By Evelyn Karathanasopoulou, Threat Intelligence Analyst, Obrela
The global financial services industry is facing a new breed of cyber adversary that is stealthy, adaptive and increasingly embedded within the systems designed to uphold trust. According to Obrela’s latest Digital Universe Report, which analysed 16.8 petabytes of telemetry across more than 500,000 endpoints, financial institutions accounted for nearly one in five recorded cyberattacks worldwide, second only to the retail sector.
But it’s not just the volume of attacks that’s alarming; it’s their precision. Threat actors are moving beyond brute-force attacks and are now deploying highly tailored techniques that exploit the very systems meant to safeguard financial integrity. These intrusions can blend in seamlessly with legitimate activity, adapt quickly to new detection tools, and often leave next to no digital footprints.
Attackers aren’t just probing defences speculatively: they are studying them, learning from them, and carefully adapting their methods in real time.
Industry-specific and insider threats on the rise
One of the report’s most striking findings is the rise of industry-specific attacks, which now represent 32% of all incidents in the financial services sector. Rather than generic hacks, they target transactional systems, trading workflows, and payment infrastructure. This means every part of the financial supply chain is at risk, from transaction approvals and settlement systems to client account management.
Internal compromise is also growing, with suspicious activity linked to 26% of attacks. Credential theft, insider collusion, and account misuse are becoming increasingly common. In other words, adversaries are not just breaching the perimeter; they are operating from within it. Even what might appear to be routine employee actions have the potential to give attackers long-term access to sensitive systems.
This combination of external precision and internal manipulation is shaping the 2025 threat landscape in the financial sector. While ransomware is still a concern, these quieter campaigns focused on data integrity, market manipulation and fraud enablement are increasingly dominating. These are long-term, stealthy operations that are designed to erode confidence, extract value, or disrupt operations without being detected.
According to the Obrela report, the use of direct malware payloads dropped to 0% in trending alerts. Instead, attackers are exploiting legitimate system tools to run malicious code in memory, leaving almost no trace. Fileless attacks and in-memory exploits are now standard practice among sophisticated threat actors.
Groups long associated with financial breaches, such as FIN7, TA505 and the Cobalt Group, have adapted quickly. They now rely on phishing and credential theft to maintain persistent, undetected access rather than noisy ransomware campaigns. State-backed actors, including Russia’s APT29 and the Middle Eastern group Molerats, are also targeting financial networks—not just for money, but for intelligence and strategic advantage. The line between cybercrime and espionage is increasingly blurred, making attribution and response even more challenging.
Financial sector-wide threats
The threat isn’t limited to financial services or any single type of financial institution. Obrela’s data shows that insurers, asset managers, investment firms and fintechs are all at risk. Insurance providers report that 37% of threats are linked to insider misuse and 33% to industry-specific attacks. Asset management and investment firms report 25% and 24% respectively. This means any organisation handling identity or financial data is now a potential target.
Regionally, Southeastern Europe (35%) and Northern Europe (31%) are the most targeted. These areas are home to dense clusters of financial institutions, including banks, insurers, investment firms and payment platforms. Their role as financial and trading hubs, combined with high transaction volumes and cross-border connectivity, makes them particularly attractive to attackers. Across the region, these institutions handle millions of transactions and vast amounts of sensitive data daily, providing ample opportunities for sophisticated threats to exploit even minor anomalies in system behaviour.
Trust under siege
What makes these threats particularly dangerous is their impact on trust, which is the financial sector’s most valuable asset. Traditional cybersecurity models assume that authenticated users are legitimate, and attackers are able to exploit this assumption. For example, unauthorised access to trading platforms, anomalous data queries, and subtle record manipulation can all be mistaken for routine business activity. Even small discrepancies in transaction logs or client data, if undetected, can lead to significant financial or reputational losses.
For business leaders, this means a shift in approach. Investment in prevention must be matched by investment in intent detection. This means continuous behavioural analytics, integrated threat intelligence and a culture where cybersecurity is treated as a strategic business function, not just a compliance checkbox.
Financial institutions operate under some of the world’s strictest regulations, such as the EU’s Digital Operational Resilience Act (DORA), the SEC’s cybersecurity disclosure rules, NIST’s CSF 2.0 framework and the UK’s FCA and PRA guidelines. But Obrela’s findings are clear: compliance does not mean resilience.
Attackers exploit operational gaps, not regulatory ones. Fileless attacks and credential abuse can bypass policy controls entirely, leaving firms compliant on paper but exposed in practice. Boardroom conversations have to shift from asking “Are we compliant?” to “Are we continuously aware and resilient?” Compliance alone will not stop an insider from misusing a privileged account or an advanced persistent threat from quietly exfiltrating sensitive data.
Every human as an endpoint
Insider risk isn’t always malicious; often, however, it becomes so as a result of social engineering, account takeover, or authentication fatigue. This makes every employee and credential a potential attack vector, so education, simplified security workflows and adaptive access controls must be front-line defences.
Cybersecurity in finance is no longer just about keeping attackers out: it’s about detecting them before they can inflict harm. That means embedding monitoring into every transaction, integrating threat intelligence into business decisions, and maintaining continuous awareness of system behaviour.
In 2025, trust in financial institutions depends as much on this situational awareness as it does on capital reserves. Even the most respected institutions risk reputational damage if they fail to detect or respond to evolving threats. And those who treat cybersecurity as a strategic function rather than a regulatory checkbox will be best positioned to protect their clients, their data, and their reputation.


