A compact view of incident volumes, common entry points (phishing, credential theft, exposed APIs), and where organizations are investing. We and our contractors and partners update this with public stats and anonymized insights.
Use this to brief leadership on what is happening now in Denmark, what is driving losses, and which controls are getting budget because they actually reduce risk.
Scope and sources
- Scope: Danish organizations with internet-facing apps/APIs, SaaS estates, and payment exposure (B2C and B2B).
- Sources: public situation reports, sector advisories, incident disclosures, court filings, and our anonymized engagement data.
- Cadence: refreshed as new public data lands; trends look back 12–18 months to smooth noise.
Executive summary
- Email-led entry remains dominant: phishing and session theft continue to open the door for most incidents.
- API exposure is a fast riser: mis-scoped tokens and weak authorization checks show up in more real incidents.
- Fraud mechanics shift quickly: mule recruitment and invoice manipulation adapt to stronger MFA and bank controls.
- Spend signals: organizations prioritize phishing-resistant MFA, runner isolation in CI/CD, and artifact verification before deploy.
Incident volumes (directional)
We bucket cases by dominant vector to keep the picture decision-ready. Counts are directional and de-duplicated where possible.
- Phishing/session theft: steady high baseline with periodic spikes tied to themed campaigns (delivery, tax, benefits).
- Business email compromise (BEC): fewer but higher-impact cases; invoice redirection and supplier impersonation remain costly.
- Web/API exploitation: gradual increase driven by auth gaps and permissive scopes rather than classic input bugs.
- Ransom/extortion: lower frequency than the 2021–2022 peak, but dwell-time improvements drive faster containment.
Top entry vectors (how attackers get in)
- Credential interception: session cookies stolen via injected scripts or reverse-proxy phishing; replayed before detection.
- SaaS misconfiguration: over-broad app grants and legacy protocols expose mail, files, or chat histories.
- API authZ gaps: missing checks on tenant or object boundaries allow cross-account reads or writes.
- CI/CD pivots: shared privileged runners and unsigned artifacts enable supply-chain style tampering.
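The credential-interception vector above is what the session-binding defense in the spending section is meant to blunt: a stolen cookie is only useful if the server accepts it from any client. The following is an added illustration (not code from this brief or from any Danish organization it describes) of a session store that binds each token to a keyed hash of client signals and revokes on mismatch, geo change, or a device-posture event. The signals used here, a device identifier and a "TLS channel id", are assumptions standing in for whatever strong binding a real deployment has (device certificates, DPoP-style proofs, or a managed-device attestation); the server key is generated at import time purely for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key used to MAC client signals. In production this
# comes from a KMS/HSM, not from secrets.token_bytes at import time.
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(device_id: str, tls_channel_id: str) -> str:
    """Keyed hash of the strong client signals a session is bound to.

    Keying with SERVER_KEY means a leaked session record does not reveal the raw
    signals, and an attacker cannot forge a matching fingerprint for a replay.
    """
    msg = f"{device_id}|{tls_channel_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session store; one record per issued token."""

    def __init__(self):
        self._sessions = {}  # token -> record

    def issue(self, user, device_id, tls_channel_id, country):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": client_fingerprint(device_id, tls_channel_id),
            "country": country,
            "revoked": False,
        }
        return token

    def validate(self, token, device_id, tls_channel_id, country):
        """Return (ok, user_or_reason). Any risk signal revokes the session."""
        rec = self._sessions.get(token)
        if rec is None or rec["revoked"]:
            return (False, "unknown_or_revoked")
        presented = client_fingerprint(device_id, tls_channel_id)
        if not hmac.compare_digest(presented, rec["fp"]):
            # Token presented from a different client: treat as replay, revoke.
            rec["revoked"] = True
            return (False, "fingerprint_mismatch")
        if country != rec["country"]:
            # Travel anomaly: revoke and force re-authentication.
            rec["revoked"] = True
            return (False, "geo_anomaly")
        return (True, rec["user"])

    def revoke_on_posture_change(self, user):
        """Called when device posture (e.g. compliance state) changes for a user.

        Returns how many live sessions were revoked.
        """
        revoked = 0
        for rec in self._sessions.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                revoked += 1
        return revoked


if __name__ == "__main__":
    store = SessionStore()
    t = store.issue("anna", "dev-A", "chan-1", "DK")
    print(store.validate(t, "dev-A", "chan-1", "DK"))   # legitimate client
    print(store.validate(t, "dev-B", "chan-9", "DK"))   # replay from elsewhere
    print(store.validate(t, "dev-A", "chan-1", "DK"))   # already revoked
```

The design choice worth noting is that a fingerprint mismatch revokes the session rather than merely rejecting the request: once a token has been presented from a second client, the legitimate user's session is already compromised and should be re-established, not kept alive.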
Fraud mechanics we see most
- Invoice manipulation: attacker lurks in mailboxes, edits PDFs or portal details, and nudges payment timing and destination.
- Account takeover: stolen sessions used to change recovery options or 2FA seeds, then drain balances or move loyalty assets.
- Refund abuse: scripting on weakly protected flows to turn small customer service gestures into repeatable loss.
- Mule pipelines: rapid onboarding of accounts to pass-through funds; detection relies on velocity and device clustering.
Where Danish teams are spending (because it works)
- Phishing-resistant MFA for admin and payment-adjacent roles; conditional access tied to device posture.
- Session defense: binding tokens to strong client signals and revoking on risk changes or travel anomalies.
- CI/CD guardrails: repo/tenant-scoped runners, artifact signing, and verification before promotion or deploy.
- API authorization reviews: enforcement at the boundary with explicit tenant/object checks and allowlists.
- Mailbox hygiene: disable legacy auth, tighten app consent, and monitor mail rule changes and OAuth grants.
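The mailbox-hygiene item above is the one most teams can turn into detection logic quickly. Here is an added example, not from this brief or any vendor's product, that scans a handful of constructed audit events for the three signals the item names: inbox rules that forward externally or hide mail (weighted higher when they match finance keywords), OAuth consent grants of mail scopes to an unverified publisher, and logins over legacy protocols or basic auth. The event shape (`op`, `rule`, `app`, `protocol`, `auth` fields) is an assumption for the example and is not any real tenant's audit schema; map it onto your own export before use.

```python
import json

# Constructed audit log (not a real vendor schema): one JSON object per line.
AUDIT_LOG = """
{"ts":"2024-05-02T08:01:00Z","op":"InboxRuleCreated","user":"finance@example.dk","rule":{"forward_to":"archive-notes@mail-relay.example","delete":false,"keywords":["invoice","payment"]}}
{"ts":"2024-05-02T08:05:00Z","op":"InboxRuleCreated","user":"hr@example.dk","rule":{"forward_to":null,"delete":false,"keywords":["newsletter"]}}
{"ts":"2024-05-02T09:10:00Z","op":"OAuthConsentGranted","user":"finance@example.dk","app":{"name":"PDF Helper","publisher_verified":false,"scopes":["Mail.ReadWrite","offline_access"]}}
{"ts":"2024-05-02T09:12:00Z","op":"OAuthConsentGranted","user":"it@example.dk","app":{"name":"Calendar Sync","publisher_verified":true,"scopes":["Calendars.Read"]}}
{"ts":"2024-05-02T10:00:00Z","op":"UserLoggedIn","user":"sales@example.dk","protocol":"IMAP4","auth":"basic"}
{"ts":"2024-05-02T10:02:00Z","op":"UserLoggedIn","user":"sales@example.dk","protocol":"Web","auth":"modern"}
"""

# Assumptions for the example: the organisation's own domains, the scopes that
# give an app standing access to mail, and the protocols that bypass modern auth.
INTERNAL_DOMAINS = {"example.dk"}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"}
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "iban"}


def is_external(address):
    """True when a forwarding address points outside the organisation."""
    if not address:
        return False
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate(event):
    """Return a (severity, reason) finding for one event, or None if benign."""
    op = event.get("op")
    if op == "InboxRuleCreated":
        rule = event["rule"]
        forwards_out = is_external(rule.get("forward_to"))
        hides_mail = bool(rule.get("delete", False))
        fin = FINANCE_KEYWORDS & {k.lower() for k in rule.get("keywords", [])}
        if forwards_out or hides_mail:
            # Forwarding or deleting finance-related mail is the BEC lurking pattern.
            severity = "high" if fin else "medium"
            detail = f"; finance keywords {sorted(fin)}" if fin else ""
            return (severity, "inbox rule forwards externally or hides mail" + detail)
    elif op == "OAuthConsentGranted":
        app = event["app"]
        risky = HIGH_RISK_SCOPES & set(app.get("scopes", []))
        if risky and not app.get("publisher_verified", False):
            return ("high", f"unverified app {app['name']!r} granted {sorted(risky)}")
        if risky:
            return ("low", f"verified app {app['name']!r} granted mail scopes; confirm need")
    elif op == "UserLoggedIn":
        if event.get("protocol") in LEGACY_PROTOCOLS or event.get("auth") == "basic":
            return ("medium", f"legacy/basic-auth login over {event.get('protocol')}")
    return None


def scan(log_text):
    """Run evaluate() over every line and return the list of findings."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        finding = evaluate(event)
        if finding is not None:
            findings.append({
                "ts": event["ts"],
                "user": event["user"],
                "severity": finding[0],
                "reason": finding[1],
            })
    return findings


if __name__ == "__main__":
    for f in scan(AUDIT_LOG):
        print(f"{f['ts']} {f['severity']:6} {f['user']}: {f['reason']}")
```

On the constructed input this flags the finance user's external-forwarding rule and unverified mail-scope grant as high, and the IMAP basic-auth login as medium, while the HR newsletter rule, the verified calendar app, and the modern-auth login pass silently. The useful output in practice is not the individual alerts but the correlation: two high findings on the same mailbox within an hour is the pattern to page on.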
Metrics leaders can watch each week
- Phishing-to-click rate: percent of targeted users who interact with bait; pair with reporting time.
- Session theft detections: number of sessions revoked due to device or geo anomalies.
- Signed + verified deploys: share of releases that verify provenance and signature before rollout.
- API authZ blocks: requests refused by explicit tenant/object checks (healthy friction).
- BEC dwell time: median hours from mailbox compromise to containment; drive this down.
What to do this quarter
- Protect your release path: enable artifact signing and verification on one critical service; expand from there.
- Shut legacy mail auth and app consent holes; alert on risky OAuth grants and inbox rule changes.
- Bind sessions to strong client signals; revoke on device posture or location change.
- Review API authorization boundaries on high-traffic endpoints; add explicit tenant/object checks.
- Practice BEC playbooks with finance: out-of-band verification before any bank detail change.
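The API authorization gap appears three times on this page: as an entry vector (missing tenant/object checks), as a spending priority (explicit checks and allowlists at the boundary), and as a quarterly action. The following added example, which is not code from this brief or from any organization it describes, shows the defect and the fix side by side on a constructed invoice API: the vulnerable handler fetches an object by id alone, while the hardened one scopes the lookup to the caller's tenant, checks ownership or a finance role on the object, and applies a per-role allowlist of writable fields. The `Principal`, `Invoice`, role name `finance_admin`, and sample data are all assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated caller as established by the API gateway (assumed shape)."""
    user_id: str
    tenant_id: str
    roles: frozenset


@dataclass
class Invoice:
    invoice_id: str
    tenant_id: str
    owner_id: str
    amount: float
    payee_iban: str
    status: str = "open"


# Constructed sample data: two tenants, one invoice each. IBANs are placeholders.
INVOICES = {
    "inv-100": Invoice("inv-100", "tenant-a", "alice", 1200.0, "DK00EXAMPLE0001"),
    "inv-200": Invoice("inv-200", "tenant-b", "bob", 980.0, "DK00EXAMPLE0002"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Vulnerable: object resolved by id alone, the authZ gap the brief describes ---
def get_invoice_vulnerable(principal, invoice_id):
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv  # any authenticated user in any tenant can read this invoice


# --- Hardened: tenant boundary, then object-level check, then field allowlist ---
def load_scoped(principal, invoice_id):
    """Resolve the object only within the caller's tenant.

    A foreign-tenant id returns the same NotFound as a missing one, so the
    endpoint does not become an oracle for enumerating other tenants' ids.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != principal.tenant_id:
        raise NotFound(invoice_id)
    return inv


def get_invoice(principal, invoice_id):
    inv = load_scoped(principal, invoice_id)
    if inv.owner_id != principal.user_id and "finance_admin" not in principal.roles:
        raise Forbidden(invoice_id)
    return inv


# Explicit allowlists: which fields each role may change. Payment destination
# is deliberately not owner-editable; that is the invoice-redirection lever.
WRITABLE_BY_OWNER = {"status"}
WRITABLE_BY_FINANCE_ADMIN = {"status", "amount", "payee_iban"}


def update_invoice(principal, invoice_id, changes):
    inv = get_invoice(principal, invoice_id)
    allowed = WRITABLE_BY_FINANCE_ADMIN if "finance_admin" in principal.roles else WRITABLE_BY_OWNER
    rejected = set(changes) - allowed
    if rejected:
        raise Forbidden(f"fields not permitted: {sorted(rejected)}")
    for field, value in changes.items():
        setattr(inv, field, value)
    return inv


def outcome(handler, *args):
    """Run a handler and summarise the result, for comparing the two designs."""
    try:
        inv = handler(*args)
        return f"ok:{inv.invoice_id}"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    bob = Principal("bob", "tenant-b", frozenset())
    print("vulnerable, cross-tenant read:", outcome(get_invoice_vulnerable, bob, "inv-100"))
    print("hardened,   cross-tenant read:", outcome(get_invoice, bob, "inv-100"))
```

The "API authZ blocks" metric from the weekly list is simply a counter on the `NotFound` and `Forbidden` branches in `load_scoped`, `get_invoice`, and `update_invoice`; a sustained non-zero rate after rollout is the healthy friction the brief refers to, and a sudden spike on one endpoint is worth a look.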
Methodology and caveats
We merge public statistics with anonymized engagement findings. Some incidents are under-reported; categories can overlap. Treat charts as directional signals to prioritize control work, not as a precise census.
The Danish picture is consistent: email-borne session theft, mis-scoped APIs, and pipeline weaknesses drive most real-world impact. The good news is that a small set of guardrails—strong MFA, session defenses, CI/CD hardening, and clean authZ—moves the needle quickly.