Top 5 cyber threats in 2023
16 February 2023
Many of us know the cyber essentials, but with new threats being uncovered every day – especially those targeting the wealthy – we look at how you can keep cyber safe in 2023.
Here we tackle the five most serious cyber challenges facing us today – from emerging risks to pervasive practices, and clever twists on old ruses.
1. Malicious emails
As we highlighted in an earlier cyber-crime article, Three must-know cyber security threats in 2022, phishing is one of the oldest cyber tricks in the book. It’s a type of online fraud that tricks people into giving up sensitive personal data or financial information, usually by clicking on a malicious link in an email.
The problem is amplified today because more and more data is finding its way into the murky world of the underground economy where hackers buy and sell secrets to attack future victims.
“For a fee, criminals can buy a newly-stolen dataset with millions of email addresses,” says Archie Nelson, Operational Requirements Lead at XCyber, a specialist intelligence company with state-grade cybersecurity expertise.
“They will then load the bait and cast the net. For the hackers, these phishing campaigns are crimes with little investment required and potentially big returns – particularly when targeting high-net-worth individuals and families.”
Phishing remains the most common form of cyber-attack, with hackers sending out upwards of three billion scam emails every day1. Because it’s a numbers game, it only takes a few users to do the ‘wrong thing’ for the criminals to earn a lot of money.
A more refined technique, aimed at increasing their success rate, is ‘spear phishing’ – where hackers will choose their targets intentionally (as opposed to blanket emailing). Armed with this growing stash of stolen data, scammers will use the information to send out well-crafted and highly personalised emails to specific individuals.
High-net-worth individuals are often seen as attractive targets for this kind of cyber-attack – especially as they can be easier to locate online and are seen as being more vulnerable, often with less robust security measures in place than corporations.
Top tip: To avoid falling foul of these scams, it pays to be suspicious. It’s worth scrutinising every email you’re sent, especially if there’s a link, attachment, or instruction to pay a bill.
2. Fake parcel delivery texts
If you’re expecting a parcel – or even if you’re not – online shopping has become so common, you feel like you should click on the link in the text message you’ve just received to check what, or where, the parcel is.
Impersonating delivery companies is becoming a common tactic used by scammers – and it’s sometimes hard to tell the difference between a fake delivery text and a genuine courier message. A scammer’s ‘missed delivery’ text will often include a link to a fraudulent website that seems genuine – asking to reconfirm delivery and to take a small ‘customs fee’.
Top tip: Unfortunately, once you’ve given over your bank details, the horse has bolted, and unexpected payments are only moments away from appearing on your bank statement. Don’t hesitate to question every text you’re sent – it might sound excessive, but it could be the difference between safety and harm.
3. End-of-year tax scams
Just as worries over COVID-19 were used as bait during the pandemic, the key milestones in the tax year provide criminals with great opportunities to ‘re-bait’ their phishing campaigns.
Scam emails, texts or even phone calls – all purporting to be from the tax authorities – are designed to scare you into action. They could mention tax rebates, refunds, or even demands to hand over personal information. But it’s all really just more bait.
If you do get a suspicious message, don’t reply, or click on any links – and don’t be afraid to hang up if you get a bogus phone call. Instead, if you want to check whether a message is genuine or not, contact your tax authority directly via their official channels.
Top tip: Tax authorities will never ask you to disclose personal or payment information by email or text message.
4. Credential stuffing attacks
Credential stuffing occurs when cyber criminals get hold of large numbers of stolen username and password pairs, and re-use the combinations to try and break into thousands of websites at a time.
They look to take advantage of people using the same username and passwords across multiple accounts. Again, this was something we covered in more depth in our article, Three must-know cyber security threats in 2022.
The problem is being exacerbated by some companies, who care little about cyber security, not scrambling your password when it’s in their database.
“As a result, when it’s stolen, your password is available in plain text and can be bought and sold online for pennies,” says Nelson at XCyber. “Recent studies have found that there are over 24 billion email addresses and passwords sloshing around the dark web2; that’s three for every person on the planet.”
Top tip: Avoid using the same passwords and pin codes across your log-in portals. Having variety is one way of making it harder for the criminals to access your data and assets.
5. Shoulder surfing and phone theft
‘Shoulder surfing’ is making something of a comeback, but with a new and potentially more worrying twist. From ATM card machine fraud to public payphone calling card digits before this, the crude method of criminals looking over your shoulder to nab vital information has been around for many decades.
The ATM fraud has since evolved with thieves using ‘skimming’ devices or even fake terminals – alongside shoulder-surfing methods – to clone bank cards.
However, today’s eagle-eyed shoulder-surfers are more likely to be interested in your mobile phone – and the banking apps installed on them.
A scammer will first snoop over your shoulder to learn the phone’s PIN. From there, the criminal will wait for the right moment to attempt to steal your phone – by mugging, pickpocketing or even drink-spiking you.
Once they have your phone, they’ll be able to unlock it and will try the same PIN to access your banking apps, or even search your phone’s notes section to find other passwords and PINs – all in the hope of draining funds from your accounts.
Thankfully, biometric authentication, like fingerprints or facial recognition, can make it harder – but not impossible – for scammers to access your accounts after they have your phone.
Top tip: For an extra layer of security, most services you use online offer something called two-factor authentication. It requires a one-time code – either from an app or text – along with your main password to access an account. If you can, you should always apply two-factor authentication to all online accounts that you care about, such as emails and anything finance related.
Related articles
This communication is general in nature and provided for information/educational purposes only. It does not take into account any specific investment objectives, the financial situation or particular needs of any particular person. It not intended for distribution, publication, or use in any jurisdiction where such distribution, publication, or use would be unlawful, nor is it aimed at any person or entity to whom it would be unlawful for them to access.
This communication has been prepared by Barclays Private Bank (Barclays) and references to Barclays includes any entity within the Barclays group of companies.
This communication:
- is not research nor a product of the Barclays Research department. Any views expressed in these materials may differ from those of the Barclays Research department. All opinions and estimates are given as of the date of the materials and are subject to change. Barclays is not obliged to inform recipients of these materials of any change to such opinions or estimates;
- is not an offer, an invitation or a recommendation to enter into any product or service and does not constitute a solicitation to buy or sell securities, investment advice or a personal recommendation;
- is confidential and no part may be reproduced, distributed or transmitted without the prior written permission of Barclays; and
- has not been reviewed or approved by any regulatory authority.
Any past or simulated past performance including back-testing, modelling or scenario analysis, or future projections contained in this communication is no indication as to future performance. No representation is made as to the accuracy of the assumptions made in this communication, or completeness of, any modelling, scenario analysis or back-testing. The value of any investment may also fluctuate as a result of market changes.
Where information in this communication has been obtained from third party sources, we believe those sources to be reliable but we do not guarantee the information’s accuracy and you should note that it may be incomplete or condensed.
Neither Barclays nor any of its directors, officers, employees, representatives or agents, accepts any liability whatsoever for any direct, indirect or consequential losses (in contract, tort or otherwise) arising from the use of this communication or its contents or reliance on the information contained herein, except to the extent this would be prohibited by law or regulation.