One of the scariest things we may see this Halloween is the notification: “We regret to inform you that your credentials have been compromised.” Unfortunately, this nightmare is reality for many people hit by a data breach attack.
This past year alone, we have witnessed numerous cyberattacks affecting millions of consumers. You have probably seen the headlines, from the data breach at Starbucks Singapore to the attack on Optus, Australia’s largest mobile operator (owned by Singtel). Most recently, even Meta, the parent company behind the social media network Facebook, with more than 1.9 billion active users each day, fell victim to a cyberattack.
Cybercriminals are like trick-or-treaters — knocking on doors and helping themselves to your freely-given credentials. Whether traditional phishing emails or more sophisticated deepfake-bolstered attacks, our digital lives and the proliferation of passwords make us increasingly vulnerable to cyberthreats.
As part of this year’s Cybersecurity Awareness Month, I have taken inspiration from the impending spooky season to unmask the scariest techniques and technologies criminals use to steal your sweet candy credentials — and how to stop them.
The wolf in sheep’s clothing
The online world can be a great space for finding friends, work, and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are quite sophisticated and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims.
According to the Singapore Police Force, over 380 victims have fallen prey to online love scams since January 2022, resulting in more than SG$15 million in losses. The recent Netflix documentary Tinder Swindler shows how convincing and persistent these fraudsters can be. Therefore, when forming relationships online, it is important to remember, before sharing any sensitive information that could help someone take over your online accounts, that those on the other end of apps might not always be who they seem.
The ghosts of Phishmas past
An email from the bank wanting to confirm your details. A text from couriers asking you to reschedule your delivery. The cheery retailer message to say you have won S$100 to spend if you register a new account.
You might think you have seen and heard it all before, but these older, tried-and-tested phishing techniques are haunting us and are still by far the most effective. In fact, according to an Infoblox report, 68% of breaches reported in the past 12 months stemmed from phishing attacks. As the volume and quality of attacks continue to rise, the simplest of phishing and smishing could catch any of us out.
Thankfully, authorities across the region are doubling down on phishing scams. In Singapore, for example, the Infocomm Media Development Authority has just mandated that all organisations using SMS sender IDs register with the Singapore SMS Sender ID Registry by January next year, and that telecom operators implement SMS anti-scam filtering solutions to weed out potential scam messages before they reach consumers. While more can be done to protect end-users, this is a step in the right direction.
You have no doubt seen funny viral videos of deepfakes, like Tom Cruise singing, or heard of the fake videos created of Ukrainian President Zelensky earlier this year. However, deepfake technology is not just used for comedy and political attacks, as this technology is becoming both more readily available and more convincing — bringing to the fore even more possibilities of how it can be used for effective attacks on everyday consumers.
Deepfake video and audio are now being used to bolster more standard phishing attacks and convince victims they are engaging with those closest to them, pressuring the unwitting into giving away sensitive information and details. In a creepy incident involving Patrick Hillman, an executive at the world’s largest cryptocurrency exchange, Binance, hackers reportedly created an AI hologram to trick people into meetings with ‘him’. As technology grows more advanced, it becomes even more challenging to determine who truly is at the other end of the line.
This is one type of social engineering attack that should send shivers down your spine. Recent advances in AI and machine learning are enabling attackers to automate highly targeted attacks — known as spear-phishing — by data scraping and integrating convincing details like name, date of birth, and employer details into attacks.
By revealing just enough legitimate information, attackers lure consumers into a false sense of security, making them even more likely to share credentials. Now arriving at an alarming rate and level of sophistication, this is one attack that will keep coming back if we do not find a strong enough defence.
The only way we can truly protect ourselves from sharing our most precious credentials online is not to have credentials we can share in the first place. If passwords are like Halloween candy at our doors, moving to something we simply cannot share (like cryptographic-based sign-ins and on-device biometrics) means even if you fall for the trick, fraudsters are going hungry.
The good news is that we are getting there. Earlier this year, the world’s biggest platforms — Apple, Google and Microsoft — committed to supporting a common passwordless standard, also known as passkeys. This means, across our most favoured browsers and devices, we will soon be able to access passwordless sign-in technology with the same gestures we use daily on mobile devices, using biometrics or local PIN codes.
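To show why a cryptographic sign-in cannot be handed over the way a password can, here is an added Go model (example code written for this post, not code from the original article or from any platform’s passkey implementation). The names Authenticator and RelyingParty and the domains bank.example and bank-login.example are constructed assumptions; the device signs a one-time challenge bound to the site’s identifier, so a look-alike domain finds no credential and a captured sign-in cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: one key pair per relying party ID.
// Private keys never leave it, so there is nothing a user could type into a form.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty models the site: it keeps only the public key from registration.
type RelyingParty struct {
	id  string
	pub *ecdsa.PublicKey
}

// Register creates a credential scoped to rpID and gives the site the public key.
func (a Authenticator) Register(rpID string) (*RelyingParty, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = key
	return &RelyingParty{id: rpID, pub: &key.PublicKey}, nil
}

// toSign mirrors WebAuthn's signed data, SHA-256(rpID) || challenge, binding the
// signature both to the site and to a one-time challenge.
func toSign(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], challenge...))
	return d[:]
}

// Assert is the sign-in step. The browser derives rpID from the real origin,
// so a look-alike phishing domain finds no credential and gets nothing.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	key, ok := a[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, key, toSign(origin, challenge))
}

// Verify checks the assertion against the stored public key and the site's own rpID.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, toSign(rp.id, challenge), sig)
}
```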
This Cybersecurity Awareness Month, I urge service providers to put phishing-resistant passwordless authentication on their roadmap. This way consumers can make the move to passwordless, or at the very least, use passwords less so we can leave these social engineering monsters toothless.