Review

A Scoping Analysis of Literature on the Enhancement in Security in Financial Messaging Systems

by Unarine Madzivhandila * and Colin Chibaya
Department of Computer Science and Information Technology, Faculty of Natural and Applied Sciences, Sol Plaatje University, Kimberley 8300, South Africa
* Author to whom correspondence should be addressed.
Information 2026, 17(4), 387; https://doi.org/10.3390/info17040387
Submission received: 9 February 2026 / Revised: 13 April 2026 / Accepted: 15 April 2026 / Published: 20 April 2026
(This article belongs to the Section Information Systems)

Abstract

The security of financial messaging systems is critical to maintaining trust in digital financial platforms. Despite advances in cryptography, many contemporary systems remain vulnerable to channel-based and cryptographic threats, including eavesdropping, interception, tampering, and unauthorized access. Hybrid cryptographic models that combine asymmetric encryption for secure key exchange with symmetric encryption for efficient data protection have emerged as effective approaches for strengthening confidentiality, integrity, and authenticity in financial message communications. This study presents a scoping review of literature published between 2015 and 2025, mapping research on user vulnerabilities in financial messaging systems and examining the role of hybrid cryptographic models in mitigating these risks. Guided by the PRISMA-ScR reporting standards, 615 articles were identified across nine scholarly databases. Forty-four studies met the inclusion criteria after systematic screening. The findings reveal a growing emphasis on hybrid encryption strategies, particularly RSA–AES and ECC–AES combinations, due to their balance of security strength and computational efficiency. However, significant gaps persist in empirical validation, real-world deployment, and user-centred security design, especially in mobile-first and resource-constrained environments. Existing research largely prioritizes theoretical performance and algorithmic efficiency, with limited attention to practical integration, usability, and operational constraints. This review highlights the need for holistic security frameworks that integrate cryptographic robustness with usability, regulatory compliance, and contextual deployment considerations. It provides a structured foundation for future research focused on developing scalable, user-centric, and resilient security solutions for financial messaging systems.

1. Introduction

The security of financial messaging systems encompasses the technologies, protocols, and practices that protect financial information across its lifecycle from creation and transmission to storage and access [1]. These messages carry highly sensitive data, including account identifiers, transaction details, authentication credentials, and payment instructions. Their compromise can lead to fraud, identity theft, financial loss, reputational damage, and regulatory breaches [2]. Ensuring confidentiality, integrity, and authenticity of such messages is therefore essential for individuals, businesses, and financial institutions.
Modern financial messaging systems rely on encryption, secure communication channels, authentication mechanisms, and access controls to prevent unauthorized access and manipulation [1]. In this study, confidentiality refers to restricting message access to authorized parties [3], integrity ensures that messages cannot be altered undetected [3], and authenticity verifies the identities of communicating entities [3]. Together, these principles form the baseline for assessing vulnerabilities and mitigation strategies.
Nevertheless, security cannot be addressed through technical controls alone. Evidence shows that governance structures, human factors, and system architecture significantly influence overall effectiveness. Regulatory frameworks and compliance standards shape how controls are implemented and enforced, ensuring accountability and adherence to best practices [4]. User behaviour and awareness can also either reinforce or undermine security mechanisms, while system architecture, such as the use of secure APIs, distributed systems, and layered designs, determines how well security is embedded across the messaging lifecycle [4]. As digital financial services expand through mobile banking, online payments, and real-time platforms, financial messaging security becomes a multidimensional challenge requiring the integration of technical, organizational, and design considerations.
The shift to mobile and remote financial interactions has further intensified these challenges. While mobile platforms enhance accessibility and financial inclusion, they also increase exposure to cyber threats [5,6,7]. Financial messages serve as the core communication units enabling authentication, transaction processing, and service delivery [8]. Their security directly influences user trust, particularly in decentralized and cross-border environments [9].
Despite widespread adoption of encryption, many systems remain vulnerable due to reliance on single-layer approaches, traditional public-key schemes, or centralized authentication models [10]. These limitations expose systems to advanced attacks, including man-in-the-middle, replay, interception, and unauthorized access [11]. High-profile breaches, such as those involving the SWIFT network, demonstrate how attackers exploit systemic weaknesses to bypass defenses and operate undetected, resulting in significant financial and reputational damage [12,13].
This study focuses specifically on end-user exposure to risks arising from cryptographic and channel-level vulnerabilities in financial messaging systems. Accordingly, security is examined through the lens of hybrid cryptographic models, excluding broader dimensions such as governance, human behaviour, and system architecture. These vulnerabilities directly threaten the core principles of confidentiality, integrity, and authenticity, and ultimately undermine user trust in digital financial platforms. Given this context, cryptography remains a central pillar of secure financial communication [14].
Hybrid cryptographic models have emerged as promising solutions to these challenges. By combining asymmetric encryption for secure key exchange with symmetric encryption for efficient data protection, they offer a balance between security and performance [15]. Empirical studies indicate that such models can strengthen authentication, preserve message integrity, and reduce computational overhead in online and mobile banking environments [16,17]. Additional work proposes enhanced hybrid configurations that improve resistance to interception and tampering while maintaining efficiency [18].
Despite these advances, there is limited consolidated understanding of how hybrid cryptographic models are applied in real-world financial messaging systems. Existing research tends to prioritize algorithmic design and theoretical performance issues, with insufficient attention to deployment constraints, user-centric vulnerabilities, and operational realities. This scoping review addresses this gap by systematically examining financial messaging vulnerabilities, the role of hybrid cryptographic models in mitigating these risks, and the challenges associated with their practical implementation.

1.1. Problem Statement

As financial transactions increasingly rely on digital communication channels [19], the security of financial messaging systems has become a critical concern. Despite the adoption of encryption and secure protocols, these systems remain vulnerable to cryptographic and channel-based attacks, including eavesdropping, interception, tampering, and unauthorized access [20]. Moreover, there is limited synthesis of how existing approaches address real-world vulnerabilities, particularly in mobile-first and resource-constrained environments, constraining the development of practical, user-centric security frameworks.
Although hybrid cryptographic models are widely proposed to strengthen technical defenses, current research largely emphasizes theoretical performance and algorithmic efficiency [21]. Most studies evaluate these models in controlled settings, offering limited insight into their practical deployment within complex financial messaging ecosystems.
This study addresses the lack of a systematic and structured examination of financial messaging vulnerabilities, the effectiveness and limitations of hybrid cryptographic models, and their applicability in real-world financial environments.

1.2. Research Question

Five research questions sequentially summarize the work presented in this study as follows:
  • What types of cryptographic and communication-channel vulnerabilities affecting end users are reported in the literature on financial messaging systems?
  • How do hybrid cryptographic models address the identified vulnerabilities in financial messaging systems, and what security properties do they primarily enhance?
  • What empirical evidence exists regarding the effectiveness and performance trade-offs of hybrid cryptographic models in securing financial messaging systems?
  • What limitations, implementation challenges, and research gaps are identified in existing studies on hybrid cryptographic approaches for financial messaging security?
  • What implications do the reviewed findings have for the design of secure, user-centric financial messaging systems in real-world deployment contexts?

1.3. Aim

The primary aim of this study is to map how hybrid cryptographic models address end-user security vulnerabilities in financial messaging systems through a structured scoping review of existing literature.

1.4. Specific Objectives

Five objectives, aligned with the research questions and the aim of this study, are addressed in order as follows:
  • To identify and categorize cryptographic and communication-channel vulnerabilities in financial messaging systems that impact end users.
  • To analyze how hybrid cryptographic models are applied to mitigate the identified vulnerabilities and which security properties they target.
  • To evaluate empirical evidence on the effectiveness and performance trade-offs of hybrid cryptographic approaches in financial messaging systems.
  • To identify limitations, implementation challenges, and unresolved research gaps in existing studies on hybrid cryptographic models.
  • To synthesize practical implications for the design of secure, user-centric financial messaging systems based on the reviewed evidence.

1.5. Overview

This article is structured to progress logically from conceptual foundations to critical synthesis and practical implications. Section 2 establishes the theoretical grounding by defining financial messages, outlining essential security properties, and examining key attack vectors that threaten confidentiality, integrity, and authenticity. Section 3 describes the scoping review methodology, including search strategies, data sources, and systematic procedures for study selection and analysis. Section 4 analyzes vulnerabilities in contemporary financial messaging systems, drawing on documented breaches and empirical evidence. Building on this, Section 5 examines hybrid cryptographic models as mitigation strategies, focusing on the integration of asymmetric and symmetric techniques. Section 6 critically evaluates their effectiveness under realistic threat conditions, moving beyond simulation results to assess resilience against attacks such as eavesdropping and man-in-the-middle exploits. Section 7 addresses implementation challenges in heterogeneous and resource-constrained environments, particularly mobile-first contexts, highlighting trade-offs between security, performance, and usability. Finally, Section 8 synthesizes the findings, outlines implications for practice, and reflects on the broader importance of securing financial messaging in an increasingly digital economy.

2. Conceptual and Theoretical Framework

This study is guided by an integrated conceptual and theoretical framework for examining financial messaging security and evaluating hybrid cryptographic models as mitigation mechanisms.
At the conceptual level, financial messages are defined as digital communication units that enable core financial operations, including transaction requests, payment confirmations, and account notifications [22]. Their security is assessed through three fundamental properties, namely confidentiality, integrity, and authenticity, which protect financial messages against unauthorized access, tampering, and fraud [23,24]. These properties also provide a basis for identifying vulnerabilities, particularly those arising from increased connectivity, heterogeneous platforms, and evolving threat landscapes.
Within this framework, hybrid cryptographic models play a central role. By combining asymmetric encryption for secure key exchange with symmetric encryption for efficient data protection, they address the limitations of single-method approaches [25,26]. Conceptually, hybrid cryptography serves as a bridge between technical safeguards and user trust, enhancing the security and reliability of financial message transmission. While not universally adopted across all studies, the underlying principle of combining cryptographic techniques is widely recognized as an effective strategy for addressing contemporary security threats, reinforcing the rationale for their evaluation in this study.
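The hybrid pattern described above, as an added example that is not taken from the article or from any of the reviewed studies: RSA-OAEP wraps a one-time AES-256 key, AES-GCM encrypts the payload, and an RSA-PSS signature over the envelope supplies sender authenticity. The signature goes one step beyond the paragraph; the Envelope layout, the function names and the sample message are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrSignature = errors.New("signature check failed: wrong sender or altered envelope")
var ErrDecrypt = errors.New("key unwrap or AES-GCM authentication failed")

type Envelope struct { // wire format constructed for this example, not a real standard
	Header     []byte // cleartext message ID and routing data: authenticated, not encrypted
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output: encrypted payload plus 16-byte tag
	Signature  []byte // sender's RSA-PSS signature over the four fields above
}

// digest hashes each field behind a length prefix so bytes cannot slide between fields.
func digest(e *Envelope) []byte {
	h := sha256.New()
	for _, f := range [][]byte{e.Header, e.WrappedKey, e.Nonce, e.Ciphertext} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload for recipient and signs the whole envelope as sender.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, header, payload []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce for every message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Hybrid core: RSA-OAEP wraps the one-time key, AES-GCM encrypts the payload; both bind the header.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, header)
	if err != nil {
		return nil, err
	}
	e := &Envelope{Header: header, WrappedKey: wrapped, Nonce: nonce}
	e.Ciphertext = gcm.Seal(nil, nonce, payload, header)
	e.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(e), nil)
	return e, err
}

// Open verifies the signature with a sender key assumed to be obtained out of band, then decrypts.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, e *Envelope) ([]byte, error) {
	if rsa.VerifyPSS(sender, crypto.SHA256, digest(e), e.Signature, nil) != nil {
		return nil, ErrSignature
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, e.Header)
	if err != nil {
		return nil, ErrDecrypt
	}
	gcm, err := newGCM(key)
	if err != nil || len(e.Nonce) != gcm.NonceSize() {
		return nil, ErrDecrypt
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, e.Header)
	if err != nil {
		return nil, ErrDecrypt
	}
	return plain, nil
}

func newKey() *rsa.PrivateKey { // RSA-2048 key pair generated for the demo
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	bank, customer := newKey(), newKey()
	env, err := Seal(bank, &customer.PublicKey, []byte("msg-0001"), []byte("debit 150.00 ref 7731"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(customer, &bank.PublicKey, env)
	fmt.Printf("%q %v\n", plain, err)
}
```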
The theoretical foundation draws on principles from cryptography, information security, network security, and trust theory. Cryptographic theory provides the mathematical basis for encryption, authentication, and key management while also highlighting that vulnerabilities often stem from weak implementations, flawed protocols, or poor system integration [25]. Network security theory further emphasizes the importance of secure communication channels, authentication protocols, and layered defenses in mitigating advanced attacks such as man-in-the-middle and session hijacking [26].
Complementing these technical perspectives, trust and user-centric security introduce a socio-technical dimension. Even robust cryptographic solutions may fail if they do not align with user expectations or sustain confidence [23]. In financial contexts, trust is critical to adoption and continued use, making perceived security, reliability, and usability as important as technical strength [27]. Effective cryptographic implementation reinforces trust, whereas poor execution undermines it regardless of theoretical robustness.
Together, this framework provides a structured lens for analyzing the interplay between system vulnerabilities, the protective capacity of hybrid cryptographic models, and the preservation of user trust. It supports this study’s objectives by enabling a comprehensive assessment that integrates technical, operational, and human factors, moving beyond description to explain why vulnerabilities persist and how hybrid approaches can address them in practice.

3. Methods and Materials

A scoping review methodology was adopted to systematically map literature on user vulnerabilities in financial messaging systems and the role of hybrid cryptographic models in mitigating these risks. This approach is appropriate given the breadth of the topic, the diversity of study designs, and the exploratory nature of the research objectives [28,29].

3.1. Search Strategy

A structured search strategy was implemented to identify relevant studies. Primary searches were conducted across major peer-reviewed databases, including Scopus, IEEE Xplore, ACM Digital Library, ScienceDirect, and SpringerLink, selected for their strong indexing standards and coverage of information security, cryptography, and financial technology research [30]. To enhance coverage and reduce publication bias, additional sources such as MDPI, Emerald, and DOAJ were included, alongside supplementary platforms such as Google Scholar, Semantic Scholar, Frontiers, and ResearchGate to capture grey and emerging literature.
To ensure consistency and quality, a multi-stage screening process was applied across all sources. This included duplicate removal, title and abstract screening, and full-text evaluation against predefined inclusion and exclusion criteria. Studies were further assessed based on relevance, methodological rigour, and analytical depth. Only those explicitly addressing user-facing vulnerabilities in financial messaging systems and providing substantive analysis of cryptographic mitigation mechanisms were retained. This process ensured a balanced and credible evidence base while minimizing database and publication bias [30].
The search strategy was guided by the Population–Concept–Context (PCC) framework [28,31]. The population comprised studies on financial messaging systems. The concept focused on user vulnerabilities and cryptographic mitigation strategies. The context encompassed secure communication processes, including encryption, authentication, and data transmission in financial environments.
Search strings were constructed using Boolean operators (AND, OR), phrase searching, and database-specific field restrictions to ensure both precision and breadth. Three conceptual blocks structured the queries, including user-related vulnerabilities such as “user vulnerability”, “user risk”, and “social engineering”, as well as financial messaging contexts such as “financial messages”, “financial transactions”, and “electronic funds transfer”. They also included cryptographic mechanisms such as “hybrid encryption”, RSA, and ElGamal. Synonyms within each block were combined using OR, while the three blocks were linked using AND to ensure relevance across all dimensions.
Database-specific adaptations were applied to optimize retrieval accuracy. For example, TITLE-ABS-KEY fields were used in Scopus and ScienceDirect, abstract-level searches in ACM, and metadata-wide queries in IEEE Xplore. SpringerLink searches were restricted to titles and abstracts for precision, while broader keyword strategies were used in open-access and supplementary platforms to maximize recall.
The search was limited to studies published between 2015 and 2025 to reflect contemporary technologies and threat landscapes, with the final search conducted on 25 October 2025. Table 1 summarizes the databases and corresponding search terms used in this review.

3.2. Inclusion and Exclusion Criteria

Explicit inclusion and exclusion criteria were established to ensure consistency, transparency, and rigour in the selection of studies. Studies were included if they were written in English, and focused on user vulnerabilities, security risks, or hybrid cryptographic models within financial messaging or transaction systems. Eligible sources comprised peer-reviewed journal articles, conference papers, and credible technical reports. Studies were excluded if they did not relate to financial messaging or digital financial communication, failed to address user-centric vulnerabilities or cryptographic mitigation mechanisms, or were published in languages other than English. For all included studies, key characteristics such as authorship, publication year, research objectives, context, methodology, and contributions were systematically extracted and recorded in a structured Excel dataset.
Table 2 summarizes the methodological, thematic, and technical criteria applied during screening, enabling transparent tracking of study inclusion and exclusion decisions.

3.3. Article Screening Process

The screening process followed a three-stage approach, starting with the title, then abstract, through to full-text review. All retrieved records were managed using Rayyan, Excel, and Zotero. Rayyan facilitated efficient duplicate removal, blinded screening, tagging, and exclusion decisions, enhancing consistency and reducing reviewer bias [28]. Titles and abstracts were independently screened by two reviewers, with disagreements resolved through discussion to ensure consensus. Automated tools supported the removal of duplicates, exclusion of studies published before 2015 and preliminary keyword-based filtering, in alignment with PRISMA-ScR guidelines.

3.4. Data Charting Procedure

Data charting was guided by the PRISMA-ScR framework [29]. A structured data extraction form was developed in Excel to ensure consistent capture of key study attributes, including research focus, user vulnerability types, cryptographic approaches, methodological design, and reported outcomes. A PRISMA-ScR flow diagram was used to transparently document the stages of identification, screening, eligibility, and inclusion. This review was not registered, and no formal protocol was developed.

3.5. Data Analysis

Data analysis followed a structured descriptive and thematic synthesis approach consistent with scoping review methodology. Following data extraction, all included studies were imported into a structured coding framework developed in Excel. Each study was assigned predefined codes covering study focus, user vulnerability type, financial messaging context, cryptographic technique, methodological design, geographic context, and publication characteristics. An initial open-coding phase was conducted to identify recurring concepts, which were subsequently refined into a controlled coding schema to ensure consistency across the dataset.
The coded data were then systematically grouped to support thematic development. Related codes were clustered into higher-order categories reflecting dominant patterns in the literature, including vulnerability types, cryptographic mitigation strategies, deployment contexts, and implementation constraints. These categories were iteratively refined through constant comparison, ensuring that themes accurately reflected the underlying evidence while remaining distinct and analytically meaningful.
To enhance reliability and reduce subjectivity, coding was cross-checked through a validation process involving iterative review and reconciliation of inconsistencies. Discrepancies in coding decisions were resolved through discussion and consensus, and the coding framework was refined accordingly. This iterative validation process improved consistency and strengthened analytical rigour.
Quantitative attributes were summarized using frequency counts and descriptive statistics to support identification of dominant trends and patterns across studies. No inferential statistical analysis, risk of bias assessment, or effect size estimation was conducted, in line with the exploratory objectives of the scoping review. The final synthesis was presented using tables and figures to enhance transparency, traceability, and reproducibility of findings, while highlighting thematic concentrations and gaps in the literature [32].

4. Results and Discussion

This section presents the findings of the scoping review, beginning with a PRISMA-ScR flow diagram summarizing the study selection process. It then synthesizes key trends from the literature, with emphasis on user vulnerabilities in financial messaging systems, the role of hybrid cryptographic models in mitigating these risks, and the practical and technical challenges associated with their implementation. This section further highlights critical gaps in the existing body of knowledge, providing a foundation for future research aimed at strengthening user-centric security in financial messaging environments.

4.1. The PRISMA-ScR

This review adhered to the PRISMA-ScR guidelines, providing a structured framework for conducting and reporting scoping reviews. The guidelines informed the development of the search strategy, execution of multi-database searches, specification of inclusion and exclusion criteria, and transparent reporting of the study selection process. The complete screening workflow, including identification, deduplication, eligibility assessment, and final inclusion, is presented in the PRISMA-ScR flow diagram in Figure 1. The initial search retrieved 615 records aligned with the Population–Concept–Context (PCC) framework. Screening and data management were supported using Rayyan, Excel, and Zotero, enabling efficient deduplication, systematic record organization, and consistent screening procedures [28].
The 615 records identified comprised 498 retrieved from academic databases and 117 identified through Supplementary Sources, including citation tracking and organisational repositories. In line with the PRISMA 2020 guidelines [33], 19 duplicate records were removed, 15 records were excluded through automated screening as non-eligible publication types, and 5 records were excluded for falling outside the review period. The remaining records proceeded to title and abstract screening, during which 303 were excluded for not meeting the predefined inclusion criteria. A further 24 records were excluded due to unavailable full texts, leaving 150 articles for full-text eligibility assessment (132 from databases and 18 from Supplementary Sources). At the full-text stage, exclusions were applied for clearly defined reasons, including studies focused solely on general cybersecurity rather than financial messaging systems (n = 41), those addressing financial transactions without messaging-specific focus (n = 32), and those limited to general user behaviour without cryptographic relevance (n = 15). Additional exclusions from Supplementary Sources included general cybersecurity focus (n = 52), duplicate records (n = 9), and user-behaviour-only studies (n = 38).
Following this multi-stage screening process, 44 studies met all inclusion criteria and were retained for final synthesis. Although the final dataset is relatively focused, it reflects a substantially broader evidence base, as illustrated in the PRISMA flow diagram. Collectively, these studies form the empirical foundation for analysing user vulnerabilities, evaluating hybrid cryptographic approaches, and identifying persistent challenges in financial messaging security.
While 44 studies may appear limited in absolute terms, this dataset is appropriate for the scope of this review for several reasons. First, the research domain is highly specific, focusing on the intersection of user-centric vulnerabilities, financial messaging systems, and hybrid cryptographic mitigation strategies. Second, the search strategy ensured comprehensive coverage across major databases and Supplementary Sources, reducing the likelihood of omitting relevant studies. Third, no new thematic categories or vulnerability classes emerged during iterative analysis, indicating thematic saturation within the defined scope. Finally, as a scoping review, the objective is to map evidence and identify gaps rather than generate statistical generalizations, making this sample size methodologically appropriate and consistent with established scoping review practice.

4.2. Overview of Selected Studies

This review enabled analysis of temporal trends in research between 2015 and 2025 on user vulnerabilities in financial messaging systems. All included studies were coded by publication year using a structured Excel-based extraction framework. Each record was assigned a year code, which was aggregated to generate frequency distributions and visualized in Figure 2. To ensure accuracy and reproducibility, the temporal dataset was independently cross-validated during the data verification phase.
Overall, the distribution shows a steady increase in publications over time, with a notable rise from 2021 onwards (see Figure 2). This trend reflects heightened scholarly attention to financial messaging security in response to evolving cryptographic and channel-based threats, alongside emerging technologies such as blockchain and post-quantum cryptography. A temporary decline in 2022 was observed. However, coding analysis indicates that many studies from this period focused on broader financial cybersecurity themes such as network security architectures and regulatory compliance, rather than financial messaging systems specifically. As a result, fewer studies met the strict inclusion criteria despite sustained research activity in the wider domain.
Iterative thematic coding revealed that publications from 2021–2025 largely concentrated on general FinTech security and enterprise-level network protection rather than messaging-specific vulnerabilities. Through open coding and constant comparison, these broader categories were refined into higher-order themes, including financial messaging security, cryptographic protocol design, and user-centric vulnerabilities. This refinement ensured that only studies directly addressing the intersection of messaging systems and cryptographic security were retained in the final synthesis.
Thematic validity was strengthened through iterative review and consensus-based reconciliation of coding discrepancies, particularly in cases where studies overlapped between general cybersecurity and financial messaging contexts. Re-examination against the inclusion criteria ensured consistent classification and improved coding reliability.
Despite the increasing volume of research, the analysis highlights persistent gaps. Financial messaging is still largely treated as a subset of broader cybersecurity or FinTech studies, rather than a distinct domain. As a result, vulnerabilities related to message construction, transmission, authentication, and protocol design remain underexplored. In addition, while hybrid cryptographic models are frequently proposed, they are seldom evaluated alongside user behaviour or human–system interaction factors.
Generally, research integrating hybrid cryptography, user-centric vulnerabilities, and financial messaging system design remains limited. There is also a notable lack of empirical studies assessing the integration of emerging technologies such as blockchain, post-quantum cryptography, and AI-driven anomaly detection within real-world messaging environments. These findings underscore the need for a focused, user-oriented framework that integrates technical safeguards, protocol-level security, and human factors in financial messaging systems.

4.3. Geographical Origin of Researcher

To examine the geographical distribution of research on vulnerabilities in financial messaging systems, all included studies were coded according to the institutional affiliation and country of the lead or corresponding author. A structured extraction framework in Excel was used to assign each study a region-of-author code, and these codes were aggregated to generate the frequency distributions used for the geographic visualization (see Figure 3, which depicts the distribution of the included articles by geographical origin of the authors). To improve clarity, Table 3 summarizes the frequency of publications from dominant countries. The assigned codes were subsequently validated through cross-checking during the data verification phase to ensure consistency, accuracy, and reproducibility of the geographical dataset.
The analysis reveals a concentration of scholarly output from authors based in India, Singapore, and the United States. This distribution reflects the maturity of their financial systems, strong cybersecurity research ecosystems, and early adoption of secure digital payment and messaging infrastructures. Through iterative thematic mapping of author regions against research focus, these countries were consistently associated with studies on cryptographic design, secure financial communication protocols, and FinTech security architectures, indicating sustained research investment in this domain.
In contrast, contributions from several regions remain limited, with a notable gap in South African authorship. Despite South Africa’s position as one of the most developed financial hubs in Africa [34], relatively few studies directly address financial messaging system security and user-level vulnerabilities within this context. Coding of the regional dataset shows that South African research output is more frequently situated within broader FinTech risk, online banking fraud, or general cybersecurity themes, rather than focused analyses of messaging-layer threats or hybrid cryptographic mitigation strategies.
Through iterative thematic grouping, studies from underrepresented regions were further examined to determine whether implicit or secondary coverage of financial messaging security existed. This process confirmed that messaging-specific vulnerabilities and protocol-level cryptographic interventions remain underexplored in the South African context.
Validation of regional classifications was conducted through systematic cross-checking of author affiliations and consensus-based reconciliation where multi-country collaborations were present. In such cases, the study was assigned to the primary corresponding author’s institutional country to maintain consistency and comparability across the dataset. Generally, the geographical distribution highlights both concentration and imbalance in global research contributions. While leading contributions from India, Singapore, and the United States demonstrate strong technical advancement in financial messaging security, the limited representation from regions such as South Africa signals a critical research gap. This gap presents an opportunity for context-specific studies that account for regional infrastructure constraints, regulatory environments, and user behaviour patterns. Addressing this imbalance would not only broaden the empirical foundation of financial messaging security research but also support the development of more inclusive, context-aware, and practically applicable security frameworks for diverse financial ecosystems.
Figure 3. Distribution of the included articles by the country of the author.
Table 3. Distribution of published articles by authors’ countries.

| Country of the Author | Number of Articles |
|---|---|
| India | 10 |
| Singapore | 6 |
| USA | 5 |
| Nigeria | 5 |
| United Kingdom | 3 |
| Saudi Arabia | 2 |
| Indonesia | 2 |
| China | 2 |
| Qatar | 1 |
| United Arab Emirates | 1 |
| South Korea | 1 |
| Turkey | 1 |
| Spain | 1 |
| Algeria | 1 |
| Kenya | 1 |
| Japan | 1 |
| Switzerland | 1 |

4.4. Distribution of the Included Articles by Aim

To analyze the distribution of included studies by research aim, each article was also systematically coded using a structured classification framework. During the data extraction phase, the stated objective of each study was identified and assigned a standardized aim code. An initial open-coding process was used to capture variations in terminology, after which similar expressions were consolidated into seven higher-order categories, namely analysis, design, development, evaluation, investigation, proposal, and review. This iterative coding process ensured consistency in classification while preserving conceptual distinctions across study objectives.
To ensure reliability, all coded entries were subjected to validation through cross-checking during the data verification phase. Where ambiguity existed in the stated aims, particularly in studies combining multiple objectives, classification was resolved through consensus-based discussion and re-examination of each study’s primary research intent, resulting in the final categorization summarized visually in Figure 4. This process strengthened coding consistency and improved reproducibility of the categorization scheme.
The analysis reveals that the most common research aim is “proposal”, accounting for 13 studies, reflecting a strong emphasis on the introduction of new hybrid cryptographic mitigation strategies. This indicates a dominant innovation-oriented trend within the literature, where solution development is prioritized. Other prominent categories include investigation (6 studies), analysis (5 studies), and review studies (4 studies), collectively highlighting ongoing efforts to explore, contextualize, and synthesize vulnerabilities in financial messaging systems.
In contrast, fewer studies were categorized under evaluation, development, and design-oriented aims. This imbalance suggests a limited focus on empirical validation, prototype implementation, and system-level architectural design. While conceptual and solution-driven work is well represented, there is comparatively less evidence of studies translating proposed models into tested, operational financial messaging environments.
Thematic development across aim categories further revealed a progression from problem identification (analysis and investigation) to solution formulation (proposal and design), with relatively weak representation in validation-oriented categories (evaluation and development). This pattern was refined through constant comparison during coding, ensuring that each study was accurately placed within the most representative aim category. Generally, the validation process confirmed the robustness of the classification scheme, with discrepancies resolved through iterative review and consensus-based coding adjustments. The resulting distribution highlights a field that is largely innovation-driven but underdeveloped in empirical verification and real-world implementation. This gap underscores the need for future research to strengthen evidence-based validation of hybrid cryptographic solutions and bridge the divide between theoretical proposals and operational deployment in financial messaging systems.
Figure 4. Distribution of the reviewed studies according to research aim.

4.5. Distribution of Reviewed Studies According to User Categories

To systematically map the threat landscape addressed in the literature, all included studies were coded according to the type of user vulnerability reported. An initial open-coding phase was used to capture variations in terminology such as “interception”, “eavesdropping”, or “message hijacking”, which were then consolidated through axial coding into 11 standardized vulnerability categories (see Table 4 for the summary). This iterative process ensured conceptual consistency while preserving the diversity of threat descriptions across studies.
To enhance reliability, all vulnerability classifications were subjected to validation through cross-checking during the data verification phase. Where studies reported multiple overlapping threats, dominant vulnerability types were assigned based on frequency of emphasis and primary analytical focus. Disagreements in classification were resolved through consensus-based review, ensuring consistency and reproducibility of the coding framework.
The analysis identifies channel-based attacks as the most frequently reported vulnerability, appearing in 30 studies. This is followed by unauthorized access (14), social engineering (11), and credential theft (9). Additional categories include data tampering and forgery (7), malware and session hijacking (6), and denial of service and insider threats (4 each). Less frequently addressed vulnerabilities include cryptographic attacks (3), transaction manipulation (2), and identity theft (1). This distribution reflects a concentration of research on externally driven, network-level threats, while more subtle or system-internal vulnerabilities remain comparatively underexplored.
Thematic development of the vulnerability categories revealed three dominant clusters through constant comparison analysis: channel and network-based threats such as interception, tampering, or hijacking; identity and access-based threats such as unauthorized access, credential theft, and social engineering; and system and protocol-level threats such as cryptographic attacks and transaction manipulation. This clustering process strengthened analytical clarity by grouping related vulnerabilities into higher-order security themes. Further synthesis indicates that cryptographic mechanisms, particularly hybrid encryption models, are consistently positioned as the primary mitigation strategy across studies. These approaches are primarily designed to safeguard confidentiality, integrity, and authenticity, thereby reducing exposure to interception, tampering, and credential compromise. Emerging approaches such as post-quantum cryptography and blockchain-based systems extend this protection by enhancing resistance to evolving attack vectors and improving auditability and non-repudiation.
Validation of thematic groupings was achieved through iterative review and reconciliation of coding decisions, particularly in cases where vulnerability categories overlapped or were ambiguously defined. Reclassification was undertaken where necessary to ensure alignment with inclusion criteria and conceptual definitions, thereby improving coding accuracy and dependability. Generally, the findings demonstrate a strong research focus on common external and channel-based threats, while less attention is given to complex, low-frequency, or emerging vulnerabilities such as identity theft and transaction-level manipulation. This imbalance highlights the need for future research to extend empirical evaluation of cryptographic solutions beyond dominant threat categories and to integrate technical, protocol-level, and human-centric security considerations within financial messaging environments.
Table 4. Distribution of included articles by the type of User Vulnerability.

| User Vulnerability | Number of Articles |
|---|---|
| Channel-based attack | 30 |
| Unauthorized access | 14 |
| Social Engineering | 11 |
| Credential theft | 9 |
| Data Tampering & Forgery | 7 |
| Malware & Hijacking | 6 |
| Denial of Service | 4 |
| Insider Theft | 4 |
| Cryptographic attacks | 3 |
| Transaction manipulation | 2 |
| Identity Theft & KYC | 1 |

4.6. Technical Mitigation Strategies

To examine how financial messaging vulnerabilities are mitigated, all included studies were systematically coded and categorized according to the technical security mechanisms they employed. Through an iterative open-coding process, similar techniques were grouped and then consolidated via axial coding into nine standardized categories, summarized in Table 5 (distribution of the included articles by mitigating method used). This approach reduced redundancy while preserving methodological diversity across studies and ensuring consistency in classification.
Hybrid cryptographic models that combine symmetric and asymmetric encryption emerged as the most frequently reported mitigation strategy, appearing in 12 studies. This was followed by traditional cryptographic approaches (symmetric or asymmetric encryption) in 9 studies. Other recurring techniques included multi-factor authentication, hashing and digital signatures, and AI/machine learning-based anomaly detection. Less frequently represented approaches included hardware-based security mechanisms such as use of smart cards, quantum cryptography, and anti-phishing or social engineering defense, each appearing in only a small number of studies. A subset of articles proposed high-level frameworks or protocol enhancements without specifying concrete technical implementations.
Thematic development of mitigation strategies revealed three dominant clusters: cryptographic controls, often restricted to traditional and hybrid encryption, hashing, and digital signatures; identity and access management mechanisms, limited to multi-factor authentication and hardware-based authentication; and intelligent and adaptive security systems such as AI/ML-based anomaly detection and behavioural analytics. This clustering was refined through constant comparison to ensure conceptual coherence and clear separation between implementation-oriented and conceptual proposals.
Emerging approaches such as AI-driven detection, hardware-backed security, and quantum cryptography remain underrepresented in the literature, indicating significant research gaps. Evidence suggests that adaptive and behaviour-aware systems enhance perceived security and system resilience by enabling dynamic authentication, continuous monitoring, and automated response mechanisms [35]. In addition, AI/ML-based models extend traditional rule-based security by learning behavioural baselines, enabling dynamic risk scoring, early detection of protocol-level anomalies, and identification of subtle fraud patterns that conventional systems often fail to capture [4]. Although many studies do not implement full machine learning systems, they provide strong conceptual and empirical support for the transition toward intelligence-enhanced security in financial messaging environments. Validation of the coding framework was achieved through iterative review and consensus-based reconciliation of overlapping classifications, particularly in studies combining multiple mitigation strategies. This process ensured accurate mapping of techniques to categories and improved reliability of the synthesis. Generally, the findings demonstrate a clear imbalance in the literature. Specifically, while cryptographic approaches are well established and widely studied, advanced intelligent security mechanisms and real-world deployment evaluations remain limited. Addressing these gaps is essential for developing integrated, adaptive, and user-centric security frameworks capable of effectively mitigating vulnerabilities in financial messaging systems.
Table 5. Distribution of the included articles by Mitigating Method used.

| Mitigating Method | Number of Articles |
|---|---|
| Hybrid cryptographic model | 12 |
| Symmetric/Asymmetric encryption | 9 |
| Multi-factor Authentication | 7 |
| Hashing/Signature | 5 |
| AI/ML/Anomaly detection | 4 |
| Smart card/Hardware Security | 2 |
| Anti-Phishing | 1 |
| Quantum Cryptography | 1 |
| Other Protocol & Not specified | 1 |

5. Vulnerabilities in Financial Messaging Systems: Literature Insights

Financial messaging systems are foundational to modern banking, enabling secure exchange of sensitive information across institutions and borders [36]. Their critical role makes them high-value targets, exposing them to threats that undermine confidentiality, integrity, and availability [37]. The reviewed literature indicates that these vulnerabilities are not isolated but emerge from interconnected structural, architectural, and behavioural factors that shape how financial messages are created, transmitted, and validated.
Cryptographic weaknesses remain central. Studies highlight outdated algorithms, weak key management practices, and inconsistently implemented hybrid encryption as key enablers of interception, message manipulation, and man-in-the-middle attacks [38]. Authentication and access control mechanisms such as passwords, PINs, multi-factor authentication, and role-based access are also frequently compromised through phishing, credential theft, SIM swapping, and insider misuse [35]. These issues are often exacerbated by reliance on legacy systems or uneven deployment of newer cryptographic standards. The resulting gap between theoretical security guarantees and real-world implementation creates exploitable weaknesses, particularly where short key lengths, misconfigured protocols, or weak cipher modes are used. The literature consistently shows that institutions struggle to balance cryptographic strength with performance and operational constraints, often introducing security trade-offs.
At the protocol and network level, vulnerabilities include replay and injection attacks, insecure APIs, insufficient integrity validation, unpatched systems, weak network segmentation, and endpoint compromise [39,40]. Evidence also shows that malware and session hijacking are persistent threats to transaction integrity in digital banking environments. In particular, ref. [41] identifies endpoint compromise, malicious software, and traffic interception as primary mechanisms through which adversaries manipulate or disrupt financial messages during transmission.
Human factors further intensify these risks. Social engineering, operational errors, insider collusion, and weak governance frequently bypass technical controls [42]. The literature reveals a persistent lag between technological advancement and organisational readiness, particularly in security awareness, monitoring, and auditing practices. This underscores that financial messaging security cannot be treated as a purely technical challenge; instead, human–system interaction must be incorporated into system design, with users and administrators recognised as active components in the security ecosystem rather than secondary risk factors.
Collectively, these findings demonstrate that vulnerabilities in financial messaging systems arise from the convergence of cryptographic, network, and human factors, reinforcing the interpretive objectives of this scoping review. Despite these insights, important gaps remain. Few studies integrate technical vulnerabilities with human behavioural dimensions [43], and research on real-time detection of multi-layered attacks or systematic comparisons between legacy and modern systems remains limited []. In addition, some relevant studies may have been excluded due to incomplete reporting or restricted full-text access, and not all grey literature sources were captured, potentially limiting the comprehensiveness of the evidence base. These limitations highlight the need for more inclusive and multidisciplinary research frameworks that integrate cryptography, network security, human factors, and regulatory governance [44].
In conclusion, securing financial messaging systems requires addressing the complex interplay of technical, human, and procedural vulnerabilities. While progress has been made, sustained research is needed to anticipate emerging threats and develop integrated, adaptive, and practically deployable mitigation strategies.

6. Role of Hybrid Cryptographic Models in Financial Message Systems

Secure transmission of sensitive financial information, such as payment instructions, account details, and transaction authorizations, is essential in modern banking [45]. Hybrid cryptographic models have emerged as a key solution, combining the strengths of asymmetric and symmetric encryption to provide both robust security and computational efficiency [46]. Based on the patterns observed, the increasing dependence on real-time, high-volume financial messaging platforms is the primary driver behind the adoption of such models. Hybrid models integrate these strengths, ensuring that financial messages remain both secure and operationally feasible under real-world load conditions.
As identified in the literature, hybrid cryptography goes beyond encryption to support authentication and integrity, because digital signatures and combined encryption provide verifiable authenticity and message integrity [47]. Not all reviewed papers discussed hybrid cryptography in terms of user trust, but the theoretical basis of cryptography and secure communications supports this connection. A system that protects messages from tampering, replay, or unauthorized reading ultimately strengthens user confidence.
From a conceptual standpoint, the literature consistently examines individual algorithms and their integration strategies, but it often stops short of explaining why hybridization is becoming dominant. Emerging trends underscore the field’s evolution, while interdisciplinary research investigates interactions with network architecture, system design, and governance frameworks [48]. Modern financial messaging must withstand latency constraints, bandwidth limitations, and interoperability demands across heterogeneous infrastructures.
The literature indicates that financial messaging systems rely on layered architectures involving endpoints, middleware, messaging protocols (e.g., ISO 20022) [49], and backend validation engines [50]. Weaknesses at architectural boundaries, such as insecure APIs, poor segmentation, or insufficient endpoint hardening, can negate cryptographic guarantees. The literature shows limited engagement with how hybrid cryptographic models interact with system architecture, particularly in distributed or cloud-based deployments where trust boundaries and message routing paths are complex. This gap indicates that cryptographic strength alone is insufficient without architectural alignment.

7. Challenges of Implementing Hybrid Cryptographic Models

The reviewed studies highlight several challenges in implementing hybrid cryptographic models, but these challenges extend beyond purely technical limitations. Within the literature, integrating multiple security components, particularly cryptographic mechanisms and advanced network protocols, is complex due to legacy infrastructures, heterogeneous systems, and performance overheads within inter-bank environments [51]. Scalability and reliable operation in resource-constrained settings further complicate implementation [52]. This challenge reflects an underlying tension between theoretical cryptographic design and practical deployment realities. Hybrid models that perform well in controlled simulations may introduce latency or energy overhead in mobile devices, payment terminals, or intermediary nodes. Thus, the challenge is not simply computational; it is a question of operational fit, which the literature rarely addresses in depth.
From a security and compliance perspective, hybrid models must adapt to evolving threat landscapes, enforce secure key management, and meet regional regulatory requirements such as POPIA [53]. These requirements create organizational and governance burdens that may prevent practical adoption. Beyond technical deployment issues, governance structures significantly influence the effectiveness of cryptographic security in financial messaging systems. Regulatory compliance requirements (e.g., data protection laws, financial reporting standards) introduce additional constraints that affect cryptographic configuration and lifecycle management. However, the reviewed literature rarely examines governance as an integral component of security design, revealing a gap between cryptographic implementation and institutional accountability mechanisms [51].
Consequently, deployment requires bridging old and new technologies, introducing interoperability gaps that can accidentally create new vulnerabilities. This observation reinforces the need for holistic implementation strategies that consider technical, organizational, and infrastructural layers simultaneously.
The literature highlights four primary areas of focus:
  • Model design and methodology, emphasizing integration strategies, trade-offs, and system architecture [54].
  • Practical implementation, addressing infrastructure constraints, scalability, and heterogeneous data handling.
  • Security, privacy, and compliance, including key management, authentication protocols, and regulatory adherence [55].
  • Performance evaluation, encompassing efficiency, accuracy, and resource utilization assessments [56].
While hybrid cryptographic models offer substantial benefits by combining complementary techniques to enhance security, efficiency, and reliability, their deployment requires careful consideration of technical, operational, security, and environmental factors. Addressing these challenges requires more than algorithmic refinement; it requires an ecosystem-level approach that aligns cryptographic design with system architecture, regulatory environments, and user behaviour.

8. Conclusions

This review demonstrates that while cryptographic mechanisms dominate existing research, security outcomes in financial messaging systems are shaped by the interaction between technical controls, system architecture, human behaviour, and governance structures. Thus, advancing financial messaging security requires a multi-dimensional approach that strengthens cryptographic primitives, improves endpoint security, enforces operational governance, and prepares systems for post-quantum cryptography. This review contributes to the field by emphasizing that user-centric vulnerabilities remain insufficiently addressed in existing cryptographic research. While hybrid models reinforce confidentiality, integrity, and authenticity, they do not inherently solve human-centric risks such as social engineering, poor authentication practices, or operational errors.
The contribution is that effective financial messaging security requires a multidimensional approach that integrates hybrid cryptography with endpoint protection, behavioural safeguards, regulatory compliance, improved monitoring, and secure system architecture. Hybrid cryptographic models represent a pivotal step in this evolution, but their practical deployment and real-world validation remain critical areas for future research.

8.1. Observations

From this scoping review, three key observations emerge:
  • There are unanswered questions and research gaps. Critical gaps remain regarding which strategies demonstrably improve security and resilience in financial messaging. The limitations of current models drive interest in hybrid cryptography, yet the components that underpin effective hybrid solutions require further investigation.
  • Still, there are integration challenges. Hybrid models show promise against channel-based and cryptographic attacks, but systematic integration into operational financial systems is underexplored. Future research should focus on embedding these models into platforms to strengthen security and enhance user trust.
  • There is a clear need for empirical validation. While many studies propose hybrid solutions, there is limited empirical evidence assessing their real-world resistance to sophisticated attacks. Understanding how these models improve confidentiality, authenticity, and operational security is essential for validating their practical effectiveness.

8.2. Contributions

This scoping review contributes to the field in two primary ways:
  • It emphasizes user-centric security, highlighting the need for hybrid models that protect not only data but also users from indirect threats such as eavesdropping and man-in-the-middle attacks.
  • It provides a structured overview of current literature, serving as a resource for researchers and practitioners seeking to implement robust cryptographic solutions in financial messaging systems.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/info17040387/s1, PRISMA 2020 Checklist.

Author Contributions

Conceptualization, U.M. and C.C.; methodology, U.M. and C.C.; validation, U.M. and C.C.; formal analysis, U.M. and C.C.; investigation, U.M.; data curation, U.M. and C.C.; writing—original draft preparation, U.M.; writing—review and editing, U.M. and C.C.; visualization, U.M.; supervision, C.C.; project administration, C.C.; funding acquisition, C.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research was conducted as part of the activities of the Centre for Artificial Intelligence Research, which receives funding from the Centre for Scientific and Innovation Research (CSIR) under grant number CSIR/BEI/HNP/CAIR/2020/10. This support is made possible through the University Capacity Development grants from the Government of the Republic of South Africa, facilitated by the Department of Science and Innovation.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data that support the findings of this study are openly available in Figshare at https://doi.org/10.6084/m9.figshare.30797816.

Acknowledgments

During the preparation of this study, the author used M365 Copilot, GPT-4o, for purposes of language refinement. The author has reviewed and edited the output and takes full responsibility for the content of this publication.

Conflicts of Interest

The author declares no conflicts of interest. The funder of this research was involved as an oversight in the design of this study, the collection and analysis of data, the interpretation of the results, and the review of the manuscript prior to submission. The decision to publish the results was made jointly by the author and the supervisor/funder.

Abbreviations

The following abbreviations are used in this manuscript:
| Abbreviation | Definition |
|---|---|
| AES | Advanced Encryption Standard |
| AI | Artificial Intelligence |
| APP | Authorized Push Payment |
| ECC | Elliptic Curve Cryptography |
| GDPR | General Data Protection Regulation |
| HSM | Hardware Security Module |
| ISO 20022 | International Organization for Standardization-Financial Messaging Standard |
| KYC | Know Your Customer |
| MAC | Message Authentication Code |
| ML | Machine Learning |
| PCC | Population-Concept-Context |
| PKI | Public Key Infrastructure |
| POPIA | Protection of Personal Information Act |
| PRISMA-ScR | Preferred Reporting Items for Systematic Reviews and Meta-Analyses-Scoping Review Extension |
| RSA | Rivest-Shamir-Adleman |
| SHA | Secure Hash Algorithm |
| SWIFT | Society for Worldwide Interbank Financial Telecommunication |
| TLS | Transport Layer Security |

References

  1. Olaiya, O.; Adesoga, T.; Adebayo, A.; Sotomi, F.; Adigun, O.; Ezeliora, P. Encryption techniques for financial data security in fintech applications. Int. J. Sci. Res. Arch. 2024, 12, 2942–2949.
  2. Hamilton, G.; Williams, M.; Khan, T. Securing Personally Identifiable Information (PII) in Personal Financial Statements. In Future of Information and Communication Conference; Springer Nature: Cham, Switzerland, 2023; pp. 709–728.
  3. Ankur, M. Confidentiality vs. Integrity vs. Availability vs. Authenticity vs. Non Repudiation. CIAAN in ICS/OT with Safety & Reliability Considerations. CybersecurityOT. Available online: https://cybersecurityot.com/confidentiality-vs-integrity-vs-availability-vs-authenticity-vs-non-repudiation-ciaan-ics-ot/ (accessed on 24 March 2026).
  4. Agu, E.E.; Obiki-Osafiele, A.N.; Chiekezie, N.R. Addressing advanced cybersecurity measures for protecting personal data in online financial transactions. World J. Eng. Technol. Res. 2024, 3, 029–037.
  5. Ferreira, J.; Perry, M. From transactions to interactions: Social considerations for digital money. In Disrupting Finance; Springer International Publishing: Cham, Switzerland, 2019; pp. 121–133.
  6. Ahmed, W.; Rasool, A.; Nebhel, J.; Kumar, N.; Shahzad, F.; Javed, A.R.; Gadekallu, T.R.; Jalil, Z. Security in Next Generation Mobile Payment Systems: A Comprehensive Survey. IEEE Access 2021, 9, 115932–115950.
  7. Zafar, U.; Li, E.Y. Financial inclusion and fintech ecosystems in the digital age: A systematic review and meta-analysis. In Proceedings of the International Conference on Electronic Business, Zhuhai, China, 24–28 October 2024; Volume 24, pp. 196–208.
  8. Avira, S.; Setyaningsih, E.; Utami, S.S. Digital transformation in financial management: Harnessing technology for business success. Influ. Int. J. Sci. Rev. 2023, 5, 336–345.
  9. Kou, G.; Lu, Y. FinTech: A literature review of emerging financial technologies and applications. Financ. Innov. 2025, 11, 1.
  10. Lu, H.-J.; Roben, A.J.; Mideth, B.A. Enhancing security in instant messaging systems with a hybrid SM2, SM3, and SM4 encryption framework. PLoS ONE 2025, 20, e0332665.
  11. Singh, R.; Chauhan, A.; Tewari, H. Blockchain-enabled end-to-end encryption for instant messaging applications. In 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Network (WoWMoM); IEEE: New York City, NY, USA, 2022; pp. 501–506.
  12. Liu, X.M. A risk-based approach to cybersecurity: A case study of financial messaging networks data breaches. Coast. Bus. J. 2021, 18, 2.
  13. Zamil, M.H.; Faruq, M.O. Cybersecurity and Data Integrity in Financial Systems: A Review of Risk Mitigation and Compliance Models. Int. J. Sci. Interdiscip. Res. 2022, 1, 27–61.
  14. Bhavsar, R.; Madhavi, D.; Pooja, S.; Hetal, A.; Joshiyara, C.P. Enhancing Data Security in Banking: The Power of Hybrid Algorithm-Based Solutions. J. Electr. Syst. 2024, 20, 1093–1102.
  15. Yash, A.K. Security and Vulnerability in Digital Payment Systems. Int. J. Eng. Res. Technol. (IJERT) NCRTCA 2023, 11, NCRTCA-PID-435.
  16. Awotunde, J.B.; Brahma, B.; Adeniyi, A.E.; Lauretta, N.E.; Imoize, A.L.; Mejdoub, Y. An Enhanced Hybrid Cryptography Model for Online Banking Authentication and Security. In International Conference on Connected Objects and Artificial Intelligence; Springer Nature: Cham, Switzerland, 2024; pp. 287–293.
  17. Jnr, P.K.A.; Aggrey, G.; Asante, M.; Otoo, L. Optimizing Hybrid Cryptographic Frameworks for Secure Financial Data Transmission in Resource-Constrained Environments. In 2025 9th International Conference on Cryptography, Security, and Privacy (CSP); IEEE: New York City, NY, USA, 2025; pp. 41–45.
  18. Kuppuswamy, P.A.; Rajan, J.; Mohammad, H.; Ahmed, A.S.M. A hybrid encryption system for communication and financial transactions using RSA and a novel symmetric key algorithm. Bull. Electr. Eng. Inform. 2023, 12, 1148–1158.
  19. Adejumo, A.O.C. Strengthening finance with cybersecurity: Ensuring safer digital transactions. World J. Adv. Res. Rev. 2025, 25, 527–1541. [Google Scholar] [CrossRef]
  20. Jimmy, F. Cybersecurity Threats and Vulnerabilities in Online Banking Systems. Int. J. Sci. Res. Manag. (IJSRM) 2024, 12, 1631–1646. [Google Scholar] [CrossRef]
  21. Nwatuzie, G.A.; Enyejo, L.A.; Umeaku, C. Enhancing Cloud Data Security Using a Hybrid Encryption Framework Integrating AES, DES, and RC6 with File Splitting and Steganographic Key Management. Int. J. Innov. Sci. Res. Technol. 2025, 10, 1555–1569. [Google Scholar]
  22. Multiplier. A Complete Guide on SWIFT Banking System | Multiplier 29 October 2025. Available online: https://www.usemultiplier.com/global-payroll/guide-to-swift-system#:~:text=The%20system%20enables%20financial%20institutions%20to%20securely,transactions%2C%20regardless%20of%20the%20financial%20institutions’%20location (accessed on 1 January 2026).
  23. Osazuwa, C.M. Confidentiality, integrity, and availability in network systems: A review of related literature. Int. J. Innov. Sci. Res. Technol. 2024, 8, 10.
  24. Balsa, E.; Nissenbaum, H.; Park, S. Cryptography, Trust and Privacy: It’s Complicated. In Proceedings of the 2022 Symposium on Computer Science and Law, Washington, DC, USA, 1–2 November 2022; pp. 167–179.
  25. Ahmad, U.; Khan, M. The Mathematical Foundations of Cryptography and Data Security. 2023, p. 7. Available online: https://www.researchgate.net/publication/370630937_The_Mathematical_Foundations_of_Cryptography_and_Data_Security (accessed on 1 January 2026).
  26. Tripathi, A. Evaluating the role of confidentiality, integrity, and availability in cyber defence. Int. J. Innov. Res. Multidiscip. Pap. (IJIRMPS) 2025, 13, IJIRMPS2504232662.
  27. Papanikolaou, N.; Paraskevi, B.; Nikolaos, E. Determinants of Fintech Adoption: A Systematic Review Integrating Trust, Security, and User Perceptions Within Technology Acceptance Frameworks. In Cryptocurrencies—Innovations, Challenges, and Future Prospects; IntechOpen: London, UK, 2025.
  28. Ouzzani, M.; Hammady, H.; Fedorowicz, Z.; Elmagarmid, A. Rayyan—A web and mobile app for systematic reviews. Syst. Rev. 2016, 5, 210.
  29. Tricco, A.C.; Lillie, E.; Zarin, W.; O’Brien, K.K.; Colquhoun, H.; Levac, D.; Moher, D.; Peters, M.D.; Horsley, T.; Weeks, L.; et al. PRISMA extension for scoping reviews (PRISMA-ScR): Checklist and explanation. Ann. Intern. Med. 2018, 169, 467–473.
  30. Elsevier. Scopus Content Coverage Guide. Elsevier B.V, January 2020. Available online: https://www.readkong.com/page/content-coverage-guide-elsevier-9871653 (accessed on 7 April 2026).
  31. Library, W. PCC Framework: Significance and Symbolism Wisdom Library, 19 March 2026. Available online: https://www.wisdomlib.org/concept/pcc-framework (accessed on 25 March 2026).
  32. Pollock, D.; Peters, M.D.; Khalil, H.; McInerney, P.; Alexander, L.; Tricco, A.C.; Evans, C.; de Moraes, É.B.; Godfrey, C.M.; Pieper, D.; et al. Recommendations for the extraction, analysis, and presentation of results in scoping reviews. JBI Evid. Synth. 2023, 21, 520–532.
  33. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71.
  34. Ebatamehi, S. Top 10 Countries with the Most Mature Financial Markets in Africa 2025. The African Exponent, 30 April 2025. Available online: https://www.africanexponent.com/top-10-countries-with-most-mature-financial-markets-in-africa-2025/ (accessed on 30 March 2026).
  35. Riasat, I.; Mahmood, S.; Sinan, M.G. Strengthening cybersecurity resilience: An investigation of customers’ adoption of emerging security tools in mobile banking apps. Computers 2025, 14, 129.
  36. Terli, J. Middleware Integration for Financial Services and Banking: A Framework for Resilient Architecture. Int. J. Sci. Res. Comput. Sci. Eng. Inf. Technol. 2025, 11, 1855–1867.
  37. George, A.S.; Baskar, T.; Srikaanth, P.B. Cyber threats to critical infrastructure: Assessing vulnerabilities across key sectors. Partn. Univers. Int. Innov. J. 2024, 2, 51–75.
  38. Onumadu, P.; Hossein, A. Near-field communication (NFC) cyber threats and mitigation solutions in payment transactions: A review. Sensors 2024, 24, 7423.
  39. National Institute of Standards and Technology (NIST). Phishing Resistance—Protecting the Keys to Your Kingdom. NIST Cybersecurity Insights. 1 February 2023. Available online: https://www.nist.gov/blogs/cybersecurity-insights/phishing-resistance-protecting-keys-your-kingdom (accessed on 12 December 2025).
  40. Imubit. Cybersecurity in Industrial Control Systems. Imubit Articles. 2025. Available online: https://imubit.com/article/cybersecurity-in-industrial-control-systems/ (accessed on 14 December 2025).
  41. Orucho, D.O.; Fredrick, M.A.; Cyprian, R.; Collins, O. Security threats affecting user-data on transit in mobile banking applications: A review. Acad. J. 2023, 9, 0B513B771288.
  42. Jun, D.T.J.; Ahmad, S.R.; Saad, A.; Mehran, B. Human Factors in Information Security: A Quantitative Study with Technical Solutions to Prevent Social Engineering Attacks. Digit. Threats Res. Pract. 2025, 6, 1–35.
  43. Khadka, K.; Ullah, A. Human factors in cybersecurity: An interdisciplinary review and framework proposal. Int. J. Inf. Secur. 2025, 24, 119.
  44. Grigaliūnas, Š.; Schmidt, M.; Brūzgienė, R.; Smyrli, P.; Andreou, S.; Lopata, A. Holistic Security Frameworks for Compliance and Resilience. Appl. Sci. 2025, XV, 345–360.
  45. Schneider, J.; Smalley, L. What is Transaction Security? IBM Think. Available online: https://www.ibm.com/think/topics/transaction-security (accessed on 13 December 2025).
  46. Zhang, Q. An overview and analysis of hybrid encryption: The combination of symmetric encryption and asymmetric encryption. In 2021 2nd International Conference on Computing and Data Science (CDS); IEEE: New York City, NY, USA, 2021; pp. 616–622.
  47. Rakhimberdiev, K.B.; Tureniyazova, A.; Arziev, A.; Sarsenbaeva, H.; Bimuratov, D. Application of cryptographic algorithms in ensuring and improving the security of bank transactions in the digital economy. In Proceedings of the 7th International Conference on Future Networks and Distributed Systems, Dubai, United Arab Emirates, 21–22 December 2023; pp. 503–510.
  48. Harry, H. The adversary: The philosophy of cryptography. J. Cybersecur. 2025, 11, tyaf006.
  49. ISO 20022; Survival Guide, Treasury and Trade Solutions, 2021. Available online: https://www.citibank.com/tts/sa/flippingbook/2021/ISO-20022-Survival-Guide/10/ (accessed on 1 April 2026).
  50. Qin, M.; Gabriela, M. Cyber-attacks on SWIFT Systems of financial institutions. In Proceedings of the 5th International Conference on Computer Science and Software Engineering, Guilin, China, 21–23 October 2022; pp. 596–599.
  51. Osundare, O.S.; Ige, A. Enhancing financial security in Fintech: Advanced network protocols for modern inter-bank infrastructure. Financ. Account. Res. J. 2024, 6, 1403–1415.
  52. Shivaramakrishna, D.; Nagaratna, M. A novel hybrid cryptographic framework for secure data storage in cloud computing: Integrating AES-OTP and RSA with adaptive key management and Time-Limited access control. Alex. Eng. J. 2023, 84, 275–284.
  53. Folorunso, A.; Wada, I.; Samuel, B.; Mohammed, V. Security compliance and its implication for cybersecurity. World J. Adv. Res. Rev. 2024, 24, 2105–2121.
  54. Wen, S.; Shukla, A.; Katt, B. Artificial intelligence for system security assurance: A systematic literature review. Int. J. Inf. Secur. 2024, 24, 43.
  55. Oun, A.; Wince, K.; Cheng, X. The role of artificial intelligence in boosting cybersecurity and embedded system performance: A Systematic Review on Current and Future Trends. IEEE Access 2025, 13, 55258–55276.
  56. Zhang, J.; Li, Y.; Chen, K. A systematic review on hybrid AI models integrating machine learning and federated learning for cybersecurity. J. Cybersecur. Priv. 2025, 5, 41.
Figure 1. PRISMA-ScR Diagram [33]. The asterisk (*) indicates that records were identified from different source types. Double asterisks (**) indicate records excluded for specific reasons at the screening and/or full-text review stages.
Figure 2. Distribution of the included articles by year of publication.
Table 1. Databases and search scope.
| Database | Search Term |
|---|---|
| MDPI | (“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”) AND (“financial messages” OR “financial transaction” OR “financial communication” OR “electronic funds transfer”) AND (“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal) |
| SpringerLink | (title:(“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”) OR abstract:(“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”)) AND (title:(“financial messages” OR “financial transaction” OR “financial communication” OR “electronic funds transfer”) OR abstract:(“financial messages” OR “financial transaction *” OR “financial communication” OR “electronic funds transfer”)) AND (title:(“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal”) OR abstract:(“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal”)) |
| ScienceDirect | TITLE-ABSTR-KEY (“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”) AND TITLE-ABSTR-KEY (“financial messages” OR “financial transaction” OR “financial communication” OR “electronic funds transfer”) AND TITLE-ABSTR-KEY (“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal) |
| DOAJ | “user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering” “financial messages” OR “financial transaction *” OR “financial communication” OR “electronic funds transfer” “hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal |
| Scopus | TITLE-ABS-KEY (“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”) AND TITLE-ABS-KEY (“financial messages” OR “financial transaction *” OR “financial communication” OR “electronic funds transfer”) AND TITLE-ABS-KEY (“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal) |
| IEEE | (“All Metadata”: “user vulnerability” OR “All Metadata”: “user risk” OR “All Metadata”: “user-centric threat” OR “All Metadata”: “social engineering”) AND (“All Metadata”: “financial messages” OR “All Metadata”: “financial transaction” OR “All Metadata”: “financial communication” OR “All Metadata”: “electronic funds transfer”) AND (“All Metadata”: “hybrid encryption” OR “All Metadata”: encryption OR “All Metadata”: “RSA-ElGamal” OR “All Metadata”: RSA OR “All Metadata”: ElGamal) |
| Emerald | (“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”) AND (“financial messages” OR “financial transaction” OR “financial communication” OR “electronic funds transfer”) AND (“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal) |
| ACM | Abstract: (“user vulnerability” OR “user risk” OR “user-centric threat” OR “social engineering”) AND Abstract: (“financial messages” OR “financial transaction” OR “financial communication” OR “electronic funds transfer”) AND Abstract: (“hybrid encryption” OR encryption OR “RSA-ElGamal” OR RSA OR ElGamal) |
| Google Scholar | “user vulnerability” OR “user risk” OR “social engineering” OR “financial messages” OR “financial transaction” OR “electronic funds transfer” OR “hybrid encryption RSA ElGamal” |
| Semantic Scholar, Frontiers, Academic Journals, BEEI | (“user vulnerability” OR “user risk” OR “social engineering”) AND (“financial transaction” OR “financial communication”) AND (encryption OR “hybrid encryption” OR RSA OR ElGamal) |
| ResearchGate | Financial messaging, cybersecurity, hybrid cryptography, user vulnerabilities, secure communication |
Note: The wildcard character (*) was used to retrieve all word variants sharing a common stem.
Table 2. Inclusion and Exclusion Criteria Used in the Screening Process.
| Criteria | Inclusion | Exclusion |
|---|---|---|
| Study focus | Studies examining vulnerabilities, threats, or security mechanisms in financial messaging systems. | Studies focusing solely on general fintech, mobile money, or financial transactions without addressing messaging-system vulnerabilities. |
| Technical scope | Articles addressing cryptographic methods, secure communication protocols, message integrity, and user-level risk. | Articles discussing business models, financial inclusion, or economic/market dynamics. |
| Study type | Peer-reviewed journal articles, conference papers, or credible technical reports. | Editorials, book chapters, non-peer-reviewed sources, or blogs. |
| Population-Concept-Context | Financial messaging systems; user vulnerabilities and cryptographic mitigation strategies; secure data transmission, authentication, encryption, and decryption mechanisms. | Unrelated ICT populations not linked to financial messaging. |
| Language and accessibility | Text available in English and from an accessible repository. | Articles with inaccessible full text or non-English content without translation. |
| Timeframe | Publications within the defined review window (2015–2025). | Publications outside the review window. |