Banking trojans are among the most insidious threats to both cybersecurity and personal financial security—and attacks are becoming more common. In 2020, the FBI warned that banking trojan attacks were likely to surge as more people began banking online amid the pandemic.
So, what are banking trojans? Simply put, they’re malicious backdoor programs designed to steal financial information or money from online banking apps and other fintech platforms. Unfortunately for the average person, banking trojans are extremely sophisticated and frequently switch up their strategies. They can attack online banking institutions, and even drain money from personal or business bank accounts—before the account owner knows they’ve been targeted.
How do banking trojans work?
Banking trojans stealthily infect a PC, computer network, or Android app, then wait for the unsuspecting user to log in to an online bank account. Once this occurs, the banking trojan captures the user’s password and gains unauthorized access to the account.
Cybercriminals can trick users into granting account access to the banking trojans in a number of different ways:
- Phishing. This occurs when a malicious actor sends an email under the guise of a seemingly legitimate sender, such as a bank or online retailer. The email either infects the recipient's device once opened, or contains a link directing the recipient to enter their username and password on a malicious site disguised as a legitimate banking site.
- Malvertising. Banking trojans can hide in malicious code injected into advertisements displayed on legitimate sites. Once clicked, those infected ads direct the user to a malicious site.
- Exploit kits. Exploit kits are embedded in websites, where they scan visitors' systems for vulnerabilities they can exploit to gain entry into the PC or network.
So, what are banking trojans? They are an absolute nightmare to deal with. To help avoid getting infected by one, here are a few tips on how to keep these malicious actors from wreaking havoc:
- Exercise caution. Be careful when clicking links and downloading files sent over email. If you’re a banking organization, train your employees to recognize phishing emails and have them participate in phishing tests.
- Pay attention to small details. Take notice of small changes before logging into a banking website. Are there any design changes? Additional login fields? Glaring flaws in text or design? These are clues it’s a malicious site disguised as a legitimate one.
- Be proactive. As the old saying goes: the best defense is a good offense. Investing in cybersecurity tools such as malware scanners, antivirus software, and web application firewalls can help safeguard your system.
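
The "additional login fields" check from the tips above can also be automated by a bank's security team. The following is an added example, not code from the original article: it compares a login page against a known-good baseline and reports extra input fields or a form that submits to another host. The host names, field names, sample pages and the `audit_login_page` helper are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline for a hypothetical bank: what its real login form looks like.
BASELINE = {"host": "bank.example", "fields": {"username", "password", "csrf_token"}}

# Constructed sample pages (not captured from any real site).
CLEAN = ('<form action="/login" method="post"><input name="username">'
         '<input name="password" type="password">'
         '<input name="csrf_token" type="hidden"></form>')
TAMPERED = ('<form action="https://collect.example/submit" method="post">'
            '<input name="username"><input name="password" type="password">'
            '<input name="card_number"><input name="atm_pin">'
            '<input name="csrf_token" type="hidden"></form>')


class LoginFormParser(HTMLParser):
    """Records the first form's action URL and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.action, self.fields = None, set()
        self._in_form = self._seen_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and not self._seen_form:
            self._in_form = self._seen_form = True
            self.action = attrs.get("action") or ""
        elif self._in_form and tag in ("input", "select", "textarea") and attrs.get("name"):
            self.fields.add(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_login_page(html, page_url, baseline=BASELINE):
    """Return a list of differences between this page and the known-good baseline."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    page_host = urlparse(page_url).hostname
    if page_host != baseline["host"]:
        findings.append(f"page host {page_host} is not {baseline['host']}")
    action_host = urlparse(parser.action or "").hostname  # None for a relative action
    if action_host and action_host != baseline["host"]:
        findings.append(f"form posts to {action_host}")
    extra = sorted(parser.fields - baseline["fields"])
    if extra:
        findings.append("additional login fields: " + ", ".join(extra))
    return findings
```

An empty result means the page matches the baseline; any finding is a reason to stop and verify the page before entering credentials.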