Cyber threats are evolving faster than ever, and attackers are becoming smarter, stealthier, and more creative – but awareness is still your best defence.
Here are three emerging threats and attack types you need to recognise, all with simple ways to protect yourself and your clients’ data.
“Use this AI browser to save time”
Agentic AI browsers are web browsers expanded with AI agents that can undertake multiple actions for you, from searching sites, filling out forms, downloading files, and even executing scripts, all based on high-level prompts.
This sounds like a useful time saver, but it also creates new risks, as attackers find new ways to exploit them to steal sensitive information.
This could include getting the AI agent to follow malicious instructions hidden on compromised web pages or getting it to automatically exfiltrate data it has access to (files, clipboard contents, saved logins). Because these agents can link actions together without a human checking them, an attack can cascade into a large-scale data breach very quickly.
This has resulted in Gartner, an advisory firm for industries including finance, urging businesses to ‘block all AI browsers’.
How to protect yourself:
- Ensure careful procurement and risk assessments on AI tools before letting them loose on your business data.
- Consider blocking AI tools and browsers and only allowing those which have been assessed and approved.
“Log in via this pop-up”
Attackers are using fake browser pop-ups that look exactly like the real sign-in windows you see every day. These attacks can originate from a phishing email, or from a legitimate website that has been compromised.
The style of attack, known as ‘browser-in-the-browser attack’, is a social engineering technique that tricks users into believing they’re interacting with a genuine browser pop-up login window. In reality, it’s a fake pop-up designed to steal your login details.
It can be difficult to spot this attack because the pop-up login window is engineered to include the legitimate website’s URL, a clue usually relied on to spot malicious sites.
To see an example of what this looks like and find out more, check out this 'Browser-in-the-browser attacks' article.
How to protect yourself:
- Use MFA – even if you give your password away, the attacker still needs an additional piece of information to access your account.
- Use a password manager – if the password manager autofill isn’t populating your credentials, this tells you it’s likely a scam and not the legitimate website you think it is.
- Avoid logging in through pop-up windows. Open the website directly in a new tab.
“There’s an error – run this command to fix it”
This style of attack continues to evolve, but the result is always the same – it tricks the users into ‘fixing’ an alleged issue by copying and pasting a command that’s given to them in a legitimate looking security alert. Following the instructions installs malicious software that’s designed to steal your information.
Variations of the attack include:
- A pop-up claiming your browser has crashed or a security check has failed when you visit a website, requiring you to copy and paste a command to ‘fix’ an issue or “restore” your system.
- A phishing email which leads to a ‘broken’ CAPTCHA on the visited website, requiring you to run a command to ‘fix’ it.
- A fake “Windows update” which instructs you to run a command to complete the update.
- A fake website claims a file has been shared and to access it you need to copy and paste a command into File Explorer.
To see examples of what this looks like and find out more, check out this article on the ClickFix technique.
How to protect yourself:
- Slow down and don’t rush to follow instructions. Attackers often push a sense of urgency to bypass your critical thinking.
- Never copy and paste text or commands provided by a website into command-line tools, dialogue boxes, terminal windows, or address bars.
Never miss an update
The cyber landscape is constantly evolving, staying informed and proactive can help businesses mitigate risks.
Sign up to our fortnightly 'Adviser Insight' newsletter for expert insights – use the 'Sign up' button on the right-hand side to receive our updates.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.
