Including banks, fintechs, credit unions, and insurance companies
By Mark Pribish | Founder at IDentity Theft Brokers, LLC
The first five months of 2026 have seen a surge in cyberattacks targeting financial services with multiple high-profile incidents including banks, fintechs, credit unions, and insurance companies.
According to the Financial Sector Breach Tracker | FinSecLedger – which is a comprehensive database of data breaches affecting banks, fintechs, credit unions, and insurance companies – there were 66 data breaches totaling 1.3 million records through the end of May 2026.
Organizations affected by these 2026 data breaches included:
- TD Bank (May 25) – the 9th largest bank in the U.S. with $366 billion in assets and 1,100 branches
- Plaid, Inc. (May 8) – with over 7,000 fintech partners and connecting to more than 12,000 financial institutions
- Frontwave Credit Union (April 2) – with $1.5 billion in assets and 130,000 members
- CNA (January 29) – the 7th largest property & casualty insurance company in the U.S. with $14 billion in assets
When cyberattacks and data breach breaches happen, they often affect multiple parties including:
- Consumers – with stolen social security numbers, driver’s license numbers, dates of birth, cell phone numbers, and other personal identifiers.
- Businesses – where multi-million-dollar fines, penalties and lawsuits can impact revenue and profits.
- Third-Party Service Providers – such as payment processing, cloud computing, IT and technical support, and more.
The vector (i.e., method or pathway) that attackers use to gain unauthorized access to Personally Identifiable Information (PII) can include hacking, physical breaches, and social engineering. They are a critical focus in cybersecurity because identifying and mitigating these pathways can significantly reduce the risk of successful attacks.
According to the 2026 Verizon Data Breach Investigations Report (DBIR), there are three “actor categories” including (1) external threats (2) internal threats and (3) partner threats:
- External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees and government entities. This category also includes God (as in “acts of”), “Mother Nature” and random chance. Typically, no trust or privilege is implied for external entities.
- Internal threats originate from within the organization. This encompasses company full-time employees, independent contractors, interns and other staff. Insiders are trusted and privileged (some more than others).
- Partner threats include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers and outsourced IT support. Some level of trust and privilege is usually implied between business partners. Note that an attacker could use a partner as a vector, but that does not make the partner the Actor in this case. The partner has to initiate the incident to be considered the responsible party.
And while IT and hacking make most of the news headlines, the human element and phishing remain dominant attack vectors as they bypass technical defenses by exploiting human trust.
Specifically, Verizon mentions that Mobile-centric Social Engineering and the human element was present in 62% of breaches, a slight increase from the previous year’s 60%.
Verizon also reports that Social Engineering was the third most common breach pattern, representing 16% of all breaches.
In phishing simulations, the median rate of successful “click” rates in mobile centric vectors (such as voice and text messaging) is 40% higher than via email. Pretexting has become a more common initial access vector to ransomware and extortion attacks. In all breaches, it reached 6%, while Phishing remained at 16% like the previous year.
Pretexting is an attacker tactic in which a trusted relationship is built through concocted scenarios to trick the user into taking an action that unknowingly compromises the organization, frequently by voice communications but also seen via email or text messaging.
So, if phishing, smishing, and vishing are some of the most prevalent attack vectors – where attackers trick users into revealing sensitive information like passwords though deceptive emails, texts, and voice communications – what can you do?
Organizations such as banks, fintechs, credit unions, and insurance companies need to remind themselves that high-trust roles (e.g., help desks), partner/vendor relationships, and employee/customer/member data make the above-mentioned business sectors a prime target.
These organizations need to strengthen employee awareness training, enforce least-privilege access, and conduct vendor risk assessments to mitigate the cyber threat landscape.
Lastly, these organizations should consider new and emerging scam protection solutions that will help their business sectors protect their business, employees, and customers along with their revenue and profits.
About Mark Pribish: Mark Pribish is the Founder at IDentity Theft Brokers. Mark is nationally recognized as a digital security and identity theft risk management expert. He is known for his long-running coverage of identity theft trends and prevention, cyber security best practices, and data breach risk management issues.
