What is reality?
Good question in 2024. Deepfakes are hitting the headlines and we encourage you to take nothing at face value. This doesn’t just concern audio or video purporting to be someone you know. Keep your wits about you on that login page or unsubscribe link, because it might not be what it first appears to be.
A good rule of thumb online: make scepticism your default setting unless you encounter solid evidence to the contrary.
Here’s the latest cyber security stories.
How to steal a user’s email details
The FBI calls it the $50 billion scam. Businesses of all sizes as well as individual customers are targets and the battlefield is your email inbox.
Business email compromise (BEC) using Man in the Middle (MitM) attacks have become a top cyber security threat. Hackers lure their victims via spoof websites that look very similar to authentic login pages to steal login information.
This tactic is typically used to perform transfer-of-funds requests. Or, it can be deployed to get access to login details or personally identifiable information such as pay slips, tax details or crypto currency wallets. As we have warned before, the reason this hack is so nefarious is because it’s immune to multi-factor authentication.
BEC using MitM is fast becoming the attack tool of choice for many hackers, with the FBI warning that it’s even more lucrative than ransomware. We’re seeing more and more instances of business email compromise and want to ensure you have the knowledge to stay protected.
Recently, we spotted a suspicious message on our internal Microsoft Teams purporting to be from a luxury hotel chain offering exclusive employee benefits. It included a link to a semi-legitimate-looking SharePoint URL.
This was immediately flagged as dubious because we have very strict policies about any communications relating to employee benefits. They will always be announced via a dedicated platform from the finance and HR teams, not – as in this case – a random link in an email.
Jake Ives, our Head of Security, offers this advice. ‘Hackers are getting more sophisticated with their attacks. Please stay vigilant and think twice before providing your login details to any webpage.’
- If you’ve received a Docusign, iTunes voucher etc out of the blue and you’re not expecting it, irrespective of whether the usual suspicious indications are present, ignore it, and report it.
- Just because the link in the email references a trusted organisation, that doesn’t mean it is safe. Watch out for dead giveaways such as misspellings and poor formatting and always scrutinise the URL in the address bar.
Nothing is real: the deepfake scam that cost a business £20m
Finance employees – picture this. You’re asked to attend a video conference by your company’s chief financial officer. You are slightly suspicious because the invite mentions secret transactions that need to be carried out. However, when you join the call, you are reassured because there are several other colleagues in the meeting. You have also been messaged on WhatsApp and via email with details of the transactions. You end up making 15 payments totalling £20m.
Only here’s the catch. You were the only human present at that video conference. The rest of the staff including the CEO were deepfakes created by hackers using AI to digitally manipulate publicly available video and audio from past video conferences.
It’s a true story from Hong Kong and one that’s left many people in accounts departments feeling very nervous. The scam only came to light after the employee spoke to the head office a few days later.
Deepfake technology uses AI to doctor people’s video and audio, so that it appears as if they are saying or doing something they didn’t actually say or do.
Hong Kong police have warned of an increase in such deepfake scams where criminals are using publicly available video and audio to trick businesses and people.
Recent examples in the UK include WhatsApp voice notes sent to parents impersonating their child in desperation, asking for money. Last year, there was also the deepfake of finance expert Martin Lewis that appeared to show him endorsing a fake investment project by Elon Musk.
Because our videos and audio are often on social media channels, we are all susceptible. Here are some tips to help protect your social profiles:
- Ensure that only friends, and friends of friends, can search for you on Facebook and other social media channels. This limits your exposure online
- On WhatsApp, turn off your profile photo and display name for anyone who is not a contact
- Set your Instagram profile to private
- Use sites like Incogni and Kanary to find old information you’ve published online and take steps to remove it where possible.
JP Morgan forks out $600m a year to guard against cyber crime
The arms race between banks and robbers is reaching new heights.
In the Wild West, cashiers had pistols and steel safes to keep customer’s valuables safe from bandits. Into the Twentieth Century, a panic button and bulletproof glass were the first line of defence.
However, the ever-increasing sophistication of criminals and the lowering of costs associated with committing cyber crime has led to banks spending more and more on security.
It’s no surprise that one of the biggest multinational lenders in the west, JP Morgan, has revealed it shells out over $600m each year just on its cyber security.
The bank’s senior executive, Mary Erdoes, said that they ‘...have more engineers than Google or Amazon…the fraudsters get smarter, savvier, quicker, more devious, more mischievous….it’s so hard and it’s going to become increasingly harder.’
JP Morgans’ cyber security includes ‘…specialised programs designed to protect clients and their accounts such as encrypting data at rest and running sophisticated fraud mechanisms behind the scenes, looking for unusual activity.’ They also invest heavily in cyber awareness training for their clients.
The unscrupulous unsubscribe scam
We’ve all been there – working through our emails on a Monday morning only to be confronted by a somewhat legitimate-looking newsletter or sales/ marketing email that we can’t wait to unsubscribe from. We quickly scroll to the bottom of the mail and look for the unsubscribe link.
But did you know that clicking on such a link could well turn out to be another form of phishing?
Scammers sometimes send out fake emails with ‘unsubscribe’ buttons that can lead unsuspecting victims to download malware on their computers. Such links can also be used to verify that spam email reaches you, thereby ensuring that you’re targeted in the future.
If the email is not from a legitimate mailing list provider or vendor and doesn’t ring a bell, it’s probably best to ignore it and mark it as spam so it goes straight to junk.
For more details on unsubscribing from legitimate emails, check out this article.
Other vulnerabilities
Cisco Adaptive Security Appliance and Firepower Threat Defense (FTD) flaw