Apr 08, 2026 • Olga Altukhova, Oleg Kupreev, Polina Tretyak
Financial cyberthreats in 2025 and the outlook for 2026
Executive Summary
Kaspersky's 2025 financial threat landscape report highlights a significant shift in cybercriminal operations. While traditional PC banking malware prevalence declined, infostealers emerged as the central driver of financial cybercrime, fueling a dark web economy that trades in stolen credentials. Phishing campaigns evolved beyond traditional banking lures, increasingly targeting e-commerce, digital services, and online gaming platforms with regionally tailored social engineering. Mobile banking malware continues to grow despite PC malware reductions. Attackers prioritize credential access and indirect fraud over complex Trojan deployment. Regional analysis shows distinct targeting preferences, such as online stores in the Middle East and banks in Africa. This maturation of phishing operations and reliance on credential aggregation poses a high risk to global financial security. Organizations must enhance credential monitoring and user awareness training to mitigate these adaptive threats effectively.
Summary
In this report, Kaspersky experts share their insights into the 2025 financial threat landscape, including regional statistics and trends in phishing, PC malware, and infostealers.
Published Analysis
In 2025, the financial cyberthreat landscape continued to evolve. While traditional PC banking malware declined in relative prevalence, this shift was offset by the rapid growth of credential theft by infostealers. Attackers increasingly relied on aggregation and reuse of stolen data, rather than developing entirely new malware capabilities. To describe the financial threat landscape in 2025, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN), along with publicly available data and data on the dark web. We analyzed the data for financial phishing, banking malware, infostealers and the dark web.
Key findings
Phishing
Phishing activity in 2025 shifted toward e-commerce (14.17%) and digital services (16.15%), with attackers increasingly tailoring campaigns to regional trends and user behavior, making social engineering more targeted despite reduced focus on traditional banking lures.
Banking malware
Financial PC malware declined in prevalence but remained a persistent threat, with established families continuing to operate, while attackers increasingly prioritize credential access and indirect fraud over deploying complex banking Trojans. By contrast, mobile banking malware continues to grow, as we wrote in detail in our mobile malware report.
Infostealers and the dark web
Infostealers became a central driver of financial cybercrime, fueling a growing dark web economy where stolen credentials, payment data, and full identity profiles are traded at scale, enabling widespread and destructive fraud operations.
Financial phishing
In 2025, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. Attackers leveraged increasingly convincing social engineering techniques and brand impersonation to exploit user trust. Rather than relying solely on volume, campaigns showed greater targeting and contextual adaptation, reflecting a maturation of phishing operations.
The distribution of top phishing categories in 2025 shows a clear shift toward digital platforms that aggregate multiple user activities, with web services (16.15%), online games (14.58%), and online stores (14.17%) leading globally. Compared to 2024, the rise of online games and the decline of social networks and banks indicate that attackers are increasingly targeting environments where users are more likely to take a risk or engage impulsively.
Categories such as instant messaging apps and global internet portals remain significant phishing targets, reflecting their role as communication and access hubs that can be exploited for credential harvesting.
TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices, 2025
Regional patterns further reinforce the adaptive nature of phishing campaigns, showing that attackers closely align category targeting with local digital habits. For example, online stores dominate heavily in the Middle East.
TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the Middle East, 2025
Online games and instant messaging platforms feature more prominently in the CIS, suggesting a focus on younger or highly connected user bases.
TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the CIS, 2025
APAC shows almost equal shares of online games and banks, which indicates a combined approach targeting different users.
TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’...