Sweden's cashless society could be more vulnerable to hybrid war attacks

By Evelina Youcefi

 

Marcus Murray has spent more than two decades probing the weak points of financial institutions. As the founder of Truesec, one of Sweden’s biggest cybersecurity firms, he has helped banks across Northern Europe protect themselves against intruders. Increasingly, though, clients are concerned about a different type of threat — state actors not trying to steal or extort money, but simply to cause chaos by shutting down banking systems or eroding trust in their operations. 

 

Across the Nordic and Baltic countries, governments are more and more concerned about Russian “hybrid war” attacks — low-level but highly disruptive tactics that disrupt infrastructure and services, or lead to panic and confusion in societies. Sabotage and cyberattacks linked to Russia and other hostile states have targeted private companies in Europe. Banks, in particular, are being told that they’re in the firing line. 

 

 

“The banking system is a prioritised area for the Russians,” Murray said. “They understand how much damage that does to society.” 

 

For Sweden, an increasingly cashless society where 90% of transactions are digital, the banking sector represents a particular vulnerability. As the Swedish government ramps up its spending on defense and warns citizens that they need to prepare themselves in case of disaster or conflict, the Riksbank is working with commercial banks to harden their systems, and to keep cash and payments available even if communications networks go down. 

 

People take the ability to pay seamlessly using cards and online payments “for granted, assuming they’ll always work,” said Maria Lundstrom, head of preparedness at the Riksbank. “Swedes depend on payments in pretty much every aspect of their lives — for food, fuel, medicine, wages and social benefits,” she said. “If the system breaks down, the consequences are immediate and severe.”

 

The central bank has mapped the payment system’s pressure points and has mainly built its plans around two headline scenarios: large-scale cyberattacks and prolonged outages in electricity and data communications. 

 

Cyberattacks don’t have to be the sort of sophisticated breaches or ransomware attacks that have hit companies around the world in order to create major disruptions.

 

In April, BankID, a digital authentication service used by millions of Swedes and a major part of the country’s digital payments system, was subject to a distributed denial of service, or ddos attack — where assailants try to overwhelm a system with requests, forcing it offline or slowing it down until it’s unusable. The result was hours of disruption that left Swedes unable to send money through Swish — the mobile payment app used for everything from splitting lunch bills to paying rent — or access online banking and other services tied to BankID. 

 

“It’s like a long line of people standing in front of a shop door. The store is intact inside, but customers can’t get in,” Lundstrom said. 

 

Hybrid warfare can combine cyberattacks with psychological operations. Days before Russia invaded Ukraine, Ukrainians received text messages claiming their deposits had vanished. At the same time, banks were hit with cyberattacks that stopped people accessing their accounts online. “People tried to log in, couldn’t — and then thought, ‘maybe my money’s gone,’” Murray recalls. “That’s how you create fear and break trust, and banks cannot exist without trust.” 

 

The consequences of that kind of attack, he said, can be swift and brutal. One CEO told Murray their bank “could not survive” a three-day total outage because of the legal and regulatory fallout that would follow.

 

Banks have stepped up their cyber-defenses, Murray said, including but not limited to secure coding, vulnerability scans and contingency plans for vendor failures. European lenders run what are known as threat intelligence–based red-team tests, or TIBER exercises, under an EU framework introduced in 2018.

 

The framework makes it possible to test, in a standardized way, resilience to cyber risks among actors in the financial system. In Sweden, each test brings together three parties: the bank, the Riksbank and an external assessor such as Truesec acting as the attacker and to gather threat intelligence.

 

The largest banks, and therefore the most important to society, are tested more often, while smaller ones face them less frequently. Though performance differs, the overall trend is clear: “They are improving immensely from when they started,” Murray said. “I think they’re well prepared — but you don’t really know until it happens,” he said. 

 

Lenders have been investing more in resilience. SEB AB set up a civil defense unit in 2024, now led by former Riksbank official Lisa Leirnes, who coordinates governance frameworks, internal processes and contingency planning across the bank. “Building the capability to deliver services to our customers even during a war situation is essential,” Leirnes said in an emailed response. She declined to comment on the financial burden of complying with the Riksbank’s directives.

 

Sara Bengtsson, head of civil preparedness at Nordea Abp, said in an emailed statement that the bank has embedded crisis readiness in its strategic planning for years, and works with the regulator and other authorities “to ensure that financial services critical to society can operate, even under the most extreme conditions, such as war.” 

 

Spokespeople for Sweden’s other major lenders Swedbank AB and Svenska Handelsbanken AB said they are working on business continuity and crisis preparedness. 

 

A new law under review, which would come into effect next year if enacted, would give the Riskbank legal responsibility for managing disruptions to payments and  “operational crises” across the financial sector. Lundstrom noted that the Riksbank has already voiced support for the proposal. “We have been clear that we welcome this responsibility,” she said. 

 

The Riksbank’s next major resilience initiative is targeted at improving the financial system’s ability to function if communications fail. The flagship project is an offline card system that embodies what Lundstrom called “graceful degradation” — keeping essentials running even if networks collapse. Nearly all payments, including card transactions, Swish, BankID log-ins and even ATM withdrawals, assume live connectivity, so a network outage would hit consumers fast.

 

“The dependency on electricity and data communications is high,” the Riksbank’s Lundstrom said. “The longer the interruption, the bigger the consequences.” 

 

Sweden’s embrace of digital payments has made the country both a pioneer and a test case for the risks of going almost entirely cashless. Set off by a surge of armed robberies in the 1990s and accelerated by the rise of BankID as the default way to pay and prove identity, the shift has left most Swedes relying on their phones and cards to move money. 

 

That convenience has brought new anxieties: by 2022, only 8% of Swedes said they used cash for their latest purchase, and with one of Europe’s lowest numbers of ATMs per capita, nearly all transactions now run through digital systems. Any disruption, whether through cyberattack or technical failure, could paralyze everyday life. Concerns over that dependence grew in January, when Prime Minister Ulf Kristersson warned that Sweden and its neighbors face hybrid attacks carried out not with missiles or soldiers, but “with computers, money, disinformation and the risk of sabotage.”

 

In a brochure circulated by the Swedish government titled “In Case of Crisis or War,” citizens are advised to keep enough cash for at least a week and to use it occasionally in case electronic payments fail.

 

Under the Riksbank’s new initiative, terminals will need to be able to process transactions locally for up to a week, limited to  essentials such as food and medicine. “Not for people to go out and buy new TVs,” as Lundstrom put it. 

 

Delivering that requires upgrades by banks, processors, terminal vendors and merchants, with spending caps and reconciliation once systems recover. 

 

For the payments industry, the shift to offline card capability has been less about massive new investment than careful coordination. Bengt Nilervall, senior adviser for payments at Swedish Trade, Sweden’s retail and wholesale trade association, said the first phase — ensuring chip-and-PIN cards can be used at supermarkets, pharmacies and fuel stations without a live network — relied on small technical tweaks and industry-wide agreements. 

 

Visa and Mastercard raised their offline transaction limits to €200 ($233), while banks and merchants adjusted their systems to store and reconcile purchases once networks return. “It’s been a very smooth solution, not a huge or costly overhaul,” Nilervall said. “Everyone from the big grocers to the banks and card networks agreed quickly, which made it possible to get this in place.”

 

The functionality is tightly controlled. Offline transactions are capped and restricted by merchant codes, meaning they’ll work at supermarkets, pharmacies or fuel stations, but not at clothing or electronics stores. That keeps the system focused on essentials in a crisis.

 

Still, Nilervall warned that the next phase will be tougher. With younger consumers increasingly leaving cards at home, about a third of Swedish in-store payments are today made via mobile phones or smartwatches. Extending offline capability to those digital wallets will require new technology, buy-in from Apple, Samsung and handset makers, and likely higher costs across the chain. The Riksbank, he said, will need to take the lead in pushing that work forward.

 

“That will be a bigger technical and financial challenge,” Nilervall said. “But if we want real resilience, we need to start working on it now.”