Threat assessment for banks in Sweden 2025

The banks’ specialists when it comes to physical security, identification, cybersecurity, information security, fraud, card security, money laundering, outsourcing, sanctions, cash and security protection contribute to the report.

The threat assessment is divided into a number of areas, concluding with an assessment of the risk and threat level. Measures that banks cannot 
implement themselves are listed as requiring action by politicians and authorities. 

Summary

The security policy situation and crime trends in Sweden in recent years are now affecting the banks and their customers, primarily in the areas of cybersecurity, fraud and money laundering. In the autumn of 2024, the number of denial-of-service attacks increased, as well as becoming more sophisticated and more difficult to combat. Measures taken by banks to combat telephone fraud have had an impact, and the proceeds of crime from that approach decreased significantly in 2024 compared to 2023. In the field of money laundering, collaboration has been strengthened in 2025 with the establishment of a financial intelligence centre, in which the banks are involved. Collaboration by banks has been strengthened in all areas of security, both between the banks themselves and with the authorities.

In the field of abuse, personal threats and violence against bank staff, banks are reporting increased tension and more aggressive customer behaviour in recent years. Many employees are unwilling to represent the bank in legal contexts. The exposure of individual employees may increase the threat to the individual, rather than to the bank. Ensuring a safe working environment for bank staff is not only the responsibility of the banks, but part of a broader societal commitment.

An insider/enabler can use their insight into the bank to carry out illegal transactions or manipulate financial flows on behalf of criminals or a foreign state. This is also a way for threat actors to influence decisions, information flows and business strategies in the bank. Foreign states can use insider networks to gather intelligence, destabilise the economy or influence political decisions.

In the field of continuity and civil preparedness, current hybrid threats and incidents in the immediate area show that security policy developments require long-term contingency work in Sweden, and this also includes financial services. With an armed attack on Sweden as a defining condition for continuity work in the banks, more far-reaching requirements are imposed than in the case of peacetime crises. In this event, it is necessary to address issues such as the evacuation of data and functions, extensive backup arrangements and the protection of critical facilities such as office buildings and data centres, wartime organisation, etc.

During the period, the field of information security and cybersecurity is characterised by more sophisticated denial-of-service attacks of increased strength and scope. The primary purpose of the attacks is the impact on information manipulation and interference on society and citizens, where the attackers are trying to show that critical financial services are at risk. Companies in the financial sector continue to be affected by ransomware (extortion software that encrypts the data of its victims), although in this respect they are no different from other sectors. During the period, threats to critical infrastructure have been made tangible in the form of suspected 
sabotage of electricity and communication cables in the Baltic Sea.