By Murtaza Bhatia, Sales Director, Cyber-security, NTT Ltd. in India
The BFSI (banking, financial services, and insurance) sector in India has undergone significant digital transformation in recent years, driven by factors such as increasing customer demand for digital services, the proliferation of mobile devices and internet connectivity, and the need to reduce costs and improve efficiency. As organizations in this sector seek to improve customer experience and stay competitive in an increasingly digital environment, the security threats have also accelerated in a similar proportion. We take a look at some of the biggest security threats for the BFSI sector in 2023:
India at the forefront of innovative phishing attacks: Phishing has been an all-time favorite of hackers, and hackers are constantly innovating to improve the efficiency of their attacks. In November 2022, Trend Micro researchers discovered a big uptick in the number of phishing attacks targeting banking customers in India. The most common method is sending an SMS with a phishing link and luring a potential customer to fill in their personally identifiable information to get reward points or refunds. The target – subscribers of seven popular banks with millions of customers. Similarly, security firm, CloudSEK’s Threat Research & Information Analytics Division (TRIAD), discovered unique phishing methods used by hackers to target the Indian banking industry. This include using Zoho forms to gain access to sensitive personal information, or Cloudfare pages to launch phishing campaigns or using Hostinger’s preview domains feature to host phishing sites and evade detection. In 2023, we expect this trend to accelerate in a big way.
Rise of customized malware for Indian BFSI firms: In 2023, we will see a rise in the number of malware that has been created specifically for targeting firms in the Indian BFSI sector. A case in point is an Android malware called ‘Drinik’ that has been created to target Indian taxpayers to steal personal information and banking credentials by impersonating the Income Tax department’s official tax assistance app. The latest version targets 18 specific Indian banks and targets only those users with legitimate income tax site accounts. This app is a sign of the times to come where cybercriminals create customized malware targeting India’s fast growing and lucrative BFSI sector.
Data breaches set to increase rapidly: India continues to lead the world in terms of real-time digital payments. The Boston Consulting Groupfor example, predicts that India’s digital payments market will expand more than thrice from the existing $3 trillion to $10 trillion by the year 2026. As more Indians pay using digitally, the number of data breaches will increase substantially. In August 2022, the Indian Government informed the parliament that Indian banks reported 248 successful data breaches by cybercriminals in the period between June 2018 and March 2022. Most data breaches pertained to data related to card details leakage and theft of business and non-business information. In 2023, as more organizations get digitally enabled, we can expect data breaches to increase substantially.
Ransomware continues to remain a big threat for BFSI firms: With its ambitious digital aspirations, India continues to remain in the crosshairs of international hackers. In 2022, CERT-In reported that ransomware attacks jumped 51% in the first half of this year. With the relatively easier availability of ransomware as a service kits that enables even lesser skilled hackers to carry out attacks, ransomware will remain a huge threat for Indian banks and financial services firms in 2023. As more hackers start attacking organizations, we expect hackers to transition to bigger and larger organizations, in their quest for a larger prize.
BFSI firms will struggle to protect personal data of customers: As competition intensifies in the lucrative BFSI sector, we can expect competitors to go to unprecedented lengths to acquire customers. BFSI firms hence will be extremely challenged to protect the data of their customers. This is validated by a customer survey done by LocalCircles, a Delhi-based consumer research company, which found out that 34% of people with bank accounts were approached with offers to open similar bank accounts. The survey also revealed that more than 50% of Indian consumers suffered a personal data breach that leaked their contact details to the public. The result — they were flooded with unwanted offers like loans and insurance. In 2023, we expect this trend to accelerate as more firms vie for the same base of customers.
Recommended best practices
To address many of the above mentioned issues, we recommend some of the following best practices
- Take an architectural approach to security. In this approach, Zero Trust should be the building block, where the first step must be to ‘trust no one and verify first’
- Improve awareness by providing education to the customers in terms of how to use and how to verify the messages from banks or financial services organizations
- Build in capabilities in end user apps to detect malicious attempts. Verify and prevent such communications (all communication from the bank must happen via apps and not on other channels as primary controls)
- Build better integration and stronger authentication with Fintech solutions for ensuring secure digital payments
- Create full stack visibility to capture malicious intent or transactions which are out of normal behavioral patterns