Fewer Hits, Greater Risk: Financial Firms Face Targeted Attacks

Cyberattacks on financial firms fell in the first five months of 2026, but attackers focused on higher-value targets, logging 132,378 attempted hits per firewall and longer intrusions.

Cybersecurity firm SonicWall reported that cyberattacks against financial services declined in the first five months of 2026, while attackers became more selective and patient. SonicWall recorded 132,378 attempted hits per firewall in the sector during that period.

The firm reported 39,341 malware hits per firewall and 62.8 million malware incidents in financial services, the highest totals among the industries it tracks. SonicWall described a sector-wide drop in overall attack volume as threat actors shifted from mass scanning to more precise operations.

The report noted that intruders often remain inside systems for months to monitor transactions and wait for larger transfers. Michael Brice, president of BW Cyber, described attackers who bypass smaller payments while awaiting seven-figure transfers and added, “These are very patient people.”

SonicWall highlighted legacy systems and unpatched software as key drivers of risk. The firm said a Telnet-related vulnerability affected 42 million firms; when exploited, the vulnerability can expose usernames and passwords in plain text and can allow an intruder full remote control of a machine. SonicWall noted that affected legacy servers frequently sit next to systems that process payments and store transaction records.

Patching delays lengthen exposure windows. A companion SonicWall Cyber Protect report found 77% of organizations take more than a week to deploy patches enterprise-wide and 14% need more than four weeks. In financial services, the average time to patch a high-severity vulnerability was 102 days.

Michael Crean, senior vice president of managed services at SonicWall, used an analogy to describe limits of security tools and stressed the need for continuous monitoring: “You put the strongest deadbolt on your house, but what happens when you’re not there? Tools could be screaming at you to tell you there’s a problem, but what about if nobody is there to hear it?”

SonicWall recommended adopting zero-trust policies to limit the impact of credential theft, conducting frequent system check-ins and upgrades, deploying managed detection and response, and tightening controls around privileged access.

Advisors and small firms described practical measures they use to reduce exposure. Jeff Judge, an advisor at Chesapeake Financial Planners, described maintaining written cybersecurity and branch-security policies, reviewing a business continuity plan at least annually, using managed services for daily technical monitoring, and requiring multistep verification for money movement. He added, “Firewalls get breached. What’s harder to breach is a firm where people are trained to slow down before money moves.”

SonicWall characterized the pattern observed in the data as a shift from volume-based attacks to targeted, high-payoff campaigns that exploit slow patching and legacy systems, producing higher per-firewall hit rates and longer dwell times in networks.

Articles by this author