It’s a time of reflection and anticipation at The Fintech Times throughout December, as we look back at developments and trends over the last 12 months and forward to the year ahead.
We’re pleased to share the thoughts of fintech CEOs and industry leaders from across the globe on 2023’s key takeaways and what we should expect to be top of the agenda in 2024.
Today, we bring you insights from industry leaders regarding the changing dynamics of cybersecurity threats and trends in 2024. They predict that social engineering attacks will surpass ransomware in 2024 due to increased sophistication, AI tools and emerging techniques, leading organisations to bolster cybersecurity defences with AI, scenario testing and multi-factor authentication.
Social engineering attacks will outpace ransomware
The sad reality is, deceiving people today is easier than ever, suggests Matt Cullina, head of global cyber insurance at global information and insights company TransUnion.
“A never-ending stream of data breaches combined with highly sophisticated and technical attacks means the stolen personal information available on the dark web is continuously replenished. Cybercriminals use that information to impersonate people in positions of authority. Once in digital disguise, they can make all kinds of requests for access from unsuspecting people who are just trying to do their jobs or take care of their families.
“Ransomware attacks, which hit the globe hard in 2021-2022, are becoming more difficult to execute successfully. Governments worldwide have stepped up pursuit and punishment of ransomware gangs. Some have outlawed payment of ransom demands, and frankly, victims have become less inclined to pay a ransom.
“At the same time, insurance companies are covering fewer ransomware claims. Social engineering provides criminals with more anonymity than ransomware, and is being more easily facilitated with new AI tools. Our expectation is that social engineering attacks will only increase further in 2024.”
Rise in social engineering
Doriel Abrahams, head of risk at payment optimisation and fraud prevention platform Forter, also expects social engineering will “take a giant leap forward” in 2024.
“A lot of consumer technology (Apple Pay, for example) is prioritising highly secure and personalised experiences, relying on biometrics and specific device features. A few years ago, this would be a homerun for consumers and a major deterrent for fraudsters,” says Abrahams.
“But with the popularity of generative AI (shout out to ChatGPT and FraudGPT), fraudsters can now make their social engineering scams even more convincing at an unheard-of scale. So, while consumer tech may be getting more secure, fraudsters are also getting more cunning.
“Another phenomenon I expect will surge in 2024 is the usage of remote desktop control (RDC) to commit fraud. This is where a fraudster takes over a victim’s device and operates as the victim – changing their passwords, purchasing airline tickets, applying for new credit cards. When you think about it, it’s the high-tech version of social engineering. We’ve always seen RDC attacks, but they’ve popped up more regularly this year and I suspect it’s just the tip of the iceberg.
“A similarly damaging trend is account takeovers (ATOs) where a bad actor gains access and takes over an online account using stolen or hacked credentials. This is especially troubling for online merchants who then must discern a legitimate account used by a trustworthy customer from a legitimate account that’s been hijacked by a bad actor. Because they’re so tricky to catch, and because we’re already seeing an upward trend in ATOs this year, I predict we’ll see a rise in ATOs in 2024.”
Engineering tricks will target large language models (LLMs)
Every new technology trend opens up new attack vectors for cybercriminals, warns Corey Nachreiner, chief security officer at cybersecurity company WatchGuard Technologies.
“Companies and individuals are experimenting with LLMs to increase operational efficiency. But threat actors are learning how to exploit LLMs for their own malicious purposes as well. During 2024, the WatchGuard Threat Lab predicts that a smart prompt engineer ‒ whether a criminal attacker or researcher ‒ will crack the code and manipulate an LLM into leaking private data.
“In 2024, the emerging threats targeting companies and individuals will be even more intense, complicated, and difficult to manage. With an ongoing cybersecurity skills shortage, the need for MSPs, unified security, and automated platforms to bolster cybersecurity and protect organisations from the ever-evolving threat landscape has never been greater.”
Organisations will look to bolster their defences
Cybercriminals are always expanding their toolkits, and concerned executives will look for solutions to avoid the potentially disastrous consequences of a cyberattack in 2024, predicts Rich Cooper, head of financial service go-to-market at US software company Fusion Risk Management.
“In 2023, we saw more organisations focus on protecting their critical business operations from cyberattacks. In 2024, organisations will expand on that and significantly increase their scenario testing capabilities to attain a strengthened and proactive risk posture.
“Organisations will seek additional AI and machine learning-enabled technologies to drive efficiency in manual processes and protect business operations, specifically by scenario testing potential cyber threats. This will enable them to maintain continuity and resilience as well as ensure that the organisation can bend but not break when an inevitable attack or disruption occurs.”
Refining cybersecurity strategies
Andrew Shikiar, executive director and CMO at open industry association FIDO Alliance, also suggests enterprises will be under pressure to review and refine their cybersecurity strategies in response to the scale and sophistication of AI-driven social engineering, plus a general movement towards greater cyber-transparency.
“Approaches and practices that used to be relied upon will no longer pass muster. Take company-wide training to identify phishing attacks for example. How can employees be reasonably expected to identify and report phishing emails when they are increasing in both frequency and effectiveness? This, and other methods, will no longer be an acceptable cornerstone of a modern cybersecurity strategy.
“Similarly, passwords and other shareable credentials will be an increasingly visible source of vulnerability – and as such we’ll continue to see enterprises look to decrease and ultimately eliminate their dependence on knowledge-based forms of authentication.
“Many organisations will embrace the security and ease-of-use of passkeys as a replacement not just for passwords, but for legacy forms of 2FA – either as synced passkeys that are typically managed by an OS or independent credential provider and provide a familiar consumer experience, or as device-bound passkeys that are typically housed in a FIDO security key and can help address higher-assurance use cases.”
Deep fake threats
The year 2023 revealed an escalating challenge posed by the advancing realm of deep fake technology, says John Baird, co-founder and CEO of identity verification platform Vouched.
“The lessons learned underscore the imminent threat to trust and security within digital financial transactions. Looking ahead to next year, we anticipate a continued evolution of deep fakes, accentuating the urgency for fintech entities to fortify their defence mechanisms against these sophisticated impersonations.
“This means an increased emphasis on robust multi-factor authentication, continual learning in collaboration with identity verification experts, and proactive measures to educate stakeholders about deep fake risks.
“As we move into 2024, safeguarding the authenticity of financial interactions in the face of deep fake threats will remain a critical focus for the fintech industry.”