Assets Under Attack: Email Threats Targeting Financial Services Jump 25%
Money talks—and cybercriminals are listening. The financial services (FinServ) industry is becoming an increasingly popular target for advanced email attacks, as a single successful breach can unlock millions in assets and compromise the financial security of countless individuals.
As artificial intelligence democratizes sophisticated attack techniques and automation scales criminal operations, the stakes have never been higher.
From credential phishing that opens the door to account takeovers, to business email compromise schemes that can drain corporate accounts in minutes, FinServ organizations are facing unique cybersecurity challenges that traditional tools can’t address.
Why Financial Services Can't Escape Cybercriminals' Crosshairs
In May 2024, Evolve Bank & Trust, a financial institution based in Arkansas, disclosed a ransomware attack attributed to the LockBit threat group. The breach was initiated when an employee clicked a malicious link, enabling the attackers to compromise Evolve’s internal systems. As a result, sensitive data belonging to approximately 7.6 million individuals—including full names, Social Security numbers, and bank account information—was exposed. The incident also impacted clients of Evolve’s fintech partners, including Affirm, Mercury, and Wise. Evolve declined to pay the ransom, prompting the threat actors to publish the stolen data online.
Evolve's experience reflects a broader attack pattern, one driven by the fact that the financial services sector presents cybercriminals with opportunities few industries can match.
The susceptibility of FinServ organizations stems from the industry's operational DNA. Financial institutions handle massive volumes of sensitive data, process millions (or billions) in transactions daily, and manage vast networks of high-net-worth clients. Every wire transfer, payment authorization, and account modification represents a potential payday that dwarfs traditional cybercrime profits. Few industries offer attackers such a direct pathway to capital.
Add the complexity of vendor relationships and reliance on email as a primary communication channel for everything from wire transfers to compliance reporting, and you have conditions that create plenty of openings for impersonation and compromise.
Strict compliance standards and regulatory requirements raise the stakes even more. Operational disruptions can lead to costly penalties, reputational damage, and significant financial loss. Thus, if an employee receives an email purportedly related to a matter that could lead to service interruptions, they may act quickly to contain the issue—choosing to forgo verification in the interest of speed.
Advanced Email Attacks on Financial Services Organizations Rise 25%
Our data shows a 25.2% year-over-year growth in the volume of advanced email attacks targeting the FinServ industry.

One likely contributor to this increase is the accessibility of generative AI tools. Threat actors can now craft emails that perfectly mimic internal communication styles and include context-appropriate industry jargon and regulatory language. What once required extensive manual research can now be automated through AI-powered platforms that analyze public communications, SEC filings, and social media to create convincing impersonations.
The rise in attacks also coincides with the expanded digitization of financial services operations. Remote work, digital-first customer interactions, and automated processing systems have expanded attack surfaces while making verification of communications more challenging. What was once handled through in-person meetings or phone calls now flows through email channels that cybercriminals have learned to exploit.
This growth is particularly concerning given the outsized impact of successful attacks in this industry. Whether it’s fraudulent transactions, account compromise, or data exfiltration, even a single malicious message can have far-reaching consequences.
Phishing Attacks on Financial Services Firms Climb 17% Year-over-Year
Phishing remains one of the most popular tactics for attackers, and its impact on FinServ organizations has intensified. Between April 2024 and April 2025, phishing attacks on the industry increased by 17.1%.

Modern phishing emails are polished, personalized, and virtually indistinguishable from legitimate communications—especially when enhanced with generative AI. In attacks targeting financial institutions, messages leverage familiar pressure points like "Client complaint requires immediate attention" or "Wire transfer authorization needed before market close." These scenarios feel authentic because they mirror daily operational realities.
As a result, finance professionals, who regularly receive time-sensitive emails from clients, vendors, and internal stakeholders involving significant sums and tight deadlines, face a progressively greater challenge in distinguishing legitimate urgency from manufactured crisis.
What makes FinServ phishing particularly dangerous is the domino effect of compromised credentials. Financial services credentials can unlock:
Core banking systems through single sign-on integration
Customer databases containing personal and financial information
Wire transfer and payment authorization platforms
Regulatory reporting systems with sensitive compliance data
Trading platforms and investment management systems
BEC Volume Declines Slightly but Remains a Major Threat
Interestingly, the volume of business email compromise attacks targeting the financial services industry declined by 8.5% year-over-year. But this drop does not tell the whole story.

Despite the decrease, FinServ organizations still experience a disproportionately high rate of BEC when compared to adjacent industries like professional services and insurance. This suggests that while the total number of attacks may have dipped slightly, the financial services industry remains a primary target for high-value BEC schemes.
The fact that the industry presents ideal conditions for BEC success is the most likely explanation. Financial institutions have well-defined hierarchies that make executive impersonation more credible. A "CFO" requesting a critical wire transfer authorization or a "Chief Compliance Officer" demanding immediate documentation feels authentic within established organizational dynamics.
In addition, FinServ organizations operate with time-sensitive workflows, making "end-of-day wire transfer," "regulatory filing deadline," and "client emergency" requests feel natural in an environment where minutes can mean millions and delays carry severe penalties. Finally, compliance requirements create urgency that can override security protocols. Thus, when cybercriminals impersonate regulators or reference specific compliance failures, targets often prioritize rapid response over verification.
Protecting Financial Services Organizations from Sophisticated Threats
While the 25% surge in advanced email attacks represents a significant escalation in cyber threats, it also signals a fundamental shift in how attackers view and target this sector. The sophistication of modern phishing campaigns, combined with the persistent threat of business email compromise, creates a multi-layered challenge that traditional security measures simply cannot address. Further, as generative AI tools become more accessible and attack automation grows more sophisticated, the volume and quality of threats targeting financial institutions will only intensify.
The path forward requires a fundamental reimagining of email security. Legacy solutions that rely on detecting known indicators of compromise are insufficient against threats that exploit human psychology rather than technical vulnerabilities. Financial services organizations must embrace AI-native security platforms that understand behavioral patterns, detect anomalies in real-time, and automatically remediate threats before employees can engage.
See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior.