APIs: The New Frontline in Financial Cybersecurity

By Tim Chang, Vice President, Application Security Products at Thales

In the digital economy, Application Programming Interfaces (APIs) are key to nearly every functionality offered by mobile and Web applications. In the financial services sector, APIs enable the seamless exchange of data that make mobile banking apps and real-time payment authorisation possible.  

In the first half of 2025, we have seen cybercriminals shift their focus. Once regarded as obscure backend infrastructure, APIs have risen to prominence as an attack vector as awareness has grown of the volume of sensitive login, payment and identity data they handle.

Thales’s latest API Threat Report, based on over 4,000 monitored environments, recorded more than 40,000 API-related security incidents across all industries in the first half of 2025 alone. That’s an average of over 220 incidents per day, with projections suggesting the number could exceed 80,000 by year-end. 

Why APIs Have Become the Weak Link

While APIs represent just 14% of the digital attack surface, they now attract 44% of advanced bot traffic. That disparity reflects their unique role in the digital economy: APIs aren’t just technical infrastructure, they’re the business logic that keeps transactions, authorisations and customer experiences flowing. When attackers disrupt APIs, the financial impact is immediate – freezing payments, delaying transfers, or locking customers out of essential services.

The report highlights a particularly striking single case: a record-breaking 15 million requests-per-second application-layer DDoS attack targeting a financial services API. Unlike traditional network floods, this was designed to overwhelm the application layer itself. By mimicking legitimate traffic through headless browsers and botnets, attackers make it far harder to distinguish fraud from genuine customer requests.

Financial services accounted for 27% of all API-focused DDoS traffic in H1 2025, underscoring the sector’s reliance on APIs for real-time operations such as balance checks, transfers, and payment authorisations. The implications are clear: APIs are no longer just backend tools – they are mission-critical assets that require robust, adaptive protection.

The Changing Nature of API Threats

The Thales report shows APIs are being probed and exploited in multiple ways:

  • Data access APIs (37%) and checkout/payment endpoints (32%) top the target list, reflecting their direct revenue potential.
  • Credential-stuffing attacks rose by 40% on APIs without adaptive MFA.
  • Data scraping now accounts for 31% of malicious API traffic, often aimed at harvesting personal and financial details.
  • Shadow APIs, or undocumented endpoints, remain a critical blind spot: organisations typically have 10–20% more active APIs than they are aware of.
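The credential-stuffing figure above is the one a defender can act on most directly: a stuffing run shows up in login telemetry as one source trying many different accounts with almost nothing but failures. The following is an added illustration, not code from the article or from Thales, that runs that check over a handful of constructed API access-log lines and decides which sources should be pushed into a step-up (adaptive MFA) flow. The log format, the endpoint name `POST:/v1/auth/login`, the thresholds and the IP addresses are all assumptions made for the example.

```python
"""Added example (not from the article or the Thales report): flag likely
credential-stuffing sources in API login telemetry and route them to step-up
authentication instead of blocking outright.

Assumptions (not stated on the page): each log record carries timestamp,
client IP, account identifier, "METHOD:path" and HTTP status, and the
login endpoint answers 401 on bad credentials.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOGIN_ENDPOINT = "POST:/v1/auth/login"   # hypothetical endpoint name
WINDOW = timedelta(minutes=5)             # sliding window per source IP
MIN_DISTINCT_ACCOUNTS = 5                 # many accounts from one source
MIN_FAILURE_RATIO = 0.8                   # almost all attempts fail

# Constructed sample log: one stuffing source, one genuine user who mistypes
# a password twice, and unrelated non-login traffic.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.7 alice POST:/v1/auth/login 401
2025-06-01T10:00:02Z 203.0.113.7 bob POST:/v1/auth/login 401
2025-06-01T10:00:03Z 203.0.113.7 carol POST:/v1/auth/login 401
2025-06-01T10:00:04Z 203.0.113.7 dave POST:/v1/auth/login 401
2025-06-01T10:00:05Z 203.0.113.7 erin POST:/v1/auth/login 401
2025-06-01T10:00:06Z 203.0.113.7 frank POST:/v1/auth/login 401
2025-06-01T10:01:00Z 198.51.100.9 alice POST:/v1/auth/login 401
2025-06-01T10:01:20Z 198.51.100.9 alice POST:/v1/auth/login 401
2025-06-01T10:01:40Z 198.51.100.9 alice POST:/v1/auth/login 200
2025-06-01T10:02:00Z 192.0.2.5 carol GET:/v1/accounts/balance 200
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    account: str
    endpoint: str
    status: int


def parse_log(text):
    """Turn the constructed whitespace-separated records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, endpoint, status = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, account, endpoint, int(status)))
    return events


def detect_credential_stuffing(events, window=WINDOW,
                               min_accounts=MIN_DISTINCT_ACCOUNTS,
                               min_failure_ratio=MIN_FAILURE_RATIO):
    """Return {ip: stats} for sources whose login attempts within `window`
    touch at least `min_accounts` distinct accounts and mostly fail.
    A genuine customer retrying one account is never flagged."""
    by_ip = defaultdict(list)
    for e in events:
        if e.endpoint == LOGIN_ENDPOINT:
            by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide window start
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            ratio = sum(1 for e in win if e.status == 401) / len(win)
            if len(accounts) >= min_accounts and ratio >= min_failure_ratio:
                # keep the widest qualifying window seen for this source
                if ip not in flagged or len(accounts) > flagged[ip]["distinct_accounts"]:
                    flagged[ip] = {"attempts": len(win),
                                   "distinct_accounts": len(accounts),
                                   "failure_ratio": round(ratio, 2)}
    return flagged


def requires_step_up(ip, flagged):
    """Adaptive response: a flagged source gets a second-factor challenge on
    every login rather than a hard block, so a guessed-at real customer is
    not locked out."""
    return ip in flagged


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, stats in hits.items():
        print(f"{ip}: {stats} -> step-up MFA required")
```

The thresholds are deliberately simple; in production they would be tuned per login endpoint and combined with other signals (ASN, device fingerprint, velocity across IPs), but the core shape of the check does not change.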

For financial services firms, the risk is compounded by scale. APIs are the nervous system of real-time banking and trading, and any weakness can ripple quickly into lost revenue, reputational damage, or regulatory exposure.

What This Means for Financial Services

For executives in banking, insurance, and trading, the findings point to a simple reality: API security is business security. Criminals don’t need to develop new malware when they can exploit existing business logic, such as approving fraudulent payments, scraping sensitive records, or exploiting discount loops to drain value from financial ecosystems.

The challenge is not just one of defence, but of visibility. Many firms still lack a complete inventory of the APIs in use across their systems. As the Thales report makes clear, discovering every live endpoint and understanding its business role is the foundation of any defence strategy.
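Building that inventory starts with a reconciliation: compare the routes the organisation believes it exposes with the routes traffic actually hits, and treat anything in the second set but not the first as a shadow endpoint to triage. The snippet below is an added example, not code from the article or from Thales, that does this for a constructed set of OpenAPI-style route templates and a constructed access log; the paths, methods and identifiers are all assumptions made for the example.

```python
"""Added example (not from the article or the Thales report): surface
undocumented ("shadow") API endpoints by matching observed request paths
against the documented route templates.

Assumptions (not stated on the page): documented routes are OpenAPI-style
templates with {param} segments; the access log yields "METHOD path".
"""
import re
from collections import Counter

# Constructed: what the API is documented to expose (hypothetical paths)
DOCUMENTED_ROUTES = {
    ("GET", "/v1/accounts/{accountId}/balance"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/payments/{paymentId}"),
    ("POST", "/v1/auth/login"),
}

# Constructed access log: documented traffic plus three undocumented routes
OBSERVED_LOG = """\
GET /v1/accounts/12345/balance
GET /v1/accounts/99821/balance
POST /v1/payments
GET /v1/payments/ab12cd34
GET /v1/internal/export
GET /v1/internal/export
POST /v1/auth/login
DELETE /v1/accounts/12345
GET /v2/accounts/12345/balance
"""


def template_to_regex(template):
    """Compile '/v1/accounts/{accountId}/balance' into an anchored regex where
    each {param} matches exactly one path segment."""
    parts = re.split(r"(\{[^/}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")


def compile_routes(routes):
    return [(method, template, template_to_regex(template)) for method, template in routes]


def match_route(method, path, compiled):
    """Return the documented template a request matches, or None."""
    for m, template, rx in compiled:
        if m == method and rx.match(path):
            return template
    return None


def normalise_path(path):
    """Collapse numeric or hex-looking identifiers so repeated calls to the
    same undocumented endpoint aggregate into one row."""
    return re.sub(r"/(\d+|[0-9a-f]{8,})(?=/|$)", "/{id}", path)


def find_shadow_endpoints(log_text, routes):
    """Return {(method, normalised_path): {hits, share}} for every request
    that matched no documented route. `share` is the fraction of all traffic."""
    compiled = compile_routes(routes)
    shadow = Counter()
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path = line.split(maxsplit=1)
        total += 1
        if match_route(method, path, compiled) is None:
            shadow[(method, normalise_path(path))] += 1
    return {key: {"hits": n, "share": round(n / total, 2)} for key, n in shadow.items()}


if __name__ == "__main__":
    for (method, path), stats in find_shadow_endpoints(OBSERVED_LOG, DOCUMENTED_ROUTES).items():
        print(f"SHADOW {method} {path}: {stats['hits']} hits, {stats['share']:.0%} of traffic")
```

The three findings in the sample (an internal export route, an undocumented DELETE on a documented resource, and a `/v2` path with no spec) are the typical shapes shadow endpoints take: forgotten tooling, methods nobody documented, and version drift. The next step for each is the one the report calls for, establishing its business role and owner before deciding whether to retire it or bring it under the same controls as the documented surface.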

Looking Ahead

The second half of 2025 is unlikely to bring relief. If current trends hold, we could see over 80,000 API incidents by year’s end. With regulators sharpening their focus on operational resilience and data protection, the pressure is on for financial institutions to treat API security not as an IT issue, but as a board-level priority.

APIs are the connective tissue of the digital economy. For the financial sector, protecting them means protecting the flow of capital itself. The cost of inaction is not just downtime – it’s trust, compliance, and competitive edge.
