Knowing banks have some of the highest cybersecurity and compliance standards of any sector, cybercriminals turn to a perennial security weak spot: people. Adversaries prey on the psychological and operational habits of employees, using techniques that blend into normal business processes to get around automated detection. Social engineering is highly effective, with the "human element" playing a part in 60% of all breaches. These attacks are only becoming more sophisticated with the use of AI.

Phishing

An attacker can use phishing tactics, such as posing as an executive, to steal funds or gain access. A common scenario is the "vendor payment change" request. The attacker identifies a legitimate vendor through public data or a compromised inbox. They then interject into an ongoing conversation, sending a PDF invoice that appears identical to previous documents but contains new banking instructions. 

This technique leans on creating a sense of urgency, using terms like "quarter-end close" or "overdue penalties" to pressure employees into acting against their training. The FBI’s Internet Crime Complaint Center (IC3) reported $2.77 billion in losses across more than 21,000 BEC incidents in 2024. BEC is a crucial aspect of cybersecurity basics for finance professionals.

Business email compromise

The financial sector is particularly vulnerable to (BEC), a broad form of cyberattack where an adversary compromises an employee's email, then uses that email to do things like create inbox rules, acquire information, or send out mass emails posing as that trusted employee to do things like convince them to wire money to a different bank account. 

Credential theft

In this type of phishing, an attacker sends an email that mimics a routine business request, such as a password reset for Microsoft 365. The user clicks on a link that sends them to a fake login screen, where attackers capture their username and password. To get around MFA requirements, they add a second technique: session hijacking.

A "session token" is the digital key that keeps a user logged in on their browser. To steal this token, hackers often use an adversary-in-the-middle (AiTM) attack. In this scenario, the spoofed website forwards the user’s login to the real site. This sends an MFA prompt to their phone. When approved, the real site issues a session token, which the attacker copies before letting it reach you. They can then log in on their own browser.

Malware

Cyber threats are always evolving, but the foundations of cyber risk awareness stay the same: vigilance in communication, rigorous verification protocols, and secure digital hygiene.

Communication

Safe communication hinges on the ability to stop and think about an incoming message before acting. Common email red flags include:

• Mismatched identity: The "display name" says it’s from the CFO, but the actual email address is a generic Gmail or an unfamiliar domain.

• Abnormal channels: An urgent request for a wire transfer arrives via email from an executive who typically communicates through internal chat or phone.   

• The urgency trap: Any message that demands immediate action to avoid a "crisis" or "penalty" is likely a sign of social engineering.

• Suspicious document alterations: Checking the PDF metadata or noticing slight formatting changes in a "standard" invoice can reveal a fake.

The best way to guard against BEC is "out-of-band verification." If an unusual request comes in, follow up using a different communication channel. Never use the contact information provided in the suspicious email. 

Digital hygiene

Good digital hygiene is essential for finance professionals.

• Advanced authentication: Multi-factor authentication (MFA) is non-negotiable but not foolproof. Professionals must be trained to recognize "MFA fatigue" attacks, where an attacker triggers hundreds of prompts on a user's phone in the hope that they will click "Approve" just to silence the notifications.

• Password strategy: Teamsmust use unique, complex passwords for every financial portal. Password managers (e.g., 1Password, Bitwarden) can help limit the risk of "credential stuffing," where a password stolen from a personal site is used to breach a corporate banking system.

• Secure documentation: Sensitive financial data should never be stored on personal devices or sent via unencrypted email. Organizations must enforce strict data classification and utilize secure, encrypted file-sharing methods for transmitting reconciliation files or audit documents.  

Financial services cybersecurity training should not be treated as an annual compliance checklist item. Numerous studies have shown that learning in longer, less frequent blocks leads to a “forgetting curve.” Instead, use bite-sized, ongoing lessons to boost retention.

Developing the ability to spot phishing attempts is one of the most impactful skills financial professionals can learn. Phishing simulations provide teams with practical experience without the stakes of a real-life incident. When a staff member clicks a malicious link, they receive immediate feedback that explains what signs they missed. Studies show that ongoing phishing simulations can cut an organization's click rate in half within six months.   

Training should also establish a clear escalation path. Finance professionals must know exactly who to contact the moment something feels "off." Institute a no-blame reporting rule and set up dedicated support channels to triage potential fraud cases.

Huntress Managed SAT provides engaging cybersecurity awareness training for finance professionals, with threat simulations, gamification, and animation by Emmy Award-winning creators. See measurable results with no added hassle.