The Financial Industry Regulatory Authority (FINRA) recently released the 2025 FINRA Annual Regulatory Oversight Report, which observed an increase in the variety, frequency, and sophistication of insider threats by threat groups.
The threat posed by insiders, incidents in which a firm's employees, purposefully or inadvertently, use their access to its systems and data to cause the firm harm, was covered in depth by Trustwave SpiderLabs in its Financial Services Deep Dive: Insider Threat, a complementary report to the 2024 Trustwave Risk Radar Report: Financial Services Sector.
Using an insider is a tried-and-true attack methodology, employed by threat actors alongside gaining entry to a target through vulnerabilities, phishing campaigns, or other technical means.
This is done because once an insider is identified and recruited, the attacker can exploit that person's position to gain authorized access to sensitive systems and data.
Trustwave SpiderLabs points out that the financial services sector is particularly vulnerable, creating an environment where malicious insiders have become a significant concern. Unlike external attackers, who must breach defenses, insiders already possess the "keys to the castle," simplifying their ability to bypass traditional security measures.
Let's start this on a positive note, kind of, and note that not all insider threats are malicious. Often, a person makes a mistake and lets in a bad guy.
Negligent insider threats generally stem from an employee's carelessness, such as ignoring messages to install patches, or from accidents, such as mistyping an email address or unknowingly opening a phishing email.
On the other hand, many factors drive an individual to become a malicious insider, the most common being financial gain, as insiders may be tempted to sell sensitive information or facilitate breaches for profit.
Next up are personal grievances. Most organizations have dissatisfied workers. For instance, a disgruntled employee might delete critical databases to disrupt operations as revenge against the company, or they may feel driven to sell login or other information to a threat actor.
The danger of extortion and coercion cannot be underplayed. Malicious actors are exceedingly good at finding dirt on people through social media or other sources and using it to blackmail insiders to do their bidding.
Additionally, in today's heavily divided world, ideological beliefs, such as political or social agendas, can motivate insiders to act maliciously. The allure of easy money and the perceived low risk of getting caught can encourage someone to attempt to further their belief or cause by passing along information.
Cybercriminals understand the value of having an inside source and actively seek out people who fit the above descriptions, recognizing that such people combine insider knowledge with a willingness to act maliciously.
Trustwave SpiderLabs has found Telegram channels that feature requests for connections with malicious insiders, highlighting the growing demand for their services. This collaboration amplifies the threat, leading to substantial financial losses and long-term reputational damage for financial institutions.
Data taken from, or handed over by, insiders at banks and in other sectors can, when combined, pose a significant threat to end users, not to mention to the organizations themselves.
For example, if a threat group has an insider at a bank and another at a telecommunications company, the combined intelligence can be used to devastating effect.
The bank insider can provide sensitive financial information, while the telecom insider can offer access to personal communication data. This synergy can enable malicious actors to execute highly sophisticated attacks, such as identity theft, unauthorized transactions, and comprehensive surveillance.
Recruitment methods vary by region. In the United States, recruitment often involves tapping into two sensitive topics for most people: financial difficulties or personal grievances.
Cybercriminals might target employees through social engineering, offering substantial financial incentives, or leveraging blackmail. In Russia, the recruitment process may involve a mix of coercion and enticement, with patriotic or political motivations playing a role.
Malicious recruiters commonly use online forums, Dark Web marketplaces, and closed communication channels as platforms for these efforts. Trustwave SpiderLabs has seen recruitment advertisements on Russian Dark Web forums that target local services as well as representatives of global corporations such as Google, Yahoo, Telegram, and WhatsApp. This shift indicates an attempt to broaden their operational scope and extend their reach.
The consequences of insider threats in the financial sector can be dire.
Unauthorized access to customer data, intellectual property theft, significant financial losses, regulatory penalties, and loss of customer trust are just a few of the potential outcomes. If sophisticated threat actors leverage malicious insiders, catastrophic breaches could undermine global financial stability.
To combat these threats, financial institutions must adopt proactive and comprehensive insider threat management strategies.
As insider threats evolve in sophistication and frequency, financial institutions must remain vigilant, adopting proactive strategies to mitigate risks from both negligent and malicious actors. By combining robust security measures with continuous monitoring and employee education, organizations can better protect themselves against the potentially devastating consequences of insider-driven cyberattacks.