved in the cyberattack. Just last month, a major Israeli payment company, Sheba, was hit by a similar attack, which caused delays in processing debit card transactions.

The U.S. has also experienced several large-scale POS attacks. In 2014, POS malware allowed criminals to gain access to millions of credit and debit card account numbers of customers at Target stores across the country.

More recently, NCR reported that a POS attack had impacted its Aloha restaurant payment system. Although NCR did not disclose how many customers were impacted, it did acknowledge that more than 100,000 restaurants use its payments platform. Like gas stations, individual restaurants may be more vulnerable to such attacks due to a lack of cybersecurity preparation.

“If you don’t have strong cybersecurity policies in place, POS attacks, like any other cyberattack, are much more likely to be successful,” said Suzanne Sando, Senior Analyst in Fraud and Security at Javelin Strategy & Research. “If you don’t encrypt data, if you aren’t complying with PCI DSS standards, if you aren’t monitoring for suspicious activity—all of these are steps organizations can take to reduce the likelihood of a successful POS attack. It’s all about finding those vulnerabilities and locking them down.”

How Financial Institutions Can Cultivate Cyber Trust with Consumers
https://www.paymentsjournal.com/how-financial-institutions-can-cultivate-cyber-trust-with-consumers/
Wed, 16 Oct 2024 13:00:00 +0000

Consumers are increasingly concerned about privacy amid the rising tide of fraud and data breaches. While privacy protections are an essential way for financial institutions to gain consumer confidence, several other factors contribute to establishing cyber trust with consumers.

In her latest report, Cyber Trust in Banking: Digital Path to Maturity, Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research, relays the findings of her latest industry scorecard and details the progress financial institutions have made—and the areas they can improve on—with cyber trust.

Privacy Priority

Privacy is still the most important, overarching issue to consumers, and the Javelin scorecard found that top-tier financial institutions have updated their privacy disclosure policies on a regular basis. That is a shift from just a few years ago, when privacy policies were harder to locate, and many hadn’t been updated in over a year.

“Now, surprisingly, the disclosures are easy to find, and they are typically posted in multiple places on the organizations’ sites,” Kitten said. “A customer can go to a wealth management page for advice and often find privacy disclosures there. Disclosures are also commonly available when consumers search for cybersecurity or fraud prevention information. It means financial institutions understand their customers are concerned about privacy.”

In addition, many financial institutions have gone beyond general privacy disclosures and created specific disclosures for minors. The scorecard also found that privacy disclosures were updated at a regular cadence, including many that were updated as recently as the last 30 days.

While those are significant improvements, there is still room to strengthen privacy programs. For instance, financial institutions should ensure their privacy disclosures avoid legal jargon and are easy to understand.

In addition, many banks have invested substantial time and money enhancing the usability and interfaces in their mobile banking platform, but they haven’t extended the functionality to their online banking platform. Even though more customers are adopting mobile banking, it doesn’t mean they are leaving online banking behind entirely.

“There should be more parity with privacy disclosures across both channels,” Kitten said. “If a consumer wants to do more intensive activities like reviewing past mortgage statements or responding to fraudulent activity alerts, they are more apt to do so via online browser-based banking on a laptop or desktop than they are on their mobile device. That includes reviewing privacy policies.”

Skin in the Game

Another aspect of cyber trust is authentication. Strong authentication protocols let consumers know that their data is protected and important. Most consumers are aware that basic usernames and passwords are not the most effective authentication methods, but they don’t often have an alternative.

Financial institutions can strengthen authentication methods on mobile banking apps by implementing biometric verification using facial recognition or fingerprint scanning, which are often already tied into the mobile device’s operating system.

Those avenues haven’t typically been integrated into online banking platforms, but they can be. Though financial institutions might be concerned about creating friction in the customer experience, consumers have proven they are open to biometric authentication because it is simple to use and makes interactions more secure.

“On the other hand, one-time passcodes are now just unnecessary friction because they are easily circumvented,” Kitten said. “Financial institutions should move to physical biometrics, and even look at behavioral biometrics that take place on the back end. When consumers have skin in the game, literally, they feel more connected to their bank and it takes some pressure off the institution.”

Directing the Conversation

Another way to engage customers is to build better consumer education programs. Alerts are an important—and often underutilized—way for financial institutions to direct the conversation with their customers.

“Financial institutions should encourage consumers to sign up for alerts when there are transactions that exceed defined thresholds or when there are changes to the account, such as when a new account holder is added,” Kitten said. “Customers should also know that if they suspect a transaction is fraudulent, the sooner they notify their financial institution, the better.”

Consumers should also receive alerts through multiple channels, including through mobile app notifications, text alerts, and email messages. Continued engagement through alerts can make consumers aware that their financial institution takes their relationship seriously.

However, banks and credit unions should ensure that they are sending useful information that is interactive when applicable. For example, instead of providing a written notification about a new scam when a customer logs into their account, an institution could offer a podcast or another interactive way to educate their customers.

A Message That Resonates

Financial institutions have made significant steps forward in beefing up their privacy programs and making them more relevant and available to their customers. There is still the opportunity to make disclosures equally prevalent on mobile and online banking platforms.

Banks should also implement stronger biometric authentication methods on mobile and online banking platforms and move away from one-time passcodes. Finally, an organization should educate and empower its consumers.

“I hope that financial institutions take these recommendations seriously and implement changes before the next scorecard, and also that their engagement with their customers doesn’t fall short,” Kitten said. “Don’t take the easy way out, try to personalize education interaction everywhere you can. A little bit of personalization goes a long way, and the more targeted your message is, the more it’s going to resonate.”

Cybercriminals Exploit CrowdStrike Incident in Spear Phishing Attacks
https://www.paymentsjournal.com/cybercriminals-exploit-crowdstrike-incident-in-spear-phishing-attacks/
Mon, 29 Jul 2024 18:30:00 +0000

CrowdStrike has notified its customers that cybercriminals have launched spear phishing attacks on German users following the global internet outage caused by the cybersecurity company’s software update.

The criminals tricked users into downloading a phony CrowdStrike Crash Reporter. Once installed, the malicious software pretended to be a legitimate update while hackers conducted illicit activities in the background.

“Companies impacted by the flawed CrowdStrike content update for Windows devices must take additional measures to educate staff and support IT teams to ensure that everyone is informed about how CrowdStrike is addressing the issue,” said Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research. “Updates are being administered via manual updates at the terminal or machine level, not through automated updates that are sent via email.”

Targeted Attacks

CrowdStrike is highly confident that the attacks were specifically targeted at certain users because the victims were required to enter a password that is likely known only to them. Additionally, the attacks were executed through a spear phishing website that focused solely on German-speaking CrowdStrike customers affected by the software update.

The cybercriminals had a strong understanding of operational security practices, according to CrowdStrike. So far, the hackers have successfully thwarted the company’s efforts to identify them, which is not uncommon in phishing attacks.

Cybercriminals use advanced methods to impersonate company communications. Once a victim provides their credentials, the attackers often engage in fraudulent activities such as unauthorized credit card transactions, sending peer-to-peer payments through platforms like PayPal or Venmo, or modifying account information to confirm fund transfers.

Educating Consumers

CrowdStrike has advised its customers to only accept updates and technical support through official CrowdStrike channels. Users should also verify the legitimacy of sources before downloading any software. What’s more, the company recommends using download protection tools that can alert users to potentially harmful websites or downloads.

The global internet outage caused by CrowdStrike’s software update has revealed weaknesses in systems across nearly every industry. Unfortunately, many bad actors are ready to exploit these vulnerabilities.

“Cybercriminals will always take advantage of an opportunity to capitalize on a good phishing hook, and the CrowdStrike incident is no different,” Kitten said. “The same advice we would offer in the wake of any global noteworthy event holds true here. Think before you click, as with any malicious phishing campaign.”

ECB’s Cybersecurity Stress Test Reveals Challenges for EU Banks
https://www.paymentsjournal.com/ecbs-cybersecurity-stress-test-reveals-challenges-for-eu-banks/
Fri, 26 Jul 2024 18:30:00 +0000

The European Central Bank released the results of its first stress test of EU banks’ cybersecurity measures, revealing that many banks would struggle to recover from a hack.

The ECB asked 109 banks to detail their emergency plans in the case of a cyberattack, including both their response to the breach and their strategy for restoring normal operations for their customers. After reviewing the banks’ procedures, the ECB gave feedback on the areas where each bank could improve their response, like enhancing backup systems or strengthening controls on third-party partners.

“The results of the stress test are insightful and showed that while banks do have high-level response and recovery frameworks in place, there is still room for improvement,” ECB supervisor Anneli Tuominen noted in a blog post.

Rectifying Shortcomings

An additional 28 banks were chosen to participate in a more intense exercise that included on-site inspections and cyberattack simulations. According to the ECB, many of the banks have already rectified some of the shortcomings revealed in the stress test.

The central bank was careful not to release any details about the specific weaknesses it uncovered or the individual banks it tested, as it didn’t want to give cybercriminals any data they could use against the institutions. The ECB said it would decide whether to pursue further stress tests by the end of the year.

Top of Mind

Cybersecurity continues to be a top priority, particularly after the global internet outage that recently rocked many businesses, including banks. While that incident was tied to an update from cybersecurity provider CrowdStrike and not a cyberattack, it still exposed weaknesses in financial institutions’ responses to cyber incidents.

One of the most important considerations for banks is their dependence on third-party providers to manage critical aspects of their business. As a result, EU banks’ relationships with third-party providers were a central focus of the ECB’s stress test.

The central bank reported that cyber incidents were on the rise in its 113 banks in the latter part of last year, partially due to the war in Ukraine. The powerful technology that is now in the hands of hackers, including deepfake AI, makes it critical for financial institutions to have actionable strategies in the event of a hack.


The Next Phase of Cybersecurity on Mobile Banking Apps
https://www.paymentsjournal.com/the-next-phase-of-cybersecurity-on-mobile-banking-apps/
Tue, 16 Jul 2024 13:00:00 +0000

Consumers are increasingly turning to mobile banking applications as their preferred channels for financial interaction, in part because of the convenience and enhanced security such platforms offer. A mobile banking channel also provides financial institutions with a chance to improve engagement with consumers, especially for cybersecurity awareness and outreach.

A new report from Javelin Strategy & Research, Cyber Lessons for Mobile Banking: Connecting with Consumers, Framing Cyber Awareness, offers lessons from top-tier banks that set an example for community banks and credit unions to follow. Javelin Director of Fraud and Security Tracy Kitten, the author of the study, spoke about two important emerging trends in mobile cybersecurity that the report covers: biometrics and push notifications.

New Phases for Biometrics

Many modern consumers struggle with usernames, passwords, passcodes, and the other measures of authentication required to keep our financial data safe. Biometrics such as fingerprint and facial recognition have become less intrusive ways of authenticating your identity, with nothing for the user to remember.

But Kitten reports that behavioral biometrics could soon surpass physical biometrics in terms of ease of use for consumers and additional security for the institution. Behavioral biometrics encompass such things as how you hold your phone, or the cadence you use when you enter a number.

These recognition factors are not installed automatically. When you receive a new iPhone, you first have to agree to allow facial recognition or finger biometrics by signing a waiver that says you will share that information. After completing the approval process, you can use touch ID for any app that’s connected to the mobile device.

There are even more data sources that could be pulled in. “If I’m trying to make an in-app purchase, that particular payment platform could be pulling in anonymized data sources from multiple places,” said Kitten. “Is this a merchant that I typically shop? Is this the type of product I usually buy? They can pull in all these various bits of data that can be used to help authenticate me and verify me at the transaction.”

Banks can use some of those additional data signals or data sources in the background for authentication without the consumer even being aware it’s going on.

“If I’m sitting at home on my Wi-Fi connection using the same IP address I use every day, the same device that I’m logged into typically Monday through Friday from 8:00 am to 6:00 pm, and I’m conducting a transaction at a site I’ve been to many times before, and made purchases during this time of day on this device, on this IP address, then it should readily authenticate me,” Kitten said. “If I’m out of the country and the device is recognized but the IP address is different, the connection is different, and it’s a different time zone, then at that point, maybe I do need to have a one-time passcode sent to my phone to verify that this is me.”

Push Notifications

Another development in which Kitten sees great potential is push notifications, delivered through a bank’s mobile app. The communications are secure because the consumer knows that they are coming from their financial institution. An email alert or an SMS text message might call into question whether it’s really coming from the bank or from someone spoofing it.

“The customer will not receive push notifications if they don’t ask to have them,” Kitten said. “That’s why it’s such a strong builder of loyalty and trust.

“What I would really like to see is that all notifications only come through the mobile app. We’re pushing communications about cybersecurity or potential fraud, so everything should come through the app. I would go further and say it should be a default setting, so the consumer is automatically enrolled in the alerts through the app and they would have to opt out of them. Get rid of email and text, because we’re trying to tell consumers think before you click.”

One reason for this is that the institution can benefit from the wealth of information available through mobile and online banking platforms. They can pull data and analytics—and make use of AI—on the back end to determine what kind of education or alerts they should be pushing.

Most consumers under the age of 65 do not need push notifications about education related to the latest elder scam. But if the institution knows that they have a parent or grandparent living with them, then it would make sense for their bank to deliver that kind of alert.

Looking to the Future

What’s coming up next in this field? There could be some good news for all those consumers who constantly have to click on the “Forgot Password” button. According to Kitten, the advances in mobile app security could lead to a turning point in security issues, where institutions no longer ask the consumer to create and remember passwords or usernames. We as consumers create security issues by reusing passwords and usernames, or by writing them down, or by sharing information with people we shouldn’t. 

“The consumer is the weakest link,” said Kitten. “The more you can take the consumer out of the authentication process, the better. Because of facial recognition, behavioral biometrics and physical biometrics, I think we’re finally at a tipping point.”
