What Q1 2026 Bot Traffic to Financial Institutions Tells Us About the FSI Threat Landscape

Modern Bot Attacks Demand Behavioral Detection Capabilities

Fig 1: Split of bot attacks detected using behavioral-based detection techniques vs signature-based detection techniques

Of all the bad bot hits mitigated across our FSI customers in Q1 2026, 81% were detected using our advanced behavioral detection techniques, while 19% were identified through signature-based methods.

Signature-based detection remains a fast and efficient approach for identifying bot activity with consistent and well-defined characteristics, making it an important component of a layered defense strategy. However, modern bot attacks increasingly employ advanced evasive techniques by rotating IP addresses, replicating human browsing behavior, and blending in with legitimate traffic. They are not trying to brute-force their way through, but trying to look like they belong there. From our analysis, a detection approach that relies primarily on known signatures will miss four out of every five of these attacks.

Behavioral detection takes a different approach. Rather than checking if traffic matches known attack patterns, it checks if the traffic behaves the way a real user would, to distinguish and mitigate malicious traffic. This distinction matters because the attackers have specifically evolved their tactics to defeat signature-based defenses.

The takeaway is not that signature-based detection is ineffective. It still detects 20% of bot attacks, and every blocked attack matters. The takeaway is that treating it as a primary defense is a strategic miscalculation.

Nearly a Third of Bad Bot Traffic Now Comes From ISPs

Fig 2: Split of bot attacks by origin

In Q1 2026, 32% of bad bot hits against our FSI customers originated from ISPs rather than data centers.

This meant roughly one in three malicious bot requests was arriving from an IP address that looks like an ordinary home or business internet connection and not hosting infrastructure.

This shift is accelerating, with the most consequential share coming from residential ISPs - compromised consumer devices or proxy networks that route attack traffic through real users’ connections - an attack technique to better resemble legitimate users.

The reason attackers have made this shift is straightforward: most traditional detection approaches are designed to be suspicious of data center traffic. Residential traffic gets the benefit of the doubt since these requests that originate from ISPs often inherit characteristics such as trusted IP reputation, geo consistency, and normal browsing patterns, making them more difficult to distinguish using traditional detection techniques.

This has a very practical implication for FSI organizations. Bot detection signals that rely on IP reputation alone, without layering in behavioral signals, will consistently under-detect attacks originating from residential infrastructure.

ATO Attacks Follow A Pattern

Account takeover attacks against our FSI customers were not evenly distributed across Q1 2026. January recorded the highest volume of ATO attacks, followed by a dip in February, and a recovery in March.

Fig 3: Trend of ATO attacks within Q1’26

The January peak is consistent with established seasonal patterns. The holiday season and post-holiday period is historically an active target for ATO attack campaigns, with the high consumer account activity across retail, banking, and payment platforms. The February dip and March recovery in attack volumes is likely linked to new breach disclosures or credential supply that drives the wave of attacks.

Year-Over-Year Growth and Targeted Spikes

For one of our major FSI customers, ATO attacks in Q1’26 were 22% higher than in Q1’25, with a massive 60% increase in Jan’26 compared to the same period the previous year.

Fig 4: Trend of ATO attacks attempted at a major customer – Q1’26 vs Q1’25

This trend is consistent with the broader threat environment – attackers are increasingly augmenting their ATO attack operations with AI, with a lower barrier to run attack campaigns at scale and supported by an increasing number of compromised credentials through data breaches. ATO attack volumes against financial institutions are growing in absolute terms, and the year-over-year comparison for this customer is one example of that growth.

Alongside the broader seasonal patterns, we periodically observe targeted spikes in ATO attacks. One such instance at a customer stands out, where we observed a pronounced spike in ATO attack attempts on February 9th, followed by consistent smaller spikes throughout the quarter. While the spike cannot be definitively attributed to a single cause, breach disclosures affecting consumer credential data in the region during that period likely created conditions for such a targeted attack.

Fig 5: Trend of ATO attacks attempted at a major customer through Q1’26

What This Means for FSI Organizations

Bot threats targeting financial institutions in 2026 are becoming more sophisticated, with the growing role of AI-enhanced attacks accelerating this further. They evade signatures, blend in with residential infrastructure, and increasingly mimic the behavior of legitimate users. ATO attacks sit at the center of this shift, with attacks growing rapidly in volume and following evasive techniques.

Keeping pace requires solutions that harness the power of AI for bot detection and mitigation, with AI-driven behavioral analysis and signature generation for real-time detection and mitigation of evolving attack patterns.

To learn more about how the Radware Bot Manager protects financial institutions from sophisticated, malicious bot attacks, contact our security experts here.

This blog is part 1 of a multi-part series on bot traffic trends in FSI for Q1 2026. Part 2 will examine the sharp rise in AI crawler activity targeting financial institutions – what it is, who is behind it, and why organizations should care.