Threat assessment for Sweden's Banks 2026

The banks’ specialists when it comes to physical security, identification, cybersecurity, information security, fraud, card security, money laundering, outsourcing, sanctions, cash and security protection contribute to the report.

The threat assessment is divided into a number of areas, concluding with an assessment of the risk and threat level. Measures that banks cannot implement themselves are listed as requiring action by politicians and authorities. 

Summary

In the field of abuse, threats and violence against bank staff, banks are reporting a continued aggressive tone and aggressive customer behaviour. The exposure of individual employees may increase the threat to the individual, rather than to the bank. A significant proportion of the threats are linked to banks’ anti-money laundering efforts, for example in connection with frozen accounts or restrictions to services. Ensuring a safe working environment for bank staff is not only the responsibility of banks, but part of a societal commitment.

An insider/enabler can use their insight into the bank to carry out illegal transactions or manipulate financial flows on behalf of criminals or a foreign state. This is also a way for actors to influence decisions, information flows and business strategies in the bank. Foreign states can use insider networks to gather intelligence, destabilise the economy or influence political decisions.

The deteriorating security policy situation means that the threat to the financial sector remains elevated in the area of continuity and civil preparedness. Suspected acts of sabotage against critical infrastructure, vulnerabilities in digital dependencies, as well as reliance on foreign IT providers are placing increased demands on banks’ continuity and contingency efforts. At the same time, planning for heightened preparedness requires the development of the banks’ wartime organisational structure, staffing and coordination, where unclear mandates and regulations currently act as limiting factors.

The field of information and cybersecurity is characterised by a broader and more complex threat landscape, where cyber extortion is increasingly based on information and identity theft as well as the exploitation of supplier dependencies. At the same time, denial-of-service attacks have had less actual impact due to banks’ increased resilience, although the threat remains. Overall, increased third-party risks and the emergence of AI-based attack methods mean that greater demands are being placed on banks’ ability to detect, manage and withstand both direct and indirect cyberattacks, the consequences of which could have a systemic impact in a worst-case scenario.

Social engineering has made fraud offences more targeted and more personalised. The banks’ programme of action to reduce vishing fraud have resulted in an approximately 60% reduction from the proceeds of crime in 2025 compared to 2023, as well as a clear drop in the average amount per vishing fraud offence.

The threat of money laundering remains widespread due to the fact that the illicit economy generates large sums of money every year. Criminals prefer to launder money through the formal economy in the first instance. Any proceeds of crime that cannot be used are basically of no value. There are several risk areas, with the most prominent including cash handling, cryptocurrencies and the trade in luxury goods and vehicles.

Companies are used frequently and on a large scale for criminal purposes, with straw men being used to conceal the real operators. Companies can be used for different types of crime in parallel, and the returns from such crime are often high. It is not uncommon for welfare crime and tax crime to generate criminal proceeds. It is common for criminal networks to run a large number of companies and conduct criminal transactions between them.

Terrorist financing involves many different approaches, such as the use of crowd funding, hawala and cryptocurrencies. Terrorist financing generally takes place under false pretences and can therefore be difficult to detect. One risk factor is that banks often lack access to up-to-date information about where such financing is suspected and which individuals or organisations may be involved.

With growing geopolitical tensions, international sanctions have become an increasingly important means of exerting pressure on foreign and security policy. The scope of the sanctions has increased rapidly, making it increasingly difficult for business operators to understand and apply them. Greater information is required here, along with cooperation and dialogue between the various actors in the field of sanctions. Particular challenges include increasingly sophisticated methods for circumventing sanctions, as well as the growing diversity of sanctions that banks have to take into account.

In 2025, there were no bank and cash in transit robberies and no attacks on Bankomat AB’s ATMs. The threat of bank and cash in transit robberies and ATM attacks remains, but the number of robberies and attacks is expected to remain low in 2026.

There are policy incentives aimed at increasing the use of cash in Sweden. For the banks, the challenges associated with cash are that it creates risks for those working with cash, as well as the fact that the traceability of cash is low or non-existent. Since cash is used to such a little extent in normal conditions, the notion that cash can play a major role in the event of a crisis or war event is also not realistic.

As regards the threats facing security-sensitive activities, the assessment is that, within the cyber domain, there is both the intent and the ability to carry out sophisticated and sustained attacks. Capabilities in respect of personnel and physical security are considered to be more limited, involving the use of insiders or basic physical attacks carried out by local actors with limited perseverance.