
The phish your finance team is already getting.

Financial services teams sit on top of payment authority, customer credentials, and movement of money. Attackers know it. RiskSense generates the wire-fraud, payroll-diversion, and vendor-invoice phish your team is actually facing — and produces the compliance reports your auditor and insurer expect.

Why financial services keeps getting hit

Finance is where the money is. Attackers prioritise this sector because a single successful phish can move six- or seven-figure sums in minutes, and the regulatory framing means the breach has to be disclosed and forensically investigated, adding cost on top of the loss. Email-driven business email compromise (BEC) is consistently among the highest dollar-value loss categories reported in finance, ahead of far noisier attacks like ransomware.

Wire fraud via CFO or supplier impersonation (typically the biggest single-event losses)
Payroll diversion (fake banking detail updates from real employee identities)
Account takeover of finance staff with payment authority
Vendor invoice spoofing — same supplier, different bank account
Credential theft for online banking and corporate card portals
Tax-office and regulator impersonation (IRD, ATO, HMRC, IRS phishing)

Compliance frameworks that touch SAT

These are the regulations and standards in financial services where ongoing security awareness training is either required or strongly expected.

PCI-DSS

Global

v4.0 treats security awareness as an ongoing activity (Req. 12.6): a formal, documented programme reviewed at least every 12 months (12.6.1, 12.6.2), training for personnel on hire and at least annually (12.6.3), and content that explicitly covers phishing and social engineering (12.6.3.1).

FCA / SYSC

UK

Senior Management Arrangements, Systems and Controls (SYSC) requires firms to implement training appropriate to the operational risk, including phishing and social engineering.

FMA / FMC Act

NZ

Financial Markets Authority guidance on cyber resilience explicitly calls out staff awareness programmes as part of the basic baseline.

APRA CPS 234

AU

Requires every APRA-regulated entity to maintain an information security capability commensurate with the threats it faces; the accompanying guidance (CPG 234) expects ongoing staff awareness training to be part of that capability.

ASIC RG 255

AU

Cyber resilience regulatory guidance specifies staff training as a fundamental control for AFS licensees.

FFIEC IT Handbook

US

Information Security booklet requires institutions to maintain a security awareness and training programme proportionate to the institution's complexity.

GLBA Safeguards Rule

US

Amended rule (compliance required from June 2023) requires a written information security programme that includes security awareness training for all personnel (16 CFR 314.4(e)).

SOX 404

US

Public-company controls over financial reporting include user-access controls and training; auditors increasingly want SAT evidence as part of the control narrative.

Phish your financial services staff are actually getting

Patterns we see most often. RiskSense generates these automatically from your tenant context, not from a template library.

Pattern 1

CFO 'urgent wire' to a new supplier

Email appears to come from the CFO, sent late afternoon. Asks the accounts payable lead to push a wire through to a new supplier for an in-flight deal, before close of business.

What tips Glitch off
  • Sender domain is one character off the real one (yourco → yorco)
  • Real CFO would Slack first, not email about a wire
  • Urgency framing — 'before EOD' — designed to bypass dual approval
  • New supplier, new bank account, no purchase order
Pattern 2

Payroll banking detail change

Email from a staff member to payroll, asking to update their banking details before the next pay run. Tone is casual, name matches a real employee.

What tips Glitch off
  • Email originates from a personal-looking domain, not the company tenant
  • No follow-up call or in-person confirmation
  • Timing — right before payroll cutoff — pressures the operator
  • Bank account is at a different institution than the staff member historically used
Pattern 3

Vendor invoice with new bank details

Invoice arrives from an existing supplier you've been paying for years. The PDF looks right. The bank account on the remittance slip is new.

What tips Glitch off
  • Reply-to address differs from the sender (classic supplier-spoof tell)
  • Bank details changed without prior written notice from the supplier
  • PDF metadata (creation date, producer) doesn't match the supplier's previous invoices
  • Invoice number does not follow the supplier's normal sequence
Pattern 4

Tax-office password reset

Email purporting to be from IRD / ATO / HMRC / IRS warning that your business tax account requires verification before a deadline.

What tips Glitch off
  • Real tax offices do not ask you to reset a password or confirm login details via an emailed link
  • Domain is similar but not the official one (ird-govt.co.nz vs ird.govt.nz)
  • Deadline pressure designed to short-circuit verification
  • Asks for credentials or banking info on a third-party form
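The four patterns above boil down to a handful of checks a mail pipeline can run before a human ever sees the message: a sender domain one character off a trusted one, a real employee's name on mail from outside the tenant, a Reply-To that routes somewhere other than the sender, urgency language, and a bank account that does not match master data. The Python below is an added example of those checks, not RiskSense code; the tenant domain, employee directory, vendor and payroll account tables, and the four sample messages are all constructed for illustration.

```python
"""Heuristic triage of inbound finance mail against the four BEC patterns.

Added example, not RiskSense code. All tenant data below is assumed
(constructed for the example) and the sample messages are constructed.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

CORP_DOMAIN = "yourco.com"                                   # assumed tenant domain
TAX_DOMAINS = {"ird.govt.nz", "ato.gov.au", "hmrc.gov.uk", "irs.gov"}
EMPLOYEES = {"Dana Ford", "Sam Liu"}                         # assumed directory
VENDOR_ACCOUNTS = {"acme-supplies.co.nz": "12-3456-0789012-00"}   # assumed AP master data
PAYROLL_ACCOUNTS = {"Sam Liu": "01-0100-0011111-00"}              # assumed payroll master data

URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|asap|before (eod|close of business|the next pay run|cutoff)|deadline)\b",
    re.I)
CREDENTIAL_ASK = re.compile(r"\b(verify|confirm|update) (your|the) (account|password|login|credentials)\b", re.I)
ACCOUNT_NO = re.compile(r"\b\d{2}-\d{4}-\d{7}-\d{2}\b")     # NZ bank account layout


@dataclass
class Message:
    from_name: str
    from_addr: str
    reply_to: str       # empty string when the header is absent
    subject: str
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(dom: str, targets: set, threshold: float = 0.85) -> Optional[str]:
    """Return the trusted domain `dom` most resembles, or None if it is trusted or unrelated.

    Punctuation is stripped first, so 'ird-govt.co.nz' is compared with
    'ird.govt.nz' as 'irdgovtconz' vs 'irdgovtnz' (ratio 0.90).
    """
    if dom in targets:
        return None
    norm = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    ratio, best = max((SequenceMatcher(None, norm(dom), norm(t)).ratio(), t) for t in targets)
    return best if ratio >= threshold else None


def triage(msg: Message) -> list:
    """Return the tells that fire for one message, in a fixed order."""
    flags = []
    sdom = domain(msg.from_addr)
    rdom = domain(msg.reply_to or msg.from_addr)
    text = f"{msg.subject}\n{msg.body}"

    # Patterns 1 and 4: sender domain a character or two off one we trust
    target = lookalike(sdom, {CORP_DOMAIN} | TAX_DOMAINS)
    if target:
        flags.append(f"lookalike-domain:{sdom}~{target}")
    # Pattern 2 (and 1): a real employee's name on mail from outside the tenant
    if msg.from_name in EMPLOYEES and sdom != CORP_DOMAIN:
        flags.append("external-sender-with-employee-name")
    # Pattern 3: replies routed to a different domain than the apparent sender
    if rdom != sdom:
        flags.append(f"reply-to-mismatch:{sdom}!={rdom}")
    # All patterns: pressure to act before verification can happen
    if URGENCY.search(text):
        flags.append("urgency-language")
    # Patterns 1-3: account number in the mail vs what AP / payroll hold on file
    acct = ACCOUNT_NO.search(text)
    on_file = VENDOR_ACCOUNTS.get(sdom) or PAYROLL_ACCOUNTS.get(msg.from_name)
    if acct and on_file and acct.group() != on_file:
        flags.append("bank-account-differs-from-master-data")
    elif acct and not on_file:
        flags.append("bank-account-not-in-master-data")
    # Pattern 4: credential 'verification' request
    if CREDENTIAL_ASK.search(text):
        flags.append("credential-verification-request")
    return flags


# Constructed sample messages, one per pattern plus a legitimate control.
SAMPLES = {
    "cfo_wire": Message("Dana Ford", "dana.ford@yorco.com", "", "Urgent wire - new supplier",
                        "Need this pushed through before EOD. Account 06-0606-0666666-00, PO to follow."),
    "payroll_change": Message("Sam Liu", "sam.liu.personal@gmail.com", "", "Banking details",
                              "Hey, can you update my banking details before the next pay run? "
                              "New account 38-9012-0345678-00, thanks."),
    "vendor_invoice": Message("Acme Supplies Accounts", "accounts@acme-supplies.co.nz",
                              "accounts.acme-supplies@outlook.com", "Invoice INV-20931",
                              "Please note our updated remittance details: 02-0200-0222222-00."),
    "tax_reset": Message("Inland Revenue", "noreply@ird-govt.co.nz", "", "Action required",
                         "Your business tax account requires verification before the deadline. "
                         "Verify your account at https://ird-govt.co.nz/login"),
    "legit": Message("Dana Ford", "dana.ford@yourco.com", "", "Q3 close",
                     "Reminder: Q3 close checklist attached, no action needed today."),
}


def triage_samples() -> dict:
    return {name: triage(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_samples().items():
        print(f"{name:15s} {flags}")
```

The master-data comparison is the check that matters most: a changed account number is hard evidence, while urgency and lookalike domains only raise suspicion. In production the lookalike set should include the domains of your actual suppliers and banks, not just the tenant and the tax office, and any "account differs" hit should route to an out-of-band callback rather than a reject.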

Cyber insurance angle

Cyber insurance for financial services has hardened more than any other sector. Insurers now treat SAT not as a nice-to-have but as a baseline condition of coverage. Without a documented ongoing programme, expect either a meaningful premium uplift, tighter sub-limits on BEC and social engineering, or in some cases an outright decline. With a documented programme, your broker has something to work with.

Read the full cyber insurance breakdown →

Questions financial services teams ask

How often do finance staff need to be trained?

Most of the frameworks above require ongoing training rather than a one-off session. In practice that means policy training at least annually (PCI DSS 12.6.3 makes the 12-month cadence explicit) plus regular phishing simulations, commonly monthly or quarterly. Auditors increasingly want to see month-over-month data, not just an annual tick-the-box video.

What about contractors and temp staff?

PCI-DSS, FCA SYSC, GLBA and APRA CPS 234 all explicitly cover contractors and third parties with access to in-scope systems. RiskSense covers all users on the connected tenant by default, so contractors with email accounts are included automatically.

Will our auditor accept the RiskSense reports?

Yes. Reports include per-employee training records, time-stamped phishing simulation events, coaching completion, and aggregate trend data — the evidence pattern auditors want. Reports are exportable and have been used in SOC 2, ISO 27001, PCI-DSS and APRA audits.

We're a small accounting practice — is this overkill?

No. SMB accounting practices are a top target because they hold client banking details and tax records but typically have weaker controls than the banks themselves. Insurers know this, which is why they've started underwriting accounting practices against baselines similar to those for mid-size firms.

How does the AI know about NZ banks vs UK banks vs US banks?

The brands engine generates phishing content from the real banks, suppliers, tax offices and tools your staff actually deal with, based on the country and industry of the tenant. NZ staff see Westpac NZ, ANZ, IRD. UK staff see Barclays, HSBC, HMRC. US staff see Chase, Bank of America, IRS. No manual configuration.

Do you cover wealth management / fund administration / fintech specifically?

Yes — all of those sit under the financial services umbrella. The AI picks up the specific terminology and supplier ecosystem from the tenant (investment platforms, fund admins, custodians, etc.) and shapes phish accordingly.

Get a financial services-aware programme running today.

60 seconds to set up. No credit card. Reports your auditor and your broker will actually accept.