Six predictions for 2023

by Mark Rowe

Here are six predictions from Dr Niklas Hellemann, CEO at SoSafe on how cybersecurity and cyberattacks will continue to evolve through 2023.

Vishing will fool the world with increasingly realistic deceptions.

Although deepfakes are currently viewed as mostly harmless fun, cybercriminals have quickly realized that they can be used in social engineering attacks and offer a prime opportunity to maximize profits. ‘Vishing’ (voice phishing), for example, is already using deepfake technology to successfully dupe employees into believing they’re speaking with members of their own organisations. As the quality of deepfake and vishing technology improves and both become even easier to create, cybercriminals are sure to conduct more believable and successful attacks next year.

Emotional manipulation will remain the weapon of choice for cybercriminals.

Manipulating victims’ emotions in order to obtain and exploit confidential information will remain a hugely valuable tactic for attackers in 2023. In phishing emails, cybercriminals use various psychological tactics to trick potential victims into revealing data or opening compromised files. With apparent willingness to help, cybercriminals tempted more than a third (37pc) of recipients to click on malicious content in 2022 – with praise and flattery they even got 41pc to click, as shown by SoSafe data. That’s why in 2023 it is even more crucial to stay up to date on the latest big news stories and developments in society that attackers might use to provoke fear and uncertainty. Ultra-believable phishing messages often use dramatic subject lines and link to current political or topical events, such as new Covid variants or the Russian war in Ukraine.

Burnout among remote workers and security teams will cause fresh security vulnerabilities.

The risk landscape has worsened significantly since working from home became the norm – in 2023, the continued shift towards hybrid and remote work models will create new weaknesses in organisations’ security, particularly with increasingly burned-out and overstretched workers operating in a difficult and uncertain economy. As a result, the phishing strategy that increased the most in success last year was exerting authority and pressure on targets – this tactic’s success rate increased by more than 10%. Going into 2023, businesses need to ensure they arm employees with the right security tools and – more importantly – the skills to protect their data no matter where they work from. As organisations are seeing an increase in attacks, security teams are starting to reach their limits and suffering from burnout too, leading to new security threats.

Supply chain attacks will spell devastation for companies.

Supply chain attacks soared in 2022 and this trend will continue in the New Year. Cybercriminals are improving their chances of success by exploiting their victims’ partner and supplier networks. Security flaws in the supply chain (in software used by partners or suppliers, for example) are all it takes to compromise the entire network. The impact of this can be devastating and far-reaching. A very well-known example – with far-reaching consequences – is the Kaseya attack from 2021, where attackers leveraged Kaseya’s automatic software updates to release a fake software update that delivered the REvil ransomware.

One-time ransomware extortion attempts will be a thing of the past.

Compound ransomware attacks will attempt to extort higher value sums from organisations, increasing the risk of damage. Cybercriminals in 2023 will use sophisticated psychological tactics in their extortion and compound them with further attacks – this is known as Multiple Extortion. They follow up their initial theft, encryption, and ransom of sensitive data (with the threat of releasing these data if the ransom isn’t paid) with other methods such as DDoS attacks, crypto mining, or bot networks until their demands are met.

Board-level attention to security will dramatically increase – and create demand for new security metrics.

Clear and meaningful behavioural metrics not only help decision makers understand how employees react to different types of threats, but also help them determine whether a specific type of training works for those employees. Additionally, these metrics give decision makers the opportunity to constantly adapt their awareness initiatives based on the results. Such tangible metrics are invaluable tools in discussions with all stakeholders involved, from C-level executives to employees. As board-level attention to security increases dramatically due to the current threat landscape, there will be demand for new behavioural metrics that help illustrate the cultural impact security programmes have on an organization’s overall security.
