Letter from the CISO, Vol 4 Issue 9
WashU Community:
For every season, there is a scam
Our theme for February is “Securing information, promoting innovation, supporting tech – IT is a labor of love.” This sets me up nicely to provide dire warnings about romance scams, tax scams, and deepfakes.
“Nearly 59,000 Americans lost $697.3 million to romance scams” screamed the headline of a recent article explaining the FBI Internet Complaint Center’s “2023 Cryptocurrency Fraud Report.”
Email security company KnowBe4 reports a nearly 200% increase in phishing attacks in the second half of 2024 and a 34.8% increase in Valentine-related email cons and phishing attacks compared to 2024. In November and December, we see a lot of fake package delivery messages. February is the month for romance targeting. Next up in March and April will be tax-related scams. Lately, I’ve seen a bunch of scam text messages telling me I have unpaid fees from toll road use.
In all cases, attackers exploit heightened emotions and create a sense of urgency. They seek to prompt a hasty, reflexive response, effectively increasing the likelihood of success in their phishing campaigns.
The phishing attacks reported by KnowBe4 are mostly simple scams. Some attacks pretend to be from major vendors, using look-alike website names, convincing user interfaces, and copied graphics. Hilton, Marriott Bonvoy, Walmart, Amazon, and 7-Eleven were the most frequently impersonated brands for Valentine-themed cons. Other attacks combined seasonal themes, offering Super Bowl Valentine’s Gifts from the NFL, hoping to grab your attention any way they can.
Abusing AI in deepfake attacks
KnowBe4 also reports that phishing attempts increased by 76% in 2024. More than 90% of cyberthreats were driven by social engineering – which is what cybersecurity people call confidence tricks. Increasingly, these attacks use artificial intelligence (AI) to create highly believable deepfakes that impersonate users.
Deepfake tools allow an imposter to combine a targeted person’s facial images from public websites with less than a minute of recorded audio to put on a “deepfake” mask and voice that look and sound like the target.
A fellow CISO at another organization told me the other day that he was having difficulty convincing his executives that this kind of deepfake was possible, so he joined their next Zoom meeting “deepfaking” his CEO. This stunt was very successful in getting everyone’s attention and justified efforts to improve their identification processes, eventually outsourcing it because it was so difficult to do well internally.
Coded safe and stress words
In previous columns, I have encouraged everyone to establish family, social group, and work team code words by which someone can verify the identity of another member of the group and, therefore, the legitimacy of a request.
For example, my widowed neighbor’s adult son received a call from someone claiming to have taken her hostage. They threatened to hurt her unless money was transferred via a cash transfer app, with a woman sobbing in the background. He could have asked for the code word to verify that this wasn’t a complete fabrication. It turned out to be a fabrication, but only after $750 was sent, four police cars descended on her house, finding her talking with a neighbor in her garden, and a lot of stress was endured. Safe words can be favorite vacation spots, places, schools, or companies where people first met or important shared memories that didn’t make it onto social media.
Taking this to the next level, your circles of family, friends, and coworkers can also have coded “stress” words. They subtly verify the identity of the person involved but also signal that they are under stress or something is wrong. This would be useful if someone is being forced to do something against their will but can’t say so. For example, if someone’s name is “Robert,” but he goes by “Bob,” it could be as simple as calling him “Robert.” Or, if the family’s favorite vacation is Disney World, one might say Disneyland, Universal Orlando, or Busch Gardens. Or if everyone in the family hates cold weather, one might say “skiing.”
Perpetual vigilance is hard
My monthly mantra encourages everyone to be “vigilant, skeptical, and a little bit paranoid.”
Part of being paranoid is worrying enough about these things that you take time in advance to establish the coded safe and stress words. It may be possible to improvise by telling stories with falsehoods to see if the other person notices (sort of like asking for a safe word) or to signal inauthenticity to the other person (indicating a stressful situation).
If you need help with any of these ideas, please contact the Office of Information Security.
Thank you for reading my column and for being a member of the university’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO