WP Why Attackers Target the Financial Services Industry | Imperva

Why Attackers Target the Financial Services Industry

Why Attackers Target the Financial Services Industry

This is Part 1 of a new monthly series from Imperva Threat Research exploring attackers’ motivations to target specific industries. Stay tuned for next months’ exploration of the healthcare industry!

Key Takeaways

  • Financial services sites are the most targeted , and it’s important to stay ahead of attackers.
  • 30% of all API traffic goes to shadow APIs, an 89% increase from 2021.
  • DDoS is a common attack, either to ransom or cover other malicious activities, growing 121% in recent years.
  • Over 50% of all traffic to sites in the financial services industry comes from bots, and they experience the highest share of account takeover (ATO) attacks at 38%. 
  • Popular months for online purchasing activity (August and December) are also peak times for ATO attacks.


The financial services industry is consistently the most targeted industry across the board. It accounts for 28% of all the attack attempts Imperva tracks, by far the largest percentage. By comparison, the next largest industry is the business sector, at 14%. As cybercrime grows, the financial services industry will continue to be a lucrative target. 

Attackers target this sector for a multitude of reasons, but the potential for large payouts and valuable data for use or resale are the most common. Any unsecured banking data, crypto wallets, passwords, or weak points into internal systems offer attackers the access point they need to drain accounts and transfer information. Alternatively, attackers can ransom sites and hope that the company will pay up rather than risk the reputational damage. Many financial services sites require high-value personal information (e.g. social security numbers, credit cards, or other data) to create or access account information. Unless it’s properly secured, attackers can easily access, use, or sell this data.

API Security

The industry relies on APIs to connect applications and systems, and enable things like banking widgets and other digital services on your phone. Although APIs make things easier for customers and developers, they introduce a whole new world of threats. Because they’re designed to be accessible, APIs are by nature open and easy to use, making an API a ripe opportunity for attackers to access backend databases. 

A common API-related security threat we track is API violations, which are calls that don’t align with the intended definition of the API. We determine API definitions either by customers providing them, or by observing the API traffic and learning the definitions over time. From there, we can detect API calls that don’t comply with the intended definitions and define those as attacks.

Unsurprisingly, the majority of attacks on API sites were API violations, or other security violations like suspicious calls, incorrect data types, etc. Remote code execution came in second place, at almost 9%.

FSI_Types of API Attacks_2022

Shadow APIs are APIs that are undocumented and not maintained by normal IT management and security processes. APIs can become shadow APIs when they are deprecated but not removed. Additionally, it can be the result of a developer publishing an API without documentation or inventory, or when developers inadvertently make changes to existing hidden APIs and they become exposed.

A shadow API presents a massive security risk when they’re not maintained, and offer attackers a vector to access the rest of the network. In 2022, 30% of all API sessions in the financial services industry were connected to shadow APIs, up from 2% in 2021. Open banking, a practice that enables third-party access to financial data through APIs, is changing the banking industry. It’s been five years since the open banking requirement was introduced in the UK, and shadow APIs have multiplied since then. As more APIs are pushed into production, there is increased risk of forgetting the API or letting it turn into a shadow API.

FSI_Types of APIs_2022

DDoS Attacks

Apart from denial of service, attackers can also use DDoS to distract from other, more intrusive attack methods, or to disrupt security updates. DDoS can also be used to conduct extortion and ransom financial institutions into paying the attacker to restore functionality. If an attacker is able to disrupt the functionality of a large financial institution and impact their ability to serve customers, they may be willing to pay large amounts of money to restore service. 

DDoS attacks on this industry trended upwards throughout 2022, and will likely increase in 2023. Overall, the volume of DDoS targeting financial services in 2022 was 121% higher than in 2021. In November, application layer DDoS hit a maximum RPS of over 1.5 million in a single attack. On average, DDoS attacks targeting financial services in 2022 lasted about 7.5 minutes, and the longest attack we monitored was almost 12.5 hours.

FSI_Max RPS_2022

Since financial services is considered to be critical civilian infrastructure, any disruption to their operation can have serious impact. For example, at the beginning of the Russia-Ukraine conflict, Ukrainian banks were hit with DDoS attacks that affected the country’s ability to conduct critical services.

Bad Bots

Bad bots pose another huge threat to the financial services industry. In fact, 27% of all traffic to financial sites comes from bad bots, and the automation has a multitude of methods to conduct malicious activities. Account takeover (ATO) attacks — when bots try to gain access to a user’s account by brute force or using stolen credentials — are common in the financial services industry. Imperva has previously mitigated large ATO attacks against the financial industry. Other bot-related attacks include credit card fraud, data scraping, or targeting financial sites at the API level.

Over 50% of all traffic to financial sites come from bots, of which half are malicious requests.

FSI_Requests by Client_2022

Account takeover attacks, in particular, are a huge threat for this industry. Attackers attempt to log into existing accounts via a number of methods, and access the data the account contains. Most ATO attacks are recognized due to pre-recognized bot signatures or several different types of brute force attempts. Financial sites account for the highest percentage of ATO attacks, at 38%. 


The financial services industry can’t change that it’s a tempting target for attackers, but steps can be taken to make it harder for attackers to be successful. Create a cybersecurity plan and stay up-to-date on security updates. Invest in DDoS protection to ensure continued availability, and ensure APIs are maintained properly.

Learn how Imperva products and solutions can protect the financial services industry.