Imagine a stranger approaching you on the street, dressed in a fancy suit and carrying a briefcase. He hands you a business card with a logo from a reputable organisation and introduces himself as a representative. He then asks for your personal details, such as your name, birth date, and contact information, claiming that he needs it for a legitimate reason. However, what you don't realise is that the man is an impostor and is attempting to trick you into giving away your sensitive information.
What would you do?
Regardless of how you would react, the above situation is the premise behind phishing, where attackers disguise themselves as trustworthy entities to deceive unsuspecting victims into divulging their personal information or even giving up their hard-earned cash.
In this context, cybercriminals can be compared to adept magicians who skilfully employ a variety of tricks to deceive and manipulate unsuspecting victims. They are experts in social engineering, using extensive research and psychological tactics to lower anyone's guard and manipulate them into carrying out their requests. One popular trick involves exploiting our emotions and subconscious biases, something humans are hardwired to be especially susceptible to, according to Daniela Oliveira, a cybersecurity expert, computer scientist and Associate Professor at the University of Florida.
These master manipulators exploit our profound fears, desires, and vulnerabilities, cunningly deceiving us into undertaking actions that serve their own interests. They commonly employ tactics such as urgency, authority, or familiarity to lend an air of legitimacy to their requests. For instance, they might send an urgent email purportedly from the victim's bank or their own boss (more on this below).
Cybersecurity's Dark Duet: Identity Theft and Phishing
Identity theft is another “rising star” in the world of cybersecurity. It is reported that 2.5 million identities are stolen every year, and even the dead can become victims of this form of cybercrime.
What’s interesting is that identity theft and phishing scams are two sides of the same coin, and the connection between the two is profound. Phishing serves as the gateway for cybercriminals to acquire the critical information they need to perpetrate identity theft. By tricking unsuspecting victims into willingly providing their personal details, attackers gain access to sensitive information that can be used to impersonate individuals or carry out fraudulent activities.
This can encompass activities such as opening fraudulent accounts, making unauthorised financial transactions, or even assuming the victim's identity for illegal activities. The consequences of identity theft can be severe, causing significant financial losses, reputational damage, and emotional distress for the victims.
The rise of identity theft and phishing can be attributed to several factors. First, the increasing digitisation of our lives has provided cybercriminals with a larger attack surface and a wealth of personal data available for exploitation. To make matters worse, the sophistication and believability of phishing attacks have evolved significantly, making it much harder for us to discern genuine communication from fraudulent attempts.
Identity theft has escalated to such an alarming extent, in fact, that according to Chris Connell, Managing Director for Asia Pacific at Kaspersky, the World Economic Forum ranked identity theft at the top of the personal risk list.
Taking Phishing to the Next Level
Regardless of the form of cybercrime, whether it be identity theft, financial fraud, or other malicious activities, it is highly likely that the initial stage of the attack will commence with a phishing attempt.
In their relentless pursuit, according to Kaspersky, cybercriminals have adopted sophisticated techniques like spear phishing, whaling, and smishing to elevate their phishing campaigns. Spear phishing targets specific individuals or organisations with tailored messages that appear genuine, making malicious intent hard to identify. Whaling takes this further by aiming at high-profile figures such as senior executives, whose authority and access make a successful compromise far more valuable. Smishing delivers the same lures by SMS or messaging apps rather than by email.
Mark Lukie, the Director of Solution Architects at Barracuda APAC, reveals that phishing attacks are becoming increasingly common across Asia-Pacific and are often the starting point for many cyber attacks, including financial fraud, ransomware and credential theft. Recent research conducted by Barracuda shows that a staggering 75% of organisations in Asia-Pacific and around the world have fallen victim to email-based attacks in the past year alone, with 69% of ransomware attacks initiated through malicious emails.
As mentioned earlier, cybercriminals are constantly developing new techniques to deceive their targets and evade detection. One emerging phenomenon that is rapidly gaining prominence is the deepfake, made possible by one of the most cutting-edge technologies of our time, Artificial Intelligence (AI). Ian Lim, Field Chief Security Officer, Asia Pacific & Japan, Palo Alto Networks, describes deepfake technology as “a kind of AI capable of generating synthetic audio, video, images and even virtual personas”.
Ian adds that AI voice cloning technologies are turning out to be incredibly dangerous, adding another layer that makes scams even more believable than they already are. For instance, AI-generated likenesses are now being used to impersonate business leaders over Zoom calls to scam unsuspecting victims, who are likely to fall for the ruse because they believe they are seeing someone they know.
Deepfakes, in fact, are now very convincing, and many cases have been reported, from deepfakes that sound just like one’s family member to a voice deepfake used to scam a CEO out of USD $243,000 and even a deepfake video of Elon Musk promoting a crypto scam that went viral just last year.
Curiosity Did Not Kill the Cat
Cybersecurity ASEAN recently conducted an interview with two individuals from a Malaysian company, whom we will refer to as Ike and Tina to ensure privacy and confidentiality. Their story unveils a close call with cybercriminals who cunningly posed as their own boss, leaving them on the verge of becoming victims.
The attempted ruse unfolded with eerie synchronicity: Ike and Tina were targeted on the same day and at almost the same time. Both received a lunchtime WhatsApp message from an unfamiliar number claiming to be their boss. Under the pretence of urgency, the impersonating "boss" directed both of them to carry out an imperative task. Claiming to be unable to take a phone call, the "boss" instructed them to promptly purchase three Razer Gold Cards, each valued at RM500 (approximately USD $110).
“The person pretended to be our boss, and even the tone and language of the message sounded exactly like her,” said Ike, while Tina added that the “boss” mentioned the name of another staff member, whom the perpetrator claimed was unlikely to carry out the same task.
This suggests that the threat actor meticulously conducted comprehensive research on the targeted company and its employees, empowering them to execute these scams with remarkable persuasiveness. Astonishingly, they even possessed information about the boss's absence from the office on that specific day, further enhancing the deceptive authenticity of their schemes. Such a level of dedication is truly remarkable!
Fortunately, for Ike and Tina, their inquisitiveness acted as a protective shield, preventing them from falling victim to the scam. Unfamiliar with the concept of Razer Gold Cards, the duo wisely sought information from others, and their prudence paid off.
“Thank God, staff members in my department are gamers who are familiar with it [Razer Gold Card]. So, they questioned why our boss would need gaming cards and asked me to think about it properly,” said Tina.
While Ike and Tina were fortunate to evade the ruse, not everyone shares the same luck. This incident serves as a poignant reminder of the pervasive threat posed by phishing and identity theft. It emphasises the importance of staying vigilant and informed about the ever-evolving techniques employed by cybercriminals. By staying updated on the latest phishing tactics, we can better protect ourselves and mitigate the risks associated with these very real and prevalent issues.
Amidst all these intricacies, a simple yet powerful precautionary measure emerges: reaching out directly to a colleague or your boss to verify any suspicious request before making a financial transaction or divulging sensitive information. The verification must go through a channel you already trust, such as the boss's known phone number or a face-to-face check, and never through a reply to the number or address the request came from, because the attacker controls that channel. Consider this a proactive step towards safeguarding yourself against potential scams. By taking this extra stride, you create a resilient shield of certainty amidst a world where illusions and deceit thrive.
It is also important to stay vigilant, and for organisations to offer cybersecurity awareness training to reduce the likelihood of anyone in the company falling prey to phishing and similar cybersecurity threats.
Being Proactive Is Crucial to Combat Phishing
In other words, there is a need to take a proactive approach to protect ourselves from identity theft and other cybersecurity threats, especially since phishing scams continue to be commonplace.
To this end, cybersecurity experts are recommending several specific precautions in case one receives suspicious emails or messages. Nick McKenzie, CISO at Bugcrowd, and Jacqueline Jayne, Security Awareness Advocate at KnowBe4, shared that among the first red flags of a phishing email are typographical errors and spelling and grammatical mistakes.
However, it's crucial to remember that mere grammatical correctness in an email does not guarantee its safety or legitimacy. Cybercriminals are intensifying their efforts, even leveraging advanced language models like ChatGPT to craft persuasive messages that are increasingly difficult to discern from authentic ones. The point is, we need to be cautious and never let our guard down.
A closer look at the sender's email address can also give away a malicious email. Every company sends mail from its own domain, the part after the @ sign; e.g.: firstname.lastname@example.org. A phishing email usually comes from a different domain, because the attacker does not control the company's mail domain. Watch for lookalikes that differ by a character or two, the company name buried inside a longer domain, and a familiar display name paired with an unrelated address. Note that the displayed sender can also be forged outright unless the receiving mail system checks SPF, DKIM and DMARC, so a matching address is a good sign but not proof.
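The sender-address checks described above, written out as an added example (this is illustrative code, not anything from the article or the vendors quoted in it). It assumes a hypothetical company domain of example.org; every From: header it is run on is constructed for the example. It inspects only what the user sees in the header, so it flags the common tricks (subdomain padding, near-miss spellings, non-ASCII lookalike characters, a trusted display name on a foreign address) but cannot prove the mail really came from that domain.

```python
"""Triage checks on the From: header of a suspicious email.

Added example for this article. The trusted domain (example.org) and all
sample headers are constructed, not taken from a real mailbox. These checks
look only at the visible address; whether the message was genuinely sent
from that domain is a separate question answered by SPF/DKIM/DMARC on the
receiving mail server.
"""
from email.utils import parseaddr


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted_domain: str) -> str:
    """Classify a From: header against the company's real mail domain.

    Returns one of: 'ok', 'ok-subdomain', 'non-ascii-domain',
    'subdomain-trick', 'lookalike', 'display-name-spoof',
    'unknown-domain', 'unparseable'.
    """
    trusted = trusted_domain.lower().strip()
    trusted_label = trusted.split(".")[0]            # "example" for example.org
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unparseable"
    domain = address.rsplit("@", 1)[1].lower().strip()

    if domain == trusted:
        return "ok"
    if domain.endswith("." + trusted):               # mail.example.org
        return "ok-subdomain"
    if not domain.isascii():                         # homoglyphs, e.g. Cyrillic 'е'
        return "non-ascii-domain"
    if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
        return "subdomain-trick"                     # example.org.secure-login.net
    if trusted_label in domain or _edit_distance(domain, trusted) <= 1:
        return "lookalike"                           # example-org.com, examp1e.org
    if trusted_label in display_name.lower():
        return "display-name-spoof"                  # "Example Payroll" <x@other.xyz>
    return "unknown-domain"


if __name__ == "__main__":
    # Constructed sample headers for demonstration only.
    samples = [
        "Alice Tan <alice.tan@example.org>",
        "IT Helpdesk <helpdesk@mail.example.org>",
        "Alice Tan <alice.tan@example.org.secure-login.net>",
        "Alice Tan <alice.tan@examp1e.org>",
        "Finance <finance@example-org.com>",
        "Example Payroll <payroll@notify-mail.xyz>",
        "Bob <bob@gmail.com>",
        "not an address",
    ]
    for header in samples:
        print(f"{check_sender(header, 'example.org'):20} {header}")
```

The edit-distance threshold of 1 is deliberately tight: a looser threshold would flag short, unrelated domains as lookalikes. In a real mail pipeline these heuristics would sit alongside the Authentication-Results header added by the receiving server, which records whether SPF, DKIM and DMARC passed; that, not the visible address, is what tells you the domain was not simply forged.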
Additionally, Joanne Wong, Vice President, International Markets, at LogRhythm, and Fabrice Bartolucci, Regional GM, Southeast Asia & Hong Kong, at Exclusive Networks, warn about the dangers of clicking on links or downloading attachments. According to Wong and Bartolucci, these often lead to malicious websites that infect devices with malware, or to fake login pages that steal personal information. Rather than clicking, the two experts recommend always double-checking the legitimacy of any information provided and visiting official websites directly from one's browser, by typing the address or using a saved bookmark, instead of following the link in the message.
It is also best to go the extra mile. For this, Fabrice recommends using two-factor authentication. This added layer of security requires a second form of identification, such as a code sent to one's phone or email, in addition to the user's password. It is a small step that can make a world of difference in keeping one's accounts safe from hackers. One caveat: a one-time code delivered by SMS or email can itself be phished, since a fake login page can ask for the code and relay it to the real site before it expires. Where a service offers it, an authenticator app or a hardware security key is the stronger choice.
An Ongoing Battle
Cybercriminals are like chameleons, constantly evolving and adapting to new technologies and techniques, making it challenging for individuals and organisations to keep up. This is why the fight against cybercrime is an ongoing battle that requires vigilance, constant education, good cyber hygiene and awareness of both the latest threats and how to counter them.
It is also imperative to remember that identity is a precious commodity and protecting it should be a top priority.
So, whether you find yourself face-to-face with a mysterious stranger on the street or encounter a suspicious email in your inbox, remember to guard your prized possessions and protect your personal information. In this age of sophisticated scams and digital trickery, a moment of caution can save you from becoming a victim of identity theft or falling into the clutches of cybercriminals. Stay vigilant, stay informed, and keep your treasures safe from those who seek to exploit them.