Zero Day Exploit

2026-05-03 01:12:26

Financial Cyberthreats in 2025: Key Trends and Shifts

In 2025, financial cyberthreats shifted from PC banking malware to infostealers and adaptive phishing, with mobile threats rising and dark web data trading booming.

In 2025, the financial threat landscape saw notable transformations. Traditional PC banking malware declined in relative prevalence, but a sharp rise in credential theft by infostealers more than compensated. Attackers focused on aggregating and reusing stolen data rather than developing new malware. This analysis, based on Kaspersky Security Network data and dark web intelligence, covers three key areas: phishing, banking malware, and infostealers. Below, we address the most pressing questions about these developments.

What were the major shifts in financial cyberthreats in 2025?

The most significant shift was the decline of traditional PC banking malware in favor of infostealers and credential theft. Instead of developing complex banking Trojans, attackers increasingly relied on stealing login credentials and other sensitive data, then aggregating and reusing this information across multiple platforms. This approach proved highly efficient, as stolen credentials could be sold or used in automated fraud campaigns. Another major change was the evolution of phishing: campaigns became more targeted and context-aware, moving away from generic banking lures to impersonating e-commerce sites, digital services, and online games. Mobile banking malware continued to grow, reflecting users' shift to mobile devices for financial transactions. Overall, the threat landscape became less about new malware and more about exploiting stolen data at scale.

Source: securelist.com

How did phishing evolve in 2025?

Phishing in 2025 became more adaptive and regionally targeted. Attackers moved beyond mass-email blasts to carefully crafted campaigns that mimicked popular brands and digital platforms. Social engineering techniques became more convincing, often leveraging current events or user-specific behaviors. The top mimicked categories shifted: web services (16.15%), online games (14.58%), and online stores (14.17%) led globally. This marks a departure from 2024, when banks and social networks were more heavily targeted. Attackers are now focusing on environments where users tend to act impulsively—like gaming or shopping—making it easier to harvest credentials. Regional patterns also emerged, with attackers tailoring lures to local trends and languages, further increasing the effectiveness of their campaigns.

What is the state of banking malware in 2025?

While PC-based banking malware declined in prevalence, it remained a persistent threat. Established malware families continued to operate, but attackers shifted focus from deploying complex banking Trojans to prioritizing credential access and indirect fraud methods. For example, instead of using a Trojan to intercept online banking sessions, they might steal credentials via phishing or infostealers and then log in directly. However, mobile banking malware continued to grow, reflecting the increasing reliance on smartphones for payments and banking. This dual trend—declining PC malware but rising mobile threats—means financial institutions must secure both platforms. The overall decline in PC malware prevalence should not be mistaken for reduced risk, as attackers simply redirected efforts toward more efficient techniques.

Why did infostealers become a central driver of financial cybercrime?

Infostealers became a central driver because they enable a scalable, anonymous economy on the dark web. These tools capture credentials, payment data, browser cookies, and even full identity profiles from infected devices. Cybercriminals then trade this stolen data in underground markets, where it is used for account takeover, fraud, and ransomware attacks. The aggregation and reuse of stolen information means that a single infostealer infection can compromise dozens of online accounts. In 2025, the dark web economy around stolen credentials flourished, with prices dropping due to high supply, making fraud accessible to lower-skilled actors. This ecosystem fuels widespread financial crime, as attackers no longer need to develop their own malware – they simply purchase or steal what they need.

What were the top phishing categories in 2025 and how did they change?

In 2025, the top phishing categories by share of blocked attacks were: web services (16.15%), online games (14.58%), online stores (14.17%), followed by instant messaging apps, global internet portals, and social networks. Compared to 2024, the most notable changes were the rise of online games and a decline in social networks and banks as phishing targets. This shift indicates that attackers are now focusing on platforms where users are more likely to let their guard down, such as gaming platforms that encourage impulsive actions or shopping sites that require immediate logins. Web services—like cloud storage or email—remain popular because they act as central hubs for many other accounts. The data highlights how attackers adapt to user behavior rather than relying on static lures.

How did attackers adapt their social engineering techniques?

Attackers in 2025 moved away from generic, high-volume phishing to targeted and context-aware social engineering. They invested in brand impersonation with high-quality replicas of legitimate websites and emails. Campaigns were tailored to regional trends, user preferences, and even current events, making the lures more believable. Instead of sending millions of identical messages, they used data from previous breaches or infostealer logs to personalize attacks. For example, a phishing email might reference a recipient’s recent purchase from a specific online store. This maturation of phishing operations means users must be more vigilant: even a well-known brand's email could be a threat. The trend toward targeting digital platforms—where users are already engaged—makes it easier to harvest credentials without raising suspicion.