Financial institutions have experienced a 15.3% increase in their share of phishing attacks, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report. This increase establishes financial services as the top targeted industry and shows that threat actors continue to place high value on compromised banking credentials. In this post, we take a look at the tools and infrastructure used by threat actors to target financial services.
Attack Staging Methods in Financial Phishing
Threat actors targeting financial institutions overwhelmingly rely on free tools and services to stage phishing sites. Free hosting alone accounts for 80.6% of phishing sites aimed at financial services—far higher than in other industries—indicating a heavy dependence on abusing free hosting rather than alternatives like free domains or tunneling services.
Sites hosted on free platforms often have short lifespans and suspicious-looking domains, making them less effective individually. To succeed, attackers rely on volume and speed to harvest credentials. Financial institutions should focus on intelligence sources capable of early detection and be prepared to rapidly mitigate these threats.
An emerging tactic across industries is the use of tunneling services and developer tools to provide connectivity to phishing sites. While these methods make up over a quarter of phishing volume for non-financial targets, their use against financial institutions remains low—but it could grow, as there are no barriers to exploiting these services.
Finally, threat actors are compromising existing sites less frequently in financial attacks (15.3%) compared with non-financial industries (27.2%), highlighting the unique staging patterns in this sector.
TLD Breakdown
In the financial sector, phishing sites predominantly use Legacy generic Top-Level Domains (gTLDs). Legacy gTLDs accounted for 70% of attacks, with .com alone making up 56%. Country-code TLDs (ccTLDs) were far less common, representing only 13% of financial phishing sites.
Across all industries, TLD abuse is more evenly distributed, with Legacy gTLDs at 49% and ccTLDs at 43%. The heavy use of Legacy gTLDs in financial phishing aligns with attack staging patterns, as the most abused free hosting services often operate on these domains.
Among New gTLDs, only .monster and .xyz appeared in the top ten for financial phishing, representing 17% of attacks — more than double the share for all industries (8%).
These patterns highlight how threat actors combine multiple attack vectors — domain choice, hosting methods, and TLD selection — to target financial institutions and their customers effectively.
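To compare an abuse-report feed of your own against this breakdown, the following added example (not code from PhishLabs or the report) tallies phishing URLs by TLD class and lists parent domains that carry several distinct hostnames, a signal consistent with staging on a shared hosting platform. The legacy gTLD list, the last-two-labels parent heuristic, the `shared_min` threshold, and all sample URLs are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed definition: gTLDs delegated before the 2012 new-gTLD round are "legacy";
# two-letter TLDs are ccTLDs; everything else is counted as a new gTLD.
LEGACY_GTLDS = {"com", "net", "org", "info", "biz", "edu", "gov", "mil", "int",
                "name", "pro", "mobi", "asia", "tel", "cat", "jobs", "travel",
                "aero", "coop", "museum", "post", "xxx"}

def tld_class(host):
    tld = host.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in LEGACY_GTLDS:
        return "legacy_gtld"
    if len(tld) == 2 and tld.isascii() and tld.isalpha():
        return "cctld"
    return "new_gtld"

def breakdown(urls, shared_min=3):
    """Return (percent share per TLD class, parent domains with many hosts)."""
    classes, hosts_by_parent = Counter(), {}
    for url in urls:
        host = (urlsplit(url).hostname or "").rstrip(".")
        if "." not in host or host.replace(".", "").isdigit():
            continue  # skip unparsable entries and bare IPv4 hosts
        classes[tld_class(host)] += 1
        # Approximation: last two labels; production code would use the Public Suffix List.
        parent = ".".join(host.split(".")[-2:])
        hosts_by_parent.setdefault(parent, set()).add(host)
    total = sum(classes.values())
    shares = {c: round(100 * n / total, 1) for c, n in classes.items()} if total else {}
    shared = {p: len(h) for p, h in hosts_by_parent.items() if len(h) >= shared_min}
    return shares, shared

# Constructed sample feed (placeholder hostnames, not real indicators).
SAMPLE_FEED = [
    "https://bank-login-01.example.com/verify",
    "https://bank-login-02.example.com/verify",
    "https://secure-update.example.com/",
    "https://acct-check.example.com/signin",
    "http://portal.example.org/login",
    "https://placeholder-one.xyz/auth",
    "https://placeholder-two.monster/auth",
    "https://placeholder-three.de/konto",
    "http://192.0.2.10/login",
    "not a url",
]

if __name__ == "__main__":
    print(breakdown(SAMPLE_FEED))
```

A feed dominated by one legacy-gTLD parent domain with many subdomains points to a single platform where one abuse report channel can cover many sites at once.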
Threat actors are using multiple attack vectors to target financial institutions and their customers. Phishing continues to increase quarter over quarter as varying tactics, tools, and channels aid in the success of campaigns. To learn more about phishing threats targeting enterprises, check out the Quarterly Threat Trends & Intelligence Report. And to learn how to break the attack chain, check out Fortra Brand Protection's Customer Phishing Protection.