PaymentsJournal

The Looming Cyber Threats Targeting Smaller Financial Institutions
Cyber fraud presents a unique threat to small and mid-sized financial institutions, which often lack the resources or expertise that major banks possess to fend off account takeovers and other cyberattacks. However, they face the same risks from hackers as any larger institution.
In a PaymentsJournal podcast, Mike Kosak, Senior Principal Intelligence Analyst at LastPass, spoke with Tracy (Kitten) Goldberg, Director of Fraud and Security at Javelin Strategy & Research about the evolving threat landscape confronting smaller financial organizations. Their discussion covered the emergence of nation-states as threats, the rise of deepfakes, and why information-sharing may be the most effective defense.
Where the Threat Lies
The biggest threat currently facing FIs is financially motivated cybercriminals. Their attacks typically focus on gaining access to legitimate customer accounts, as well as infiltrating the institutions themselves. The goal is either to steal money directly or to collect data that can then be held for ransom.

These institutions are also facing threats from so-called hacktivists aiming to cause reputational damage. Such actors seek to acquire data that can embarrass either the institutions or their customers.
While these infiltrators are often assumed to be rogue operators or members of hacker gangs, there’s also the possibility that they’re sponsored by nation-states, such as Russia, Iran, or China.
“One of the things that smaller financial institutions need to keep in mind is that it’s not just the data, it’s not just the money, and it’s not just ransomware gangs,” said Kosak. “It may be their connections to other organizations. A lot of nation-states are increasingly targeting FIs based on their connections to other organizations, to get their foot in the door within that larger sector.”
How Criminals Are Leveraging Social Engineering
In the fight against cyberattacks, humans are always the weakest link. The same techniques used to socially engineer consumers into falling for scams can also be waged against bank employees or contact center staff. These employees may then be coerced into divulging sensitive information, such as intellectual property or details about customer accounts.
One tactic that has grown in popularity in recent years involves performing reconnaissance on LinkedIn or other social media platforms to identify the right individuals to target. The criminal then impersonates that employee in a call to the IT help desk and asks for a password reset; a successful reset hands the attacker the employee's credentials and, with them, access to protected information.
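The help-desk reset described above leaves a recognizable trace: a reset performed by a help-desk agent, followed shortly by a login from an IP address and device the account has never used. The following detection logic is an added example, not code from the article or from LastPass or Javelin; the event format, field names and the one-hour window are assumptions for illustration, and the log events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Two help-desk password resets,
# each followed by a login. Only jsmith's post-reset login comes from an IP and
# device the account has never used before.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "type": "login", "user": "jsmith",
     "ip": "10.1.1.5", "device": "laptop-7781"},
    {"ts": "2024-03-02T09:05:00", "type": "login", "user": "jsmith",
     "ip": "10.1.1.5", "device": "laptop-7781"},
    {"ts": "2024-03-03T14:10:00", "type": "helpdesk_reset", "user": "jsmith",
     "agent": "hd-agent-12", "ticket": "HD-4412"},
    {"ts": "2024-03-03T14:22:00", "type": "login", "user": "jsmith",
     "ip": "203.0.113.9", "device": "unknown-android"},
    {"ts": "2024-02-20T08:00:00", "type": "login", "user": "aroberts",
     "ip": "10.1.2.8", "device": "laptop-2210"},
    {"ts": "2024-03-03T15:00:00", "type": "helpdesk_reset", "user": "aroberts",
     "agent": "hd-agent-12", "ticket": "HD-4413"},
    {"ts": "2024-03-03T15:10:00", "type": "login", "user": "aroberts",
     "ip": "10.1.2.8", "device": "laptop-2210"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Flag logins that follow a help-desk password reset within `window`
    and come from an (ip, device) pair never seen for that user before.

    Returns a list of alert dicts, one per suspicious login."""
    known = {}    # user -> set of (ip, device) pairs seen in earlier logins
    pending = {}  # user -> most recent help-desk reset not yet followed by a login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        user = ev["user"]
        if ev["type"] == "helpdesk_reset":
            pending[user] = ev
            continue
        if ev["type"] != "login":
            continue
        fingerprint = (ev["ip"], ev["device"])
        reset = pending.pop(user, None)
        if reset is not None:
            delta = parse_ts(ev["ts"]) - parse_ts(reset["ts"])
            # Only the first login inside the window is tied to the reset;
            # a login after the window expires is treated as ordinary traffic.
            if delta <= window and fingerprint not in known.get(user, set()):
                alerts.append({
                    "user": user,
                    "ticket": reset["ticket"],
                    "agent": reset["agent"],
                    "ip": ev["ip"],
                    "device": ev["device"],
                    "minutes_after": int(delta.total_seconds() // 60),
                })
        # Every login, suspicious or not, becomes part of the user's baseline.
        known.setdefault(user, set()).add(fingerprint)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

The rule is deliberately narrow: a reset followed by a login from a known device is normal help-desk traffic and produces nothing, so the alert volume stays low enough for a small security team to review each one. Keying the alert on the agent and ticket number also makes it easy to spot one agent being worked repeatedly by the same caller.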
“These attacks are getting much more targeted,” Goldberg said. “They could include everything from stealing from consumers to roping them into money mule activity that’s being used to launder funds. This could be used to support some kind of terroristic financing. You might assume it would be larger institutions that would be more concerned about that, but it can trickle down to the smaller institutions as well.”
One of the most dangerous threats to smaller banks comes from infostealers, malware that harvests saved credentials, session cookies, and other data from the machines it infects. Over the past five to seven years, industry specialists have seen these attacks grow by more than 200%.
Initial access brokers who resell the credentials and access that infostealers harvest are quick and efficient, and they have plenty of buyers. From a supply-and-demand perspective, this creates strong incentives for others to move into this space. Even when law enforcement disrupts a significant infostealer operation, there are still plenty of opportunities for other initial access brokers to fill the resulting void.
Collective Insights Help Fight Fraud
When institutions share the threats they encounter and their analysis of the situation, everyone gains from the collective insights. However, when banks choose not to share that information, the only ones who benefit are the threat actors themselves.
Smaller, resource-constrained financial institutions may find it challenging and time-consuming to determine not only how they’re being targeted but also who is behind the attacks. Yet, this information is key.
“If you can understand not just how they’re targeting you, but who’s targeting you, you get a much broader picture of the sort of tactics, techniques and procedures you need to defend against,” said Kosak. “If you’re just focusing on activity you’ve already seen, you can block against those efforts, but you don’t know what’s next.”
The Growth of Deepfakes
The democratization of deepfake technology has advanced rapidly, leaving every financial institution vulnerable to its threats. Technology has progressed to the point where criminals can now create deepfakes on their phones from just a few seconds of audio.
Increasingly, deepfakes are being used to call into customer service centers and impersonate legitimate customers. This undermines voice biometrics as an authentication factor, intensifying the arms race between institutions trying to verify customer identities and criminals attempting to bypass those checks.
While the number of deepfake calls has gone up substantially over the last two years, the long-term concern is video deepfakes. Perhaps the scariest part of this threat is that it is only the beginning of how far it can go.
A related threat comes from synthetic identities. Criminals combine stolen personally identifiable information (PII) with fabricated details to create new personas that can open accounts and infiltrate supposedly secure systems. These identities can be very difficult to detect because they do not impersonate any single actual customer, so there is no victim to notice and report the fraud.
Fighting Back
So, what should smaller FIs be doing to protect themselves from these threats? Enforcing basic multi-factor authentication, for both customers and employees, remains absolutely critical. Moving toward passkeys, which are phishing-resistant because each credential is bound to the site it was registered with, is also important.
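To show concretely why passkeys resist the phishing and help-desk tricks discussed above, here is the set of checks a relying party performs on a WebAuthn assertion, written as an added example that is not code from the article, from LastPass or from Javelin. The relying-party ID `bank.example`, the origin, the challenge bytes and the counter values are all assumptions for illustration; the assertion data is constructed inline rather than produced by a real browser or authenticator, and the cryptographic signature check over the credential's public key is described but not performed, since it needs a key pair the example does not have.

```python
import base64
import hashlib
import json

# Assumed relying-party settings (hypothetical bank domain).
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON: the browser fills in the page's real origin,
    so a lookalike phishing site cannot claim to be the bank's origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4).
    Flags 0x05 = user present and user verified."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([0x05])
            + sign_count.to_bytes(4, "big"))


def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs with the credential's private key.
    Verifying that signature against the stored public key is the final step
    and is not shown here; it runs over exactly this value."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int):
    """Relying-party checks from the WebAuthn assertion ceremony.
    Returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence not asserted"
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    # A counter of 0 means the authenticator does not support counters.
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


def demo():
    challenge = bytes(range(32))  # per-login server nonce; fixed here for the example
    legit = verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                             build_authenticator_data(RP_ID, 42), challenge, 41)
    # Phishing page on a lookalike domain: the browser records that domain as the
    # origin and only lets the page request an RP ID it is allowed to claim.
    phished = verify_assertion(build_client_data("https://bank-example.com", challenge),
                               build_authenticator_data("bank-example.com", 42), challenge, 41)
    # Even if the origin field were somehow right, a credential scoped to another
    # RP ID produces a different rpIdHash and is rejected.
    wrong_rp = verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                                build_authenticator_data("bank-example.com", 42), challenge, 41)
    # Replaying an old assertion fails the counter check.
    replay = verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                              build_authenticator_data(RP_ID, 42), challenge, 42)
    return {"legit": legit, "phished": phished, "wrong_rp": wrong_rp, "replay": replay}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The origin and rpIdHash checks are what make the difference from a one-time code: a user tricked onto a lookalike site can read a TOTP code off their phone and type it into the wrong page, but a passkey assertion produced on that page carries the wrong origin and wrong RP ID hash, and the bank's server rejects it without the user needing to notice anything.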
Beyond that, a right-sized threat intelligence program can be beneficial for any financial organization. A program that includes external engagement can help facilitate information sharing, allowing even small institutions to make critical connections.
Consumers have come to rely on financial institutions or other entities to let them know if their identities have been breached in some way. That makes educating both customers and employees a key part of any strategy.
People interacting with cybercriminals will always be the weak spot in the defense against them. Identity and Access Management (IAM) programs, which manage user identities and control who can access which resources, are a way to automate a critical part of that process and take the judgment call away from an individual employee. Kosak and Goldberg advocate automating as much of the defense as possible.
“The more you can take the human out of the authentication process, the better off you’re going to be,” Goldberg said.