
Finance | May 26

Financial Services Face Rising Cyber Threats Through MFA Bypasses, Token Theft

New cybersecurity reports show attackers increasingly bypass traditional password protections by targeting multi-factor authentication resets and authentication tokens.

Synthesized from 2 sources

Financial services organizations faced a significant increase in cyberattacks during 2025, with threat actors increasingly bypassing traditional password-based defenses through sophisticated social engineering and token theft techniques, according to multiple cybersecurity reports released in May 2026.

CrowdStrike's Financial Services Threat Landscape Report identified a group called Mutant Spider as the most active threat to the financial sector over the past 12 months. The group's primary method involved voice phishing calls over Microsoft Teams, where attackers impersonated internal IT support staff to convince employees to reset their multi-factor authentication credentials. Once successful, the attackers registered their own devices on corporate networks, gaining persistent access without triggering additional security alerts.

The Federal Bureau of Investigation separately issued a public service announcement warning about Kali365, a phishing-as-a-service platform available for as little as $250 per month on Telegram. The platform exploits Microsoft's OAuth 2.0 device authorization system, originally designed for devices like smart TVs that cannot support interactive login. When victims authenticate through legitimate Microsoft verification pages, the multi-factor authentication prompt is satisfied on their own device while the access token is delivered to the attacker's system.
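For defenders, the device-code abuse described above shows up in sign-in telemetry as a device authorization grant for an account that normally signs in interactively. The following Python check is an added example, not taken from the cited reports; the record layout, field names, allowlist and all sample events are constructed assumptions rather than any vendor's log schema.

```python
"""Review device-code grants in sign-in events (constructed data, assumed fields)."""

DEVICE_CODE = "device_code"

# Assumption: accounts that legitimately use the device authorization grant,
# e.g. shared meeting-room displays that cannot perform interactive login.
ALLOWED_DEVICE_CODE_USERS = {"svc-boardroom-tv"}

# Constructed sign-in events, oldest first. IPs are documentation ranges.
SIGNINS = [
    {"time": "2026-05-01T09:02:11Z", "user": "a.chen", "grant": "interactive",
     "ip": "198.51.100.10", "success": True},
    {"time": "2026-05-02T09:05:40Z", "user": "a.chen", "grant": "interactive",
     "ip": "198.51.100.10", "success": True},
    {"time": "2026-05-02T10:00:00Z", "user": "svc-boardroom-tv", "grant": DEVICE_CODE,
     "ip": "198.51.100.77", "success": True},
    {"time": "2026-05-03T14:31:09Z", "user": "a.chen", "grant": DEVICE_CODE,
     "ip": "203.0.113.45", "success": True},
    {"time": "2026-05-03T15:10:00Z", "user": "b.ortiz", "grant": DEVICE_CODE,
     "ip": "203.0.113.45", "success": False},
]


def review_device_code_grants(events, allowed_users):
    """Return device-code sign-ins by users who are not expected to use that grant."""
    seen_ips = {}  # user -> IPs from that user's earlier successful sign-ins
    findings = []
    for ev in events:
        known = seen_ips.setdefault(ev["user"], set())
        if ev["grant"] == DEVICE_CODE and ev["user"] not in allowed_users:
            reasons = ["user not expected to use the device code grant"]
            if ev["ip"] not in known:
                reasons.append("IP not seen on this user's earlier sign-ins")
            findings.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                             "token_issued": ev["success"], "reasons": reasons})
        if ev["success"]:
            known.add(ev["ip"])  # update the baseline only after evaluating the event
    return findings


if __name__ == "__main__":
    for f in review_device_code_grants(SIGNINS, ALLOWED_DEVICE_CODE_USERS):
        state = "TOKEN ISSUED" if f["token_issued"] else "attempt failed"
        print(f'{f["time"]} {f["user"]} {f["ip"]} [{state}]: ' + "; ".join(f["reasons"]))
```

Failed attempts are kept in the findings because several users targeted from the same address points to a campaign rather than a one-off.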

The shift in attack methods reflects broader changes in the threat landscape. Verizon's 2026 Data Breach Investigations Report found that vulnerability exploitation now accounts for 31% of initial breach access vectors, surpassing credential theft, which dropped to 13%. The report analyzed more than 22,000 confirmed breaches across 145 countries and found that median patching times increased to 43 days, while organizations patched only 26% of critical vulnerabilities in the government's Known Exploited Vulnerabilities catalog.

Financial services ranked as the fourth most targeted sector by the first quarter of 2026, accounting for 12% of all observed adversary activity. Globally, financial institutions experienced 43% more hands-on-keyboard intrusions in 2025 compared to two years earlier, with North American institutions seeing a 48% increase. Ransomware operators named 423 financial services entities on their leak sites during the reporting period, representing a 27% increase from the previous year.

State-sponsored groups also intensified their focus on financial targets. North Korean-linked adversaries stole $2.02 billion in digital assets in 2025, a 51% increase from the prior year, including a single $1.46 billion cryptocurrency theft in February. Chinese-linked groups conducted sustained campaigns against financial institutions across multiple continents, primarily through compromised VPN and firewall appliances. Security experts noted that both criminal and state-sponsored campaigns shared a common approach of initially targeting identity systems, credentials, or trusted access pathways rather than attempting to breach perimeter defenses directly.
