Learn why Netskope debuted as a leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge

Get the report

Read how innovative customers are successfully navigating today’s changing networking & security landscape through the Netskope One platform.

Get the eBook

Learn about Netskope Partners

Group of diverse young professionals smiling

Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook

Learn about NewEdge

Lighted highway through mountainside switchbacks

Learn how we secure generative AI use

Learn about Zero Trust

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud

Navigating Data Sovereignty
Max Havey chats with Michael Dickerson, CEO of TSC Global and founder of Dickerson Digital, about the critical topic of data sovereignty.

Play the podcast Browse all podcasts

Read how Netskope can enable the Zero Trust and SASE journey through secure access service edge (SASE) capabilities.

Read the blog

Learn how to navigate the latest advancements in SASE and zero trust and explore how these frameworks are adapting to address cybersecurity and infrastructure challenges

Explore sessions

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more

Supporting Sustainability Through Data Security

At Netskope, founders and leaders work shoulder-to-shoulder with their colleagues, even the most renowned experts check their egos at the door, and the best ideas win.

Join the team

Go to Customer Solutions

Learn about Training and Certifications

Netskope
Threat Labs Report: Financial Services 2025

The Netskope Threat Labs Report series aims to provide strategic, actionable intelligence on active threats. This report focuses on the financial services sector.

Financial Services
2025

Introduction Personal App Risk Generative AI Risk Social Engineering Risk Individual Sector Highlights

Banking Finance Insurance

Recommendations Netskope Threat Labs About This Report

13 min read

Introduction

Due to the sensitive personal and financial information they manage, financial services organizations are frequently targeted by adversaries. The potential for financial gain, data theft, and organizational damage makes data security a paramount concern in this sector. This report highlights the most significant cybersecurity risks that financial services organizations encounter, particularly:

Personal App Risk – Users uploading regulated data to personal cloud apps is a top data security risk for financial services organizations, with 13% of the user population uploading data to personal apps and 83% of organizations putting controls in place to prevent such uploads.
Generative AI Risk – A growing data security risk in financial services is users sending regulated data, intellectual property, and source code to genAI apps, with 95% of organizations currently using these apps and implementing the controls to reduce the risks.
Social Engineering Risk – Phishing and malware continue to be significant risks in the financial services sector, with 4.7 out of every 1,000 users clicking phishing links and 9.8 out of every 1,000 users clicking other malicious links each month.

test answer

Personal App Risk

Personal apps in the financial services sector pose a substantial data security risk. 92% of financial services workers regularly use personal apps, and 13% upload sensitive data to these apps. Underscoring the severity of this issue, 74% of personal app data policy violations involve uploads of regulated personal and financial data.

Netskope Threat Labs Report - Financial Services 2025 - Data policy violations for personal apps in the financial services sector

The personal apps to which people regularly upload, post, or otherwise send data include social media, cloud storage, webmail, and generative AI apps. The figure below shows the top apps sorted by the percentage of organizations using them for upstream activities.

Netskope Threat Labs Report - Financial Services 2025 - Top apps for upstream activities to personal apps in the financial services sector

While 13% of workers uploading data to personal apps is below the global average of 26%, the nature of the data involved (highly sensitive personal and financial information) underscores the importance of putting controls in place to reduce the data security risks involved with personal apps, including:

Upstream Blocks – 83%
83% of financial services organizations have controls to actively block their users from uploading data to personal apps. This figure includes controls that disallow uploading any data to certain personal apps or accounts (for example, Microsoft OneDrive uploads are allowed to the shared M365 instance but not to personal accounts). It also includes more nuanced controls integrating other technologies, such as data loss prevention (DLP) and real-time user coaching.

Data Loss Prevention (DLP) – 70%
DLP has long been popular for reducing personal app risk in the financial services sector, where it is used by 70% of organizations, ahead of the global average of 66%.

Real-time User Coaching – 40%
Real-time user coaching has long been used by 40% of financial services organizations to mitigate personal app risk. It helps users, who typically understand the data and business content, make informed data security decisions in the moment. For example, a user can decide whether or not to upload data to a personal app. In 75% of cases, real-time user coaching leads users to abandon the attempted action. This demonstrates significant risk reduction, while also recognizing the value of considering data and business context, as 25% of activities that stricter controls might have prevented were allowed to proceed.

Generative AI Risk

Generative AI apps continue to grow in popularity in the financial services sector, where 95% of organizations now use genAI, and organizations use an average of 10 different genAI apps. The number of users actively using genAI apps also continues to climb, with an average of 6% of people regularly using the apps. However, this average masks a much more aggressive adoption in some organizations. Whereas the top 25% of financial services organizations only used eight or more apps in 2024, they now use 19 or more, as shown in the figure below.

Netskope Threat Labs Report - Financial Services 2025 - GenAI users per month median percentage with shaded area showing 1st and 3rd quartiles in the financial services sector

While ChatGPT has remained the most popular genAI app over the past year, its popularity has remained unchanged since October 2024, suggesting its adoption may have plateaued. Meanwhile, Microsoft Copilot experienced rapid growth throughout the year, which also appears to have leveled off. Other general-purpose genAI apps, such as Google Gemini and Anthropic Claude, gained significant traction, as did more specialized applications like the writing assistant Quillbot and the presentation assistant Gamma. Microsoft 365 Copilot adoption also began to take off at the end of 2024 and is poised to continue throughout 2025 at a similar pace to that of Microsoft Copilot in 2024. These trends in financial services mirror broader patterns of genAI adoption. The following figure shows the top 10 genAI apps’ adoption trends in financial services over the past year.

Netskope Threat Labs Report - Financial Services 2025 - Most popular apps by percentage of organizations in the financial services sector

Financial services organizations are still in the process of putting controls in place to reduce the risks associated with genAI apps while their use continues to increase. 90% of organizations actively block at least one genAI app, and the number of apps blocked per organization continues to grow. The following figure shows the average continuing to climb, while the third quartile now exceeds 30 apps.

Netskope Threat Labs Report - Financial Services 2025 - Number of apps blocked per org median with shaded area showing 1st and 3rd quartiles in the financial services sector

More nuanced strategies–e.g., DLP and real-time user coaching–are still growing in popularity as genAI risk reduction controls. Over the past year, the percentage of organizations employing real-time user coaching to mitigate genAI risk rose from 26% to 35%. The percentage of organizations using DLP increased from 35% to 52%. The following plot shows that DLP for genAI adoption is on the rise but still lags behind DLP for personal app adoption (70%).

Netskope Threat Labs Report - Financial Services 2025 - Percentage of organizations using DLP to control genAI app access in the financial services sector

Data policy violations for genAI apps also have a different makeup than those for personal apps. Whereas personal apps were dominated by regulated financial and personal data, violations for genAI apps are a roughly equal blend of intellectual property, source code, and regulated data, suggesting that both the usage of these apps and the data security concerns are broader.

Netskope Threat Labs Report - Financial Services 2025 - Types of data policy violations for genAI apps in the financial services sector

Social Engineering Risk

Social engineering is a popular tactic many attackers use, from sophisticated geopolitical and criminal groups to low-level ransomware affiliates and cybercrime gangs. These attackers employ various tactics such as phishing, pretexting, malware, and deepfakes to manipulate individuals within target organizations. Social engineering is successful when attackers gain trust, instill fear, or manipulate victims into compromising security.

Among financial services, one of the most common social engineering tactics is tricking victims into downloading and executing malware. 9.8 out of every 1,000 users are tricked into downloading malware every month. The following is a list of the five most common malware families encountered in the past year, highlighting multiple JavaScript downloaders used to deliver malicious payloads, traffic direction systems used to redirect victims to malicious sites, and the popular Cobalt Strike beacon used to control compromised systems.

Downloader.Nemucod is a JavaScript downloader that has previously delivered Teslacrypt.

Trojan.FakeUpdater (a.k.a. SocGholish) is a JavaScript downloader that delivers various payloads, including NetSupport RAT, RedLine Stealer, and Cobeacon.

Downloader.SLoad (a.k.a Starslord) is a downloader often used to deliver Ramnit.

Trojan.Parrottds is a JavaScript-based traffic direction system that has been infecting websites since 2019 and has been used to redirect traffic to various malicious locations.

Backdoor.Cobeacon is a malicious agent created using the Cobalt Strike red-team operation software to maintain control of a compromised system.

One of the social engineering techniques attackers use to deliver malware is to host the malware on popular cloud services. Of the 9.8 out of every 1,000 users downloading malware from cloud apps each month, 1.7 download the malware from popular cloud apps. The top apps by the percentage of organizations with malware downloads include the most popular cloud storage apps and the popular code-sharing platform GitHub, where various hacktools are hosted.

Netskope Threat Labs Report - Financial Services 2025 - Top apps for malware downloads in the financial services sector

Phishing is the second most common social engineering technique, with 4.7 out of every 1,000 users in financial services visiting a phishing site every month. Whereas Netskope tracked a global increase in phishing over the past year, phishing rates in the financial services industry remained relatively stable as the rates in other industries have caught up. As shown in the figure below, nearly half of phishing attacks mimicked cloud apps and banking institutions.

Netskope Threat Labs Report - Financial Services 2025 - Top phishing targets by links clicked in the financial services sector

Microsoft was the most commonly mimicked brand among cloud phishing attacks, while DocuSign and Adobe baits were also frequently used to steal login credentials for various other services.

Netskope Threat Labs Report - Financial Services 2025 - Top cloud phishing targets by links clicked in the financial services sector

Analysis of the referrers of the phishing pages visited by victims in financial services highlights a noteworthy trend: search engine optimization (SEO) poisoning remains a popular tactic to get phishing pages listed in search engine results where victims may have their guard down. After search engines, the remaining traffic to phishing pages comes from various sources.

Netskope Threat Labs Report - Financial Services 2025 - Top web and cloud categories referring phishing pages in the financial services sector

Individual Sector Highlights

This section provides breakouts for the three individual sectors that compose financial services: banking, finance, and insurance.

Banking

Finance

Insurance

Recommendations

Netskope Threat Labs recommends that financial services organizations review their security posture to ensure that they are adequately protected against the personal app risk, generative AI risk, and social engineering risk trends highlighted in this report:

Inspect all HTTP and HTTPS traffic (cloud and web) for phishing, malware, and other malicious content. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to all traffic.
Ensure that high-risk file types, like executables and archives, are thoroughly inspected using static and dynamic analysis before downloading. Netskope One Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until fully inspected.
Block access to apps that do not serve any legitimate business purpose or pose a disproportionate risk to the organization. A good starting point is a policy to allow reputable apps currently in use while blocking all others.
Block downloads from apps and instances not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
Block uploads to apps and instances not used in your organization to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
Use DLP policies to detect potentially sensitive information–including source code, regulated data, passwords and keys, intellectual property, and encrypted data–sent to personal app instances, genAI apps, or other unauthorized locations.
Employ real-time user coaching to remind users of company policy surrounding AI apps, personal apps, and sensitive data during interaction.
Leverage the responses to coaching prompts to refine and create more nuanced policies, ensuring that coaching remains targeted and effective and does not contribute to cognitive fatigue.
Regularly review AI app activity, trends, behaviors, and data sensitivity to identify risks to the organization and configure policies to mitigate those risks.
Use an Intrusion Prevention System (IPS) to identify and block malicious traffic patterns, such as command and control traffic associated with prevalent malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
Use a behavior analytics platform to identify hidden threats, like compromised devices, compromised accounts, and insider threats. A behavior analytics platform can identify sophisticated and difficult-to-identify threats in your environment, like malleable (customized) command and control beacons from frameworks like Mythic and CobaltStrike.
Use Remote Browser Isolation (RBI) technology to provide additional protection when visiting websites that fall into categories that can present a higher risk, like newly observed and newly registered domains.

Netskope Threat Labs

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, BlackHat, and RSA.

About This Report

Netskope provides threat protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope One platform relating to a subset of Netskope customers with prior authorization.

This report contains information about detections raised by the Netskope One Next Generation Secure Web Gateway (NG-SWG), not considering the significance of the impact of each individual threat. The statistics in this report are based on the period from January 1, 2024, through January 31, 2025. Stats reflect attacker tactics, user behavior, and organization policy.

Threat Labs Reports

In the monthly Netskope Threat Labs Report, you will find the top 5 malicious domains, malware, and apps that the Netskope Security Cloud platform blocked plus recent publications and a threat roundup.

Browse reports

Accelerate your security program with the SASE Leader

Get Started

NetskopeThreat Labs Report: Financial Services 2025

Financial Services2025