FS-ISAC report warns of rising fraud and supply chain risks

A report released Monday by a major cybersecurity cooperative for banks underscores the persistent and evolving cyber threats facing the U.S. financial sector.

The annual threat report from the Financial Services Information Sharing and Analysis Center (FS-ISAC) identifies key risks driven by geopolitical shifts, emerging technologies and changing criminal tactics.

“The report’s findings underscore the complexity and unpredictability of today’s threat landscape,” said Steve Silberstein, CEO of the FS-ISAC, in a press release. “The global financial sector’s interconnectedness with the supply chain and its ongoing incorporation of emerging technologies add to the challenges. Cross-border collaboration and proactive intelligence sharing are essential to safeguarding the global financial system.”

The report is sourced from FS-ISAC’s more than 5,000 financial firm members in 75 countries, which regularly report incoming cybersecurity threats to the organization, and further augmented by analysis by the consortium’s intelligence staff. The analysis examined data from January 2024 until January 2025.

Overall threat level low despite specific concerns

The report found that stability and continuity of the global financial system remain under constant threat from lone hackers, organized criminal gangs and nation-state actors. However, the overall threat level globally, including for the Americas specifically, is at the lowest of the four levels FS-ISAC has in its Cyber Threat Level (CTL).

The CTL for each region is an industry barometer of cyber risk set by regional Threat Intelligence Committees (TICs) made up of experts from FS-ISAC member firms. “The relative stability of the CTLs reflects the sector’s ability to manage the changing threat landscape,” the FS-ISAC report reads.

“The overall ratings in each region were more stable than they have been in years past,” the report notes. Regardless, TICs have raised concerns about specific elements of the threat environment, which the consortium highlighted in the annual report.

For a period of roughly two weeks in May 2024, the cyber threat level in the Americas region increased one level due to ongoing activity by Scattered Spider, the threat actor that compromised MGM Resorts and Caesars Entertainment in 2023. The report called the threat actor “credible” and “sophisticated,” adding it is believed to be based in the U.S., U.K. and Canada.

FS-ISAC members voted to return the threat level from “elevated” back to “guarded” later in the month.

Supply chain risks remain a top priority

Supply chain risk continues to be a primary worry for the financial sector worldwide, according to FS-ISAC.

The industry’s significant reliance on third-party vendors increases exposure to disruptions that can have widespread impact. Recent incidents involving software vulnerabilities in common tools like XZ Utils — an open-source data compression software package widely used in almost all Linux distributions — and Managed File Transfer (MFT) products such as Cleo and MoveIt highlight this risk.

In March 2024, security researchers discovered that malicious code had been deliberately inserted into the XZ libraries. The implanted backdoor would have allowed unauthorized remote access to a victim’s entire system. Researchers discovered the backdoor in development versions of the software, which had not been widely distributed to production systems.

While this flaw in the XZ Utils was an example of a supply chain attack targeting open source software, there have also been examples of threat actors targeting proprietary supply chain software. Last year, it was Cleo; the year before, it was MoveIt.

This trend of targeting supply chains is expected to continue, according to the report. While suppliers are likely to increase cybersecurity investments due to pressure from financial clients, firms seeking diversification with smaller vendors could face increased risk if those vendors are less cyber mature.

Fraud surges with aid of new technology

Fraud is surging across multiple sectors, targeting firms, customers and employees, according to the FS-ISAC report.

“Real-time payments infrastructure, cryptocurrencies, and decentralized finance mechanisms make it virtually impossible to retrieve stolen funds,” reads the report.

Notably, North Korean threat actors stole $2.2 billion USD from cryptocurrency platforms in 2024, highlighting the scale of theft facilitated by these methods.

Threat actors increasingly operate with the structure of legitimate businesses, utilizing scams-as-a-service and scam compounds. Scams-as-a-service operations have become more structured, efficient and effective in recent years, according to FS-ISAC. Scam compounds, where human trafficking victims are forced to conduct cybercrimes, scaled up in 2024, increasing the potential for sophisticated social engineering frauds.

Generative AI is giving threat actors powerful new tools for more effective fraud campaigns, as well. Attackers are using LLMs to increase the volume and sophistication of attacks, particularly social engineering campaigns like phishing, making them more convincing and enabling them in multiple languages.

Similarly, threat actors are using deepfakes for more sophisticated C-suite impersonation and social engineering scams, sometimes powered by easily accessible and inexpensive tools. FS-ISAC predicted impersonation attacks would increase, potentially targeting a broader range of employees beyond executives.

Ransomware adapts and shifts tactics

“Ransomware continues to be a serious and pervasive threat to business continuity, reputation, and profitability across sectors,” reads the FS-ISAC report.

While the number of reported ransomware attacks went down, the amounts threat actors demanded increased, according to the report.

This increasing profitability of ransomware is being driven by the availability of GenAI, open-source code and ransomware-as-a-service that make it easier to launch such attacks, regardless of the threat actors’ level of expertise, according to Teresa Walsh, FS-ISAC’s chief intelligence officer.

“On top of this, ransomware operators have shown their ability to adapt their tactics, reorganize, and re-brand with more agility, all of which contribute to the growing effectiveness of ‘big game hunting’ in ransomware,” Walsh said.

The financial and insurance sector accounted for about 8% of identified data leaks from ransomware groups in 2024, according to FS-ISAC, making it the fourth most affected sector. Threat actors are demanding larger payouts, leading to 2024 being one of the highest-grossing years for ransomware operators despite a decrease in reported attacks.

Third-party service providers, particularly in the professional, scientific and technical services sector, are frequent victims, highlighting the financial sector’s increased exposure via supply chain incidents.

Ransomware groups continue to use double and triple-extortion tactics, sometimes including Distributed Denial of Service (DDoS) attacks. Ransomware groups are expected to continue evolving, leveraging new tools and shifting to data extortion if law enforcement targets high-profile encryption operators.

DDoS attacks persist and evolve

DDoS attacks, which had a renaissance in the early 2000s, returned last year, targeting the financial services sector as a primary objective.

Content delivery network and security provider Akamai reported last year that financial services was the most frequently targeted sector for DDoS attacks in 2024, accounting for 34% of attacks. These attacks aim to disrupt operations and undermine trust by impacting the availability of customer-facing systems.

Geopolitically-driven events were key catalysts for hacktivist DDoS campaigns, often targeting organizations peripheral to the conflicts, according to FS-ISAC’s report. Attackers are becoming more agile, using reconnaissance and multi-vector attacks, and may increasingly target critical API endpoints.

Geopolitics drives cyber activity

Ongoing hostilities and new tensions present opportunities for threat actors, with nation-states increasingly targeting providers crucial to business operations, according to FS-ISAC.

Actors associated with the People’s Republic of China (PRC) are among the most sophisticated globally, often targeting the financial sector’s key providers like technology and telecoms operators, according to the report. These groups may pre-position on networks for disruptive attacks and could conduct espionage related to sanctions or trade disputes.

“Cybercrime poses a significant threat to the financial services sector as it tries to cause widespread disruption and serious economic damage,” said Steve Winterfeld, Advisory CISO at Akamai.

Relatedly, Russian state-sponsored activities have focused on the conflict in Ukraine, but state-affiliated cybercriminals also target the financial sector with noisy attacks like denial of service or intrusion campaigns, according to FS-ISAC.

FS-ISAC expects threat actors from sanctioned nations, such as North Korea, to attempt more financially motivated crimes to fund government activities. Government-sponsored Threat actors in the country are highly proficient in social engineering and supply chain attacks, targeting companies dealing with cryptocurrency to steal funds.

The report also notes that North Korean remote workers posing as IT professionals have been hired in U.S. companies, including banks and other financial service providers, to misappropriate data, steal money and conduct espionage. For example, in a search warrant related to one such case last year, prosecutors named Capital One and Wells Fargo as potential targets of one such scheme.