A Week in the Life of a Bank Threat Intelligence Analyst

It comes as no surprise, but the financial services and banking industry is the most-targeted industry by cybercriminals. The amount of user and account data available across the Dark Web has allowed cybercriminals to run large-scale fraud attacks and more successful phishing campaigns across a wide variety of attack vectors. As a result, cyber security and threat intelligence teams face a growing challenge of identifying and taking down these threats before they exploit the company or its customers.

Based on research we collected for our Financial Services Threat Landscape Report (July 2018), here’s a look into some of the threats financial services security teams must deal with week in and week out. For the most up-to-date info on the state of the financial services cyber threat landscape, download the most recent report.

Weekly Bank Threat Intelligence Statistics

As part of our monitoring and threat intelligence process, we collect data on attack indications, leaked credentials, leaked credit cards and the creation of fake social network profiles, among other threat types as well. For our report, we analyzed data collected on the top 50 banks and financial services organizations in the US and Europe.

Here’s how an average week breaks down in terms of new threats targeting financial organizations.


Threat Types Explained

While these numbers might not shock you, keep in mind that these are incidents happening each week on a per bank basis. When you extrapolate these numbers across all banks over the course of a year, that amounts to a huge number of threats that banks need to fend off. All it takes is for one of these threats to go unnoticed or un-remediated for an attack to be successful.

If banks and financial organizations don’t have a comprehensive threat intelligence program in place, it’s incredibly difficult for threat and fraud teams to find AND mitigate these threats every week. Furthermore, threat teams typically deal with a mountain of generic alerts and IOCs, so they need intelligence that will help them identify the specific threats that directly target their organization and customers.

Let’s dive a bit deeper into each one of these threat types and what they mean for banking and financial services organizations.

20.0 Direct Attack Indications
Direct attack indications do not refer to general alerts or IOCs, but rather are specific indicators that the company is being directly targeted. For example, this might include dark web chatter mentioning the company specifically, the appearance of company assets (IP ranges, domains, emails, and employee data) in target lists or campaigns, and malware or malware code targeting these companies.

3.8 Instances of Bank Data Offered for Sale
Financial information, bank account logins, IP addresses, domain names and other financial records are considered valuable details that can be used for many types of attacks. Most people and/or organizations would be alarmed if this happened just once, but in reality, this is happening nearly 4 times each week per bank.

Traditionally, the top products sold on dark web black markets are drugs, prescription medicines, stolen credit cards, personal information, and carding “cash-out” tutorials. But during the last two to three years, the IntSights research team has seen a growing trend of trading bank accounts logins. Black markets are full of vendors that offer “high balance bank accounts logins” at major banks within the USA, Europe and Asia.

If banks can identify these leaked account details before they are used for fraud, they can reduce their fraud costs significantly.

3.6 Corporate Emails on Target List
Phishing emails are a common and simple attack for hackers of all abilities to perform. A lot still needs to "go right" for the hacker to launch a successful phishing campaign, but this finding shows that there's no slowdown in attempts. There's an ongoing trend of higher-skilled hackers selling programs to more novice hackers, which has lowered the “hacker barrier to entry”. This means someone with minimal hacking experience can run their very own phishing campaign targeting a bank's employees.

Note: This statistic refers to the number of times emails were found on phishing target lists, but not the number of emails. In many cases, multiple emails are found on phishing target lists, so the number of emails targeted is actually more than what this statistic indicates.

1.8 Corporate Credentials Posted Online
Attackers love credentials to financial systems because it makes for easy data theft and fraud. Leaked credentials enable a whole lot more than simple theft. Gaining access to customer-facing or corporate systems can help hackers understand the inner-workings of those systems, which can be used to facilitate a bigger and wider breach of data or money. Gaining access to employee credentials (especially those of senior management or IT staff) can compromise a trove of data that can later be used for further malicious behavior and schemes.

Locking down leaked credentials is key to protecting against fraud and further hacker reconnaissance.

3.1 Stolen Credit Card Info Posted Online
While banks are usually not at fault for stolen credit card info (it could be a from a breached retailer or phished from a customer), banks are typically on the hook to pay for these fraud costs. The lowered "hacker barrier to entry" (discussed in Phishing Target List section above) has caused a surge in credit card information for sale across black markets, and banks are the ones paying the cost.

Once credit card info is stolen, hackers typically sell the info to other buyers, either individually or in batches. The more stolen credit cards you can identify and shut down, the lower your fraud costs will be.

Note: Just like with Phishing Target List stat above, this statistic refers to the number of times new credit card info was posted online, but not the number of individual credit cards. Hackers usually post large batches of credit card info at once, so the number of stolen credit cards is actually more than what this statistic indicates.

1.8 Malicious Social Media Profiles Created
Social media has become a popular tool for hackers because many users assume profiles and pages are legitimate. Fake social media profiles, apps, and accounts can be used in a variety of malicious ways. Quickly identifying and taking down malicious social media profiles and fake mobile applications is critical to prevent hackers from leveraging your brand to phish your customers.

Considering nearly two new fake social media accounts are created weekly for each bank, this can be a difficult task to manage without using a tool that can identify and takedown fake social media profiles.


Banking and financial services companies deal with tons of threats each and every day, with no sign of it slowing down. All it takes is for one of these threats to go unnoticed or un-mitigated for hackers to steal data or commit fraud. Without a formal threat intelligence solution and program in place, it’s impossible for financial companies to keep up with the ever-growing threat landscape and new attack vectors that target them and their customers.

Want to learn more about how the threat landscape for financial organizations is evolving?

Download our Banking & Financial Services Cyber Threat Landscape Report (April 2019)

Learn More

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.