---
url: 'https://www.corbado.com/faq/phishing-banking-sector-issues'
title: 'Why is phishing such an issue in the banking sector?'
description: 'Phishing is a major issue in banking, as attackers trick users into revealing credentials. Non-phishable authentication like passkeys can help.'
lang: 'en'
keywords: 'phishing in banking, banking security threats, banking fraud,'
---

# Why is phishing such an issue in the banking sector?

[Phishing](https://www.corbado.com/glossary/phishing) remains one of the biggest security threats in the
**banking sector**, as cybercriminals continuously [exploit](https://www.corbado.com/glossary/exploit) human
trust to steal credentials, financial data, and access to accounts. Despite advancements
in security technologies, **traditional authentication methods like passwords, PINs, and
SMS one-time passwords (OTPs) are still vulnerable to phishing attacks**.

### How Phishing Works in Banking

[Phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed) typically follow these steps:

1. **Impersonation** – Attackers send fake emails or SMS messages, or create fake
   [banking](https://www.corbado.com/passkeys-for-banking) websites, that appear legitimate.
2. **Deception** – The user is tricked into believing they are interacting with their real
   bank.
3. **Credential Theft** – Victims enter their login details, PINs, or OTPs, unknowingly
   handing them over to attackers.
4. **Account Takeover** – Fraudsters use stolen credentials to perform unauthorized
   transactions, steal funds, or commit
   [identity fraud](https://www.corbado.com/blog/digital-identity-verification).

A **real-world example** of this occurred with **Deutsche Bank**, where attackers cloned
the bank’s website, tricking users into entering their [banking](https://www.corbado.com/passkeys-for-banking)
credentials and SMS OTPs in real time. This highlights the **weakness of phishable
authentication factors**.

### Why is Banking a Prime Target for Phishing?

- **Financial motivation** – Cybercriminals directly profit by stealing funds or selling
  stolen data.
- **High attack success rates** – Users often reuse passwords or fall for well-crafted
  [phishing](https://www.corbado.com/glossary/phishing) schemes.
- **Trust exploitation** – Fake messages from “banks” easily create urgency and fear,
  making users act quickly.
- **Outdated authentication methods** – Traditional authentication methods such as
  **passwords and SMS OTPs** are still widely used and are susceptible to
  [phishing](https://www.corbado.com/glossary/phishing).

### How Can Phishing Be Prevented?

To combat phishing, banks must move away from **phishable authentication** and adopt
**phishing-resistant methods**, such as:

- **Passkeys (WebAuthn, FIDO2)** – These cryptographic authentication methods eliminate
  shared secrets, so there is no reusable credential for an attacker to intercept.
- **Hardware-based security keys** – Devices like [YubiKeys](https://www.corbado.com/glossary/yubikey) provide an
  additional non-phishable security factor.
- **Fraud detection and risk-based authentication** – Monitoring unusual login behavior
  can prevent unauthorized access.
- **Customer education** – Awareness campaigns help users recognize phishing attempts.

## Passkeys as a Solution

**Passkeys are a game-changer for banking security**. Unlike passwords or SMS OTPs,
**passkeys rely on cryptographic authentication and device-bound credentials**, meaning:

- Users **never enter credentials manually**, eliminating phishing risks.
- Passkeys are **bound to a specific domain**, making it impossible for attackers to trick
  users into using them on fraudulent sites.
- Banks can meet **Strong Customer Authentication (SCA) under PSD2** requirements while
  **eliminating the most common phishing attack vector**.

By adopting **phishing-resistant authentication**, the [banking](https://www.corbado.com/passkeys-for-banking)
sector can significantly reduce fraud, protect customer accounts, and ensure compliance
with security regulations like **PSD2 and SCA**.
