Cybersecurity attacks and the human factor

What are the most common cybersecurity attacks in finance involving the human factor?

Cybersecurity attacks have surged in recent years, even more so during the pandemic. As new types of attacks surface and existing attack methods keep evolving, research tries to categorise them. Most academic cybersecurity models include their own cybersecurity threat taxonomy, which classifies threats according to the model’s dimensions. Typically, the classification follows one of the well-known threat taxonomies published by institutions, such as the taxonomy provided by ENISA (European Union Agency for Cybersecurity). The taxonomy is then adapted to fit the model’s purpose.

In the case of the SOTER project, the main objective is to provide cybersecurity training to regular employees in the financial services sector. Thus, we can simply derive the two most important characteristics for our adaptation of the taxonomy: industry (finance) and the human factor.

In a forthcoming publication, we analyse existing cybersecurity threat taxonomies and develop our own, adapted taxonomy. We then identify the top human factor-based cybersecurity threats that have seen a significant rise in incidents in the financial services sector during the past year or so:

      1. Web-based attacks
      2. Malware and Ransomware
      3. Identity theft and Insider threat
      4. Data breach (including phishing)


In a web-based attack, web systems and services are used to deceive the victim. For instance, the user may be provided with a malicious link (URL) to a website compromised by the attacker. The goal is to convince the user to download a malicious script or file (malware) or to enter sensitive information (i.e., formjacking), which is then stolen and used for financial gain or even extortion via ransomware.

  • Security researchers have noted a surge in formjacking attacks targeting user data and banking details. On average, compromised websites remained infected for 45 days.
  • Malvertising is a common delivery method: in 2019, a malvertising campaign using Google Chrome extensions was uncovered, which affected approximately 1.7 million users.


Malware is perhaps the best-known cyberattack next to phishing e-mails. It comes in all shapes and sizes, ranging from viruses, worms and spyware to ransomware. The common goals of a malware attack are information or identity theft and service disruption.

  • A 2019 study found that 94% of all malware attacks were delivered by e-mail
  • After the initial delivery, the malware was spread by employees in 71% of cases
  • Almost half of all malware delivered by e-mail was found in Word’s .docx files
  • 67% of malware was delivered via encrypted HTTPS connections


Identity theft or identity fraud describes the misuse of a victim’s personally identifiable information (PII) by an impostor, for instance for financial gain. The increasing prevalence of identity theft is correlated with the increase in data breaches over recent years.

  • In 2019, on average more than three incidents occurred per company
  • The average cost of an incident is approximately €450,000
  • 63% of incidents occur due to negligence


Insider threats are cybersecurity incidents that result from the actions of an “insider”, i.e., someone working for or affiliated with the potential victim (organisation). The most common insider threat pattern occurs when the attacker collaborates with an inside actor, often providing monetary incentives to convince the insider. However, it is often difficult to distinguish between legitimate, malicious and erroneous actions of insiders.

  • Insider threat incidents have increased by 47% since 2018
  • The cost of incidents has risen by more than 30% since 2018
  • 88% of companies recognise insider threats as significant threats to their reputation and finances


In a data breach, sensitive and sometimes confidential information is accessed without proper authorisation, typically by a malicious actor. It is commonly the result of a previously conducted cybersecurity attack, such as a phishing attack. Frequently, data breaches can be attributed to human error.

  • In 2019, 32% of data breaches involved phishing activity
  • 71% of data breaches were financially motivated
  • In many cases, companies are not immediately aware of a data breach. Research suggests that it takes companies approximately 206 days to identify a data breach
  • Comparing 2018 to 2019, the number of reported data breaches increased by 54%


Last but not least, phishing is defined as the fraudulent attempt to steal user data or even money using social engineering techniques. This iconic cybersecurity attack is usually delivered via e-mails that are masked to appear to come from a trusted source. The attacker attempts to lure the victim into opening a malicious attachment or clicking on a malicious link. While most phishing attacks are very general in nature and sent to millions of e-mail addresses, “spear phishing” relies on upfront research of the victim to tailor the phishing e-mail, which in turn appears more authentic.

  • Phishing is a major delivery method of other threats such as web-based attacks, malware, insider threats and data breaches
  • Almost half of all malicious attachments were Microsoft Office documents
  • Phishing e-mails surged by 667% during the first month of the COVID-19 pandemic
  • 30% of phishing e-mails were delivered on Mondays
  • More than two-thirds of phishing sites adopted HTTPS

We must keep in mind that all these cybersecurity threats are related to the human factor, targeting the so-called “end-user”. The term encompasses regular employees in the financial services sector, without any specialised cybersecurity tasks or education. In this blog post, we gathered the basics as well as some interesting facts and statistics about each of these attacks. We hope we provide a glimpse of how some of these attacks may play out in real life, and what their impact might be.



Author: Paul Rabel, University of Graz

Sources: ENISA Threat landscape 2020 and corresponding ENISA Threat reports (and studies mentioned therein).

For more information about SOTER, visit the project website and follow us on Twitter and LinkedIn.