Jimmy Fong, CCO at SEON, explores…
Terrifying cybercrime statistics are so ubiquitous nowadays that it’s easy to become blind to them. However, ignoring them is something that no business or individual can – quite literally – afford to do.
In January 2023, the World Economic Forum (WEF) listed cybercrime among its top ten global risks. Global cybercrime losses are estimated to reach $10.5 trillion by 2025. This is a figure greater than the GDPs of Japan, Germany and the UK.
Here we’ll look at some key trends in cybercrime and online fraud and discuss what can be done to make digital ecosystems more resilient.
Exploring the Trends
Various consistent themes emerge when looking through pundits’ predictions of emerging cybercrime trends. Unsurprisingly, the rise of widespread artificial intelligence factors heavily; we’ll cover that later.
First, let’s check out a few other fraud and cybercrime trends that are provoking widespread concern.
Described by Forbes as “still the tool of choice for many hackers”, phishing continues to be where many cybercrimes originate. Phishing via mobile devices is a rising trend, with hackers going beyond email messages and extracting information via voice calls, SMS messages and even QR codes (techniques respectively known as “vishing”, “smishing” and “quishing”).
Cybercriminals are very much aware of human “single points of failure”.
They exploit people’s naivety and lack of technical awareness, and this manipulation continues to work. Anybody in doubt of this only need notice how many individuals still blindly share obvious social media scam posts and willingly divulge their date of birth and the name of their first pet.
Meanwhile, “old school” email phishing techniques still reap rich results for hackers. Posing as big-name tech firms remains popular. Last year over 30 million messages were sent out purporting to come from Microsoft.
Nowadays, having to deal with a ransomware attack is more a question of “when” than “if” for businesses. A recent survey revealed that 73% of its responding organizations had been the target of a ransomware attack in the previous 24 months.
With 49% of affected businesses handing money to hackers, this is clearly a cybercrime that pays. It also suggests that many companies have shortcomings in their backups and recovery processes – given that they feel forced to comply with their attackers in order to resume operations.
Internet of Things (IoT) Cybercrime
In a world with an ever-increasing number of internet-connected devices, hackers now have targets far beyond people’s computers and cell phones. IoT devices are often neglected in terms of technical precautions, left running with default authentication details and behind on firmware updates.
Back in 2016, the Mirai Botnet incident created an army of IoT devices for a DDoS attack. Now, there are millions more IoT devices, ranging from video doorbells to smart speakers. Reported incidents include hackers gaining access to video and audio feeds, attempted exploitation of smart meters, and even hacks on cardiac devices.
Supply Chain Attacks
Supply chain attacks, such as the SolarWinds hack of 2020, have demonstrated to businesses that their risk management must go much further than managing direct suppliers and partners. It’s not just that a business could be hacked – they could be equally affected if their vendor’s (or even vendor’s vendors) are hacked.
Supply chain attacks increased by 600% in 2022. However, businesses are very much behind the curve in tackling related risks. The UK government’s data suggests that only 7% of businesses manage risks created by their “wider supply chain”.
The Rise of AI
Mainstream use of artificial intelligence has now hit its tipping point, with increasingly widespread use of systems like ChatGPT and Google’s Bard.
Businesses and individuals are rapidly discovering ways to use AI to streamline workflows and operate at an unprecedented scale.
Cybercriminals are doing the same. And it’s not only about the ability to use AI to help with technical tasks such as coding malware, cracking passwords and finding software vulnerabilities.
Systems like ChatGPT allow hackers to quickly scale up practices such as social engineering and phishing attacks. Cybercriminals can now instantly create phishing emails without telltale spelling mistakes and grammatical errors. They can use chatbots to create communications that imitate the style of the people or companies they’re impersonating.
Basic failsafe mechanisms exist in these systems: They will typically object to commands like “write me a virus” or “create a deepfake ID verification video”. However, it requires only minimal lateral thinking to convince an AI system to create something for fraudulent purposes, such as saying it is “just for research purposes”.
More from Cybersecurity
How to Respond
Responding to the ever-evolving threat landscape requires a combination of old and new techniques, and strategies that encompass both technical solutions and improvements to business processes. As ever, when it comes to cyber security, user education is also critically important.
Taking AI as an example, many security products already work to “fight AI with AI”. Machine learning can spot fraud patterns that humans are more likely – or even unequipped – to miss. This is something sorely needed when the hackers themselves can use AI to constantly refine their methods and create ever more convincing traps for unsuspecting users.
Companies should also think about security layers that provide protection beyond the first line of defense. For example, fraud detection techniques such as device fingerprinting can raise red flags even if users appear to have the right credentials.
Despite cutting-edge improvements in security software, that human point of failure remains hugely significant. For example, less tech-savvy users must be helped to understand that information they’re naively giving away on a Facebook quiz might be part of a new account fraud scam.
An estimated 90% of cyber attacks originate from human error – and there’s only so much software can do when the criminals are handed authentication details “on a plate”.
Similarly, company executives must understand the importance of business processes. Layers of technical security are crucial too, and are becoming increasingly sophisticated. But not all cybersecurity risks can be mitigated by throwing money at them.
Take the example of supply chain fraud discussed above. Addressing this is more about risk management than software. It’s a task that IT teams should be involved in, but it also requires commitment and effort from the wider business.
If organizations are going to truly address the staggering income of the cybercrime industry, they need to fight back on multiple fronts. With that in mind, it’s essential that management teams understand that the word “cyber” doesn’t mean that mitigation is a purely technical task.
Policymakers should also take note of this – and throw money at both technical evolution and user education.
Digital ecosystems will always be under attack. They encompass the people, as well as the products and services. It’s not just about making sure people change their passwords and update their IoT doorbells – it’s about helping them to understand why it’s so important.