COVID-19: Exploiting Finserv Vulnerabilities

Pandemic: A Natural Selection for Offline Retailers

The pandemic has led to a drop in turnover across industries. Retail behemoths such as Zara and Primark reported their first losses during COVID-19, as the pandemic changed how consumers shop.

A recent Statista study on the projected impact of COVID-19 on brick-and-mortar sales in Europe between March 9, 2020, and April 21, 2020, reveals that retailers are expected to face a loss of 3.26 billion British pounds due to disruptions caused by the current outbreak.

Source: COVID-19 Commerce Insight, an Emarsys Initiative in Cooperation With Gooddata

According to Forbes, consumers have already started creating and reinforcing new online buying behaviors and habits since COVID-19 began. Consumers moved many retail transactions online; in many households, online grocery, apparel, and entertainment shopping are expected to replace store and mall visits at least until a vaccine is available. The WTO recently reported that, due to social distancing and stay-at-home requirements, e-commerce in services that can be delivered electronically has flourished, with demand rising sharply. The pandemic also shaped the adoption trajectory of digital (and mobile) banking: there is a visible shift towards FinTech products across continents. A Mastercard survey dated April 2020 shows that consumers are using contactless and other digital payments at record levels worldwide. Nearly eight in 10 consumers globally are expected to shift permanently towards contactless payments.

COVID-19 led to a change in consumer perception, which became an open call for digitalization. For many companies, online growth helped to mitigate revenue losses. The crisis reaffirmed the importance of digitalization from a public health, accessibility, and economic point of view.

Even though the pandemic accelerated opportunities for digitalization and agile infrastructures, it’s too early to break out the party hats. The demand boost for e-commerce and internet banking highlighted the vulnerabilities of many prominent corporations’ online presences and led to several major cybersecurity attacks. At the beginning of this year, many domain conferences, including Paris FinTech Forum, Finovate Europe, and Merchant Payments Ecosystem 2020, highlighted that 2020 is the year of RegTech and cybersecurity. Experts stressed the urgency of addressing the KYC, data privacy and optimization, cybersecurity, AML, and CTF issues, to complement and improve FinTech and financial services. Little did we know.

The Biggest Cybersecurity Bait 

Many industries slowed down or ceased their activities during the lockdown, but cybercriminals were busier than ever. The number of phishing and scam e-mails consumers received has skyrocketed since the pandemic began. According to Interpol, cybercriminals took advantage of the widespread global communications on the coronavirus to mask their activities. Malware, spyware, and Trojans have been found embedded in interactive coronavirus maps and websites. Google revealed that scammers were sending 18 million hoax e-mails about COVID-19 to Gmail users every day since the pandemic began, adding that the virus might be the most significant phishing topic ever.

Crisis and panic create the perfect setup for cybercriminals. Aware of the security gaps, hackers target confused consumers and overwhelmed, understaffed institutions. Banking, retail, and even the airline and health industries were among the sectors that had their share of cyber-attacks during the lockdown. In April, the WHO reported an increase in the number of cyber-attacks directed at its staff, and in e-mail scams targeting the public at large. EasyJet’s cyber-attack in May exposed the personal data of 9 million customers, along with the credit card details of an additional 2,200 passengers. As for FinServ, the pandemic has been connected to a 238% surge in cyberattacks against banks, VMware Carbon Black research claims. According to the research, 82% of surveyed financial institutions said cybercriminals have become more sophisticated, leveraging highly targeted social engineering attacks and advanced TTPs for hiding malicious activities. Ransomware attacks against the financial sector increased ninefold from the beginning of February to the end of April 2020.

“Do as I Say, Not as I Do”

The financial industry is centered around reliability and trust. Unfortunately, most financial service players do not appreciate the work that maintaining that trust requires. In 2019, BCG highlighted that financial services firms are 300 times as likely as other companies to be targeted by a cyberattack. Despite the growing need to strengthen information security and cyber-resilience, BCG found that many financial institutions are underequipped and do not have the infrastructure to respond in time. Past incidents have hit financial institutions and start-ups as well as central banks, including the European Central Bank (2019).

“America is grappling with a cyberinsurgency, and our financial sector is the number one target… Cybercriminals are evolving in both attack sophistication and organization. We must pay close attention to how we respond to these threat actors and what their ultimate goal is—hijacking digital transformation efforts via island hopping. Trust and confidence in the safety and soundness in the US financial sector is dependent on cybersecurity.” – The Written Testimony of Tom Kellerman, Head of Cybersecurity Strategy at VMware Inc., before the House Subcommittee on National Security, International Development, and Monetary Policy.

Cybersecurity: Not Just Another Item on The Compliance Checklist

Cyber-attacks aim to gain access to personal data, credentials, and liquidity. In some cases, the attack is nothing more than a challenge for the hackers, a test of the company’s security system. In other cases, the access gained through the cyber-attack enables further crime: sometimes ransom, sometimes money laundering and terrorist financing. Verizon’s study revealed that 91% of breaches against financial institutions in 2020 were financially motivated, 3% were motivated by espionage, and another 3% were motivated by a grudge.

Source: The Real Cost of Cybercrime – Raconteur 

The cost of cyberattacks is high. Financial institutions suffering from cyber-attacks have to deal with the interruption of business operations and the loss of data and/or funds, in addition to the potential fines and damage claims that are likely to follow. Beyond the direct economic damage, cyberattacks are particularly harmful to the organizational DNA, and the recovery process can be destructive for the institution’s reputation. Cybersecurity failures harm more than IT and compliance; the aftermath is often closely connected to strategy, branding, and market position.

Battle-Plan Against Cyberinsurgency

Cybercriminals erode trust in banking, and financial institutions are expected to put their best foot forward to avoid and combat cybercrime. Preaching is easy, but how can financial institutions better identify red flags? We compiled some strategic initiatives that could help financial institutions prepare for and prevent attacks:

  • All in all, financial institutions have an obligation to avoid cyberattacks. Nevertheless, installing sophisticated software does not by itself discharge that accountability. Anticipation precedes prevention; for long-term success, financial institutions should first identify their own vulnerabilities. Only after testing and learning their process weaknesses will they be able to foresee potential attacks. After all, cybercriminals exploit and punish systemic weaknesses, and financial institutions should make discovering these weaknesses before external attackers do a priority.
  • Financial institutions should also invest time in “customer definition.” Most financial institutions collect a great deal of data but are not aware of how to best use it. Knowing bank customers beyond their personal data and understanding their banking behavior will help banks distinguish fraudsters better, preventing avoidable costs and staying on top of their game. This will also minimize unnecessary card and account blockings due to suspicious activity, which are frustrating for the customer when the alert is a false positive.
  • The customary communication from financial service providers consists of transaction data, monthly statements, and feature-update e-mails/notifications. Providers that go above and beyond this tradition and make an effort to educate their users might make headway with fraud prevention. Financial institutions that invest in educational customer onboarding can get a head start and eliminate many payment and card fraud costs: teaching customers about the types of possible fraud (fake apps, fake warning messages and alerts, etc.) and how not to fall victim, the use of secure networks, how to generate unique passwords, and how to select legitimate e-commerce providers.
  • Remote working and understaffed office hours during COVID-19 have made financial institutions more vulnerable than usual, since more and more employees started accessing sensitive data through unsecured networks. This points to the need for secure remote access, secure databases, and backups. The post-COVID era of work should be seen as an open call for all financial service providers to build a secure and reliable infrastructure for working remotely. Investing in a home-office infrastructure will ensure continuity during future force majeure events, while backup databases will cover worst-case scenarios and prevent data loss.
  • No matter how sophisticated a cybersecurity mechanism is, cybercriminals will always level up and adapt. In general, fraudsters bring all their resources and modern techniques on board, including advanced machine learning and artificial intelligence, to attack with sophistication on a huge scale (Ekaterina Safonova, The PayTech Book, Wiley). They are dynamic, and so should financial institutions be. Financial service providers should not stop at periodic tests to check cyber resilience off the list; there should be continuous examination and analysis, adapting the prevention mechanisms to the latest technical developments.
  • Cybersecurity expert Ekaterina Safonova highlights the importance of getting into the minds of cybercriminals and fraudsters in The PayTech Book (Wiley, 2020): “KYC is important for building loyal, long-term relationships with customers, how about KYF (Know Your Fraudster)?” Only by analyzing and cracking cybercriminals’ behavioral patterns can sustainable fraud prevention be built.
  • Last but not least, resilience against cyberattacks is strengthened by communication and collaboration within and across industries. Financial institutions that have suffered cyber-attacks should be prepared to share incident data and statistics with other players, which could be crucial for building collective intelligence in the long run. Besides, a major cyber-attack or data breach that targets a widely used social media or retail platform should be treated as an immediate red flag for financial institutions, since most cybercriminals use compromised customer data to obtain FI credentials and access. FIs should take the time to warn their customers and remind them how to stay securely connected. Being aware of data breaches that might affect their customers and sharing guidelines with their users will allow financial institutions to stay one step ahead (prevention versus rectification).

Cybersecurity: Luxembourg’s Position

Luxembourg aims to position itself as a leading European location for cybersecurity start-ups, talent, investors, and experts looking for growth opportunities. The ecosystem hosts many up-and-coming start-ups such as Hacknowledge, Fineksus, Jemmic, and Uniken. One of the initiatives created in collaboration with public and private bodies to connect all relevant parties is the PwC Cybersecurity Day, which offers a unique opportunity to gain insights into the latest international trends in cybersecurity and privacy.

Applications close on the 30th of June for the next edition of the PwC Cybersecurity Day, which is planned to be held remotely on the 29th of October.


Author: Sebnem Elif Kocaoglu Ulbrich, Fintech Consultant & Author



The LHoFT Foundation

The LHoFT Foundation is a not-for-profit initiative supported by the public and private sector to drive innovation for, and digitalisation of, Luxembourg’s financial services industry. The LHoFT is the national platform and central hub for Fintech, working to connect the domestic and international community to solve challenges and address opportunities that will ensure the financial industry’s continued competitiveness.
