Financial services firms are the most phished sector on the planet. According to the FBI's 2024 Internet Crime Complaint Center (IC3) report, financial institutions absorbed 18.3% of all phishing attacks that year, and the sector's average data breach cost ranks as the second highest of any industry. The appeal is obvious: money lives there. But the threat profile for finance goes well beyond opportunistic phishing. Business Email Compromise (BEC), synthetic identity fraud, and ransomware now operate at industrial scale against banks, credit unions, insurance companies, and investment firms. IC3 tallied nearly $8.5 billion in BEC losses across all sectors between 2022 and 2024, and financial services companies are disproportionately targeted because wiring instructions and payment approvals move through email by design. That design assumption is a gift to attackers who know how to impersonate a CFO convincingly.
TL;DR
- Financial institutions absorbed 18.3% of all phishing attacks tracked by IC3 in 2024.
- BEC losses reached $2.77 billion in a single year; $8.5 billion across 2022-2024 combined.
- The top 5 ransomware variants in 2024: Akira, LockBit, RansomHub, FOG, and PLAY.
- Average financial services breach cost is approximately $5 million.
- SEC rules now require public companies to report material cyber incidents within four business days of determining materiality.
The 2024 IC3 report recorded $2.77 billion in BEC losses in a single year, and phishing and spoofing accounted for $70 million in directly attributed losses across all complaint categories. Ransomware added pressure from a different direction: five ransomware variants (Akira, LockBit, RansomHub, FOG, and PLAY) dominated the attack landscape in 2024, and financial services firms faced encryption-based extortion alongside the newer tactic of data-theft-only attacks, where adversaries skip the encryption entirely and simply threaten to publish sensitive customer and transaction records. For regulated institutions, a data publication event is arguably worse than a ransomware outage, because regulatory fines and customer trust erosion compound on top of the breach response cost. The average breach in financial services costs approximately $5 million, reflecting the complexity of forensic investigation, regulatory notification, and remediation in a highly audited industry.
Financial firms that have reduced their breach exposure share a disciplined approach to a few fundamentals: phishing-resistant multi-factor authentication (such as FIDO2 hardware keys or passkeys) on all externally accessible systems, rigorous vendor risk assessments, and an out-of-band communication protocol for any payment instruction changes. Regulators have noticed: the SEC's updated cybersecurity disclosure rules require public companies to report material cyber incidents within four business days of determining materiality, adding a new timeline pressure that makes incident response planning a financial and legal necessity rather than a best practice. Firms that treat their security posture as a competitive differentiator, something customers and institutional partners can evaluate, are increasingly winning business from those that treat it as a back-office cost center.
Pro Tip: Establish an Out-of-Band Verification Protocol for Wire Transfers
BEC attacks succeed when attackers can impersonate executives or vendors via email alone. The single most effective countermeasure is a mandatory out-of-band phone or video verification for any wire transfer above a defined threshold, using a phone number already on file rather than one provided in the email thread. Document this protocol in policy and train staff to treat any deviation from it as a red flag, regardless of apparent urgency from the requestor.
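The verification rule above can be written down as an approval gate so that it is applied the same way every time rather than left to judgement under pressure. The following is an added illustration, not code from the original article: the threshold, the on-file contact directory and the request fields are constructed assumptions, and the treatment of a "new" phone number supplied in the email as a red flag that forces a callback even below the threshold is an added rule beyond what the text states. Note that the `urgent` field is deliberately never read: apparent urgency has no bearing on whether the callback happens.

```python
"""Out-of-band (OOB) callback gate for wire-transfer requests.

Added example modelling the policy described above. Threshold, contact
directory and request model are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy threshold (assumption): wires at or above this amount
# must be verified by callback before release.
OOB_THRESHOLD_USD = 10_000

# Constructed directory (assumption). Only the numbers recorded here count
# for verification; a number supplied inside an email thread never does.
ON_FILE_CONTACTS = {
    "acme-supplies": "+1-555-0100",
    "cfo": "+1-555-0101",
}


@dataclass
class WireRequest:
    requester_id: str                    # vendor or executive the email claims to be
    amount_usd: float
    phone_in_email: Optional[str] = None  # number offered in the email thread, if any
    callback_number: Optional[str] = None  # number staff actually dialled
    callback_confirmed: bool = False       # callee confirmed the instruction
    urgent: bool = False                   # requester's claimed urgency; ignored by policy


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


def normalize(phone: str) -> str:
    """Compare numbers on digits only so formatting differences do not matter."""
    return "".join(ch for ch in phone if ch.isdigit())


def evaluate_wire(req: WireRequest) -> Decision:
    reasons: List[str] = []
    on_file = ON_FILE_CONTACTS.get(req.requester_id)
    if on_file is None:
        # Nobody to call back: the request cannot be verified out of band at all.
        return Decision(False, ["requester not in on-file directory; cannot verify out of band"])

    # Red flag: the email supplies a number that differs from the one on file.
    if req.phone_in_email and normalize(req.phone_in_email) != normalize(on_file):
        reasons.append("phone number in email differs from number on file (BEC indicator)")

    # Routine, below-threshold request with no red flags needs no callback.
    if req.amount_usd < OOB_THRESHOLD_USD and not reasons:
        return Decision(True, ["below threshold, no red flags"])

    # At or above threshold, or any red flag: a confirmed callback is mandatory.
    if not req.callback_confirmed:
        reasons.append("no confirmed callback")
        return Decision(False, reasons)

    # The callback only counts if it went to the number already on file.
    if req.callback_number is None or normalize(req.callback_number) != normalize(on_file):
        reasons.append("callback went to a number that is not the one on file")
        return Decision(False, reasons)

    reasons.append("callback confirmed at on-file number")
    return Decision(True, reasons)


if __name__ == "__main__":
    # Constructed sample: a large "urgent" request whose email offers a new callback number.
    sample = WireRequest("acme-supplies", 250_000, phone_in_email="+1-555-0199",
                         callback_number="+1-555-0199", callback_confirmed=True, urgent=True)
    print(evaluate_wire(sample))
```

The design point is that the decision depends only on the directory the firm controls: a callback placed to a number the requester supplied proves nothing, so the gate rejects it even when the callee "confirmed". The reasons list gives staff and auditors a record of why a release was held.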
Key Takeaways
- Top phishing target: Financial institutions absorbed 18.3% of all phishing attacks tracked by IC3 in 2024.
- BEC losses are staggering: Nearly $8.5 billion in BEC losses were reported to IC3 between 2022 and 2024.
- Ransomware is evolving: Data-theft-only extortion (without encryption) is now a dominant tactic targeting regulated firms.
- Average breach cost is $5M: Forensics, regulatory notification, and remediation drive costs well above other sectors.
- Disclosure timelines tightened: SEC rules require public companies to report material breaches within four business days of determining materiality.
Sources: FBI IC3 2024 Annual Report, TRM Labs: Key Findings from the FBI's 2024 IC3 Report, Secureframe: FBI Internet Crime Report 2024