Why is phishing such an issue in the banking sector?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

Phishing remains one of the biggest security threats in the banking sector, as cybercriminals continuously exploit human trust to steal credentials, financial data, and access to accounts. Despite advancements in security technologies, traditional authentication methods like passwords, PINs, and SMS one-time passwords (OTPs) are still vulnerable to phishing attacks.

How Phishing Works in Banking

Phishing attacks typically follow these steps:

  1. Impersonation – Attackers send fake emails, SMS, or create fake banking websites that appear legitimate.
  2. Deception – The user is tricked into believing they are interacting with their real bank.
  3. Credential Theft – Victims enter their login details, PINs, or OTPs, unknowingly handing them over to attackers.
  4. Account Takeover – Fraudsters use stolen credentials to perform unauthorized transactions, steal funds, or commit identity fraud.

A real-world example of this occurred with Deutsche Bank, where attackers cloned the bank's website and tricked users into entering their banking credentials and SMS OTPs, which the attackers could use while the codes were still valid. Any factor the user can type into a page can be typed into the wrong page; this is what makes passwords and OTPs phishable.

Why is Banking a Prime Target for Phishing?

  • Financial motivation – Cybercriminals directly profit by stealing funds or selling stolen data.
  • High attack success rates – Users often reuse passwords or fall for well-crafted phishing schemes.
  • Trust exploitation – Fake messages from “banks” easily create urgency and fear, making users act quickly.
  • Outdated authentication methods – Passwords and SMS OTPs are still widely used, and both are shared secrets that a phishing page can collect and reuse; adding an OTP to a password does not make the login phishing-resistant.

How Can Phishing Be Prevented?

To combat phishing, banks must move away from phishable authentication and adopt phishing-resistant methods, such as:

  • Passkeys (WebAuthn, FIDO2) – Public-key authentication with no shared secret: the authenticator signs a server-issued challenge together with the origin it was requested from, so a captured response is useless on any other site and cannot be replayed.
  • Hardware-based security keys – Devices like YubiKeys provide an additional non-phishable security factor.
  • Fraud detection and risk-based authentication – Monitoring unusual login behavior can prevent unauthorized access.
  • Customer education – Awareness campaigns help users recognize phishing attempts.

Passkeys as a Solution

Passkeys are a game-changer for banking security. Unlike passwords or SMS OTPs, passkeys rely on public-key cryptography: the private key stays in the user's authenticator and the bank stores only the public key, meaning:

  • Users never type a credential, so there is nothing for a phishing page to collect; the authenticator signs a one-time challenge instead.
  • Passkeys are scoped to the relying party's domain: the browser only offers a passkey to the site it was registered for, and the signed response records the requesting origin, so a lookalike domain can neither use the passkey nor relay a response to the real bank.
  • Banks can meet Strong Customer Authentication (SCA) under PSD2 requirements while eliminating the most common phishing attack vector.

By adopting phishing-resistant authentication, the banking sector can significantly reduce fraud, protect customer accounts, and meet regulatory requirements such as Strong Customer Authentication under PSD2.
