
New Positive Technologies Report Reveals Cybercriminal Tactics Targeting Financial Sector

Positive Technologies has released a new report detailing the major cyberthreats poised to challenge the financial sector in the coming years. Their analysis of security incidents and public data on banks and other financial institutions reveals key areas of concern: ransomware attacks, malicious QR code exploitation, API vulnerabilities, DDoS campaigns, and attacks targeting suppliers and partners.

According to Positive Technologies data covering 2024 through Q1 2025, the financial sector remains one of the five industries most targeted by cybercriminals. In 67% of successful cyberattacks, attackers stole data and used it for blackmail, threatening to expose or destroy it. Another 26% of incidents caused operational disruptions, while 5% resulted in direct financial theft.

Social engineering was a primary tactic, used in 57% of successful cyberattacks on financial organizations in 2024. Positive Technologies analysts anticipate a rise in such incidents as cybercriminals use generative Artificial Intelligence (AI) to craft more convincing phishing emails. Conversely, security teams are also expected to use AI to detect this AI-generated malicious content.

The increasing use of Application Programming Interfaces (APIs) presents significant risks. Without adequate security, APIs can become critical entry points for cybercriminals. This risk is amplified by the proliferation of shadow APIs (undocumented and unmanaged APIs that lack proper protection) and the widespread adoption of AI in financial services. A Wallarm report highlighted a tenfold increase in vulnerable AI-enabled APIs in 2024.
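One practical first step against shadow APIs is an inventory check: compare the endpoints actually hit in traffic with the endpoints the organization has documented. The following is an added example, not code from the report or from Positive Technologies or Wallarm. It assumes a documented endpoint list in the shape of an OpenAPI `paths` section and a few constructed access-log lines in the common combined-log format; the hosts, paths and identifiers are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the endpoints a team has documented, as (method, path template)
# pairs in the style of an OpenAPI spec's `paths` section. Hypothetical paths.
DOCUMENTED = {
    ("GET", "/v2/accounts/{id}"),
    ("POST", "/v2/transfers"),
    ("GET", "/v2/transfers/{id}"),
}

# Constructed sample access-log lines (combined-log shape; hypothetical hosts and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:00:01 +0000] "GET /v2/accounts/10492 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2025:10:00:02 +0000] "POST /v2/transfers HTTP/1.1" 201 88
10.0.0.9 - - [12/Mar/2025:10:00:03 +0000] "GET /v1/accounts/10492/export HTTP/1.1" 200 90112
10.0.0.9 - - [12/Mar/2025:10:00:04 +0000] "GET /internal/ai/summarize?account=10492 HTTP/1.1" 200 2048
10.0.0.7 - - [12/Mar/2025:10:00:05 +0000] "GET /v2/transfers/7c1d9b2e-5a3f-4c2b-9e1d-2f4a8b6c0d11 HTTP/1.1" 200 640
10.0.0.7 - - [12/Mar/2025:10:00:06 +0000] "DELETE /v2/accounts/10492 HTTP/1.1" 405 0
"""

# Pull the request line out of a combined-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Identifier-like path segments that should collapse to a {id} template placeholder.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalise_path(target: str) -> str:
    """Strip the query string and replace numeric or UUID segments with {id}."""
    path = target.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        if seg.isdigit() or UUID_RE.match(seg):
            segments.append("{id}")
        else:
            segments.append(seg)
    return "/".join(segments)


def parse_requests(log_text: str):
    """Yield (method, normalised path) for every parseable request line."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            yield m.group("method"), normalise_path(m.group("target"))


def find_shadow_endpoints(log_text: str, documented: set) -> Counter:
    """Return (method, path template) pairs seen in traffic but absent from the spec,
    with a hit count for each, so the noisiest undocumented endpoints surface first."""
    seen = Counter(parse_requests(log_text))
    return Counter({endpoint: n for endpoint, n in seen.items() if endpoint not in documented})


if __name__ == "__main__":
    for (method, path), n in find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED).most_common():
        print(f"{n:4d}  {method:6s} {path}")
```

On the constructed log this flags three candidates: a legacy `/v1` export route, an undocumented internal AI endpoint, and a `DELETE` on a documented path. The last one was rejected with a 405 in the sample, but an unexpected method on a known resource is exactly the kind of finding a team should still review, since a later deployment may start honouring it. In production the documented set would be generated from the real OpenAPI files and the log source would be the gateway or WAF, not a string constant.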

Another significant cyberthreat projected for 2025–2026 is the growing number of attacks on contractors and suppliers. Cybercriminals are likely to target less secure partners to gain access to larger financial organizations. Small and medium-sized businesses may also be affected, particularly if attackers fail to reach their primary targets.

Roman Reznikov, Cybersecurity Research Analyst at Positive Technologies, notes, “Cybercriminals continue to exploit legitimate and widely used tools in fraudulent schemes. For example, attacks involving QR codes have become more frequent. Hackers replace legitimate QR codes with malicious ones in public spaces and bypass email security by taking advantage of the difficulty in detecting QR codes within messages. In the future, we may see malware capable of altering QR codes directly on device screens during payment. That’s why it’s important to be careful with QR codes and avoid scanning ones from unknown or suspicious sources. At the same time, defensive measures are evolving too. For instance, a company can protect itself from emails containing malicious QR codes by using PT Sandbox, which identifies QR codes in email images and attachments, extracts the embedded links, and checks them for malicious activity.”

The access-as-a-service market poses another serious challenge. Positive Technologies reports that nearly 9% of dark web listings for access sales are related to the financial sector. This market is expected to grow as new technologies lower the barriers to entry into cybercrime. Inexperienced attackers may sell discovered access points to more skilled cybercriminals.

Ransomware attacks are also projected to increase. Cybercriminals have begun demanding ransoms lower than the potential fines for data breaches, so that paying looks cheaper than disclosing. Analysts anticipate this tactic will become more common in countries with turnover-based fines, such as Russia, Brazil, and China.

DDoS campaigns will continue to be a significant threat to the financial sector in 2025. Hackers are expected to build massive botnets of compromised IoT devices and use AI to launch adaptive attacks that respond to victims’ countermeasures.

To protect against these evolving threats, financial organizations must adopt a comprehensive cybersecurity strategy built on advanced tools. These include: next-generation firewalls (NGFWs) like PT NGFW to prevent cyberattacks and enforce security policies; web application firewalls (WAFs) such as PT Application Firewall for detecting and blocking attacks, including threats from the OWASP Top 10 list; SIEM systems (e.g., MaxPatrol SIEM) to identify malicious activity across infrastructure and endpoints, integrated with EDR solutions like MaxPatrol EDR. Additionally, sandboxes (such as PT Sandbox) and NTA or NDR systems (like PT NAD) should be used to protect against malware and detect hacker movement within the network.


Chris Fernando

Chris N. Fernando is an experienced media professional with over two decades of journalistic experience. He is the Editor of Arabian Reseller magazine, the authoritative guide to the regional IT industry. Follow him on Twitter (@chris508) and Instagram (@chris2508).
