‹ Back to beginning of report

Mobile threats affecting financial services by the numbers

To understand this sector’s exposure to cyber threats, we analyzed six months of security data from 225 of our Financial Services customers that, collectively, have 50,000 devices under management. There were 4.7 million events across these devices, averaging around 21,000 events per customer, on mobile alone.

“The threat of cyber security may very well be the biggest threat to the US financial system”

Jamie Dimon, CEO, JPMorgan Chase


It’s unsurprising to see that Financial Services companies are more of a phishing target than other types of companies, with 57.33% financial services companies experiencing phishing attacks relative to 42.2% cross-industry.

A report by the ACCA – Cyber and the CFO – suggests 69% of FS companies recognize phishing and spear phishing attacks as an applicable threat against their organization.

According to another study, financial services employees are most likely to click on a phishing email, with 29% admitting to clicking on a phishing email at work, relative to the cross-industry average of 11%.

Phishing attacks are a daily threat for Financial Services companies and employees need regular training to help identify phishing attacks—not only via email, but also through social media and other messaging platforms. However, given the growing sophistication of phishing campaigns, FS companies can’t rely on awareness training as the only layer of defense. A multi-level approach needs to be adopted at the endpoint and in the network to offer comprehensive protection against phishing.


Despite all of the scaremongering around malware, it’s not as big an attack vector as people typically think, with less than 1% of companies having experienced malware attacks. However, they do occur and cybercriminal groups are becoming highly targeted in their approach. For example, a Whatsapp vulnerability that enabled spyware to be installed on targeted devices was by no means a wide-scale attack, but the potential impact was substantial.


On average, 18.6% of companies have experienced mobile cryptojacking attacks. This came in slightly higher for Financial Services firms at 26.67%. Financial Services users appear to use devices more responsibly than users in other industries, so the overall device impact is less notable than that of some other threat vectors like phishing.

Man-in-the-middle attacks

Financial Services employees have seen a high number of incidents associated with man-in-the-middle attacks and risky hotspots (35.56%) compared to cross-industry figures (24.05%). Of the risky hotspots, 59.67% in the Financial Services sector were travel-related, indicating that FS employees who travel need greater protection.

Mobile risks affecting financial services

Out-of-date operating system

Despite the BYOD trend discussed earlier, more users in Financial Services maintain their devices with the latest operating system and security patches. This may be reflective of well-documented policies and firm management strategies within FS mobile work programs.

Lock screen disabled

One of the most basic security measures is using a lock screen, so it’s surprising that for every 20 employees, there is one with their lock screen disabled. This has huge ramifications if a device without a lock screen is lost or stolen.

Jailbroken or rooted devices

This data is reflective of rooting and jailbreaking being less common among users in general. App stores are fairly open and smartphones are already customizable enough. Users don’t want to bother doing more with an unstable and potentially non-performant phone.

Sideloaded apps installed

Within the Financial Services sector, 2.88% of iOS devices have sideloaded apps and 3.76% of Android devices have sideloaded apps. Sideloaded apps can be an indicator of users exhibiting riskier mobile behavior.

Password leaks

Password leaks are not uncommon, but they only impact about 1% of mobile devices. Larger organizations and those that tend to have more liberal usage policies are more likely to encounter password leaks, as they are less stringent with their policies governing application usage and acceptable web content.