Positive Technologies identifies key cyberthreats for financial companies in 2025–2026

Positive Technologies has outlined  the major cyberthreats that the financial sector may face in the coming years. These include ransomware attacks, malicious use of QR codes, exploitation of API  vulnerabilities, DDoS campaigns, and attacks targeting suppliers and partners. These conclusions are based on the company’s analysis of security incidents and publicly available data concerning threats to banks and other financial institutions.

The financial sector remains one of the top five most targeted industries by cybercriminals, according to Positive Technologies data for the period from 2024 to Q1 2025. In 67% of successful cyberattacks, attackers stole data and used it to blackmail victims by threatening to delete or expose the information. Another 26% of incidents caused operational disruptions, while 5% resulted in financial theft.

Social engineering was used in 57% of successful cyberattacks on financial organizations in 2024. Positive Technologies analysts predict that such incidents will continue to rise as cybercriminals leverage the generative capabilities of artificial intelligence (AI) to craft convincing phishing emails. On the defensive side, security teams are also expected to use AI to detect AI-generated malicious content.

The growing use of application programming interfaces (APIs) poses significant risks. Without adequate security measures, APIs could become an entry point for cybercriminals. This risk is exacerbated by the proliferation of shadow  APIs, which often lack proper protection, and the widespread adoption of AI in the financial sector. According to a report by Wallarm, the number of vulnerable AI-enabled APIs increased tenfold in 2024.

Another key cyberthreat in 2025–2026 will be the growing number of attacks on contractors and suppliers. Cybercriminals are likely to target less secure partners to gain access to larger financial organizations. Small and medium-sized businesses may also be affected, especially if attackers fail to reach their main targets.

Roman Reznikov, Cybersecurity Research Analyst at Positive Technologies, says: “Cybercriminals continue to exploit legitimate and widely used tools in fraudulent schemes. For example, attacks involving QR codes have become more frequent. Hackers replace legitimate QR codes with malicious ones in public spaces and bypass email security by taking advantage of the difficulty in detecting QR codes within messages. In the future, we may see malware capable of altering QR codes directly on device screens during payment.

That’s why it’s important to be careful with QR codes and avoid scanning ones from unknown or suspicious sources. At the same time, defensive measures are evolving too. For instance, a company can protect itself from emails containing malicious QR codes by using PT Sandbox, which identifies QR codes in email images and attachments, extracts the embedded links, and checks them for malicious activity.”

The access-as-a-service market presents another serious challenge. Positive Technologies reports that nearly 9% of dark web listings for access sales are related to the financial sector. This market is expected to grow as new technologies lower the barriers to entry into cybercrime. Inexperienced attackers may sell discovered access points to more skilled cybercriminals.

Ransomware attacks are also projected to increase. Cybercriminals have begun demanding ransoms lower than the potential fines for data breaches. Analysts anticipate this tactic will become more common in countries with turnover-based fines such as Russia, Brazil, and China.

DDoS campaigns will continue to pose a significant threat to the financial sector in 2025. Hackers are expected to create massive botnets of compromised IoT devices and use AI to launch adaptive attacks that respond to victims’ countermeasures.

To protect against these evolving threats, financial organizations must adopt a comprehensive cybersecurity strategy built on advanced tools, including: next-generation firewalls (NGFWs) like PT NGFW to prevent cyberattacks and enforce security policies; web application firewalls (WAFs) such as PT Application Firewall for detecting and blocking attacks, including threats from the OWASP Top 10 list; SIEM systems, including tools like MaxPatrol SIEM, to identify malicious activity across infrastructure and endpoints, integrated with EDR solutions like MaxPatrol EDR.

In addition, sandboxes (such as PT Sandbox) and NTA or NDR systems (like PT NAD) should be used to protect against malware and detect hacker movement within the network.