The conversation around cybersecurity in banking has become far too narrow. For years, risk has been explained through a relatively familiar sequence: an attacker gains access, deploys malware, encrypts data, and demands a ransom. That model still exists, but it no longer accurately reflects what is happening in financial services.
The challenge in 2026 is far more pervasive: attackers do not always need to breach the perimeter. They can purchase a stolen identity, bypass a remote onboarding process, compromise a legitimate credential, reset MFA, operate through an approved remote-access tool, and later monetize the intrusion through mule accounts or transactional fraud. Viewed from this perspective, cybersecurity, KYC, fraud prevention, and AML are not four separate conversations—they are different stages of the same abuse cycle.
In this context, it is worth considering recent research such as Picus’ Red Report 2026, which is based on the observation of ATT&CK techniques used by real-world malware throughout 2025. What matters is not the ranking itself or any individual finding, but the broader pattern the report reveals: attackers are focusing their efforts on remaining undetected, maintaining persistence, stealing credentials, and blending in behind legitimate tools. In banking, this trend aligns with another reality: once an identity has been compromised, many warning signs begin to resemble normal user activity.
The recent warning about “KYC by link” services goes in the same direction. The alert describes offerings that claim to complete KYC verifications against well-known providers via links, proxies, flow manipulation, and Telegram-based support. Another analysis of Telegram channels points to virtual camera tools, deepfakes, and stolen biometric data used to bypass liveness checks. What matters is not whether a specific entity is exposed to a specific tool, but the underlying shift: onboarding a verified account is becoming a purchasable service.
Defense, therefore, cannot be limited to “having KYC”, “having EDR”, or “having AML rules”. What matters is whether these layers share signals with each other. An account may pass KYC and still become a future mule. A session may pass MFA and still be controlled by an attacker. A transfer may look legitimate when analyzed in isolation, but fit into a broader dispersion network when correlated with device, beneficiary, velocity, behavior, and source of funds.
The 5 most relevant attack techniques for financial services
The following table summarizes the five threats that make the most sense to prioritize in banking and fintech when connecting cybersecurity, financial fraud, and AML:
| Threat | Practical risk | Value-added response |
|---|---|---|
| KYC by link and liveness bypass | Verified accounts created or controlled by third parties, ready for fraud, mule activity, or sanctions evasion | KYC as continuous scoring, not a one-time check; defense against camera injection, proxies, anomalous links, and post-onboarding changes |
| Credential theft and ATO | Apparently legitimate access using a stolen password, cookie, or token | Passkeys/FIDO2, session detection, behavioral biometrics, and step-up authentication based on transaction risk |
| Credential reset through social engineering | The attacker does not hack the bank: they convince the help desk to open the door | Reset procedures with strong verification, four-eyes controls, and anti-fraud traceability |
| Use of legitimate remote access | RMM, VPNs, remote desktops, or managed devices used as a hidden control channel | Inventory and allowlisting of remote tools, device posture checks, and alerts for changes in operating patterns |
| Post-compromise fraud and mule accounts | Stolen data is monetized weeks later through transfers, account openings, and dispersion networks | Graph-based KYT/AML, beneficiary detection, account-link analysis, and shared signals from onboarding |
1. KYC by link: when onboarding stops proving who is on the other side
Remote KYC was created to solve a real problem: opening digital accounts without forcing users to visit a physical branch. The flaw appears when the KYC result is interpreted as a binary truth: if it passes, it is good; if it fails, it is bad. In 2026, that logic is weak.
“KYC by link” services exploit precisely this simplification. If a third party can complete verification on behalf of the user, manipulate the camera, route traffic through proxies, or use stolen materials, the “verified” result loses part of its value. This is not because the identity provider is useless, but because the attacker is no longer targeting only the document or the selfie—they are targeting the entire session.
For banking and fintech, the impact is direct on AML. A mule account does not begin with a suspicious transfer; it begins with an onboarding process that looked correct but was not properly contextualized. Signals such as a high-risk IP, a newly created device, email with no history, phone reuse, a link opened from an inconsistent country, rapid changes in user data, or the first transaction toward high-risk beneficiaries should all be part of the evaluation from minute zero.
The effective defense is not adding another KYC provider on top of the existing one. It is treating onboarding as the first event in a risk chain. That means protecting the integrity of the capture process, detecting virtual cameras or mobile hooking, binding the session to the real device, reviewing link-sharing patterns, and feeding onboarding signals into the AML engine. KYC should initiate a provisional trust relationship, not close the conversation.
2. Credential theft: the attacker does not break in, they log in
Picus lists “Credentials from Password Stores” among the relevant techniques in the Red Report 2026, and the implication for banking is clear: both corporate identity and customer identity are attack surfaces. Infostealers extract saved passwords, cookies, tokens, and browser data. With that information, attackers can bypass much of the control logic designed to detect technical intrusions.
In a bank, this risk has two sides. On the corporate side, a stolen credential can open access to internal tools, support dashboards, repositories, CRM systems, or fraud platforms. On the customer side, it enables account takeover (ATO), beneficiary changes, loan applications, balance draining, or the setup of movements that do not trigger simple rules.
The effective defense is not asking for more passwords or blaming the user. It is reducing the value of stolen credentials. Passkeys and FIDO2 help because they resist phishing and do not rely on reusable secrets. But that is not enough if the subsequent session is not evaluated. A successful login from a new device, with unusual navigation patterns and an atypical transfer amount, should raise risk even if MFA has been passed.
This is where cybersecurity and fraud prevention converge. The SOC may see the technical indicator; the anti-fraud team may see the behavioral shift in economic activity. Separately, each sees a weak anomaly. Together, they see an account takeover.
3. Social engineering of the helpdesk: the reset as a blind spot
Many organizations protect the login process very well, but do a much poorer job of securing the account recovery process. This turns the helpdesk into a lateral entry point. An attacker does not need to breach the system if they can convince a person to reset a password, MFA, or a trusted device.
Voice and video deepfakes make the problem worse because they lower the cost of a convincing impersonation. But the key lesson is not “train agents to detect deepfakes.” That is both unfair and unrealistic. The real improvement lies in designing processes where a convincing call is not enough.
In banking, any credential reset that impacts access to data, operational support, or fund movement should be treated as a high-risk operation. Verification must be proportional to potential damage: out-of-band checks, device possession proof, liveness biometrics where appropriate, second-operator validation, and temporary restrictions on sensitive actions after the reset.
It is also important to measure risk as fraud, not just as a support ticket. A reset followed by a phone change, new beneficiary setup, login from an unusual IP, or rapid withdrawal should trigger a friction period. Helpdesk security does not end when the ticket is closed; it ends when the account demonstrates normal behavior after the change.
4. Legitimate remote access: what is allowed can also be abused
Another signal from Picus’ Red Report is the relevance of remote access tools. In banking, this should not be read simply as “block AnyDesk.” The issue is more uncomfortable: every legitimate support, administration, or remote work tool can become a control channel if it is used out of context.
Corporate RMM tools, VPNs, remote desktops, customer support utilities, third-party laptops, and vendor access all share a problem: they generate activity that can appear normal because the software itself is authorized. The attacker hides behind the legitimacy of the channel.
The response is not to prohibit all remote access. It is to understand which remote access should exist, who uses it, from which device, at what time, and for what operation. A living inventory of authorized tools, allowlisting policies, device posture checks, session recording or traceability for privileged access, and alerts for operational deviation provide more value than another generic EDR rule.
The connection with KYC and AML appears in onboarding processes for employees, vendors, and high-risk customers. If a third party controls the remote environment from which a sensitive operation is performed, the identity of the person is no longer sufficient. The integrity of the channel, the device, and the session must also be validated.
5. Post-compromise fraud: the breach does not end when the incident is contained
The common mistake after a breach is to think in terms of “what data was leaked” rather than “how that data will be monetized.” In financial services, monetization may come weeks later: new accounts with synthetic identities, account recovery, beneficiary changes, loan applications, SIM swapping, fragmented transfers, or fund movements through mule accounts.
This is directly connected to AML. A stolen or fabricated identity is not just an authentication problem; it can become infrastructure for money laundering. Mule accounts work because each individual account may look insignificant, but the network as a whole reveals dispersion, fund concentration, circular flows, shared beneficiaries, or economically meaningless inflow and outflow patterns.
The effective defense is to move from isolated rules to relational analysis. It is not enough to look at amount, country, or transaction type. You need to correlate holder, device, email, phone, document, beneficiaries, IBAN, merchants, velocity of movement, account age, source of funds, and links to other accounts. AI can help, but only if it produces explainable alerts: an AML analyst needs to understand why a transaction or network is suspicious.
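The relational analysis described above, as an added example that is not part of the article: over a constructed set of transfers and onboarding attributes it flags pass-through accounts, fund-concentration nodes, young accounts, and accounts linked by a shared device or phone, returning the reasons an AML analyst would need. All data, the 0.8 pass-through ratio and the 30-day age threshold are assumptions.

```python
from collections import defaultdict
# Constructed sample transfers (not real data): (sender, beneficiary, amount)
TRANSFERS = [
    ("victim_a", "mule_1", 9000), ("victim_b", "mule_2", 8500),
    ("victim_c", "mule_3", 9200), ("mule_1", "collector", 8900),
    ("mule_2", "collector", 8400), ("mule_3", "collector", 9100),
    ("collector", "cashout_1", 13000), ("collector", "cashout_2", 13200),
    ("shop", "supplier", 500), ("payroll", "employee", 2100),
]
# Constructed onboarding/session attributes; a shared device or phone links accounts
ACCOUNT_SIGNALS = {
    "mule_1": {"device": "dev-77", "phone": "+00-1", "age_days": 3},
    "mule_2": {"device": "dev-77", "phone": "+00-2", "age_days": 5},
    "mule_3": {"device": "dev-12", "phone": "+00-1", "age_days": 4},
    "collector": {"device": "dev-90", "phone": "+00-9", "age_days": 40},
    "shop": {"device": "dev-55", "phone": "+00-5", "age_days": 900},
}

def flows(transfers):
    """Per-account inflow/outflow totals and the set of distinct senders."""
    inflow, outflow, senders = defaultdict(float), defaultdict(float), defaultdict(set)
    for src, dst, amt in transfers:
        outflow[src] += amt
        inflow[dst] += amt
        senders[dst].add(src)
    return inflow, outflow, senders

def attribute_links(signals):
    """Accounts sharing a device or phone: edges an amount/country rule never sees."""
    by_attr = defaultdict(set)
    for acct, s in signals.items():
        by_attr[("device", s["device"])].add(acct)
        by_attr[("phone", s["phone"])].add(acct)
    return {k: v for k, v in by_attr.items() if len(v) > 1}

def explain_suspicion(transfers, signals, min_age=30):
    """Explainable reasons per account: flow shape plus identity links (thresholds assumed)."""
    inflow, outflow, senders = flows(transfers)
    linked = {a for group in attribute_links(signals).values() for a in group}
    reasons = defaultdict(list)
    for acct in set(inflow) | set(outflow):
        i, o = inflow[acct], outflow[acct]
        if i and o and 0.8 <= o / i <= 1.0:   # pass-through: funds leave almost as they arrive
            reasons[acct].append("pass-through: outflow ~ inflow")
        if len(senders[acct]) >= 3:           # concentration node of a dispersion network
            reasons[acct].append(f"fund concentration from {len(senders[acct])} senders")
        if signals.get(acct, {}).get("age_days", 10**6) < min_age:
            reasons[acct].append(f"account younger than {min_age} days")
        if acct in linked:
            reasons[acct].append("shares device/phone with another account")
    return dict(reasons)
```

Run on the constructed data, `explain_suspicion` flags the three mules and the collector with their reasons and leaves the shop, payroll and victim accounts without an alert.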
At this point, the key advantage lies in sharing signals across teams. If fraud knows that an account was opened through a higher-risk KYC flow, AML should see it. If cybersecurity detects compromised credentials of an employee with access to customer data changes, fraud should adjust risk scoring. If AML identifies a mule account network, KYC should feed back which onboarding signals are consistently repeated.
What architecture does a financial institution need in 2026?
The reasonable architecture is not an infinite stack of tools. It is a shared identity risk layer that connects three moments:
- First, pre-KYC and KYC: Before accepting an identity, the institution must assess whether the session is intact—device, camera, IP, link, behavior, document, and external signals. The goal is not to block more legitimate users, but to better distinguish between low-friction and necessary friction.
- Second, account and session: After onboarding, the account must continue to demonstrate consistency. Device changes, MFA resets, anomalous navigation, proxy usage, keyboard or mouse patterns, and administrative actions should update risk in real time.
- Third, transaction and AML: The final decision should not rely solely on transactional rules. It must incorporate identity and session history: how the account was created, how it has behaved, what links it has, and whether it is part of a network.
This architecture has a clear advantage: it turns isolated controls into cumulative signals. A questionable KYC does not always block an account, but it leaves a risk mark. A suspicious login does not prove fraud, but it adds context. An unusual transfer is not analyzed in isolation, but as part of a chain.
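The cumulative-signal idea above, together with the post-reset friction period from section 3, as an added example that is not part of the article: a per-account risk mark that accumulates stage-tagged signals (kyc, session, tx), opens a friction window after a credential change, and explains each decision. The signal names, weights, thresholds and the 48-hour window are assumptions.

```python
from dataclasses import dataclass, field
# Assumed signal weights and thresholds (illustrative, not from the article); the
# stage prefixes follow the three moments described above: kyc, session, tx
WEIGHTS = {
    "kyc:high_risk_ip": 20, "kyc:new_device": 10, "kyc:link_country_mismatch": 25,
    "kyc:phone_reused": 15, "session:mfa_reset": 30, "session:new_device_login": 15,
    "session:proxy": 15, "session:phone_changed": 20, "tx:new_beneficiary": 15,
    "tx:high_velocity": 20, "tx:high_risk_beneficiary": 25,
}
FRICTION_SIGNALS = ("session:mfa_reset", "session:phone_changed")  # credential changes
FRICTION_WINDOW_H = 48          # hours of extra friction after a credential change
SENSITIVE = ("transfer", "add_beneficiary", "change_phone")

@dataclass
class AccountRisk:
    """Risk mark that accumulates from onboarding through session to transaction."""
    account: str
    score: int = 0
    reasons: list = field(default_factory=list)
    friction_until: float = 0.0   # hour (since onboarding) until which friction applies

    def record(self, signal, at_hours):
        """Add a stage-tagged signal; a credential change also opens a friction window."""
        if signal not in WEIGHTS:
            raise ValueError(f"unknown signal: {signal}")
        self.score += WEIGHTS[signal]
        self.reasons.append(f"{signal}(+{WEIGHTS[signal]})")
        if signal in FRICTION_SIGNALS:
            self.friction_until = max(self.friction_until, at_hours + FRICTION_WINDOW_H)

    def decide(self, action, at_hours, amount=0):
        """Return (verdict, reasons) for an action: allow, step_up or hold."""
        in_friction = at_hours < self.friction_until
        why = list(self.reasons) + (["friction window open after credential change"] if in_friction else [])
        if self.score >= 60 or (in_friction and action in SENSITIVE and amount > 1000):
            return "hold", why
        if self.score >= 30 or in_friction:
            return "step_up", why
        return "allow", why

def walk_through():
    """Constructed chain: a questionable KYC leaves a mark; reset plus new beneficiary escalates."""
    acct = AccountRisk("cust-42")
    acct.record("kyc:new_device", at_hours=0)          # onboarding: a mark, not a block
    first, _ = acct.decide("transfer", at_hours=1, amount=200)
    acct.record("session:mfa_reset", at_hours=100)     # helpdesk reset opens friction
    acct.record("tx:new_beneficiary", at_hours=102)
    second, _ = acct.decide("transfer", at_hours=103, amount=5000)
    return first, second, acct.score
```

`walk_through()` returns `("allow", "hold", 55)`: the same account passes a small transfer after onboarding, and is held on a large transfer once the reset, the new beneficiary and the friction window are seen together.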
Conclusion: the advantage lies in making better decisions
Mapping ATT&CK techniques can be useful, but only if it translates into operational decisions. In banking, the value is not in saying “this threat corresponds to T1555 or T1219.” The value lies in answering which control reduces loss, which signal is missing, which team should see it, and which decision changes when it appears.
The shift in 2026 is that identity can no longer be treated as a point-in-time event. It is a living asset that can be bought, stolen, delegated, manipulated, or monetized. That is why KYC, cybersecurity, fraud, and AML must operate on the same risk map.
Before buying another tool, the practical question is simpler: when a verified account starts behaving like a mule, can the organization detect it in time? And if a valid credential is being used by someone who should not have access, are there enough shared signals to stop the damage before the final transaction?
If the answer depends on checking three dashboards, requesting data from another team, and manually reconstructing the case, the problem is not a lack of technology. It is a lack of architecture.
The median ransom in banking reached 3 million dollars in 2025 according to Sophos. The average total cost of a breach in the financial sector exceeded 6.1 million dollars according to IBM. These figures do not include reputational or regulatory costs, which in many cases multiply the final amount.
MITRE ATT&CK is the global reference framework used to classify adversary tactics and techniques, adopted by ENISA, NIST, and analysts such as Gartner. It allows financial institutions to map their detection coverage against the real techniques used by active attackers today, rather than working with hypothetical threat models.
Facial biometrics with passive liveness detection can identify deepfakes and spoofing attempts during onboarding and authentication. Behavioral biometrics analyzes in-session patterns—typing speed, mouse usage, navigation behavior—to detect when the person using a valid credential is not its legitimate owner. It is the only layer that detects account takeover (ATO) when the attacker already has the correct credentials.
Perpetual KYC (pKYC) is the continuous management of customer identity, as opposed to one-off verification during onboarding. In an environment where credentials are stolen and used weeks later, pKYC enables the detection of changes in behavior or risk in real time, before fraud occurs. Gartner identifies it as a differentiating capability of advanced digital identity platforms.
PSD3 strengthens strong customer authentication (SCA) requirements; eIDAS 2.0 establishes the European digital identity framework with verifiable wallets; DORA requires digital operational resilience with auditable evidence; and AML6 tightens transaction monitoring and anti-money laundering detection requirements.