By Matt Lindley, COO and CISO at NINJIO
Financial technology is one of the world’s fastest-growing industries. Many aspects of our lives have become digitized, but one of the most marked digital transformations has taken place in the financial sector. Consumers want the freedom to manage their money on demand with mobile banking, accessible digital investment platforms, and payments apps that give them greater control over their finances. However, as fintech usage rates have surged, cybercriminals are exploiting the sector.
The financial industry is one of the top targets for cyberattacks, and the rapid growth of fintech adoption has drastically increased the size of the attack surface. This has significant cybersecurity implications for these companies, which must focus on securing their networks and operations at multiple levels. For example, fintech companies need to understand how cybercriminals use social engineering to infiltrate their systems and what can be done to stop these attacks. While there must be robust security measures in place for end users, it’s also vital to build cybersecurity awareness among employees across the entire organization.
Fintech platforms have made services far more accessible to consumers, but this makes them easier and more lucrative targets for cybercriminals. This is why security leaders at fintech companies have a responsibility to prioritize cybersecurity as growth continues to accelerate.
A rapidly growing industry confronts new cyber risks
Despite the already-explosive growth of the fintech industry, Boston Consulting Group expects this growth to increase fivefold by the end of the decade. Consumers aren’t just looking for more effective and convenient ways to manage their money — there are still 1.4 billion unbanked adults around the world, and many more who lack access to essential financial services. This presents a huge growth opportunity for fintech companies, but it also highlights the daunting cybersecurity challenges the industry faces.
According to IBM’s 2024 Cost of a Data Breach report, the average cost of data breaches in the financial sector is higher than in any other industry besides healthcare. The average breach costs financial companies over $6 million, compared to $4.88 million across all companies. Cybercriminals are particularly focused on fintech because the platforms facilitate so many financial transactions every day and provide a direct line to customers’ money. Fintech companies also have troves of extremely sensitive customer data, including bank account and Social Security numbers, tax information, and biometrics.
Cybercriminals are developing increasingly sophisticated ways to manipulate employees and end users to gain access to fintech accounts and data. As fintech platforms expand their services and manage more transactions, the number of attack vectors in the industry will continue to rise. This is why it has never been more critical to establish comprehensive and adaptive cybersecurity protocols capable of addressing these vulnerabilities.
How cybercriminals are targeting fintechs
Fintechs navigate unique cybersecurity obstacles. While they are under constant pressure to increase the pace of digital innovation and adoption, this is one of the factors that makes the industry especially susceptible to fraud. The top four challenges cited by industry leaders are fraud, compliance and regulatory requirements, data sensitivity, and the speed of the digital transformation. This is why security leaders in the industry need to focus on the most urgent cyberthreats they face, and social engineering is at the top of the list.
Social engineering is one of the most powerful cybercriminal tactics. IBM reports that phishing ranks among the most common and financially destructive initial attack vectors, and phishing attacks are becoming far more effective thanks to AI tools like large language models and deepfakes. Stolen or compromised credentials are used to launch cyberattacks more than any other method, and these credentials are often obtained through social engineering. Verizon has consistently found that the human element is a major component of data breaches — its latest research finds that 68 percent of breaches involved a human’s mistake at some point.
The financial services industry is no exception. Verizon reports that finance suffered more cyber incidents than almost any other industry over the preceding year — including a rise in social engineering attacks. There was also a significant spike in system intrusion, which often relies on ransomware and stolen credentials. Researchers observe that cybercriminals frequently use social engineering attacks like phishing to acquire these credentials, which underscores the importance of cybersecurity awareness training.
Building stronger fintech cyber defenses
The financial services industry has undergone a sweeping digital transformation. Seventy-one percent of consumers prefer to manage their bank accounts through an app or a computer, and the use of mobile banking as the primary form of account access increased more than threefold from 2017 to 2023. It’s no wonder that IT spending on anti-fraud measures is growing rapidly — a trend consistent with increases in cybersecurity spending more broadly. Fintech security leaders are responsible for allocating these resources toward the most effective solutions, such as cybersecurity awareness efforts for both employees and customers.
According to IBM, employee training reduces the average cost of data breaches more than any other factor. Cybersecurity awareness is particularly crucial as AI enables cybercriminals to launch more effective social engineering attacks on a larger scale than ever before. For example, Microsoft reports that AI will usher in a “new era of phishing schemes.” Cybercriminals can use AI-powered tools like LLMs to produce targeted and error-free phishing messages to steal account credentials from fintech employees and customers. They can make these attacks even more sophisticated with deepfakes that impersonate financial services professionals, IRS agents, regulators, third-party software providers, and other individuals who could coerce employees and consumers into disclosing sensitive information.
McKinsey reports that 70 percent of financial services companies believe they’re under-investing in cybersecurity, while 57 percent are concerned that they aren’t “keeping pace with emerging technologies, specifically with respect to their cybersecurity expenditures.” One pervasive concern, noted by two-thirds of companies, is a lack of “appropriately skilled cybersecurity talent.” While well-trained IT and security teams are important, companies can’t overlook the value of cybersecurity awareness at every level of the organization. With the profusion of attack vectors in the fintech sector, it is necessary to have distributed defenses that can address the full range of vulnerabilities that companies face.
The evolution of fintech will continue to gain momentum in the coming years, enabled by revolutionary technology like AI and the demand for more accessible and powerful digital financial services. By investing in cybersecurity awareness today, fintech companies will position themselves for continued growth that won’t be tainted by the operational disruptions and loss of consumer trust that cyberattacks can cause.
About the author
Matt Lindley is the COO and CISO of NINJIO, and he has more than a decade and a half of experience in the cybersecurity space. Prior to NINJIO, Matt was the CEO of REIN Cybersecurity, LLC., the senior technology manager and director of security services at Cal Net Technology Group, and the virtual CIO at Convergence Networks. He has held many other leadership positions in the industry, and he’s an authority on IT, security, and a range of other issues.