This Cybersecurity Awareness Month, we’re raising awareness of the most frightening social engineering attacks and how we can banish these monsters to the past…

Megan Shamas, senior director of marketing, FIDO Alliance

Cybercriminals are like trick or treaters – knocking on doors and helping themselves to your freely-given credentials. Whether traditional phishing emails or more sophisticated deepfake-bolstered attacks, our digital lives and the proliferation of passwords are making us increasingly vulnerable to the cyber threat.

Awareness is a core part of FIDO Alliance’s mission to move the world away from passwords to simpler, stronger authentication. Standards and technology are just one half of solving cybersecurity challenges – we have a duty to educate and provide the best information and resources to help everyone make smart decisions in whatever online environment they’re in – whether you’re at work, studying, or in your personal life.

That’s why we love working with CISA and NCSAM and their efforts around Cybersecurity Awareness Month, as it gets to the ‘people’ part of cybersecurity. And undoubtedly, when we think of that ‘people’ part, phishing and social engineering attacks are top of the list.

To promote this year’s Cybersecurity Awareness Month, we’ve taken inspiration from the impending spooky season to unmask the scariest techniques and technologies criminals are using to steal your sweet candy credentials – and how to stop them.

The Wolf in Sheep’s Clothing 

The online world can be a great space for finding friends, work, and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are quite sophisticated, and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims.  

Plenty of Fish can quickly become Plenty of Phish, catching consumers when they have their guard down and least expect anything. The recent Netflix documentary ‘Tinder Swindler’ is a great example of how convincing and persistent these fraudsters can be. When forming relationships online, remember that those on the other end of apps might not always be who they seem before sharing any sensitive information that could help them take over your online accounts.  

The Ghosts of Phishmas Past 

An email from the bank wanting to confirm your details. A text from couriers asking you to reschedule your delivery. The cheery retailer message to say you’ve won $100 to spend if you register a new account.

You might think you’ve seen and heard it all before, but these older, tried and tested phishing techniques are haunting us and are still by far the most effective. Take the Royal Mail SMS scam that blew up last Christmas time in the UK, or the recent global attack on Facebook Business/ad users. An estimated three in five were targeted by fake delivery text messages in 2021. As both the volume and quality of attacks continue to rise, the simplest of phishing and smishing could catch any of us out.

The Shapeshifter

You’ve no doubt seen funny viral videos of deepfakes, like Tom Cruise singing, or heard of the fake videos created of Ukrainian President Zelensky earlier this year. But deepfake technology isn’t just limited to comedy and political attacks – this technology is becoming both more readily available and more convincing, bringing to the fore even more effective attacks on everyday consumers. Back in June, the FBI even issued a warning to employers about fake employees using the technology to apply for jobs under false pretences to defraud organisations.

Deepfake video and audio is now being used to bolster more standard phishing attacks and convince victims they’re engaging with those closest to them to pressure them into giving away sensitive information and details.

The Terminator

This is one type of social engineering attack that should send shivers down your spine. Recent advances in AI and machine learning are enabling attackers to automate highly targeted attacks – known as spear-phishing – by scraping data and integrating convincing details, like name, date of birth and employer details, into attacks.

By revealing just enough legitimate information, consumers are lured into a false sense of security and even more likely to share credentials. Now automated at an alarming rate and level of sophistication, this is one attack that will keep coming back… that is, if we don’t find a strong enough defence. 

Boo, Passwords!

The only way we can truly protect ourselves from sharing our most precious credentials online is to not have credentials we can share in the first place. If passwords are like Halloween candy at our doors, moving to something we simply can’t share, like FIDO cryptography-based sign-ins and on-device biometrics, means even if you fall for the trick, fraudsters are going hungry.

FIDO authentication, created by a global collaboration of the world’s biggest tech companies, numerous service providers and security stakeholders, is the only widely available phishing-resistant authentication method. Increasingly, governments like the US and the UK are citing FIDO as the ‘gold standard’ for organisations to implement and access robust cybersecurity. FIDO technology is readily available for companies big and small to implement and, as Cloudflare’s recent thwarted cyberattacks show, it’s effective.

FIDO technology is about to become more readily available and ubiquitous among consumers too. Earlier this year, the world’s biggest platforms – Apple, Google and Microsoft – committed to supporting our new security key standards, FIDO multi-device credentials, also known as ‘passkeys’. This means, across our most favoured browsers and devices, we’ll soon be able to access FIDO-based passwordless sign-in technology with the same gestures we use every day on mobile devices, using biometrics or PIN. 

This Cybersecurity Awareness Month, we’re urging service providers to get phishing-resistant passwordless authentication on their roadmap so consumers can make the move to passwordless – or at the very least, using passwords less – so we can leave these social engineering monsters toothless.

