www.darktrace.com, 1/28/2026, 8:06:12 PM

The State of Cybersecurity in the Finance Sector: Six Trends to Watch

The State of Cybersecurity in the Finance Sector report highlights how credential-driven intrusion is intensifying, with phishing remaining the leading initial access vector and techniques such as adversary-in-the-middle (AiTM) and QR code phishing surging.

In the first half of 2025, Darktrace observed 2.4 million phishing emails in financial sector deployments, with almost 30% aimed at VIP users. Data loss prevention remains a persistent risk area: October 2025 findings showed over 214,000 emails with unfamiliar attachments sent to suspected personal addresses and more than 351,000 sent to freemail accounts.

Ransomware is evolving toward data theft and extortion, with groups such as Cl0p and RansomHub exploiting trusted file-transfer platforms to exfiltrate data before encryption. Attackers are also exploiting edge devices pre-disclosure, targeting VPNs, firewalls and remote access gateways to blend into trusted traffic and enable lateral movement.

DPRK-linked groups affiliated with Lazarus are active across cryptocurrency and fintech, using tools including Beavertail and EtherRAT and targeting organisations in multiple countries. The report stresses cloud complexity and AI governance gaps as systemic risks, calling for a behaviour-based security posture to detect threats that operate ahead of public disclosure.


Article by CyberSIXT