
By Mick Leach
Financial institutions are facing growing risks from email-based threats that exploit trust, supply chains, and collaboration tools. To compound this issue, defences are fragmented and analysts are struggling to keep up. With regulatory demands requiring organisations to improve the speed and clarity of their defences, a truly resilient approach to security requires behavioural analytics and automation. This is vital to empower teams to counter evolving attacker tactics and protect financial stability and reputation.
Few financial organizations are under any illusions about the challenges of securing the sector. Most institutions are grappling with fragmented payment systems and sprawling cloud estates that need to deliver constant uptime and are deeply vulnerable to threat actors seeking to steal funds and data or leave disruption in their wake.
But the day-to-day battle for security often begins somewhere far less complex: the employee inbox. A single malicious email can be enough to trigger financial fraud, leak sensitive data, or knock critical services offline. Email offers the perfect blend of low cost and high impact, exploiting trust between banks, clients, and suppliers.
With so many other attack channels to defend, email often gets overlooked. However, with attackers exploring AI, automation, and new tactics to evade traditional defenses, no financial organization can afford to neglect email security.
Staying resilient means keeping ahead of the forces reshaping the threat.
The supply chain is the new frontline
Business email compromise (BEC) attacks targeting senior executives are often considered some of the more advanced email tactics, but many attackers are already pursuing new maneuvers to get around defenses.
Rather than attempting to fool executive targets with domain spoofing, attackers are now compromising legitimate supplier accounts and exploiting their established trust. This often involves extended monitoring of conversations to allow for the insertion of a fraudulent invoice at a precise moment, aligning with genuine billing cycles.
It’s an insidious tactic that leaves few tells—the sender is genuine and the messages are typically crafted to fit into existing relationships naturally. For banks, this risk extends far beyond a single lost payment. In a sector built on trust, one manipulated email thread can ripple into reputational damage and systemic risk.
Defending against these attacks requires behavioral analytics that can establish a reliable baseline for everyday activity, and zero in on anything unusual, even if elements like the sender identity are correct.
Collaboration tools expose new weak links
Alongside supply chain compromise, we’re also seeing more phishing attacks exploiting legitimate sharing and collaboration tools. Invitations to view a file in Microsoft Teams, or to sign a document in Docusign, can look entirely legitimate, yet direct employees to carefully crafted credential-harvesting sites. Once credentials are captured, criminals can hijack the victim’s identity to infiltrate the network, launch internal phishing campaigns, and access other critical resources.
It’s yet another tactic that weaponizes trust, this time undermining and exploiting the platforms that have become an integral part of many modern operations.
Because the links themselves are typically genuine, they can pass most traditional detection tests. As with supply chain attacks, the key to defense is behavioral rather than technical. If a new tenant invitation comes in from an unknown external account outside of business hours and addresses multiple recipients, that’s a huge red flag.
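The two behavioural checks described above (a baseline of who normally corresponds with the organisation, and the red flag of an unknown external sender inviting multiple recipients outside business hours) can be expressed as a small scoring rule. The following is an added example, not code from the author or from any product; the sender history, invitation events, business-hours window and thresholds are all constructed for illustration. Note that it never inspects the link itself, since the link is typically genuine.

```python
from datetime import datetime, time
from typing import Dict, List, Set

# Constructed sample data (not real tenant logs): how often each external
# sender has corresponded with the organisation before today.
HISTORY = [
    {"sender": "alice@partnerbank.example", "count": 47},
    {"sender": "billing@vendor-a.example", "count": 12},
    {"sender": "newcontact@unknown-tenant.example", "count": 0},
]

# Constructed sharing/collaboration invitation events as a filter would see them.
EVENTS = [
    {"id": "evt-1", "sender": "alice@partnerbank.example", "platform": "teams",
     "sent_at": "2024-03-04T10:15:00", "recipients": ["bob@bank.example"]},
    {"id": "evt-2", "sender": "newcontact@unknown-tenant.example", "platform": "docusign",
     "sent_at": "2024-03-04T02:41:00",
     "recipients": ["bob@bank.example", "carol@bank.example",
                    "dave@bank.example", "erin@bank.example"]},
    {"id": "evt-3", "sender": "billing@vendor-a.example", "platform": "teams",
     "sent_at": "2024-03-04T23:10:00", "recipients": ["carol@bank.example"]},
]

# Assumed policy values; a real deployment would derive these per organisation.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
MIN_HISTORY = 3        # senders seen fewer times than this are "unknown"
BULK_RECIPIENTS = 3    # invitations to this many or more recipients count as bulk


def build_baseline(history) -> Set[str]:
    """Senders with an established correspondence history (the 'normal' set)."""
    return {h["sender"] for h in history if h["count"] >= MIN_HISTORY}


def outside_business_hours(sent_at: str) -> bool:
    """True when the timestamp falls outside the configured working window."""
    t = datetime.fromisoformat(sent_at).time()
    return t < BUSINESS_START or t > BUSINESS_END


def score_invitation(event, baseline: Set[str]) -> List[str]:
    """Return the behavioural red flags raised by a single invitation."""
    flags = []
    if event["sender"] not in baseline:
        flags.append("unknown_external_sender")
    if outside_business_hours(event["sent_at"]):
        flags.append("outside_business_hours")
    if len(event["recipients"]) >= BULK_RECIPIENTS:
        flags.append("multiple_recipients")
    return flags


def triage(events, baseline: Set[str], escalate_at: int = 2) -> Dict[str, List[str]]:
    """Map event id -> flags for invitations that combine enough weak signals.

    A single signal (a known supplier sharing late in the evening) is not
    escalated on its own; the combination is what makes the case suspicious.
    """
    escalated = {}
    for ev in events:
        flags = score_invitation(ev, baseline)
        if len(flags) >= escalate_at:
            escalated[ev["id"]] = flags
    return escalated


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for eid, flags in triage(EVENTS, base).items():
        print(eid, "->", ", ".join(flags))
```

Running it escalates only `evt-2` (unknown sender, 02:41, four recipients); `evt-3` is a known supplier sending late and raises one flag, which stays below the threshold. The threshold and the window are the tunable parts: raising `escalate_at` trades missed cases for fewer analyst interrupts.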
Tool sprawl undermines resilience
In response to escalating threats, many banks have layered multiple defenses on top of each other—legacy secure email gateways, cloud filters, phishing plugins, in-house rule sets, and more. While firms may feel secure after investing in so many solutions, tool sprawl often ends up being detrimental instead. With each tool generating its own alerts, security analysts can quickly be tied up by conflicting signals, which complicates and slows investigations. The most dangerous malicious messages can slip quietly through the noise.
From a leadership perspective, this approach delivers the worst of both worlds: higher cost and higher risk. Rather than adding more tools to the stack, the answer is to start streamlining security controls. Creating a single comprehensive inventory of all security tools will highlight where capabilities overlap and can be consolidated or retired.
Analyst fatigue is a business risk
Bloated security stacks are also a significant contributing factor to another pressing challenge: analyst fatigue. Security operations center (SOC) analysts in financial institutions are tasked with stitching together evidence across a patchwork of tools, often spending more time reconciling alerts than hunting genuine threats.
This leads to burnout and high turnover, with a revolving recruitment door in a field where available talent is scarce. The ongoing cyber skills shortage makes it difficult and expensive to increase headcount.
Automation is therefore essential. By merging duplicate alerts, auto-closing benign triggers, and pre-populating investigation steps, routine triage can be handled at machine speed. This allows human analysts to concentrate on the sophisticated, high-value attacks that truly threaten financial stability.
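The three routine-triage steps named above (merging duplicate alerts, auto-closing benign triggers, and pre-populating investigation steps) are shown below as an added example; it is not the author's code or any vendor's. The alerts from three hypothetical tools, the benign verdict set and the playbook are constructed, and the example assumes the tools' output has already been normalised to a common shape with a message id, verdict, severity and indicator type. Each merged case also records the decision taken, so the output doubles as the single audit trail that incident reporting later needs.

```python
from typing import Dict, List

# Constructed alerts from three hypothetical tools about two messages.
ALERTS = [
    {"tool": "gateway",      "message_id": "<m1@ext.example>",  "verdict": "suspicious",
     "severity": 2, "indicator": "url"},
    {"tool": "cloud_filter", "message_id": "<m1@ext.example>",  "verdict": "malicious",
     "severity": 4, "indicator": "url"},
    {"tool": "phish_plugin", "message_id": "<m1@ext.example>",  "verdict": "user_reported",
     "severity": 1, "indicator": "user_report"},
    {"tool": "gateway",      "message_id": "<m2@news.example>", "verdict": "bulk",
     "severity": 1, "indicator": "sender"},
    {"tool": "cloud_filter", "message_id": "<m2@news.example>", "verdict": "clean",
     "severity": 0, "indicator": "sender"},
]

# Assumed verdict labels that may be closed without an analyst (benign triggers).
BENIGN_VERDICTS = {"clean", "bulk"}

# Assumed playbook: investigation steps keyed by indicator type.
PLAYBOOK = {
    "url": ["detonate URL in sandbox", "check proxy logs for clicks on the URL"],
    "attachment": ["extract and hash attachment", "check hash against threat intel"],
    "user_report": ["confirm whether the reporter interacted with the message"],
    "sender": ["review sender reputation and SPF/DKIM/DMARC results"],
}


def merge_alerts(alerts) -> Dict[str, dict]:
    """Collapse per-tool alerts into one case per message id.

    Verdicts and indicators are unioned; severity keeps the highest value any
    tool assigned, so a disagreement between tools never downgrades the case.
    """
    cases: Dict[str, dict] = {}
    for a in alerts:
        case = cases.setdefault(a["message_id"], {
            "tools": set(), "verdicts": set(), "severity": 0, "indicators": set()})
        case["tools"].add(a["tool"])
        case["verdicts"].add(a["verdict"])
        case["severity"] = max(case["severity"], a["severity"])
        case["indicators"].add(a["indicator"])
    return cases


def is_benign(case) -> bool:
    """Auto-close only when every tool's verdict is in the benign set."""
    return case["verdicts"] <= BENIGN_VERDICTS


def investigation_steps(case) -> List[str]:
    """Pre-populate the analyst's checklist from the indicator types present."""
    steps: List[str] = []
    for indicator in sorted(case["indicators"]):
        steps.extend(PLAYBOOK.get(indicator, []))
    return steps


def triage_alerts(alerts) -> Dict[str, dict]:
    """Merge, decide, and record: every case carries its decision for audit."""
    cases = merge_alerts(alerts)
    for case in cases.values():
        if is_benign(case):
            case["decision"] = "auto_closed"
            case["steps"] = []
        else:
            case["decision"] = "open"
            case["steps"] = investigation_steps(case)
    return cases


if __name__ == "__main__":
    for mid, case in triage_alerts(ALERTS).items():
        print(mid, case["decision"], "severity", case["severity"],
              "tools", sorted(case["tools"]))
        for step in case["steps"]:
            print("   -", step)
```

With the constructed input, five alerts become two cases: the newsletter is auto-closed because both tools called it benign, while the first message stays open at the highest severity any tool assigned, with three investigation steps already queued. The audit-friendly part is that the auto-close decision is recorded alongside the verdicts that justified it rather than silently dropped.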
Compliance deadlines demand clarity
The case for automation grows stronger still when viewed through the lens of regulation, where every minute counts and manual processes quickly become untenable.
Under the Digital Operational Resilience Act (DORA), for example, banks must notify regulators of a material cyber incident within 24 hours. Exporting logs from multiple systems or reconciling alerts manually is not a viable strategy when the clock is ticking.
To remain compliant, institutions need audit-ready records that capture every user action, security decision and verdict in one place. A unified view of email activity is essential for accelerating incident reporting, and it also provides an efficient way of meeting regulatory scrutiny quickly.
Resilience relies on getting ahead of the attackers
Email is a central communication tool for financial institutions. It’s also a strategic vulnerability, leaving the door open to cyberattacks that can be hugely damaging to a firm’s trust and reputation, on top of the cost of fraud and data theft.
As the trends discussed here show, the attackers are continuously investigating new tools and tactics to bypass defenses. These threats cannot be addressed with incremental fixes or yet another layer to the security stack. By streamlining defenses and empowering security teams to find the most subtle signs of malicious activity, financial institutions can get ahead of even the most devious tactics.