Breaking the bank: How email scams target financial institutions

Picture the scene. You’re running a financial organisation that is, for all intents and purposes, the digital equivalent of a Fort Knox. Your cyber defences are formidable, your staff well-trained, and your compliance paperwork, well, compliant.

Then you get hit by a simple-looking email that results in millions of dollars going walkabout, sensitive data leaked, and a regulatory finger-wagging of epic proportions.

No ransomware. Just one clever piece of business email compromise (BEC).

BEC attacks: What you need to know

BEC is essentially a simple but devastating deception. A threat actor leverages email to trick targets into transferring funds, sensitive data, or both.

As highlighted in the Arctic Wolf 2025 Threat Report, the current state of BEC is a concern because:

  • BEC makes up 27% of all incident response cases, making it the second-biggest source of security incidents.
  • Human error is behind 99.2% of BEC root causes, with phishing accounting for 73.5%.
  • The finance and insurance industry makes up 26.5% of all BEC cases—nearly double the next highest sector—and it’s the only industry where BEC has surpassed ransomware.

Why are BEC numbers so high? Simply put, because it works. And the strategy behind it is straightforward: using BEC, attackers target organisations that handle large sums of money and rely on email communication.

Common BEC tactics include:

  • Phishing emails that steal your login details.
  • Pretending to be a trusted contact, like your CEO or a supplier (or both).
  • Taking advantage of already hacked accounts.
  • Using AI-generated traps that look just like real messages.

The days of spotting a phishing email by its poor spelling are over. Today’s attackers craft messages with more precision than many corporate communications teams.

The critical change in status for financial institutions

Banks, super funds, insurers, and credit unions have been officially classified as ‘critical infrastructure’ under the 2022 Security Legislation Amendment (Critical Infrastructure Protection) Act (SLACIP). This emphasises just how important it is to keep this industry secure and protected.

But why is the financial services industry such a popular BEC victim?

  1. Big money, big target: Financial institutions deal with large sums of money daily, making them an attractive option for attackers looking for big payouts.
  2. Access to sensitive data: These institutions store confidential information about wealthy individuals and businesses, which attackers can use for more fraud.
  3. Relying on trust: Employees often need to quickly process wire transfers and invoices to keep customers happy, which creates opportunities for social engineering attacks.
  4. Complex vendor networks: Financial firms depend on various third-party vendors, increasing the risk of compromised communications and fake payment requests.
  5. Advanced impersonation tactics: Attackers use tricks like spoofing and malware to pose as trusted contacts, slipping past basic cybersecurity measures.

Growing regulatory pressure and rising fines

Adding fuel to the fire is evidence that legal enforcement is no longer an empty threat. In fact, the Australian Securities and Investments Commission (ASIC) is very obviously cracking down.

Recent lawsuits, like the one against FIIG Securities for “systemic and prolonged cybersecurity failures”, are a clear warning.

ASIC’s enforcement, only the second of its kind, flags inadequate cybersecurity as grounds for civil penalties, highlighting the fact that financial institutions can’t afford to drag their feet when it comes to following regulations anymore.

Guidelines for taking back control

To tackle cybersecurity challenges in the industry, most financial organisations are required to follow the Australian Prudential Regulation Authority (APRA) CPS 234 Information Security Standard.

The CPS 234 standard is, in many ways, the playbook for safeguarding information and operational resilience. Finserv companies are required to:

  • Set clear roles: The board plays a big role in information security, setting expectations and ensuring proper oversight.
  • Stay cyber-strong: Companies need solid security systems that match their size and risks, doing regular checks on potential threats and keeping them in check.
  • Monitor vendors: Keep a close eye on third-party providers, checking their security regularly and managing any risks they pose.
  • Implement solid policies: Have a clear set of cybersecurity rules everyone knows and follows, from employees to vendors.
  • Organise information: Rank data based on how critical or sensitive it is. Know what’s at stake if something goes wrong.
  • Test often: Regularly check if security systems are working, and fix any issues fast.
  • Report issues: Serious security problems? APRA wants to know within set timeframes.

7 ways to make a stand against BEC

If you now feel like you’re sitting under the Sword of Damocles, you’re not wrong. But all is not lost.

Here are some direct, tangible steps that teams at every level can take to cut down on risk:

  1. Ongoing phishing training. Teach staff to question every out-of-character email—even if it appears to be from their own CEO.
  2. Strong access controls. Implement biometric or possession-based multi-factor authentication.
  3. Credential management. Monitor for compromised credentials appearing on the dark web.
  4. Asset inventory. Know your systems, regularly update them, and close any open doors.
  5. Continuous monitoring and logging. Trust, but verify. Actually, don’t trust; just verify.
  6. Third-party risk management. Vendors’ security policies should be as solid as your own, or you could risk exposure despite your best intentions.
  7. Schedule and action regular security audits and penetration tests. If you can’t remember your last test, assume it never happened.
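The impersonation tactics described earlier (an executive’s display name on an outside mailbox, a lookalike supplier domain, a spoofed internal sender with an external Reply-To) are the kind of thing continuous monitoring is meant to catch before a wire goes out. As an added example that is not from the original article, the Python below runs those checks over a few constructed message headers; the institution domain, executive names and vendor domain are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions, not from the article): the institution's own domain,
# executives whose names get borrowed for "urgent transfer" requests, and the payment-vendor
# domains whose lookalikes show up in fake change-of-bank-details emails.
INTERNAL_DOMAIN = "examplebank.com.au"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "trusted-supplier.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    # Comparison form: lower-case, digit-for-letter swaps folded back, "rn" folded to "m",
    # hyphens and dots dropped, so "trusted-supp1ier.com" collapses onto the real vendor.
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("-", "").replace(".", "")

def is_lookalike(domain):
    # Not a trusted domain itself, but collapses to the same skeleton as one.
    return domain not in TRUSTED_DOMAINS and skeleton(domain) in {skeleton(d) for d in TRUSTED_DOMAINS}

def assess(raw_message):
    # Return the BEC indicators found in one RFC 822 message; an empty list means none fired.
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append("executive display name on an external sender address")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if is_lookalike(from_domain):
        findings.append("sender domain is a lookalike of a trusted domain")
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims internal origin but DMARC did not pass")
    return findings

def triage(samples):
    # Map message id -> findings; anything non-empty is held for a human before any payment.
    return {name: assess(raw) for name, raw in samples.items()}

# Constructed sample messages standing in for what the mail gateway would hand over.
SAMPLES = {
    "ceo_gmail": "From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: Urgent wire\n\nPay today.\n",
    "lookalike_vendor": "From: Accounts <billing@trusted-supp1ier.com>\nSubject: New bank details\n\nSee attached.\n",
    "spoofed_internal": ("From: John Smith <john.smith@examplebank.com.au>\nReply-To: js@outlook.com\n"
                         "Authentication-Results: mx.examplebank.com.au; dmarc=fail\nSubject: Invoice\n\nSee attached.\n"),
    "clean": ("From: John Smith <john.smith@examplebank.com.au>\n"
              "Authentication-Results: mx.examplebank.com.au; dmarc=pass\nSubject: Lunch\n\nSee you at 12.\n"),
}
```

Running `triage(SAMPLES)` flags three of the four messages and leaves the authenticated internal one alone; a gateway would hold the flagged ones for a second channel (a phone call to a known number) before any payment detail is changed.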

Is your business continuity and cybersecurity planning up to scratch?

BEC is here to stay, skilfully exploiting simple human error and complex organisational blind spots alike. The era of blaming bad luck or rogue emails is behind us. Regulators are watching, fines are increasing, and customers are ready to walk away at the first sign of weakness.

No one expects financial institutions to become Fort Knox overnight. But with the right mix of continuous education, robust controls, and a healthy dose of cyber-paranoia, you can be the hardest target on the block.

Because hope is not a strategy, and ignorance is expensive.

© 2021 Global Storage. All rights reserved.