Everything we do online is based on trust: we trust our email providers, our cloud services, our search engines, software developers and online stores. We give them personal and financial information, ranging from our pet’s names and first school to our credit cards and bank details. As a result, it is very easy for criminals to abuse that trust, because the opportunities to do so seem endless. All it takes is one untrustworthy person in the whole chain of events, or one person with the necessary privileges being tricked into creating a gap, opening the door, so to speak, for the criminals.
The criminals even pose as legitimate companies or specialists, pay to be high in the search engine rankings and, like a Venus flytrap, wait for you to make contact. They entice us with ‘too good to be true’ special offers, play on our fears with unfounded warnings and, like any good con artist, manipulate the situation so that we think they are helping us or doing us a favour. Most of the time in the online world, this means that they need you to install something on your computer, click something or visit a certain website, or they simply ask you to confirm your password, to get the foothold that they want. From then on, one of the biggest problems with being an online ‘victim’ is not actually knowing that you have become a victim, unless they make it loud and clear with a demand for money.
A patient criminal can sit on trusted credentials for months, credit cards can be used to open online accounts without taking payments, and malicious software may not do anything untoward until it is instructed to. It is not easy to know when data has been stolen, as the data is still there, and it is even harder to spot on online systems if the criminals have everything they need to access it. Timing can be key, with dubious criminal activity started late on a Friday, the criminals safe in the knowledge that by Monday morning they will have finished whatever they planned, well before anyone is alerted.
Trust can also be built over time by way of fake accounts, whether on social media like LinkedIn or Facebook, on messaging platforms like Slack or Teams, by spoofed SMS text messages or by spoofed or compromised email. And let’s not forget the old-school telephone call, which has now been brought into the 21st century with deepfake cloned audio. There is a myriad of communication options the criminals can pick from, blending in with the hundreds of genuine interactions we may have every day. So, how do you tell the good from the bad?
This is where adopting a zero-trust mindset can help. Assume everyone is untrustworthy until you are happy with the risks. So, if someone you do not know calls, emails or texts you and informs you that you have a problem, do not initially trust them. They may give you some ‘truths’ to validate themselves, like your username or password, but these may have been harvested from an online data breach dump. Question everything and, most importantly, never install software on your computers or open a file that someone has conveniently given you to help with the ‘crisis’ they’ve informed you about. If someone knocked on your front door at home and told you that your door lock was damaged, but that you were in luck, as they were a locksmith and just happened to have a replacement lock with them, would you let them change your lock?
Everyone has something of value to a cybercriminal: bank accounts, email, contacts, social media accounts, computing power and an identity. Having the last one cloned can lead to a massive year-long financial headache; just ask the stand-up comedian Bennett Arron or read his book ‘HEARD THE ONE ABOUT IDENTITY THEFT?’ You can find more information about this book and a few others on cyber security at www.booleanlogical.com