Cyber attacks in financial services aren’t new – but they have become faster, more convincing, and far harder to detect, with some attackers sitting quietly for months before acting.
Three shifts stand out:
- Identity is now the main attack surface – attackers increasingly prefer to log in rather than break in, using techniques like phishing or social engineering to obtain credentials. By exploiting trust and accessing accounts legitimately, they can operate more quietly – making their activity much harder to detect and allowing it to go unnoticed for longer.
- AI is improving the quality and scale of attacks – especially phishing and impersonation, including video and audio deepfakes.
- Trust-based workflows (suppliers, approvals, email) are being actively exploited: attackers insert themselves into routine processes and use familiarity and urgency to bypass scrutiny and get malicious requests approved.
For financial firms, where high-value transactions rely on speed and trust, this combination is perfect for attackers.
In fact:
- Phishing remains the most common cyber attack, impacting 85% of businesses that experience breaches.
- And social engineering attacks like business email compromise continue to account for a major share of financial losses.
3 Common Cyber Attacks within the Finance Industry
1) Phishing & impersonation:
What’s changed?
Phishing used to be easy to spot: typos, a lack of company knowledge and poor email structure gave it away. That is no longer the case. Phishing emails have become highly convincing, and impersonation is a large part of why.
Attackers are combining:
- Lookalike domains (not spoofed, but visually similar: for example, compare the letter a in fca.org.uk with fcɑ.org.uk)
- Supplier or executive impersonation
- AI-written emails that sound natural and context-aware
AI-generated phishing is now widespread, with some estimates suggesting over 80% of phishing content is AI-assisted.
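As an added example (not code from the original post), a PowerShell function that flags a sender domain which merely resembles one your firm trusts: it catches the non-ASCII substitution shown above (fcɑ.org.uk) and, more roughly, ASCII tricks such as an inserted hyphen. The allow-list, the function name and the sample inputs are constructed for illustration; the folding table is a heuristic to tune for your own suppliers.

```powershell
# Added example, not from the original post. Save as UTF-8 (with BOM on
# Windows PowerShell 5.1) so the non-ASCII sample domain survives.
# $TrustedDomains is a constructed allow-list; in practice it holds the
# genuine domains of your suppliers and regulators.
$TrustedDomains = @('fca.org.uk', 'supplier.example')

function ConvertTo-FoldedDomain {
    param([string]$Name)
    # Fold characters that render alike and drop separators, so that
    # fca-org.uk or f.c.a.org.uk compares equal to fca.org.uk.
    return ($Name -replace 'rn', 'm' -replace 'vv', 'w' -replace '0', 'o' -replace '1', 'l' -replace '[-.]', '')
}

function Test-LookalikeDomain {
    param([Parameter(Mandatory)][string]$Domain)
    $d = $Domain.Trim().ToLowerInvariant()
    $finding = [ordered]@{ Domain = $d; Verdict = 'unrelated'; Reason = '' }

    if ($TrustedDomains -contains $d) {
        $finding.Verdict = 'trusted'
        return [pscustomobject]$finding
    }

    # 1. Non-ASCII characters: fcɑ.org.uk uses U+0251, not the letter a.
    #    On the wire such a name is punycode (xn--...), which is the form to
    #    search for in mail headers and gateway logs, so report it too.
    if ($d -match '[^\x00-\x7F]') {
        try   { $wire = [System.Globalization.IdnMapping]::new().GetAscii($d) }
        catch { $wire = '(not a valid internationalised name)' }
        $finding.Verdict = 'lookalike'
        $finding.Reason  = "non-ASCII characters; wire form: $wire"
        return [pscustomobject]$finding
    }

    # 2. ASCII confusables: compare the folded forms of both sides.
    $folded = ConvertTo-FoldedDomain $d
    foreach ($t in $TrustedDomains) {
        if ($folded -eq (ConvertTo-FoldedDomain $t)) {
            $finding.Verdict = 'lookalike'
            $finding.Reason  = "folds to the same string as $t"
            return [pscustomobject]$finding
        }
    }
    return [pscustomobject]$finding
}

# Constructed sample inputs: genuine, homoglyph, hyphen trick, unrelated.
'fca.org.uk', 'fcɑ.org.uk', 'fca-org.uk', 'news.example' | ForEach-Object { Test-LookalikeDomain $_ }
```

The same check can be run over the From: domains in a mail gateway export to find lookalikes that have already been delivered.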
Why it’s working:
- Emails are passing basic checks
- Messages sound normal, removing traditional red flags
- Targets are contextualised (based on role, supplier relationships, or recent activity)
This is especially effective in finance teams, where users are processing payments quickly, managing a wide range of supplier relationships and working under time pressure.
What it could look like in real life: Urgent transfer
- A supplier requests updated bank details
- A client “resends” payment instructions
- A senior manager asks for an urgent transfer
Nothing looks unusual, until the money has moved and it’s too late.
Another example: Inbox rule abuse
Once attackers gain access to credentials (through phishing, social engineering and similar tactics), they often:
- Set rules to forward finance-related emails externally
- Delete or hide warning messages
- Monitor payment conversations in real time
Microsoft themselves have highlighted that inbox rules are commonly used by attackers to forward sensitive emails, move or delete messages to hide activity and maintain persistence inside compromised accounts.
How can my firm protect itself against this?
Unfortunately, some malicious email will inevitably slip through the net at some point, even with strong email security in place and DMARC configured. It is therefore imperative that you also focus on other areas of cyber security, such as continuous user awareness and 24/7 monitoring and management. Not only does this help prevent the attacks above, it also helps against the next ones…
2) Ransomware: more targeted, harder to contain
What’s changed?
Ransomware, unfortunately, has not disappeared; it has evolved considerably, again with the influence of AI.
Modern ransomware attacks are now:
- More targeted, focusing on high-value industries like finance and healthcare
- Faster, with reduced time between compromise and impact
- More strategic, using data theft alongside encryption
Attackers are also shifting to “data-only” extortion (threatening to leak data without encrypting it), and the landscape is fragmenting into more independent, smaller groups rather than a few large, well-known ones, as technical knowledge becomes more widely available.
Why financial firms are prime targets for ransomware:
- High-value, sensitive data
- Regulatory pressure to recover quickly
- Operational reliance on systems staying online
And with the cost of incidents often running into the millions per breach, it’s clear why the financial sector is facing increasing regulatory scrutiny and tighter compliance requirements from governments.
What it could look like in real life:
- Attackers gain initial access (often via phishing or social engineering)
- They then move laterally across systems to exfiltrate sensitive data
- Trigger encryption or extortion
And by the time it becomes visible, or someone suspects something is wrong, the damage is already done.
💡If you needed to check right now for any suspicious activity or unauthorised access in your systems, would you – or your current IT provider – know how to identify it?
Ransomware needs to be ‘rebranded’. It’s no longer just about downtime or spending millions; it’s also about the consequences of data exposure, lost client trust and regulatory fines.
3) Supply chain & third-party compromise: the “trusted route in”
What’s changed?
Attackers are increasingly bypassing secure environments by targeting trusted partners instead.
Instead of breaking in directly, they:
- Exploit suppliers
- Compromise integrations
- Abuse trusted communication channels
Supply chain attacks have increased significantly in recent years, as attackers leverage interconnected systems to gain access.
Why it’s working:
Modern financial firms depend on:
- External platforms and SaaS tools
- Third-party providers
- Integrated systems and APIs
These connections create an expanded attack surface, implicit trust and reduced visibility outside your organisation’s own environment.
What it could look like in real life:
- A compromised supplier sends legitimate-looking invoices with changed payment details
- A trusted integration becomes an entry point
- Credentials from a partner are used to access systems
But from the user’s perspective, everything looks normal.
Reality check
If one of your suppliers is compromised:
- Your controls may still be bypassed
- Your users may trust malicious communication
- Your detection may be too late
What this means for financial firms:
Across all three threats above, the pattern is consistent:
- In 2026, attacks are exploiting trust, speed, and identity
- They target real workflows, not just systems
- And they often succeed without triggering obvious alerts
At the same time:
What “good” cyber security looks like in 2026
1. Strengthen prevention (but don’t rely on it)
- Anti-phishing policies with impersonation protection
- Continuous cyber security user awareness training
- Proper email authentication (SPF, DKIM, DMARC)
- Role-based protection for finance and senior users
2. Improve detection (this is where most gaps are)
- Alerts for mailbox rule creation and auto-forwarding
- Monitoring for unusual logins or identity behaviour
- Visibility across supplier and third-party interactions
3. Focus on response (where risk becomes a financial loss)
- Rapid account lockdown and session revocation
- Mailbox auditing (rules, forwarding, hidden activity)
- Verification steps before releasing payments
- Follow your organisation’s Incident Response Plan (get our template here)
Ideally your firm should have:
✅ strong authentication in place (ideally phishing‑resistant)
✅ clear client money controls (Business Email Compromise accounted for)
✅ evidence-backed baseline security measures
✅ a tested incident response plan (not just data backups)
✅ continuous monitoring of identity activity
Use this tomorrow: a 60‑second diagnostic
Think about these three questions and ask them internally (or of your suppliers):
- Do you know if auto-forwarding is enabled anywhere in your estate?
- Would you be alerted if a finance mailbox created a rule today?
- Do you monitor for impersonation of key suppliers and executives?
If the answer to any of these is “not sure”, you’ve just found a vulnerability.
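To answer the first two diagnostic questions, and to hunt for the inbox-rule abuse described under phishing & impersonation above, here is an added PowerShell audit for Exchange Online (not code from the original post or from Microsoft). It assumes the ExchangeOnlineManagement module and an account allowed to read recipients and inbox rules; the internal domain and the function name are placeholders.

```powershell
# Added example, not from the original post or from Microsoft: list every
# mailbox-level forward, every inbox rule that forwards or redirects mail
# outside the firm or deletes/hides it, and the tenant-wide auto-forward
# setting. 'yourfirm.example' is a placeholder for your accepted domains.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false
$InternalDomains = @('yourfirm.example')

function Test-ExternalRecipient {
    # Rule recipients render as '"Name" [SMTP:user@domain]'; any recipient
    # whose domain is not one of ours counts as external.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:([^\]]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLowerInvariant()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin, or by an attacker holding admin rights)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Type = 'MailboxForwarding';
            Detail = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)" }
    }
    # User-level rules, including hidden ones that Outlook does not display
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = Test-ExternalRecipient -Recipients @($targets | ForEach-Object { "$_" })
        # Deleting mail, or filing it where nobody looks, is how warnings and bounces get hidden
        $hides = $rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'Deleted|RSS|Junk|Archive')
        if ($external -or $hides) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Type = 'InboxRule';
                Detail = "'$($rule.Name)' enabled=$($rule.Enabled) external=$external " +
                         "delete=$($rule.DeleteMessage) moveTo=$($rule.MoveToFolder)" }
        }
    }
}

# Tenant setting: unless this is Off, any external forward found above can leave the tenant
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Enumerating rules per mailbox is a point-in-time check; for the second question (being alerted when a finance mailbox creates a rule today) raise alerts on the New-InboxRule, Set-InboxRule and UpdateInboxRules operations in the unified audit log instead of re-running this script.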