One of the scariest things we may see this Halloween is the notification: “We regret to inform you that your credentials have been compromised.” This nightmare is reality for many people hit by a data breach. This past year alone, we have witnessed numerous attacks affecting millions of Aussies. You have seen the headlines: from the data breach at Starbucks Singapore to the attack on Optus, Australia’s largest mobile operator (owned by Singtel).
Even Meta, the parent company behind the social media network Facebook, with over 1.9 billion active users each day, fell victim to a cyber attack. Cybercriminals are like trick-or-treaters – knocking on doors and helping themselves to your freely-given credentials.
What are the scariest techniques criminals use?
From traditional phishing emails to more sophisticated deepfake-bolstered attacks, our digital lives and the proliferation of passwords make us increasingly vulnerable to cyber threats. As part of this year’s Cybersecurity Awareness Month, I have taken inspiration from the impending spooky season to unmask the scariest techniques and technologies criminals use to steal your sweet candy credentials – and how to stop them.
The Wolf in Sheep’s Clothing
The online world can be a great space for finding friends, work and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are sophisticated and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims. According to the Singapore Police Force, over 380 victims have fallen prey to online love scams since January 2022, resulting in more than S$15 million in losses.
The recent Netflix documentary ‘Tinder Swindler’ shows how convincing and persistent these fraudsters can be. Therefore, when forming relationships online, it is important to remember, before sharing any sensitive information that could help someone take over your online accounts, that those on the other end of the app might not be who they seem.
The Ghosts of Phishmas Past
An email from the bank wanting to confirm your details. A text from a courier asking you to reschedule a delivery. A retailer message saying you have won $100 to spend if you register a new account. You might think you have seen and heard it all before, but these older, tried and tested phishing techniques are still haunting us and remain highly effective.
In fact, 68% of breaches reported in the past 12 months stemmed from phishing attacks. As the volume and quality of attacks continue to rise, the simplest phishing or smishing message could catch any of us out. Thankfully, authorities are cracking down on phishing scams.
In Singapore, for example, the Infocomm Media Development Authority (IMDA) has just mandated that all organisations using SMS sender IDs register with the Singapore SMS Sender ID Registry (SSIR) by January next year, and that telecom operators implement SMS anti-scam filtering solutions to weed out potential scam messages before they reach consumers. While more can be done to protect end-users, this is a step in the right direction.
You have no doubt seen funny viral videos of deepfakes, like Tom Cruise singing, or heard of the fake videos created of Ukrainian President Zelensky earlier this year. However, deepfake technology is not just used for comedy and political attacks. It is becoming both more readily available and more convincing, bringing to the fore even more possibilities for effective attacks on everyday consumers.
Deepfake tech is being used to bolster standard phishing attacks and convince victims they are engaging with those closest to them to pressure them into giving away sensitive details.
In a creepy incident involving Patrick Hillman, an executive at Binance, hackers reportedly created a hologram to trick people into meetings with ‘him’. As tech grows more advanced, it becomes even more challenging to determine who truly is at the other end of the line.
This is one type of social engineering attack that should send shivers down your spine. Recent advances in artificial intelligence (AI) and machine learning are enabling attackers to automate highly targeted attacks – known as spear-phishing – by scraping data and weaving convincing details such as name, date of birth and employer into the attack.
By revealing just enough information, consumers are lured into a false sense of security and are even more likely to share credentials. Now occurring at an alarming rate and level of sophistication, this is one attack that will keep coming back if we do not find a strong enough defence.
The only way we can truly protect ourselves from sharing our credentials online is not to have credentials we can share in the first place. If passwords are like Halloween candy at our doors, moving to something we simply cannot share, like cryptographic-based sign-ins and on-device biometrics, means even if you fall for the trick, fraudsters are going hungry.
Earlier this year, the biggest platforms – Apple, Google and Microsoft – committed to supporting a common passwordless standard, also known as passkeys. This means, across our most favoured browsers and devices, we will soon be able to access passwordless sign-in tech with the gestures we use daily on mobile devices, using biometrics or PIN codes.
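To make concrete why a cryptographic sign-in leaves a fraudster hungry, here is an added Go sketch (not code from the original post, and a simplification of WebAuthn/passkeys): the private key stays inside the authenticator, the browser signs the origin it actually observed together with a one-time server challenge, and a look-alike site has no credential to invoke. The origins, challenges and type names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator is a toy on-device authenticator (hypothetical); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// clientData is what gets signed: the origin the browser observed (not one the user
// typed or was told) plus the server's one-time challenge.
type clientData struct {
	Origin    string `json:"origin"`
	Challenge string `json:"challenge"`
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Register creates a credential scoped to the site's origin (real authenticators scope
// to the RP ID derived from it) and hands back only the public key.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[origin] = priv
	return &priv.PublicKey
}

// Sign returns an assertion for the observed origin; a look-alike site has no
// credential here, so ok=false and the victim has nothing to hand over.
func (a *Authenticator) Sign(origin, challenge string) (cd, sig []byte, ok bool) {
	priv := a.keys[origin]
	if priv == nil {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Origin: origin, Challenge: challenge})
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest(cd))
	return cd, sig, true
}

// Verify is the relying party's check: the signed data must name its own origin and
// the challenge it issued, and the signature must match the registered public key.
func Verify(pub *ecdsa.PublicKey, wantOrigin, wantChallenge string, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != wantOrigin || c.Challenge != wantChallenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(cd), sig)
}
```

Driven from a Go test, a genuine login verifies, a look-alike origin receives no assertion at all, and an assertion captured from one login fails against both a fresh challenge and a different origin.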
I urge service providers to put phishing-resistant passwordless authentication on their roadmap. This way consumers can make the move to passwordless, or at the very least, use passwords less so we can leave these social engineering monsters toothless.