Heads up, gamers and metaverse pioneers: Cybercriminals will be looking to pilfer your money and data in 2023.
Experts say that while the objectives of those looking to steal the personal and financial information of consumers won't be any different next year, they'll be targeting new people and tech platforms in hopes of getting around their defenses.
As more people and businesses get wise to traditional email phishing, text and social media scams, cybercriminals will be moving to new online frontiers like gaming platforms, virtual reality worlds and the tech used by kids for both school and play, according to researchers at the cybersecurity company Kaspersky.
With the security of many of those new and exciting platforms still in its infant stages and users not always aware of the possibly lurking dangers, untold amounts of consumer data and money could be at risk of compromise. The bottom line: No one is safe from scammers.
The pool of potential victims is only growing. Kaspersky's researchers pointed to a boost in the overall population of online gamers as Sony's PlayStation Plus gaming subscription service starts to compete with Microsoft's GamePass service. That's also boosting criminal interest in stealing accounts and related scams, Kaspersay said, adding that it's not unlike the fraud surrounding streaming subscriptions.
Here's a look at what some cybersecurity experts predict for 2023.
PlayStation VR a catalyst
After a year when supplies bounced back, the Kaspersky researchers expect online criminals to try to exploit another possible shortage of PS5s next year stemming from the upcoming release of Sony's PlayStation VR 2 headset, which requires the console. It's also possible that Sony will release a "Pro" version of the console next year, which could spur scams involving fake presale offers, discounts and giveaways.
The researchers also expect cybercriminals to go after game accounts that hold stashes of in-game virtual currencies, in hopes of selling them off for real cash. Cryptocurrencies stored in gaming accounts also could be at risk.
Gaming platforms have been hacked for profit before. In March, cybercriminals made off with over $600 million worth of cryptocurrency from a network used to process in-game transactions for Axie Infinity, one of the world's most popular NFT video games.
In addition to keeping your crypto off of gaming platforms, Andrey Sidenko, lead web content analyst at Kaspersky, said players should keep their main credit and debit cards separate, too. He recommends using temporary or virtual cards that can be topped off when needed.
Metaverse scams will be a thing
When it comes to the metaverse, the risks are less clear, since there are only a few platforms up and running and they're mainly being used for entertainment purposes, though industrial and business applications could emerge soon.
Daniel Clemens, CEO of cybersecurity company ShadowDragon, said he expects the metaverse to go through the same kinds of security growing pains as any new platform.
"The metaverse is no different when it comes to criminal behavior, which other users will need to be aware of," Clemens said. "Where there is human interaction, there will be a free market mixed with the good and the bad."
Patrick Garrity, vice president at Nucleus Security, said the prevalence of digital assets, like NFTs, in the metaverse will make the platform prone to scams, pointing to their transferability and the lack of regulations and consumer protections built in to the platform. He emphasized that users should be extremely careful when it comes to their cryptocurrency.
"The best strategy is to not participate in cryptocurrency portions of the metaverse, as there is a strong probability that new users will get scammed," Garrity said, adding that it's also easy to identify people's wealth based on what their accounts and wallet look like.
In addition, since the platforms are global, it's doubtful they'll follow regional privacy regulations, like the General Data Protection Regulation in Europe, or data breach notification laws, Kaspersky said. There also have already been cases in the metaverse of virtual harassment and sexual assault. Without any kind of regulation to stop it, the researchers say they expect that kind of scary behavior to continue.
The threats to both gamers and metaverse users are especially frightening, given that many of the people who fall victim could be kids.
Cybersecurity experts say kids' data will also be increasingly threatened next year by ransomware attacks against schools and school districts. Meanwhile, the ever-increasing amount of data being collected from all people and shared will put pressure on companies and consumers alike to protect it and keep it private.
Though it may seem like there's not a lot parents can do, experts say making sure kids set strong, unique passwords for their accounts and enable two-factor authentication whenever possible will keep many of the bad guys out of those accounts.
Kaspersky's Sidenko adds that good antivirus software with anti-spam and anti-phishing tools will go a long way toward protecting everyone at home in the event someone accidentally clicks on a phishing link.
School IT professionals will struggle
Ransomware attacks against schools and school districts took off in 2022, with districts from Los Angeles to small-town Michigan falling victim.
Even the smallest school can have hundreds of devices behind its firewall and connected to its network, giving cybercriminals countless potential entry points, said Andrew Wildrix, chief information officer for cybersecurity company Intrusion.
At the same time, kids are often using their devices for things like games that they share with each other, not knowing that those games and apps could be extracting school-related data, he added.
What's worse is that given tight budgets, it's also unlikely that schools will allocate money for cybersecurity until after an attack has occurred, Wildrix said. After that, you're looking at months-long searches to find the right cybersecurity protections, scrape up the money to pay for them and put them in place.
By then, new threats have emerged and schools are back to square one again, he said.
"This existing approach is reactionary," Wildrix said. "In 2023, we need to start taking a holistic approach to cyberdefense where we think ahead and take the time to look at emerging technologies."
It's time to ask, 'Dude, where's my data?'
It's hard to make sure your data is safe and private if you don't know where it's being stored or who it's been shared with.
Jeremy Snyder, founder and CEO of the cybersecurity company FireTail, notes that even the simplest online act, such as the ordering of takeout through a meal delivery service, can involve three or more companies and that it's anyone's guess how secure each company's system is.
In Snyder's opinion, the biggest risk to security and privacy headed into 2023 is a lack of visibility. Companies are collecting and sharing so much data that they often don't know where it is or who has access to it.
"Will 2023 mark the year that companies finally start recognizing the scale of this problem?" Snyder asked. "I certainly hope so."
Wildrix said it'll also be up to consumers to take stock of where their data is going, especially when it comes to their collection of Internet of Things devices.
"How much stuff in your house is talking that you aren't aware of?" he asked, noting that in one instance he's seen Wi-Fi traffic collected by a robotic vacuum sent to a power station in Mongolia. "These are things that nobody considers."
Keeping track of personal data shared on social media should also be a priority for consumers, said Jeff Hodgin, vice president of product for CyberGRX. He notes that when people post on social media, they're promoting themselves as a brand just like a company would. The bigger the brand, the bigger the target for cybercriminals.
"Individuals who wish to promote themselves should consider their individual risk," Hodgin said. "What is my exposure? What would be the impact of a breach? What is the likelihood of that happening?"