For many financial institutions, Distributed Denial of Service (DDoS) attacks are no longer just a temporary annoyance that takes a website down for a few minutes. The latest Akamai threat report on financial services describes a more troubling scenario: longer campaigns, more automated tactics, and a greater capacity to impact online banking, digital payments, critical applications, and APIs.
According to the company, the financial services sector is now the most targeted by Layer 3 and 4 DDoS attacks, with a 738% increase in the average overall duration of such attacks since 2024. This data matters because banking has shifted much of its customer interaction to digital channels that must be available almost continuously. When a banking app, payment gateway, or query API goes down, it is not just a technical issue: it affects trust, compliance, and business continuity.
DDoS is no longer just noise: it’s operational pressure
The report AI-Empowered Botnets and API Visibility Gaps: Attack Trends in Financial Services, part of Akamai’s State of the Internet Security series, points to a particularly delicate combination: AI-assisted botnets, hacktivist groups, and an expanding attack surface due to financial digitization. Akamai specifically highlights the role of pro-Iranian hacktivist campaigns and AI-driven bots in attacks targeting online banking, payment systems, and critical applications.
The evolution of DDoS is significant because not all attacks aim to steal data immediately. Some seek to disrupt services, overload security teams, wear down technical staff, or create noise to test other attack vectors. In a bank, a prolonged outage can affect individual customers, merchants, payment providers, and services connected via APIs.
Akamai also notes that 96% of financial services leaders surveyed for its 2026 API security impact study reported at least one security incident involving APIs in the past 12 months. This is the highest percentage among the sectors analyzed. The figure aligns with a well-known security reality: APIs are the glue of modern banking, but they are also an entry point that is difficult to control, especially with mobile apps, open banking, third-party integrations, real-time payments, and internal services being deployed at high speed.
| Key Indicator | Data Reported by Akamai |
|---|---|
| Increase in average Layer 3 and 4 DDoS duration against financial services | 738% since 2024 |
| Financial leaders reporting at least one API security incident in 12 months | 96% |
| Web attacks targeting banking in 2025 | 60% of total |
| API endpoint breaches targeting banking in 2025 | 83% |
| Financial institutions affected by ransomware in two years | Nearly 80% |
| Growth in advanced bot activity by end of 2025 | 147% |
APIs, bots, and ransomware: three intersecting risks
One of the most notable points in the report is that Akamai does not present attacks as isolated phenomena. Instead, it sketches a more interconnected threat landscape where attackers combine DDoS, API abuse, advanced bots, malicious scraping, and ransomware. In 2025, according to their data, 60% of web attacks and 83% of breaches against API endpoints targeted banking.
Automation accelerates these attack patterns. An advanced bot can test credentials, scrape information, mimic human behavior, send requests to APIs, or participate in saturation campaigns. Akamai states that activity from advanced bots grew 147% by the end of 2025, citing cases where 96% of site traffic was identified as malicious scraping.
Ransomware adds another layer of pressure. The report indicates that nearly 80% of financial institutions suffered ransomware attacks in the past two years, although less than half have adopted advanced security technologies. This data should be viewed cautiously as it stems from Akamai’s research and methodology, but it highlights a common gap between perceived risk, available budget, and the actual deployment of protective measures.
Regionally, the situation varies. Akamai places EMEA as the primary region affected by Layer 3 and 4 DDoS attacks on financial services, with 62%. In Asia-Pacific, Layer 7 DDoS attacks predominate at 52%, while in North America, web attacks are the most common at 44%. For European banks, insurers, fintechs, and payment providers, this regional insight is key because threat exposure isn’t evenly distributed.
Europe approaches the problem through operational resilience
In the European Union, these insights arrive amid the full implementation of the DORA regulation, effective since January 17, 2025, which aims to strengthen the digital operational resilience of financial entities. DORA requires going beyond prevention: risk management, incident reporting, resilience testing, vendor oversight, and recovery capabilities are part of the same framework.
The NIS2 Directive also influences this landscape by establishing a common cybersecurity framework for 18 critical sectors within the EU. While DORA is more specific to finance, both regulations push towards demonstrating organizational resilience—being able to withstand, respond, and recover from significant technological incidents.
For financial institutions, defending against DDoS attacks can’t rely solely on increasing bandwidth or perimeter filtering. Visibility into APIs, maintaining an accurate inventory of exposed services, bot monitoring, DNS security, coordinated mitigation plans with providers, and regular testing are essential. Additionally, it’s crucial to review dependencies on third parties, as outages in external platforms can impact core banking services.
Many organizations have digitized faster than their architecture was designed for. New APIs, third-party integrations, mobile apps, and cloud services expand attack surfaces. Without a comprehensive view of what is public, who consumes it, and what data flows, attackers find vulnerabilities before internal teams do.
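The recommendations above (an accurate inventory of exposed endpoints, knowing who consumes them, and monitoring for bot-like consumption) can be approximated from API gateway access logs. The following is an added example written for this article, not code from Akamai or from the report; it assumes a hypothetical log format (timestamp, client identifier, method, path, status) and a hypothetical list of documented endpoints, and the traffic it analyses is constructed inline. It derives an observed endpoint inventory, lists endpoints that were called but never documented, and flags clients whose request rate, identifier enumeration, or error share looks automated rather than interactive.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical gateway log format (constructed for this example):
# <ISO8601 UTC timestamp> <client id> <method> <path> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Purely numeric path segments are treated as resource identifiers.
ID_RE = re.compile(r"/\d+(?=/|$)")

# Endpoints the (hypothetical) API owner has documented; anything observed
# outside this set is a visibility gap worth reviewing.
DOCUMENTED = {
    "GET /v1/accounts/{id}/balance",
    "GET /v1/accounts/{id}/transactions",
    "POST /v1/payments",
}


def normalize_path(path):
    """Collapse numeric ids so /v1/accounts/1001/balance and
    /v1/accounts/1002/balance map to one endpoint template."""
    return ID_RE.sub("/{id}", path)


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client,
        "endpoint": f"{method} {normalize_path(path)}",
        "ids": set(ID_RE.findall(path)),
        "status": int(status),
    }


def build_inventory(events):
    """Observed inventory: endpoint template -> set of clients that call it."""
    inventory = defaultdict(set)
    for e in events:
        inventory[e["endpoint"]].add(e["client"])
    return inventory


def undocumented_endpoints(inventory, documented=DOCUMENTED):
    """Endpoints seen in traffic that are missing from the documented list."""
    return sorted(set(inventory) - set(documented))


def client_profiles(events, window_seconds=60):
    """Per-client behaviour: peak requests in any sliding window, number of
    distinct resource ids touched, and share of 4xx responses."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    profiles = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        ids = set().union(*(e["ids"] for e in evs))
        errors = sum(1 for e in evs if 400 <= e["status"] < 500)
        profiles[client] = {
            "requests": len(evs),
            "peak_per_window": peak,
            "distinct_ids": len(ids),
            "error_ratio": errors / len(evs),
        }
    return profiles


def flag_suspicious(profiles, max_per_window=30, max_ids=20, max_error_ratio=0.2):
    """Return client -> reasons for clients whose profile looks like automated
    enumeration or scraping rather than an interactive user."""
    flagged = {}
    for client, p in profiles.items():
        reasons = []
        if p["peak_per_window"] > max_per_window:
            reasons.append(f"{p['peak_per_window']} requests in one window")
        if p["distinct_ids"] > max_ids:
            reasons.append(f"touched {p['distinct_ids']} distinct resource ids")
        if p["error_ratio"] > max_error_ratio:
            reasons.append(f"{p['error_ratio']:.0%} client errors")
        if reasons:
            flagged[client] = reasons
    return flagged


def constructed_log():
    """Constructed sample traffic: two ordinary clients and one enumerator."""
    lines = [
        "2025-03-01T10:00:00Z client-A GET /v1/accounts/1001/balance 200",
        "2025-03-01T10:00:03Z client-A GET /v1/accounts/1001/transactions 200",
        "2025-03-01T10:00:07Z client-A POST /v1/payments 201",
        "2025-03-01T10:01:10Z client-B GET /v1/accounts/2002/balance 200",
        "2025-03-01T10:01:15Z client-B GET /v1/internal/export 200",  # never documented
    ]
    # client-C walks sequential account ids at two requests per second.
    for i in range(40):
        status = 404 if i % 4 == 0 else 200
        lines.append(f"2025-03-01T10:02:{i // 2:02d}Z client-C GET /v1/accounts/{3000 + i}/balance {status}")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse_line, constructed_log()) if e]
    print("undocumented:", undocumented_endpoints(build_inventory(events)))
    for client, reasons in flag_suspicious(client_profiles(events)).items():
        print(client, "->", "; ".join(reasons))
```

The thresholds are placeholders; in practice they are set per endpoint from a baseline of legitimate clients, and the undocumented-endpoint list is what gets reconciled against the institution's official API inventory.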
Akamai’s message is clear: AI does not eliminate traditional risks; it accelerates them. For the financial sector, this means that familiar attack vectors can become cheaper, more persistent, and harder to distinguish from legitimate traffic. The solution isn’t to dramatize every statistic but to accept that availability, API protection, and bot defense are now fundamental elements of core security practices.
Frequently Asked Questions
What is a DDoS attack against a bank?
It’s an attempt to overwhelm digital services such as a website, banking app, API, or payment gateway with large volumes of traffic or coordinated requests.
Why are APIs so critical in banking?
Because they connect mobile apps, online banking, payments, internal services, and third parties. Poorly protected or monitored APIs can be exploited for abuse or cause service disruption.
How does AI relate to these attacks?
Akamai states that AI enables automation and scaling of known tactics, from harder-to-detect bots to more persistent DDoS campaigns.
What does DORA require from European financial entities?
DORA mandates strengthening digital operational resilience, managing ICT risks, incident reporting, response testing, and better control over critical technology providers.
via: akamai