Financial Cyberthreats in 2025: Key Trends and What to Expect in 2026

From Usahobs, the free encyclopedia of technology

The financial cyberthreat landscape in 2025 underwent significant shifts. Traditional PC banking malware declined in prevalence, but this was offset by a surge in credential theft via infostealers. Phishing campaigns became more targeted, focusing on e-commerce and digital services rather than directly mimicking banks. Meanwhile, the dark web economy for stolen credentials and identity profiles expanded. This Q&A explores the key findings from Kaspersky's analysis and offers an outlook for 2026.

In 2025, the financial cyberthreat landscape continued to evolve in response to both technological advancements and attacker ingenuity. The most notable trend was the decline in traditional PC banking malware, which was offset by a rapid growth in credential theft by infostealers. Attackers increasingly relied on aggregating and reusing stolen data instead of developing entirely new malware capabilities. Phishing campaigns also matured, becoming more targeted and context-aware, with a shift away from direct bank impersonation toward e-commerce (14.17% of phishing pages) and digital services (16.15%). The dark web economy flourished, with stolen credentials, payment data, and full identity profiles traded at scale. Mobile banking malware continued its upward trajectory, as detailed in separate mobile malware reports. Overall, the threat landscape became more diversified, with attackers focusing on credential access and indirect fraud over complex banking Trojans.

Source: securelist.com

2. How did phishing tactics change, and which categories were most impersonated?

Phishing in 2025 saw a clear shift toward platforms that aggregate multiple user activities. Instead of relying solely on volume, campaigns became more targeted and contextually adapted, reflecting a maturation of phishing operations. The top categories mimicked by phishing and scam pages included web services (16.15%), online games (14.58%), and online stores (14.17%). Compared to 2024, the rise of online games and the decline of social networks and banks indicate that attackers are targeting environments where users are more likely to act impulsively. Instant messaging apps and global internet portals remained significant, serving as communication and access hubs for credential harvesting. Regional patterns further reinforced the adaptive nature of these campaigns, with attackers tailoring lures to local trends and user behavior.

3. Why did PC banking malware decline, yet remain a threat?

Financial PC malware declined in relative prevalence during 2025, but it did not disappear. Established malware families continued to operate, albeit with less emphasis on complex banking Trojans. Instead, attackers prioritized credential access and indirect fraud—such as using stolen login data to hijack accounts or conduct social engineering attacks. The decline is partly due to the effectiveness of infostealers, which offer a simpler, more scalable method for obtaining credentials without needing to develop sophisticated malware. However, PC banking malware remains a persistent threat because it can still execute targeted attacks, especially against organizations with weak security postures. The shift does not reduce risk but rather changes the nature of the threat, making credential hygiene and multifactor authentication even more critical.

4. What drove the rise of infostealers and their impact on the dark web?

Infostealers became a central driver of financial cybercrime in 2025. These malware variants are designed to harvest credentials, cookies, and other sensitive data from infected devices. Their rise is fueled by several factors: they are easier to deploy than traditional banking Trojans, they can collect data from multiple sources (browsers, email clients, etc.), and they feed a thriving dark web economy. On the dark web, stolen credentials, payment card details, and full identity profiles are traded at scale, enabling widespread and destructive fraud operations. Attackers no longer need to develop custom malware; they can purchase ready-made infostealer tools and then sell the stolen data to downstream criminals. This ecosystem lowers the barrier to entry for cybercrime and amplifies the impact of each infection. The result is a more efficient, commoditized criminal marketplace that targets individuals and businesses alike.


5. How did mobile banking malware evolve in 2025?

While PC banking malware declined, mobile banking malware continued to grow in both volume and sophistication. Attackers increasingly targeted mobile devices due to their ubiquity and the sensitive data they hold (banking apps, payment services, SMS-based authentication codes). In 2025, mobile malware campaigns leveraged advanced techniques such as overlay attacks, accessibility service abuse, and fake login screens to steal credentials and intercept one-time passwords. The trend aligns with the broader shift toward mobile-first financial services. Kaspersky's separate mobile malware report provides detailed analysis, but it's clear that mobile platforms are now a prime vector for financial cybercrime. Users are advised to download apps only from official stores, avoid granting unnecessary permissions, and use security solutions that offer real-time protection against malicious apps.

6. What is the outlook for financial cyberthreats heading into 2026?

Looking ahead to 2026, the financial cyberthreat landscape is expected to become even more fragmented and specialized. Infostealers will likely remain the dominant threat, with attackers refining data aggregation techniques and targeting cloud-based credentials. Phishing will continue to evolve, with deeper personalization using AI and stolen data from infostealers. The dark web market for stolen identities will expand, enabling large-scale fraud, including account takeovers and synthetic identity creation. Mobile banking malware will grow further, especially as more financial services adopt mobile-first strategies. On a positive note, security awareness and technology are also advancing: organizations are investing in zero-trust architectures, phishing-resistant authentication, and real-time threat intelligence. The key for individuals and businesses is to stay proactive—use strong, unique passwords, enable multifactor authentication, and deploy comprehensive security tools.