In a Nutshell: Scammers are constantly working on ways to gain access to internet users’ sensitive data. We spoke to Mason Wilder, CFE, a Research Specialist at the Association of Certified Fraud Examiners, to learn more about this crucial topic that can potentially impact 89% of Americans. Wilder said fraudsters are developing new ways to hack into company databases and individual accounts, including intercepting multifactor authentication (MFA) credentials. And with artificial intelligence on the rise, scammers could soon be using AI to create deepfakes, which are fake videos that can be indistinguishable from real ones. Wilder said consumers must remain vigilant by varying their passwords, using MFA when possible, and looking out for scamming trends such as a company requesting payment in gift cards.
In 2000, almost half of American adults did not use the internet. In 2018, only 11% remained unconnected.
As the virtual world becomes increasingly intertwined with the real world, consumers must engage in online activity to keep up. Whether they are shopping, helping their children with school assignments, or keeping up with friends on social media, connecting to the internet is almost essential as a contributing member of society these days.
Now, more than ever, an individual’s sensitive information is susceptible to being exposed through security loopholes or online hackers.
Just in 2018, data breaches were revealed that affected millions of Marriott’s Starwood Hotels customers, MyFitnessPal users, Facebook users, T-Mobile customers, and many more. That doesn’t include the millions of less coordinated attacks on individual online accounts.
“The data breaches issue is kind of a constant in today’s world — there is always some new data breach,” said Mason Wilder, CFE, a Research Specialist at the Association of Certified Fraud Examiners. “At this point, everybody has personal information out there on the dark web or for sale somewhere online.”
Wilder is simply stating hard truths of the world we live in, but he said it doesn’t all have to be doom and gloom. Security standards are evolving to keep up with the latest hacking and scam techniques.
And, with a bit of diligence and vigilance, the average consumer can help to protect his or her data from future exposure.
Fraudsters are Finding Ways to Circumvent Multifactor Authentication Measures
Traditionally, internet users have created passwords to protect their online accounts. Over the years, password requirements have become more stringent, requiring some combination of upper and lower case letters, numbers, and special characters.
Passwords such as “password,” “qwerty,” and “123456,” simply won’t cut it these days (although they surprisingly remain among the most used passwords every year).
Many organizations in recent years have gone one step better than simply requiring more complex passwords. They are implementing multifactor authentication (MFA), which requires a user to present at least two forms of verification before gaining access to an account.
Common forms of MFA include signing in with a password and entering a secret number created by a token generator.
“One thing that is showing up more is fraudsters being more creative with finding ways to defeat multifactor authentication,” Wilder said. “A big one that’s been getting ink over the past couple of months is SIM swapping.”
Wilder said a scammer will call a victim’s phone company with some basic personal information, impersonate the account holder, and get the company to switch the account to a new SIM card. Once the new SIM card is activated, the scammer can then intercept the account holder’s multifactor authentication codes.
“This has been mainly associated with cryptocurrency theft,” he said. “Somebody will be bragging on Twitter about making a lot of money in crypto, and some fraudsters will see it and make that person a target.”
Once the scammers intercept the victim’s multifactor authentication information, they can then empty out the victim’s cryptocurrency wallet and make a clean getaway.
Deepfakes: Artificial Intelligence Can Recreate Voices and Insert a Person’s Likeness into Videos
Perhaps even more disconcerting is the increasingly common use of artificial intelligence and machine learning to scam internet users.
Wilder said some of these types of techniques, designed to circumvent biometric data, often show up in a category of fraud known as deepfakes (a portmanteau of deep learning and fake). The method has already been used a number of times to insert a celebrity’s likeness into fake, compromising videos.
Wilder said that, while deepfakes haven’t been widely used in scams so far, he could see them becoming more common in the near future as the technology spreads.
“Basically, people figured out a way to train AI programs by feeding them a ton of data and combine it with Photoshop-type programs to edit somebody’s face into a video,” he said.
The advanced AI that exists today can make fake videos or audio recordings virtually indistinguishable from real ones.
Wilder said researchers first presented the technology in 2017 and almost immediately technologically sophisticated fraudsters began using the new development for nefarious purposes.
Comedian and director Jordan Peele brought the topic to mainstream attention in 2018 when he made a convincing video of President Barack Obama hurling insults and using decidedly unpresidential language. In the video, Peele then reveals that it is fake, warns that this type of technology is going to become more common, and advises citizens to remain vigilant in detecting it and not to believe everything they see and hear.
Imagine receiving a voicemail from your boss asking you to send him some important information related to your job or company, Wilder said. Or, perhaps a family member calls in need of a quick loan. You might not think much about it and comply with the request.
But, what if those calls weren’t from your boss or from your family member, but were instead scammers using AI to get sensitive information or money from you?
Wilder Offers a Number of Tactics Consumers Can Use to Remain Vigilant Against Scams
“There’s no way to 100% protect yourself from being victimized,” Wilder said. “Everybody has personal information out there that’s come from a data breach at some point.”
But Wilder said there are steps consumers can take to help protect their identities and personal information online.
One of the most effective ways, he said, is for consumers to regularly check their credit reports, a service offered by many credit cards these days.
“If you’re in a situation where you’re not going to be applying for a new line of credit any time soon, you can also stay ahead by requesting a proactive credit freeze with the three bureaus,” Wilder said. “That way, if somebody does steal information and try to open a new line of credit, they won’t be able to.”
And when it comes time to apply for a new credit card or to purchase a new car, the consumer can simply request to end the freeze. Wilder said a proactive credit freeze used to only be available as a paid service, but, because of consumers’ increased security concerns, it is now available for free.
Wilder said it also pays to vary passwords rather than using the same passwords for different accounts.
“And even though I pointed out that people are figuring out ways to defeat MFA, I think consumers should still use MFA whenever it’s an option,” he said. “It’s not perfect, but it still provides you with better protection than just a password.”
Gift cards are going to be huge red flags for scams over the next couple of years, Wilder said. Emails are already circulating asking for a person to make some kind of payment using gift cards.
“No legitimate business will ever ask you to pay in gift cards,” he said. “If anybody ever asks for that type of payment, just run away because it’s a scam.”
Wilder also pointed out that with tax season upon us, consumers should be wary of tax fraud scams. Companies will advertise themselves as tax preparers that will get you the biggest refund possible but will ask for payment up front or payment in gift cards.
And in some cases, people have been contacted by companies or individuals claiming to be the IRS. The message states that there is a problem with the consumer’s tax return and that, to rectify the error, he or she needs to send a payment in iTunes gift cards.
Wilder said the IRS will never reach out in this manner and certainly will not ask for iTunes gift cards as payment.
Overall, Wilder said consumers should just be aware that fraudsters are finding more creative ways to use technology to gain access to sensitive information. And the security world is working hard to keep up with the evolving scams and doing its best to keep consumers safe.