
Many of the fraud threats facing organizations today are not new. However, the convergence of these threats—combined with ever-evolving technologies—has created a formidable challenge for cybersecurity teams.
This environment is calling some of the most fundamental security tools into question and threatens to permanently reshape the cybersecurity paradigm.
As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, detailed in the report 2026 Cybersecurity Trends, three main threats loom large: increasingly sophisticated infostealers, quantum computing's potential to break encryption, and rising supply chain risks.
Removing Trust from the Chain
The supply chain is a critical channel for organizations, but it has also long been a point of vulnerability. This reality drove the adoption of controls such as Know Your Customer and anti-money laundering processes. Despite these safeguards, the current threat landscape is more perilous than ever.
“The threat landscape is growing—and exponentially—and the reason is because there’s more digital data,” Goldberg said. “Every third party that you work with, every organization that’s tethered in that supply chain has its own set of data, so you increase the exposure risk. Any third party that you’re working with, you’re only as secure as your weakest link.”
To address this risk, organizations must return to the fundamentals of a zero-trust approach. This requires assuming that no vendor, and no data, can be trusted until it is explicitly verified. While adopting this mindset is imperative, it also demands greater due diligence to ensure that vendors consistently adhere to rigorous security standards.
Compounding this challenge, cybercriminals now have access to increasingly sophisticated, AI-powered tools. As a result, organizations must monitor communications more closely to validate their authenticity. These steps are critical, but given the sheer scale and interconnected nature of supply chain risks, the most impactful solution would be an industry-wide effort.
“The email verification strategies like DMARC and DCAM are going to become increasingly important, because we’re going to have to constantly be re-verifying the authenticity of senders and recipients,” Goldberg said. “There’s no one solution or one answer, but we’re going to have to all be in agreement. Because whatever we decide, it’s going to have to be industry agnostic.”
Stymying the Infostealers
Infostealers represent another significant threat that requires a similarly holistic response. Infostealers are a form of malware capable of capturing large volumes of data from infected devices—including browsing activity, credentials, and even screenshots.
What makes infostealers particularly concerning is the speed at which they’re evolving. Many variants can now easily bypass security controls that were previously considered effective.
Consider the customer onboarding process at a financial institution. Customers are typically asked to create a username and password. If the customer is using Chrome, Google may suggest a strong password, one that meets length requirements, avoids personal information, and includes a mix of characters. This password is then stored in Google Password Manager.
“The challenge is that with these emerging infostealers, they’re able to go in and capture your browsing history,” Goldberg said. “Even if you are a savvy user and you’re going in and clearing that browsing history and you’re clearing the cache every time you open your browser—which I would argue no one is really doing—these infostealers are able to go in and capture screenshots.”
“Even if you cleared the cache, if they’ve captured a screenshot of what your browsing history was, they’re also able to capture autofill data,” she said. “Any of those passwords that have been autofilled, they’re able to capture that, so they’re circumventing everything.”
This convenience can introduce downstream risk. For example, when a financial institution detects suspicious card activity, it will usually close the compromised card and issue a replacement. Because many cards are stored in digital wallets, customers often receive a digital card immediately, with the card number automatically updating in their wallet before a physical card arrives.
If an infostealer has already compromised the credentials used to access that digital wallet, a criminal could gain immediate access to the new card number as well.
“A lot of banks don’t appreciate how sophisticated these infostealers are,” Goldberg said. “It comes back to the fact that we have to get away from usernames and passwords. The only thing I can think of at this point that’s going to help us get over the hump is something like YubiKey, which is that physical hard key token that you would have to have on your person when you login to the online banking or the mobile banking.”
“Ultimately, what we have to decide as an industry is how are we going to get beyond passwords,” she said. “Until then, we have to get to a place where we as an industry are reauthenticating those users on a more regular cadence. Maybe it has to even happen as often as once every two weeks. That’s going to be a huge shift for the industry, it’s going to require a massive overhaul in culture and in technology on the bank side, and I don’t think we’re there yet.”
Cracking Quantum Computing
While a complete move away from traditional usernames and passwords may not be imminent, continued advances in computing could eventually force a shift in authentication and encryption protocols. One of the most consequential developments is quantum computing, which applies the principles of quantum mechanics to solve highly complex problems.
Quantum computing holds tremendous potential across many domains, including cybersecurity. However, bad actors are also exploring ways to exploit its capabilities. For example, a recent study by a Google researcher found that quantum computers could crack a 2048-bit RSA encryption key, a common online data security standard, in less than a week.
“We’re close to where quantum computing is going to break encryption,” Goldberg said. “This goes back to the whole risk that we see with the way we’re securing data today. Data is tokenized or encrypted; card numbers are tokenized as they’re transmitted as this is a requirement for PCI compliance.”
“If quantum computing is able to break that encryption, then we’re ultimately sending card data in the clear and it’s setting us back 20 years,” she said. “Tokenization will mean nothing.”
This is not the first time that expanding technologies have prompted a change in encryption methods. A decade ago, Triple DES was the encryption standard, but as criminals’ capabilities increased, vulnerabilities in the format were exposed.
This caused organizations to shift to the more robust Advanced Encryption Standard (AES). Unfortunately, a similar scenario may be playing out with AES.
“We have to start thinking ahead to how we are going to secure data, and maybe it means we hold less data,” Goldberg said. “It could go back to where consumers are having to input data all the time. It’s a challenge because the data is out there; the data’s not going away. We’re just adding more to the digital footprints.”
“Maybe that’s going to require us to take a step back,” she said. “Maybe that’s going to require us to manage the digital data in a different way and maybe it’s a combination of things where we continue to rely on digital data, but it has to be coupled or partnered with something that’s more tangible and physical.”
The post The Fraud Epidemic Is Testing the Limits of Cybersecurity appeared first on PaymentsJournal.