The financial services sector in Asia Pacific and Japan (APJ) continues to be one of the most attacked industries in the world, with web application and API attacks growing 36% to over 3.7 billion in the second quarter of 2023 compared with the same period of 2022.
According to a new State of the Internet report from Akamai Technologies, Local File Inclusion (LFI) remains the top attack vector.
Also, 92.3% of attacks against APJ’s finance sector were targeted at banks, posing a huge threat to both financial institutions and their customers.
Financial services firms in APJ were also found to be using more third-party scripts as they develop more channels and better customer experiences, with 40% of the scripts being third party in nature.
These data points show that organisations, especially banks and consumer-centric institutions, are at severe risk as they expand their digital footprint to reach more customers and gain a competitive edge.
Reuben Koh, Akamai’s security technology and strategy director in APJ, said the region’s financial services sector is one of the most innovative and competitive in the world, where financial institutions are increasingly turning to third-party scripts to quickly add new offerings, features, and interactive experiences for customers.
“However, businesses usually have limited visibility into the authenticity and potential vulnerabilities of these scripts, introducing yet another layer of risk to the business,” said Koh. “Due to this limited visibility of risky third-party scripts, threat actors now have yet another vector to launch attacks against banks and their customers.”
Further, Akamai found that malicious bot traffic in APJ jumped 128% from 2022, which underscores the continued assault against financial services customers and their data. Cyber criminals use bots to amplify the scale, efficiency, and effectiveness of attacks.
APJ is the second most-targeted region in the world for malicious bot requests against financial services, accounting for 39.7% of all malicious bot requests worldwide.
Use cases include website scraping to impersonate the websites of financial services brands for phishing scams, and credential stuffing via automated injections of stolen usernames and passwords for account takeovers.
This highlights that threat actors are constantly evolving their techniques and have started to focus their attacks on financial service consumers to get the most return on investment.
The report also found that web applications and APIs remain the attack vectors of choice in APJ, with the finance sector accounting for 50% of attacks in this category, followed by commerce (20%) and social media (8.3%).
Global financial hubs Australia, Singapore, and Japan were named the top three most targeted countries in APJ — together accounting for more than three-quarters of all web application and API attacks.
Businesses in the financial services sector in APJ must continue to keep a lookout for additional regulatory oversight and new reporting obligations. New regulations may be increasingly enforced, and businesses must ensure they take these new compliance requirements into account or risk fines or reputational damage.
“Financial institutions must focus on securing new digital offerings, continuously educating customers on cyber hygiene best practices, and investing in frictionless security measures for users,” said Koh.
“As regulators enforce policies to strengthen cybersecurity standards, it is also important for financial services organizations to understand and account for new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats,” he added.