DefenseStorm

DefenseStorm ensures cyber risk readiness, including cybersecurity, compliance, & fraud. DefenseStorm is a NAFCU Preferred Partner for cloud cybersecurity.

Operating both as a technology system and as a service supported by experts in FI security and compliance, the GRID watches everything on a bank or credit union’s network and matches it to defined policies for real time, complete and proactive cyber exposure readiness, keeping security teams smart and executives accountable. FFIEC CAT and ACET requirements are built-in and automated, as can be oth

06/01/2026

Every insider incident we observed in H1 2026 involved privilege misuse.

In one case, data was exfiltrated to a third party over Zoom. Most institutions have invested in email DLP, USB restrictions, and cloud upload controls. Screen sharing and file transfer over video conferencing platforms often fall completely outside those controls. Data leaves in plain sight, during what looks like a normal business meeting, and nothing fires.

The numbers from the broader industry: $20.68M average annual insider threat cost in financial services. 123% rise since 2018. Incidents contained in under 31 days cost $10.6M on average. Slow detection adds a 76% premium.

And the profile isn't what most people assume — 75% of insider incidents are non-malicious. But when they are malicious, financial services insiders have direct access to the thing they're after.

A passing access review doesn't mean access is right-sized. It means someone signed off that a list matched a role. The gap between authorized access and necessary access is where insider risk lives — and where examiners are increasingly looking.

Our H1 2026 threat report: https://ow.ly/e3oN50Z4Pe0

05/29/2026

$3.05 billion in reported losses. ~$123,000 per incident on average. 86% transmitted by wire or ACH — fast and usually unrecoverable.

That's BEC in 2025, per the FBI's IC3 Annual Report. And vendor email compromise — where an attacker uses a real, trusted vendor's mailbox to send fraudulent payment instructions — now drives more than 60% of it. Sender reputation checks pass. The email is from a real account at a real company you already do business with.

AI is making it worse. Deepfake audio in callback verification. AI-generated email threads that spoof prior conversations. The verification step many institutions rely on is becoming less reliable.

For a bank or credit union, BEC isn't an email problem. It's a fraud problem with a cyber entry point — and FFIEC expects those two programs to be connected, not parallel.

The institutions catching it early treat upstream cyber telemetry (auth failures, mailbox rule changes) and downstream fraud signals (payment pattern deviations, beneficiary changes) as one workflow.

Our H1 2026 threat report from DefenseStorm CTS Ops: https://ow.ly/HwFO50Z4P7H

05/27/2026

In late April, our Security Operations team analyzed a new ClickFix variant on a monitored endpoint.

Not a single commercial antivirus engine flagged either of the two malicious files.

ClickFix doesn't exploit a vulnerability. There's no attachment to scan. No link to block. The user is tricked into pasting a command into their own machine — usually via a fake CAPTCHA or "verify you are human" prompt — and becomes the execution engine themselves.

In H1 2025 these attacks surged 517%. By 2026 it's the dominant initial access vector across our monitored client base, used by financially motivated actors, ransomware affiliates, and nation-states alike.

For a bank or credit union, the next-hop targets are the wire room, ACH origination, and the core processor. Same technique. Categorically worse outcome.

Our full H1 2026 threat report — what we're seeing, what's working, and what to do about it: https://ow.ly/6kBN50Z4P2l

05/25/2026

In observance of Memorial Day, we are out of office. Today, we honor and remember the brave men and women who gave their lives in service to our country. Our Security Operations team is proactively monitoring cybersecurity threats 24x7x365.

We will be back in the office tomorrow morning!

05/22/2026

If your exam-readiness plan is “we’ll pull that report when they ask”… that’s the risk.

This blog breaks down the 2026 cyber priorities examiners are zeroing in on — and how to prep now. https://defensestorm.com/insights/what-credit-union-examiners-are-prioritizing-in-2026-cyber-edition/

05/21/2026

If your bank’s exam readiness plan is “we’ll pull it together when they ask,” that’s a risk.

This breaks down the cyber priorities bank examiners are pressing on in 2026—and what to have ready now.

Read → https://defensestorm.com/insights/what-bank-examiners-are-prioritizing-in-2026-cyber-edition/

05/20/2026

Your MDR provider monitors for known threat signatures.

But does it know what normal looks like at your bank?

When a deepfake impersonation succeeds and someone authorizes an unusual transaction, the attack creates downstream signals:

- After-hours access through credentials obtained via impersonation
- Wire transfer patterns that deviate from your institution's established workflows
- Service account activity that does not match behavioral baselines
- Credential usage from unfamiliar locations or devices

A generic MDR vendor sees these as isolated alerts. A Collaborative SOC built for banking sees them as a pattern: something changed in how your environment normally operates.

That distinction matters because AI-powered social engineering is not going away. Detection speed for post-compromise activity is what separates an incident from a material loss.

Ask your MDR provider: do your analysts know what a normal wire transfer workflow looks like at our institution?

If the answer is no, your detection layer has a blind spot exactly where attackers are aiming.

Read more here: https://defensestorm.com/insights/when-the-voice-on-the-phone-isnt-human-how-banks-and-credit-unions-can-detect-ai-powered-social-engineering-before-it-becomes-a-wire-transfer/

05/19/2026

2026 exams: cyber findings won’t come from what you *say* you do — they’ll come from what you can *show.*

Here are the top areas examiners are pressing on (Cyber Edition) https://defensestorm.com/insights/what-credit-union-examiners-are-prioritizing-in-2026-cyber-edition/

05/18/2026

Bank exam prep in 2026 = show your cyber program works (not just that it exists).

Top examiner focus areas (Cyber Edition) https://defensestorm.com/insights/what-bank-examiners-are-prioritizing-in-2026-cyber-edition/

05/18/2026

Deepfake-as-a-Service can clone a voice from 3 seconds of audio.

AI-enhanced social engineering jumped 16 percentage points to become the #1 cybersecurity concern for financial institutions in 2026.

Here is the part that keeps ISOs up at night: you cannot train your way out of this. When the deepfake voice is indistinguishable from your CEO, even well-trained staff can be deceived under pressure.

The uncomfortable truth: some of these attacks will succeed.

The better question: what happens NEXT?

Every successful social engineering attack must eventually translate into system-level actions. Anomalous after-hours access. Atypical wire transfer patterns. Credential deviations. Behavioral outliers.

Those downstream signals are detectable, but only if your SOC understands what normal looks like at YOUR institution.

A generic MDR provider monitors for universal threat indicators. A banking-trained Collaborative SOC monitors for the behavioral anomalies that follow when a deepfake call actually works.

The prevention conversation is important. The detection conversation is where your institution's real protection lives.

Read more here https://defensestorm.com/insights/when-the-voice-on-the-phone-isnt-human-how-banks-and-credit-unions-can-detect-ai-powered-social-engineering-before-it-becomes-a-wire-transfer/

Address


1720 Windward Concourse
Alpharetta, GA
30005