Cybersecurity in financial institutions 2016 — and what 2017 holds

As our research shows, the actual costs of a cybersecurity incident to a financial institution in the United States can add up to as much as $1,165,000.


We are digital natives, and with each passing day we put more of our lives online. We no longer stand and wait in lines; we connect to the Web for instant gratification. Convenient? You bet, but the move to the digital realm has also made us all targets for cybercriminals.

As society operates more and more online, traditional brick-and-mortar establishments have to do the same, and none more so than banks. People want everything at their fingertips, but especially their hard-earned cash.

A recent study conducted by Kaspersky Lab and B2B International of more than 800 representatives from financial institutions around the globe looked at trends cybercriminals exploit to steal money and data, as well as how the institutions plan to protect their customers from cyberthreats in the coming year.

After all, in this digital era, it’s all about credentials and payment information. In the United States, the top concerns for financial services included phishing/social engineering of customers (53%), attacks on local/branch offices (33%) and on digital/online banking services (31%), along with attacks on core transactional/back-office systems (23%) and on point-of-sale (POS) systems (20%).

2016 Global Trends


  • In 2016, the share of financial phishing increased 13.14 percentage points to 47.48% of all phishing detections. This figure is an all-time high according to Kaspersky Lab statistics for financial phishing caught on Windows-based machines.
  • The share of financial phishing encountered by Mac users accounted for 31.38%.

Banking malware

  • In 2016, the number of users attacked with banking Trojans increased by 30.55% to reach 1,088,900.
  • Users in Russia, Germany, Japan, India, Vietnam, and the United States are the ones most often attacked by banking malware.

Android banking malware

  • In 2016, the number of users who encountered Android malware increased 430% to reach 305,000 worldwide. This is mostly attributable to one Trojan that has been exploiting a single security flaw in a popular mobile browser for months.
  • Just three banking malware families accounted for attacks on the vast majority of users (81%).


Given that banks deal in real money, they are constant targets. The threats cost both institutions and users. Based on the institutions surveyed, the actual costs of a cybersecurity incident to a financial institution in the United States can be as much as $1,165,000. Business customers of these institutions see averages losses of $20,625; consumers who have fallen victim typically see losses of about $2,062.

The study also showed that two-thirds of the banks surveyed stated that they had been the victim of some type of financial fraud.

Looking to the future

When it comes to the security of online transactions, the stakes are high for everyone, so it is only natural to see financial institutions invest in increasing their cybersecurity.

Top 11 reasons for companies to increase investments in cyberprotection

10 trends emerged regarding what financial institutions will be focusing on in 2017 to increase security for their customers.

  1. Targeted attacks take advantage of easy marks as an entry point. Targeted attacks are a major global trend, and these threats to financial organizations are likely to be conducted through third parties, or contractors, that have financial relationships with them (office suppliers, cleaners, etc.). These service providers typically have weak or no protection at all and can be used as an entry point. For example, they might contact the finance department of target organizations with e-mails that are very likely to be opened — and that can contain malware or be a phishing attempt.
  2. Less-sophisticated threats are on the rise. The age of sophisticated malware has passed. Cybercriminals launch mass strikes and benefit from the scale. Why bother crafting something clever when a simple TeamViewer RAT works just as well? Indeed, why use malware infections when you can use social engineering or phishing with the same result? A leading bank pointed out that of the fraudulent incidents they face, 75% are social engineering and only 17% malware. Such attacks require less effort and cost less; even with lower odds of success they are still very profitable.
  3. Compliance isn’t enough. Compliance is often cited as the main reason for investing more in cybersecurity, and budgets are therefore usually allocated in favor of it. However, real protection lies beyond just meeting regulatory requirements. Strengthening security and introducing new protection technologies requires a more balanced approach to the allocation of resources.
  4. Regular penetration testing is key. Unseen vulnerabilities are real, and sometimes uncovering them means extra work for IT security personnel. With the implementation of sophisticated detection tools or penetration testing, vulnerabilities and incidents will emerge. If systems are hackable; the only question is who will do it first? Cybercriminals or trusted professionals can spotlight weaknesses.
  5. Insider operatives can be a uniquely tough threat. Employees at any level can be exploited by criminals. Sometimes third parties actually hire insiders to become a company’s employee with a hidden agenda. There are still marketplaces on the darknet where anyone can sell access to a company they work for — and this is the easiest way for hackers to get inside the network of large corporations. An efficient security strategy should go beyond protection of the perimeter to include techniques that can detect suspicious activity inside it.
  6. There’s always a new freshman class. Remember that there are more cybercriminals to come; entering the business has never been easier. With ready-made tools, affiliate networks and friendly fraudsters are more than willing to expand their business and target people looking for easy money. Even worse, new generations seem to have blurred moral borders and see little or no difference between “gray” cybercrime, such as hacking Steam accounts, and “black” cybercrime such as banking malware. How often do we see teenagers appearing in news articles about hacking and DDoS attacks?
  7. Risks may be multidimensional. People often don’t take threats seriously until it’s too late. An organization might not have had any incidents over the previous year, but that in no way means that the risks are not there. Banks can see that there is a lot of talk about the threat of mobile malware, for example, but they are not feeling the impact yet. In this case, part of our advice is, do not wait until a problem emerges: Take action now to ensure protection.
  8. Money is just one type of loss. Don’t see security as merely controlling monetary losses. Some banks are willing to pay extra to cover losses instead of increasing the efficiency of their security systems. Being an easy target will eventually result in more incidents and more costs in covering losses — as well as loss of reputation.
  9. Security is a shared responsibility. Many risks are very closely connected and require concerted actions. For example, if attackers plan to infect an ATM with a virus, to ensure maximum profit, they may purchase an ATM cash collection schedule from an insider. Combatting this threat requires actions from the department responsible for the ATM service, information security, and internal security. Such collaboration is required all the time; security challenges are growing more and more complex.
  10. New technologies require extra care. Digital financial technologies are growing fast, and the security solutions implemented in financial organizations need to be able to keep up with their development. Financial organizations should pay more attention to security considerations while investing in blockchain or IoT technologies. That way, only the organization and its customers, not cybercriminals, will benefit from innovations.