As Digital Payments Explode in Popularity, Cybercriminals are Taking Notice

With $54 trillion in payments flowing through the world’s leading transaction avenues, the payments space is truly exploding. Moreover, seemingly all stakeholders are buying into the space big time. For example, traditional banks are moving full speed ahead in fulfilling consumer expectations for instant and easy digital payments by rolling out new offerings. Policymakers are jumping onboard, since moving money faster means economies can expand. And merchants, neobanks, and fintechs are following the money and debuting a slew of new products as well. That said, cybercriminals are also looking to get in on the act in a big way.

In 2022, more than 60% of global financial institutions with over $5 billion in assets were hit by cyberattacks as cybercriminals look to compromise the rapidly growing – and lucrative – financial industry. And because of the rate at which the payments sector in particular is evolving, CISOs and their cybersecurity teams in this space are finding it increasingly difficult to stay one step ahead of bad actors.

With that in mind, here are a few of the key factors that are making the payments sector one of the most interesting areas to watch in terms of cybersecurity.

An evolving digital payments marketplace

For years, apps like Venmo and other digital channels have been an increasingly popular avenue for purchases and payments among consumers. However, as with so many industries, the COVID-19 pandemic completely changed the payments landscape, with consumers now demanding – rather than preferring – that banks and non-bank fintechs make it easy, cheap, and fast to execute online transactions, especially payments. Thus, mobile banking and digital wallets are now virtually ubiquitous. So much so that even the government is getting in on the payments game through the US Federal Reserve’s FedNow. Additionally, digital payments and cryptocurrency are becoming more intertwined – see payments leader PayPal's recent move to make digital assets available for their users through their digital wallet. This surge in payments tech adoption, and the growing diversity in the types of payments offerings, has made the space ripe for innovation but also for cybersecurity threats.

Regulatory complexity in digital payments

Due to the surge in ransomware attacks and other high-profile breaches impacting the financial services industry, policymakers, industry groups and regulators have all stepped up oversight efforts as well. In March, for example, the White House released its comprehensive National Cybersecurity Strategy, which included placing more responsibility on those within the digital ecosystem, the tech providers and payments providers, “to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable.” In addition, an onerous patchwork of data privacy laws has been unfurled in the past few years in several states, and in July the Securities and Exchange Commission (SEC) finalized its new cybersecurity risk management and governance rules, requiring public companies to report incidents and describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Meanwhile, the payment card industry is working overtime to meet the standards of PCI Data Security Standard (DSS) v4.0, which goes into effect March 2025. This confluence of overlapping oversight is making it increasingly challenging for payments stakeholders not just to remain compliant but to formulate effective cybersecurity strategies moving forward.

Cybercriminals have more surfaces to attack

Cybercriminals have become adept at seizing on gaps in the cybersecurity posture of companies caused by a rapidly expanding attack surface created by the adoption of new technologies like blockchain, generative AI, and cloud computing. Ransomware, once a minimal threat in cloud environments, is growing rapidly in line with increasing cloud adoption. Sophisticated AI tools are making cybercriminals better at their jobs through automation. At the same time, the explosion of fintech companies partnering with other fintechs and banks has opened the door wider to cyber threats. For example, in 2021, 62% of system intrusion incidents in the payments delivery chain stemmed from vendors, partners, and third parties – clearly demonstrating that while a more interconnected payments landscape may have certain upsides, it comes with significant cybersecurity downsides.

Closing thoughts

As we hurtle towards Q4, financial services tech disruption shows no signs of slowing down. With more and more money moving across the internet at increasing speeds and through varied infrastructures — and soon Web3 — security leaders have more fronts to defend, more regulations to comply with, and more brand reputation risks on their plates than ever before. And these issues will only continue to grow as digital payments become more ubiquitous and offerings like digital lending and securities trading proliferate. This presents significant challenges for payments stakeholders to contend with and is why payments is likely to become one of the most talked about sectors in the cybersecurity world in the years ahead.


Written by Norman Comstock, Managing Director, and Cybersecurity Solutions, UHY Consulting. Originally published by CDM, Cyber Security eMag - October Edition 2023.
