Cyber insurance: The risks of a safety net

With increased cyber crime come higher demands and higher stakes, and with them a greater need for cyber insurance. Not only have ransom demands skyrocketed, but the average ransomware payment has also increased by over 40%, reaching over £150,000.

A ransom of this size could easily push some small and medium-sized businesses to the brink of insolvency or lead to a halt of operations that they simply cannot afford. Therefore, many businesses are turning to cyber insurance for protection against cyber risk.

Cyber insurance is typically meant for businesses that depend heavily on their IT systems being functional 24/7. Today, that covers almost all businesses, especially healthcare, critical infrastructure, municipalities, manufacturing, and transport and logistics industries. However, some companies that purchase a full-coverage plan start to let their guard down and may simply pay a ransom because they know the insurance company will later cover it.

The original purpose of cyber insurance was to cover the extortion losses of a business in the event of a successful ransomware attack, if the business had no other option but to pay the ransom demand for business continuity or to mitigate future losses. But a growing lack of vigilance and responsibility from some insured companies is tilting the balance of the cyber insurance market, forcing insurance companies to raise the premium price and adjust the underwriting standards to lower their own risks of loss.

The average global cyber insurance premium rate has increased by 32% year-on-year. Additionally, the insurers now require third-party IT companies to conduct a field examination on the insured company’s cyber security protocols to see if they reach a set standard. The checking process used to be mainly conducted via a self-assessment sheet; now, if the company doesn’t meet the standards, the vendor the insurers hire will tell the applicant company what they need to add, and the insurer won’t sign the contract until everything is in place.

Smaller enterprises are now faced with a dilemma: on one side is the risk of rapidly growing malicious attacks; on the other are expensive premium packages with complex prerequisites and clauses that might not necessarily cover all their losses. If this vicious cycle continues, the only beneficiaries will be the criminals.

What companies should know about cyber insurance

Every company owner should be aware of what they are looking for when it comes to cyber insurance. They should always read the fine print and understand the specifics of coverage, deductibles and exclusions. This safety net can be highly effective if the policy is correctly written, and the business is fully aware of its coverage and its likelihood of facing cyber risk.

Cyber insurance typically doesn’t cover three types of losses: potential future lost profits, loss of value due to the theft of intellectual property, and betterment (i.e., the cost to improve internal technology systems after the attack, such as IT upgrades after a cyber event). In other words, losses other than the initial ransom are unlikely to be covered by insurance.

Today, most ransomware attacks do not stop at the initial breach. Take the SolarWinds incident as an example. Instead of locking SolarWinds’ IT systems, attackers planted malicious code into the company’s Orion technology platform, which is used by more than 30,000 customers, including the U.S. Department of Energy, Department of Homeland Security, and other national agencies. In this case, hackers didn’t even ask for a high amount of ransom, but the damage and potential vulnerabilities this attack caused are immeasurable and cannot possibly be covered by insurance.

Ransomware insurance alone is not enough. A well-written policy should also cover data breach liability, regulatory compliance, and other cyber risk-related threats. There are also firms that specialise in cyber insurance and understand the risks related to specific organisations. The simplest way for business owners to find an insurance plan that best fits their company is to start with the current business liability insurance provider and ask if they have experts who deal with cyber insurance.

Lastly, business owners should never let their guard down. Putting an employee cyber security training programme in place and implementing robust cyber security tools and processes should always be the priority, as this helps to mitigate the risks from the root. Conduct regular IT checks and system updates to ensure all patches are implemented, eliminating backdoors for attackers. Training, education and awareness are absolutely vital.

Conclusion

With the ever-changing cyber attack landscape, businesses should be extra cautious. While cyber insurance can be a smart move, businesses should also learn to utilise other tools to protect themselves, including a robust training regime and a fit-for-purpose policy that meets the company’s situation.

If you require advice on cyber risk or would like to know more about cyber insurance, contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Finance sector facing cyber attacks

The 2021 Cybersecurity Census Report shows that, on average, finance companies each suffered approximately 60 cyber attacks over the past year. Cyber criminals typically target the finance sector via cyber attacks due to the vast amount of sensitive data that they hold.

Many of these attacks occur due to weaknesses in cyber security, for example employees reusing an existing password at work, or using login credentials such as ‘password’ that are easy to guess and hack. Others are due to system vulnerabilities or a lack of knowledge in knowing how to spot cyber attacks.

Some of the most common cyber attacks are:

  • Bots – automated programmes that can attack either directly through web requests to manipulate or disrupt a website, or indirectly, for instance through spam emails or by cracking passwords.
  • Ransomware – a type of malware that encrypts files and operating systems and can lock you out of your device. Until a ‘ransom’ is paid, the attacker keeps a hold over the system.
  • Web application attacks – web applications are easily accessible to hackers, who might trick users into clicking malicious links or install redirects.
  • Phishing – when users are targeted by email, telephone or text message and lured into providing sensitive data.

Financial institutions are also commonly being impersonated by cyber criminals who are tricking customers into transferring their funds into fake holding accounts. For instance, Monzo and Santander have received multiple fraud complaints due to criminals using phishing techniques on customers, baiting them with a text message and then holding long phone calls during which they convince victims to transfer all of their money into a ‘safe account’.

Combatting the risk of cyber attacks in the finance sector

In order to combat these cyber security risks, financial institutions must firstly ensure staff are trained to recognise attack attempts and know how to keep systems secure. Policies governing the locations and devices that staff can log in from, as well as their level of access, can also minimise the risk of attack.

Investing in software such as anti-phishing web browsing software can also help prevent phishing emails from reaching employees’ inboxes. IT teams can put email and link filtering in place, making use of blacklists to block malicious content.

Conducting cyber security risk assessments is important for identifying threats and the technology and software updates that are needed. Holding an audit, or having an external professional scrutinise the cyber security of the institution, can also provide an objective, thorough viewpoint for noticing blind spots and improving systems. Businesses should be thorough in making sure basic cyber security protections are put in place to protect data in the finance sector from cyber attacks.

“One of the main cyber risks for the finance sector is to think that cyber risks don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business whatever sector, and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”

Larger financial institutions should go beyond installing basic systems. Antivirus software, secure VPNs and systems such as Avast can all provide an extra layer of cyber security. Financial institutions must prioritise building a defence against advanced attacks and cyber security threats to the financial sector, so that these can be identified at an early stage.

Mitigation and prevention, as well as dealing with live attacks, is paramount within the finance sector. If an institution is armed with fraud prevention technologies, cyber criminals are more likely to be deterred from attacking. Therefore, installing security software that enables live detection alongside defensive walls against cyber threats is extremely important in ensuring that the internal and client-based information of the institution is protected.

If you require advice on cyber security systems or would like to know more about cyber threats to the financial sector, contact Cyber Risk & Security Consultant Graeme McGowan at graeme.mcgowan@esarisk.com, +44 (0)343 515 8686 or via our contact form.

Email spoofing

In this article, I’ll answer the questions:

  • What is email spoofing?
  • How do spammers spoof an email address?
  • What does a spoofed email look like?
  • How can you prevent email spoofing?

According to Proofpoint, 3.1 billion spoofed emails are sent every day, with attacks costing businesses $26 billion (about £18.8 billion) since 2016. The goal of email spoofing is like phishing, as fraudsters attempt to obtain sensitive information from the recipient or get them to download a malicious attachment. However, instead of simply imitating the email address of a trusted source, spoofed emails manipulate the way emails are delivered.

How do spammers spoof my email address?

Email spoofing is possible because of the way email providers send and deliver messages. When someone sends an email, it doesn’t simply go from the person who created the message to the intended recipient. Rather, it goes through an SMTP (Simple Mail Transfer Protocol) server configured in the client software.

You can think of this process like a sorting office for physical post. The SMTP server takes an incoming message and routes it to the relevant email server, which then directs it to the relevant user inbox. This gives criminal hackers the opportunity to input a bogus address in the ‘Sent’ field, because the SMTP server has no process to authenticate this information. As such, attackers can make it look as though the email has been sent by someone else.

What does a spoofed email look like?

Now we’ve answered the question ‘what is email spoofing?’, let’s examine what a spoofed email looks like. Below is a real-world example of a spoofed email received by multiple members of the ESA Risk team last week, purporting to be from ESA Risk’s Marketing Director. This email was caught by our spam filters, so it didn’t make it into anyone’s inbox, but it did arrive in their spam folder, so required manual intervention to fully eliminate the potential threat.


-----Original Message-----
From: xxxxxxx@staging.esarisk.com <rebeccasmith0900@gmail.com>
Sent: 20 October 2021 08:25
Subject: RAPID INTERVENTION

Good morning,

Hope you don’t have a lot of work to do? Well in case you do, peg it now because i have a task for you to carry out urgently.

Drop your number so i can brief you about it all.

Thanks.

Xxxx xxxxxxxxxxx @staging.esarisk.com

Sent from iphone


Spot the obvious issues with the above.

Here is another example of what someone might see when they receive a spoofed email:

[Image: what does a spoofed email look like]

There is nothing here that reveals the true nature of this message. The ‘From’ field displays the address provided by the scammer, but, crucially, this is not necessarily the email address from which the message originated. Only by investigating the email header (sometimes known as the envelope) can you tell if the ‘From’ field has been manipulated. This information isn’t typically displayed on email clients and will require you to look in your settings.

In most versions of Outlook, you can do this by double-clicking the message to get it to open in a separate window, then selecting ‘File’ and ‘Properties’. You’ll be presented with a long string of information, but within that you should see something that looks like this:

[Image: email spoofing – message properties showing the From and reply addresses]

You can see here that, although the message says it’s from the employee’s boss, there is a different address in the reply field. When the recipient responds, the message isn’t going to ‘boss@company.com’ but to ‘scammer@scammail.com’. This is a big clue that the original email address has either been forged or compromised. A bogus email address won’t always be as easy to spot, however. You may well encounter the same technique as standard phishing attacks, with the attacker replicating the email address of a genuine organisation.

In this example, the sender might register the email domain ‘conpamy.com’ – transposing the ‘n’ and the ‘m’. This can be tricky to spot, and it’s why organisations should adopt SPF (Sender Policy Framework). SPF is a security protocol that works alongside DMARC (Domain-based Message Authentication, Reporting and Conformance) to detect malware and phishing attacks. It does so by comparing the IP address from which the email was sent to the address in the ‘From’ field.
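The two clues described above, a reply address that doesn’t match the visible sender and a look-alike domain such as ‘conpamy.com’, can both be checked mechanically before a message reaches anyone’s inbox. The script below is an added example written for this article, not ESA Risk’s own tooling; it uses only the Python standard library, the message it inspects is constructed to mirror the boss/scammer case above, and the list of known-good domains and the edit-distance threshold are assumptions for the example.

```python
"""Spoofed-mail triage: Reply-To mismatch and look-alike sender domains.

Hypothetical helper written for this article (not ESA Risk's code); it uses
only the Python standard library. SAMPLE_RAW below is a constructed
message, not a real capture.
"""
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation legitimately sends from (assumed list).
KNOWN_DOMAINS = ("company.com",)

# Typosquats are normally within a couple of edits of the real name:
# 'conpamy.com' swaps two letters (2 substitutions), 'cornpany.com'
# uses 'rn' for 'm' (2 edits). Threshold chosen for this example.
MAX_EDITS = 2

# Constructed message mirroring the article's example: the visible From
# claims to be the boss, but replies are silently redirected elsewhere.
SAMPLE_RAW = """\
From: "The Boss" <boss@company.com>
Reply-To: scammer@scammail.com
To: employee@company.com
Subject: RAPID INTERVENTION

Drop your number so I can brief you.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert/delete/substitute plus
    adjacent transposition, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Known domain that `domain` imitates (within MAX_EDITS), else None.
    An exact match is legitimate, not a look-alike."""
    for good in known:
        if domain != good and edit_distance(domain, good) <= MAX_EDITS:
            return good
    return None


def triage(raw):
    """Findings (list of strings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for header in ("From", "Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header, ""))
        target = lookalike_of(dom) if dom else None
        if target:
            findings.append(f"{header} domain {dom} looks like {target}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW):
        print("WARNING:", line)
```

A mismatch between From and Reply-To is not proof of fraud (mailing lists and ticketing systems do it legitimately), so this is a triage signal for a mail gateway or a help-desk check, not an automatic block. The edit-distance threshold is deliberately loose; on very short domain names it will produce false positives, which is why the known-domain list should only contain your own and your close partners’ domains.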

If you’ve implemented SPF, the email header will contain a string of text that looks like this:

[Image: prevent email spoofing – Received-SPF header showing a failed check]

You can see that this message failed the test, because the client’s IP is not permitted to send messages from the company domain. Implementing SPF helps flag suspicious emails and reduces the burden on employees to spot scams. However, for it to work, the domain holder (which in most circumstances will be your organisation) must configure a DNS TXT entry specifying all IP addresses authorised to send email on behalf of the domain.
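To make the SPF check above concrete, here is an added example of how a receiving server evaluates a domain’s DNS TXT record against the connecting IP; it is illustrative code written for this article, not ESA Risk’s code or a production SPF library. It handles the ip4, ip6 and all mechanisms with their qualifiers and ignores include, a, mx and exists (which need live DNS), and the domain, record and IP addresses are constructed from the documentation ranges. One caveat worth knowing: SPF itself checks the envelope sender domain (the SMTP MAIL FROM); tying that result to the visible ‘From’ header is the alignment check that DMARC adds.

```python
"""Minimal SPF check against a DNS TXT record, offline.

Hypothetical helper for this article (not a production SPF library). It
evaluates the ip4, ip6 and all mechanisms with their qualifiers; the
include, a, mx and exists mechanisms need live DNS and are skipped, so a
real deployment should use a full RFC 7208 implementation.
"""
import ipaddress

# Constructed record for an assumed domain; 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges, not real mail servers.
SAMPLE_DOMAIN = "company.com"
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

# Leading qualifier on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (result_if_matched, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        result = "pass"                      # no qualifier means '+'
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((result, mech.lower(), arg))
    return parsed


def check_spf(sender_ip, record):
    """SPF result ('pass', 'fail', 'softfail' or 'neutral') for the
    connecting IP against the record; first matching mechanism wins."""
    ip = ipaddress.ip_address(sender_ip)
    for result, mech, arg in parse_spf(record):
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return result
        # include / a / mx / exists would need DNS lookups: skipped here.
    return "neutral"                         # no mechanism matched


def received_spf_header(sender_ip, domain, record):
    """Build a Received-SPF style header line (simplified format) like the
    one a mail server stamps on the message for later inspection."""
    result = check_spf(sender_ip, record)
    if result == "pass":
        reason = f"{domain} designates {sender_ip} as permitted sender"
    else:
        reason = f"{domain} does not designate {sender_ip} as permitted sender"
    return f"Received-SPF: {result} ({reason}) client-ip={sender_ip}"


if __name__ == "__main__":
    # A message relayed from an address outside the published ranges fails,
    # whatever the visible From header claims.
    print(received_spf_header("198.51.100.7", SAMPLE_DOMAIN, SAMPLE_SPF))
    print(received_spf_header("203.0.113.10", SAMPLE_DOMAIN, SAMPLE_SPF))
```

The choice between ‘-all’ (hard fail) and ‘~all’ (soft fail) at the end of the record matters: with ‘~all’ a message from an unlisted server is only marked as suspicious, so the spam filter, not SPF, makes the final call. When publishing a record, list every service that sends on the domain’s behalf (marketing platforms, ticketing systems, the staging environment seen in the example above) or legitimate mail will start failing too.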

How to prevent email spoofing and what to do if your email has been spoofed

At this point, I’m sure you’re asking the question: ‘How can I stop spoofing emails coming from my email address?’ Technical solutions such as SPF can help protect organisations from email spoofing. They can be implemented alongside spam filters and anti-malware software to give you the best chance of flagging suspicious messages before they reach employees’ inboxes.

However, these tools are never foolproof. Scammers are always finding clever ways to bypass security mechanisms, and they may even ask you, the recipient, to confirm that the email is real and valid, so it is ultimately down to the recipient to decide. As such, you must ensure that employees are trained to detect, and respond appropriately to, suspicious emails.

Phishing emails always contain clues that can help you spot their true nature. ESA Risk provide training for you and your teams on these issues and all things cyber security.

If your email has been spoofed, you want to prevent email spoofing or you have any other cyber security questions or concerns, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form for advice.

Cyber fraud and cyber crime in the charity sector

The Cyber Security Breaches Survey 2021, published by DCMS, found that 26% of almost 500 voluntary sector organisations surveyed had reported cyber fraud over the previous year. The report shows that while charities generally compare favourably with private sector businesses – 39% of which said they had suffered cyber security breaches or attacks – the number rises to 51% among charities with annual incomes of £500,000 or more. A quarter of those organisations that had suffered attacks said they had to deal with them on a weekly basis.

The survey, which took place between October 2020 and January 2021, found that the most common type of cyber attack for charities was phishing, identified by 79% of respondents. Phishing often involves trying to con recipients into giving away personal details or passwords. This was followed some way behind by impersonation attacks, suffered by 23% of respondents, where emails are sent out impersonating the charity. Among the charities that identified breaches or attacks, the survey found that 18% ended up losing money, data or other assets.

And even if money, data, or assets were not lost, 4 in 10 charities were still negatively affected for reasons such as requiring new, post-breach measures or having staff time diverted to deal with the problem, the report found – a reputational risk for any charity.

The fallout of such attacks was highlighted last year when more than 100 UK charities reported being caught up in the Blackbaud cyber attack, which targeted commonly used financial software.

While the DCMS report makes it clear that cyber security is still a major issue for many charities, the proportions reporting negative effects of breaches or attacks in 2021 are significantly lower than in previous years. This is not because attacks are any less frequent, the report says, but it could be due to more organisations implementing basic cyber security measures following the introduction of the General Data Protection Regulation (GDPR) in 2018.

Cyber security is also higher on the agenda of trustees, researchers found; 68% of charities said it was a high priority for them, compared with 53% who said the same in a previous study in 2018.

Charities are bigger cyber attack targets than they realise

Many charities, especially the smaller ones, fail to realise the value of the data they possess, according to a report by the National Cyber Security Centre (NCSC). Unfortunately, cyber criminals do realise the value of this data, making charities vulnerable targets to a cyber attack.

While the average person may find it unconscionable to steal from a charity, there are a number of perpetrators looking for some financial gain, besides the typical cyber criminal. This may include:

  • Suppliers and third parties – it’s common for charities to outsource the responsibilities of running, maintaining, and securing their data.
  • Terrorists – terrorist groups are likely to deface websites and publish victims’ personal details online, which is a process known as doxing.
  • Nation states – nation states use cyber crime to further their agendas.
  • Insiders – one of the biggest threats: disgruntled staff with access to their employer’s data may commit cyber crimes for money or simply for revenge.
  • Hacktivists – hackers will target charities if they disagree with the charity’s purpose or are motivated by a specific cause.

In order to prevent cyber criminals from accessing your charity’s valuable data, the NCSC Small Charity Guide recommends taking these precautions:

  • Back up your data and protect it with strong passwords
  • Protect your organisation from malware
  • Keep your smartphones and tablets safe.

Simple advice and a sobering but easy way to protect against cyber threats

Here is an example of how small differences in passwords can make a huge difference to would-be cyber attackers.

Password       Time to crack
charity        22 milliseconds
Charity        18 hours, 58 minutes, 27 seconds
Charity1       5 months, 2 weeks, 3 days
CharityNo1     1 millennium, 7 centuries, 6 decades
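The jumps in the table come from two things: each extra character class (upper case, digits) enlarges the alphabet an attacker has to search, and each extra character multiplies the number of candidates by that alphabet size. The script below is an added example written for this article, not the estimator behind the table above; it counts the exhaustive-search keyspace for each of the four passwords and converts it to time at an assumed rate of a billion guesses per second, so the times it prints will not match the table, which used a different (undisclosed) rate.

```python
"""Brute-force keyspace growth for the four passwords in the table.

Added example for this article, not the tool that produced the table. It
uses the smallest character-class alphabet that contains the password
and an assumed guess rate; both are illustrative assumptions.
"""
import string

# Character classes and how many symbols each adds to the search alphabet.
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),   # 32 symbols
)

GUESSES_PER_SECOND = 10**9      # assumed offline cracking rate (hypothetical)

PAGE_PASSWORDS = ("charity", "Charity", "Charity1", "CharityNo1")


def alphabet_size(password):
    """Size of the smallest class-based alphabet containing every character."""
    size = 0
    for chars, n in CLASS_SIZES:
        if any(c in chars for c in password):
            size += n
    return size


def keyspace(password):
    """Candidates an exhaustive search must cover: alphabet ** length.
    This is the worst case; on average about half are needed."""
    return alphabet_size(password) ** len(password)


def crack_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the assumed rate."""
    return keyspace(password) / rate


def humanise(seconds):
    """Coarse duration string using the largest whole unit that fits."""
    for name, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{int(seconds // length)} {name}"
    return f"{seconds:.3f} seconds"


def table(passwords=PAGE_PASSWORDS):
    """(password, alphabet size, keyspace, human time) for each password."""
    return [(p, alphabet_size(p), keyspace(p), humanise(crack_seconds(p)))
            for p in passwords]


if __name__ == "__main__":
    print(f"{'Password':<12}{'Alphabet':>9}{'Keyspace':>22}  Worst-case time")
    for pwd, alpha, space, when in table():
        print(f"{pwd:<12}{alpha:>9}{space:>22,}  {when}")
```

The keyspace figures are an upper bound for a blind search; a real attacker tries dictionary words with common mangling first, so ‘Charity1’ (a word plus a single digit) falls far sooner than its keyspace suggests. That is why the NCSC advice favours length and unpredictability, such as three random words, over a capital letter and a digit bolted onto one word.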

How ESA Risk can help charities become cyber-secure

At ESA Risk, our Cyber Security consultants have years of experience in the industry that equip them to protect your confidential data and your money from cyber criminals. Get in touch with us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form, to find out how we can help make your charity cyber-secure.

This article was published as part of Charity Fraud Awareness Week 2021.

5G and cyber security

5G works with lower power usage and latency on devices, proposing a more nimble and agile use of technology once it becomes commonplace, such as loading online content faster and making many devices more efficient.

5G will also make use of network virtualisation (NV) which uses software and hardware resources on one virtual network, to optimise network services and enable remote resolutions to any issues. The accelerated speed of 5G in comparison to its forerunners can also contribute to cyber security packages, offering new ways to increase security measures. This could include the Internet of Things (IoT) and an increased use of cloud computing, to aid business networks, in particular, with gaining control over cyber security.

However, 5G comes with potential threats and risks. The network uses software-defined routing rather than hardware-based switching, and this new digital routing contains various vulnerabilities that present risks to users.

Vulnerabilities of 5G cyber security

  • Hackers could potentially gain control of the software that manages the entire network, putting millions of devices at risk. Even if the software is initially managed by advanced computer technology this too can be vulnerable.
  • 5G being used by the Internet of Medical Things (IoMT) can put client medical information at risk, as, if the network is hacked, information can be manipulated or altered.
  • Higher frequency coverage of 5G means that the transmitters cover less area so the number of cell towers will have to increase, otherwise network coverage will be poorer.
  • IoT networks involve a connection between many devices, giving hackers more options to target. Since these devices can individually be hacked, it puts the entire connected network at risk. This includes city infrastructure and drones that will all transmit personal data.
  • Huge amounts of data will be stored together on the cloud (rather than on secure local servers) so masses of information could be accessed by infiltrators.

Implementing safeguards

It is important to implement regulations and security measures to avoid breaches and data being leaked. Network operators must make sure to secure IoT devices and protect the network to ensure privacy policies are upheld. Installing software updates and patches helps to maintain security, alongside password protection for the various devices and applications.

The reliance of 5G on digital networks makes it more difficult for IT teams to control risks and attacks, so the network structure must have solid inbuilt defences such as firmware and security operating systems. Mitigation techniques and patching can help to protect IoT devices that will be using 5G. IT employees should also be educated on the security threats that 5G brings so they can be equipped to manage them and human error-based attacks can be avoided. SaaS (Software as a Service) providers will require the means to protect against attacks and individual devices may require installation of a virtual private network (VPN). Conducting regular malware scans and installing firewalls is also a way to secure devices.

5G will certainly bring many positives, such as increased speeds and reliability, so it is paramount that there is a strong understanding of how to protect the interconnected network of devices. 5G particularly protects privacy on devices, as it is cloud-based and rooted in digital software, so more data can be encrypted and safely stored. It will offer a broadening of IoT and be a powerful, faster network and asset to many. And with its development will come a fashioning of artificial intelligence systems that will be able to target and mitigate threats and secure sensitive data at the same time.

Cyber security support from ESA Risk

If you need advice or support on anything cyber security-related, contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

7 Steps to Data Security

For an organisation, it is of paramount importance to identify areas of exposure and develop adequate risk management programmes that address data privacy and security. To help you get started, here are 7 questions to frame your thinking. If you can confidently meet the requirements in the 7 questions, then you are on your way to better data security.

1. Is the corporation aware of all applicable legislation pertaining to customer data?

For UK businesses, the main legislation is the Data Protection Act (DPA) 2018, but there may be laws in other jurisdictions which you also need to comply with if you do business or have customers outside of the UK. For example, the EU’s General Data Protection Regulation (GDPR) applies to all EU citizens and therefore any company processing the data of EU citizens. While most of the GDPR is currently enshrined in UK law (in the DPA 2018), this isn’t the case for all data laws worldwide, and the UK’s implementation of the GDPR is under consultation. 

2. Is any personal identifiable information (PII) or client confidential information stored on computers or in paper files on premises?

If so, where specifically is the data stored, how is it secured, who has access and how many PII data files are there? Track personal data throughout your entire information infrastructure and identify all parties that have access to this data. Conduct an audit to inspect employee access to and use of personal data.

3. Are all of the company’s laptops encrypted? Are portable media devices like thumb drives prohibited or at least encrypted?

Devices such as laptops, smartphones, external hard drives and flash drives all present possible data security threats if lost, stolen, or hacked. While most people assume that system hackers are the greatest threat, recent studies show that lost or stolen portable devices are the most common cause of data breaches.

4. Has the company implemented strong internal password controls and information security training for all employees?

Make sure passwords are strong. It is also good practice to reset passwords periodically – 30-45 days is a good timeline – and never reuse a password across accounts. It’s also imperative to reset default passwords.

5. Are the company’s firewalls current and all security patches regularly updated?

A firewall can be the best defence when trying to isolate and contain breaches. Despite the expense, it is beneficial to invest in a robust set of firewalls that require user authentication.

6. Does the company outsource any services to third-party vendors that may involve a client’s information?

If so, does the third party have the right processes and procedures in place to protect the integrity of the data, as well as security measures governing those processes? If you outsource services to a processor, as the data controller you remain responsible for ensuring that any data processing complies with the DPA. Any contractual agreement should be supported by an indemnity from the third-party processor in favour of the data controller in the event of any breach. That means making sure suitable security arrangements are in place to meet the seventh data protection principle, that ‘appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of such data’.

7. Does the company have in force a detailed plan in case of a data breach?

In addition to developing and implementing a risk management programme for data breach, risk transfer via insurance can be a cost-effective risk management mechanism.

Need further support?

If you require expert assistance with compliance or risk management strategies, get in touch with our team. We’ll work with you to manage risk and keep your business cybersafe.

Contact Mike Wright (Risk Management & Investigations Consultant) for further advice.

Cyber threats to the banking industry

As reported by The Financial Conduct Authority, British financial service companies have seen a fivefold rise in data breaches since 2018 compared with previous years. As the number of cyber threats continues to increase, a stark reality is setting in for many financial institutions: that if they are currently not confident in their ability to manage their current threat level, they might soon find themselves staring over the cliff edge.

The story of cyber security within the banking industry for 2021 will be one of financial institutions placing greater scrutiny on their existing security environments, reining in their focus to ensure that they have the strongest foundations to help them weather the ensuing storm.

The problem of third-party security 

Monitoring third parties’ cyber security is a growing concern for banks. There is continuous pressure on financial institutions to achieve full visibility and a complete understanding of their vast network infrastructure, including tightening security over their increasing portfolio of third-party environments. To deal with this issue, it is necessary for financial institutions to meticulously investigate their APIs and consolidate their security architectures so they have an improved awareness of the risks that face their business.

The confusion of cloud misconfiguration

Banks have welcomed cloud technologies with open arms. Cloud as a platform is now being used to cope with a surge in data, improve operational efficiency and develop banking platforms. Financial institutions are especially interested in how rapidly cloud services can be integrated alongside existing operations.

However, as banks try to roll out cloud services as quickly as possible, security is being deprioritised to spin up new infrastructure as a service (IaaS) cloud environments. This has resulted in the risk of access point misconfiguration. If financial institutions don’t make sure that security underpins all cloud initiatives, it is likely that the propagation of these types of risks is only going to increase next year.

As cloud is a comparatively new technology, banks are still grappling with how to achieve complete network visibility and comply with necessary security standards. Confusion around how to secure cloud is no excuse, however, for deploying insecure cloud services. Financial institution security teams need to work with DevOps to establish a better way of working that eliminates the possibility for misconfiguration, and they need to do so quickly. The number of vulnerabilities reported which affect cloud IaaS is likely to increase by 50 percent over 2018 figures by the end of 2021, according to Skybox Security’s 2019 Cloud Trends Report. To manage emerging cloud risks in 2021, we are going to see financial organisations pigeonholed into a position where they have to bolster their network audits and tidy up their firewalls.

Cyber threats to the banking industry from technical debts

Financial organisations are constantly being held back by their often-archaic legacy technology. One sector that will be especially vulnerable in 2021 is the ATM industry. This is because many of their operating systems rely on Windows 7, an operating system that will no longer be supported by Microsoft.

To move forward with their digital transformation plans, banks must continue to deploy new controls on top of their old systems. For security teams to cope with the increasing complexity of their aging infrastructure, they must endeavour to embed security within their transformational plans. It’s imperative they look at how they protect their existing environment while simultaneously bolstering their security measures.

“In addition to Graeme’s informative insights into the state of the current financial industry in the UK, the paramount concern among the relevant security management is trying to keep their current teams as upskilled as possible; as the cyber threats get more and more sophisticated, the harder it is becoming to prevent any future attacks. It’s more a game of detect and fix rather than prevention, which is the wrong way round.”

Ali Twidale – Banking & Financial Fraud Consultant at ESA Risk

Processes and people play a part

Banks aren’t immune to the ongoing cyber security skills crisis. But, as they fight to keep members of their security team on board, there is an absence of staff to keep on top of basic tasks such as vulnerability patching. Despite endeavours to use technology to manage these tasks more effectively, there is still a surprising over-reliance on manual processes throughout the sector. Throughout 2021, financial institutions will need to find fresh means of utilising their existing resources more successfully. This can be achieved through readjusting workloads based on detailed threat intelligence, automating more processes and with greater frequency, consolidating activities, combatting organisational silos, or a combination of these tactics.

Ransomware rises again

The propagation of cryptominers was a primary concern for many financial institutions at the beginning of 2019 and will continue into 2021. Criminals are profit-driven, and the most profitable tactics for them now are their old favourites: botnets and ransomware.

In response to this threat, banks must prioritise operational resiliency. Right now, many organisations are encumbered by a bloated collection of point products. To increase efficiency and better deal with the changing threat landscape, many are seeking to consolidate their cyber security solutions in 2021. To tackle the imposing threat of botnets, systems should be amalgamated, and data normalised to form an intelligence-driven understanding of the complete network. To spot these attacks and remediate their most exposed vulnerabilities, banks need to have this insight.

2021 isn’t going to be easy for chief information security officers (CISOs) operating in the financial services sector. Only time will tell if the sheer volume of cyber threats and attacks knocking at their door gets too much to handle. As talent remains scarce and threats multiply, banks must be sure to invest in the technology that can keep them abreast of the most critical security issues facing their organisation.

Deepfakes: 2021 Report

Deepfakes are not a new threat, but have been steadily advancing, making this type of fraud difficult to identify. Most deepfakes are created for entertainment purposes, for example in films to ‘resurrect’ deceased cast members, bringing them back to life on screen. Even a Google search will give you a taste of what can be achieved with deepfake technology, like this video apparently showing Mark Zuckerberg giving a speech about data “stolen” by Facebook. It was created by artists Bill Posters and Daniel Howe to demonstrate the potential power of fake news.

How is a deepfake created?

To create a convincing deepfake video, software is used to analyse the facial expressions of the chosen subject using artificial intelligence (AI). This information can then be used to create a video, superimposing the subject’s face onto real footage of someone else. Fairly convincing results can even be created live during a video call. The poor connection and grainy image we often experience during a video conference would mean that the fake doesn’t have to be perfect to work.

Next comes creating the audio. Freely available software such as Lyrebird AI allows you to impersonate anyone’s voice. “Record 1 minute from someone’s voice and Lyrebird can compress her/his voice’s DNA into a unique key. Use this key to generate anything with its corresponding voice,” says the Lyrebird website. None of this software is illegal or requires a special licence to use, meaning anyone can access it. And if you don’t have the technical knowledge to create a deepfake yourself, you can pay someone else a couple of hundred pounds to do it for you.

Deepfakes in business

But what are the threats to businesses from this type of technology? Admittedly, the chances of someone using a deepfake to impersonate your CEO to extract funds are slim. But, despite the odds, this has happened – and using a far less sophisticated approach than some of the high-profile examples you will see posted online for entertainment purposes. In October 2019, it was reported that a top executive in a UK-based energy company had been duped into transferring £200,000 to cyber fraudsters. The perpetrators used AI voice technology to mimic the executive’s boss, who was based at the German headquarters. The executive was instructed to move the funds immediately to a Hungarian bank account and was told they would be returned later. They never were.

This example demonstrates several factors fraudsters rely upon to ensure a deepfake fraud is successful:

  1. Authority: In the above example, the senior executive was the head of the UK arm of the company. Despite this, he still felt unable to question the instructions he was given from his boss. Fraudsters rely on professional hierarchies and social norms to predict people’s behaviour patterns. Authority is a useful tool for criminals because people are often reluctant to question it.
  2. Urgency: If we are told something is urgent (especially by a superior) it immediately changes the way we react and inhibits our ability to think clearly. Instead of following the normal steps required, we rush – focusing our attention on getting the task done, rather than how or why we are doing it in the first place.
  3. Doubt: 9 times out of 10, phone calls are genuine. Fraudsters rely massively upon the ‘benefit of the doubt’.
  4. Distance: Contacting someone through email or by phone creates a barrier, allowing for certain inconsistencies or discrepancies to be overlooked or allowed for. The slight difference in the German executive’s voice in the energy company might have been due to the phone line, or because of background noise, or because they’d been unwell. A difference in tone of voice in an email could be because the person was in a rush.

Deepfakes and Covid-19

Even if you had never used a video conferencing app before the Covid-19 pandemic, you will no doubt be more than familiar with the software today. This influx of inexperienced, regular users of apps such as Zoom, Skype and Microsoft Teams has provided an unending supply of data for cyber criminals to exploit. Zoom came under fire recently when it was revealed that thousands of private recordings of Zoom calls could be easily accessed online by doing a simple search of cloud data storage. The recordings weren’t those held by the platform itself, but were files that had been stored locally by the individual users – an option that was given to Zoom users once a recording had been created. Nonetheless, this still means hours of footage are available for fraudsters to access online and potentially use to create deepfake videos.

In times of crisis, financial institutions will always be prime targets for cyber criminals looking to cash in. For this reason, cyber security is something all firms should be investing in right now. But do they fully understand the risks posed by AI and deepfakes?

In my experience, the answer has to be, no, absolutely not. There is a complete lack of training, education and awareness about cyber risk in general, even in some of the UK’s largest financial institutions. AI now allows cyber criminals to take their phishing to the next level, meaning that we can’t rely on a phone call or even a video call to verify authenticity. The solution is to get a proper HR training regime installed in every institution. Every company in every sector should have one for every worker, from the cleaner to the CEO.

Social engineering

Cyber criminals use a combination of factors to break down security barriers in firms and improve the success rates of deepfakes, including social engineering. This involves manipulating individuals to divulge sensitive information which can then be used to access internal systems, or convincing people to transfer funds or data. Keeping employees happy is a huge part of mitigating this risk. But ensuring sensitive information is always treated as such should be the first step.

I was delivering a talk at an event recently and 2 women who worked at one of the UK’s largest insurance firms approached me afterwards. They said they were a bit concerned about cyber security in their office because they had a notebook where everyone’s usernames and passwords were kept for convenience. This kind of mistake is frighteningly ignorant, but also terrifyingly common. Once criminals have access to a senior executive’s email account, they can easily impersonate that individual and gather enough data to extract funds or cause untold damage. And that’s before we’ve even entered deepfake territory. All they need is a disgruntled member of staff with an axe to grind and they could easily get hold of that notebook.

Combatting deepfake fraud

AI technology is advancing all the time, so deepfakes are only going to become more convincing. For businesses, this means upping the ante when it comes to verification methods, even if it seems ‘silly’ or unnecessary.

Encouraging employees to feel comfortable in getting verification from a senior member of staff is essential. Measures such as calling someone back if they have phoned you to ask for a funds transfer, or implementing a series of security questions which only that particular person would be able to answer, are vital. Of course, many of the examples we have seen of deepfake voice calls have involved something that doesn’t usually happen, e.g. a call out of the blue from a senior executive asking for an urgent payment. Firms need to create strict protocols that are always adhered to, to ensure that a call like this would immediately trigger alarm bells.

If going against protocol is a common occurrence, it increases the likelihood of a deepfake’s success. Being organised and always following the same process and verification measures – without fail – will mean any deviation from normal practice will be easily picked up. If you are unorganised and regularly make exceptions to the rules, how can you expect your staff to know the difference?

Always one step ahead

Active learning technology allows cyber criminals to boost the success rates of phishing emails and other such scams by gathering data on what works and what doesn’t, then using this information to adapt their approach. Cyber criminals are always one step ahead. This is why it is so important to keep educating staff about the technological capabilities cyber criminals now have. Share examples of incidents that have occurred, remind staff of the protocols they must follow and don’t just limit cyber risk training to new recruits; it should be ingrained in everyday, business-as-usual activities so that being aware of these types of risk is second nature.

The sheer speed with which technology is progressing is what makes deepfakes so concerning. In a documentary called The Weekly for The New York Times, investigative journalist David Barstow followed a group of AI engineers and machine-learning specialists in their quest to create the perfect deepfake. Their abilities and the capabilities of the technology they were using – which could easily fall into the hands of criminals – was as impressive as it was alarming. “It’s astonishing the progress a handful of smart engineers were able to make in a matter of months,” Barstow said. “Teams of computer scientists around the world are racing to invent new techniques to quickly identify manipulated audio and video. The bad news [is] some deepfake creators are incorporating the machine-learning algorithms behind those countermeasures to make future deepfakes even harder to detect.”

Barstow believes that even global web platforms like WhatsApp and Facebook are “woefully unprepared” to help users spot deepfakes. If business is to ensure it doesn’t fall foul of this growing threat, firms need to start taking it seriously now before it’s too late.

Common security mistakes that could result in deepfake fraud:

  • Sharing too much information on social media platforms.
  • Not questioning authority – assuming because the boss calls you should bypass all normal security protocols.
  • Leaving cyber security to the IT people – it should be part of every employee’s induction and ongoing training.
  • Not looking after staff welfare – disgruntled employees may have access to sensitive information, internal systems, usernames and passwords.
  • Not securing personal devices properly – especially in light of increased home working during the Covid-19 pandemic.
  • Trusting someone you have only met remotely.

High-profile examples of deepfakes:

American actor, writer and producer, Jordan Peele, created a deepfake video of Barack Obama making outrageous statements and openly criticising US president Donald Trump to demonstrate the potential power of fake news on politics.

Artists Bill Posters and Daniel Howe made a convincing deepfake video of Facebook CEO Mark Zuckerberg, where he appears to tell CBSN news that he owns “billions of people’s stolen data…all their secrets, their lives, their futures.”

Speaker of the US House of Representatives, Nancy Pelosi, has been targeted several times by individuals looking to damage her reputation through fake videos. The examples here are not technically deepfakes, but the speed and pitch of her voice has been altered to make it sound like she is drunk. It is still not known who is responsible for creating these videos.

Catalan artist Salvador Dalí was brought back to life in 2019 as an exhibition “host” by the Dali museum in Florida. The interactive installation included 45 minutes of footage over 125 videos, which allowed more than 190,000 different combinations depending on visitor responses.

Last year, a suspicious video of the President of Gabon after a long absence sparked rumours of a deepfake, resulting in an attempted military coup. This example demonstrates how even just the knowledge that deepfake technology exists can make us question whether what we are seeing is real.

In July 2020, it was discovered that published British journalist Oliver Taylor, who claimed to have studied at the University of Birmingham in the UK, was in fact a deepfake. Alarms were raised when an article by Taylor was published in US Jewish newspaper The Algemeiner, criticising activist couple Mazen Masri and Ryvka Barnard and accusing them of being “known terrorist sympathisers.” A fabricated photograph and an account on question-and-answer site Quora are the only record of his existence. Despite this, “Taylor” had several articles published in newspapers, including the Jerusalem Post.

The dark web uncovered

The internet enables anonymity and layering between the surface web, which most users browse, and the dark web, which is less accessible. The latter enables various kinds of black-market trading, illegal selling and criminal activity via hidden websites and private networks.

The dark web can be found through The Onion Router (TOR), an open-source software that encrypts users’ data and provides a more private browsing route. Taking the name ‘onion’ from its multi-layered protection of data, TOR makes it harder to trace a user’s activity or location and can enable anonymous online communication.

The dark web is said to be considerably bigger than the mainstream web that most people use. Think of the web as an iceberg, with a huge amount of information above the water in plain sight, but even more hidden in the murky depths below. Yet, for the most part, it remains a mystery, even to law enforcement.

However, illegal operations running through the dark web have been revealed and shut down in the past. For instance, in January 2021, a worldwide illegal marketplace was found and its operations stopped. ‘DarkMarket’ was a selling place for various illegal merchandise, including drugs, malware and stolen credit card details. The marketplace was only available to dark web users for the purpose of ensuring identities remained hidden, but international law enforcement agencies were eventually able to infiltrate it and take the site down.

Nevertheless, this hidden part of the internet is still at large, as criminals take advantage of law enforcement’s lack of knowledge surrounding it. As internet service providers cannot directly observe web traffic on the dark web, it is extremely difficult to locate its online criminals, as opposed to crime or fraud that takes place on the surface web.

Further examples of the illegal activity on the dark web include:

  • Black markets selling weapons and drugs
  • Gambling
  • Illicit pornography
  • Hacking groups and services
  • Scams
  • Malware and ransomware.

Users of the dark web have now started to exchange money using cryptocurrencies, such as Bitcoin, meaning they can implement further anonymity when conducting purchases. However, users are also exposed to scams within the dark web itself. Some black markets are advertised using false URLs and users can expect to be exposed to malware, including phishing (fraudulent messages that invite malware onto a user’s device to steal their data), botnets (a chain of internet-connected devices that are infected with malware) and keylogging (covertly recording the strokes on a keyboard to hack the user’s device).

Some services are false; for instance, the option to hire a hitman or buy a certain weapon might just be a scam. Phishing can lead to identity theft or extortion, which is difficult to protect yourself against unless browsing using fake information. Users often create throw-away accounts with fake emails, usernames and bank details in order to protect their identity. They might also install antivirus protection against malware and avoid downloading files from the dark web, unless scanning software is in place to protect against infection.

A Case Study

In 2011, Silk Road was founded and put up on the dark web as an online marketplace that allowed users to obtain illegal drugs. Silk Road used Bitcoin and, being on the dark web, was able to avoid detection and government regulation.

Silk Road enabled over 1 million transactions over a couple of years, but in October 2013, after international appeal and long-term investigation followed by infiltration, it was finally taken down.

The fact the site was operational for almost 3 years is owed to the anonymity of the dark web, where, it appears, you can say what you want and do what you want. The nature of its privacy and the restricted control of authorities over user behaviour makes it a safe space to speak out, increasing its popularity amongst civil liberties groups and activists that seek to shield their identity. Many journalists, aid workers and whistleblowers use it as a platform for free speech; communities form within the dark web, outside of its criminal activity networks. For people living in countries that deny them the right of free speech, the dark web is a platform that offers exactly that, with the security of knowing that they cannot be easily traced.

Law enforcement is able to infiltrate the dark web, however, as shown in the case of Silk Road. Authorities can often trace the source of security breaches or cyber fraud by conducting long-term investigations into the dark web, meaning that despite its anonymity, it is only a matter of time before online criminals are brought to justice. Other organisations, such as media companies, might also use it to browse for whistleblower activity for news stories.

This ‘dark’ side of the internet is a double-sided coin, enabling both positive and negative online activity, most of which would not be permitted on the parts of the internet the majority of us know.

How to know if you’ve been hacked and what to do about it

The average person will likely face fewer sophisticated threats than, say, a senior politician, activist, or CEO. High-profile figures may be targeted with phishing emails that are looking to steal secrets from corporate networks or initiate the transfer of large sums of money. You, your friends, and your family will likely face different threats from people you know seeking revenge or, more likely, crime groups using automated tools to scoop up credentials en masse.

We all like to think we’re not susceptible to social engineering or other kinds of cyber attacks, but the truth is that even intelligent, self-aware people get caught up in online scams that can have very damaging consequences, financially or socially. Even if you think you know what you are doing, you can still be a victim – I was!

Understanding the threats is key. Everyone has their own threat model that includes things that matter most to them – what is important to you may not be equally important to someone else. But there is a value to everything you do online, from Facebook and Netflix to online banking and shopping. If one of your accounts is compromised, stolen login information or financial details can be used across the web. It is that sort of scenario that lets people order takeaways through compromised accounts.

While Facebook, Twitter, Instagram, and other social networks are less likely to contain your credit card details, there are other types of risk. Hacked social media accounts can be used to post compromising messages that could embarrass or defame somebody, be used for harassment, or to build up a picture of who you are and everyone you know.

Discovering if you have been hacked can be a rather complicated task. You could wait to have it proven by losing control of your precious accounts, but like anything, it is better to be proactive and stop it from happening in the future. If you think you have been hacked, here is where to start and what you can do next.

Have I been hacked? Spot unusual behaviour

The clearest sign that you have been hacked is when something has changed. You might not be able to access your Google account using your regular username and password, or there may have been a suspicious purchase charged to one of your bank accounts. These are fairly obvious indications that you’ve been compromised in some way—and hopefully banks will detect any suspicious payments before things spiral too far.

However, before any of your accounts are compromised, there may be warning signs. The account that someone is trying to break into may warn you about unusual attempts to log in. For instance, Facebook and Google will send notifications and emails alerting you to attempts to access your account. This will usually be if someone has tried to get in and failed, but alerts can also be sent when someone has successfully signed in from an unfamiliar location.

There is barely a day that goes by without some company, app, or website suffering a data breach — from Adobe to Dungeons and Dragons. These breaches can include phone numbers, passwords, credit card details, and other personal information that would let criminals steal your identity, among other threats. Companies should be quick to tell you if they have been compromised but using a breach notification service can also give you a heads-up. Haveibeenpwned and F-Secure’s identity checker will tell you about old data breaches but can also alert you to new cases where your details are swept up in compromised accounts.
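Breach-lookup services such as the one mentioned above check your credentials without you handing over the password itself. The added example below (not code from the original article or from any of the services named) shows the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API: only the first five hex characters of the password’s SHA-1 hash are sent, and the match is made locally. The server response embedded in the block is constructed so it runs offline; the real endpoint returns lines in the same `SUFFIX:COUNT` format.

```python
"""Added example: k-anonymity breach check for a password.

Only a 5-character hash prefix leaves the machine; the remaining 35
characters of the SHA-1 digest are compared against the returned
candidate list locally, so the service never learns the full hash.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real Pwned Passwords range endpoint; the 5-char prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split the digest into the prefix that is sent and the suffix kept local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the corpus behind `fetch_range`.

    `fetch_range(prefix)` must return the raw response text for that
    prefix. A result of 0 means the password was not found.
    """
    prefix, suffix = split_hash(sha1_hex_upper(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real service (network required). Not used by the demo."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# CONSTRUCTED sample response for the prefix of SHA-1("password"), whose
# digest is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The other suffixes
# and all counts are made up for the demo.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "00000000000000000000000000000000A1B:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\r\n"
    ),
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ("password", "a-long-passphrase-nobody-else-uses"):
        n = pwned_count(candidate, fetch_range_constructed)
        verdict = f"seen {n} times, do not use" if n else "not in sample corpus"
        print(f"{candidate!r}: {verdict}")
```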

Take back control

Once you know your account has been hacked, that is when the hard work begins. Regaining control of an account may not be straightforward—depending on who has access to it—and there’s a good chance it will involve a lot of admin: anything from telling everyone you know that your email has been compromised to dealing with law enforcement.

First of all, you should get in touch with the company that owns your account. Every firm will have their own policies, procedures, and recovery steps when it comes to compromised accounts. These can easily be found through an online search. (Some popular sites’ compromised account tools: Facebook; Google; Netflix).

When recovering a compromised online account, you’re likely to go through different steps depending on whether you can still access it or not. If you can access the account, companies will often ask how it was compromised and provide suggestions on steps to take.

If you can’t access it, you will likely be asked to provide more information about how the account was used (previous passwords, email addresses, security questions, and more). If a person or a group claims to have accessed your account and messaged you about it, don’t click on any links they send, as these may be false claims and further attempts to access personal information.

Account recovery through the company where you have been hacked is the first step in taking back control. You should make sure that all apps and software you use (on phone and desktop) are up-to-date. What other action you take is specific to what was compromised. For instance, if you can get back into a hacked email account, it is worth checking the settings to make sure they have not been manipulated. A setting to automatically forward all your emails to another account may have been turned on, for example.

You should change the password of the compromised account and any other accounts that use the same password (more on that later) and get in touch with anyone who may have been impacted by the hack. For instance, if messages have been sent from your Instagram account or you’re forced to create a brand-new social media account, you may need to let friends and family know the details of the new account or explain what the random messages were about.

If appropriate, you can also report hacking to law enforcement bodies. Cases of harassment can be reported to the police.

Secure everything

The best way to reduce your chances of being hacked is to limit your personal attack surface. The better your online hygiene is to begin with, the less chance you have of being compromised. (Although some attacks will always happen, particularly those from sophisticated actors who are going after specific targets.)

Information on you is key to a successful attack, so minimising your available private data online should push the attacker onto the next, less fortunate victim. If your accounts have been compromised once and are being attacked by an organised group, there is a greater chance you may be targeted again.

When you are thinking about your online presence, you should take into account how much information you’re proactively putting out there. What I tell people is, Google yourself, lock yourself down, make it harder to access information about you. When you post your photos to Instagram, or you make posts to Facebook, or you tweet something about your location, people can take that content and information, put it into another context and, suddenly, you have been done. What people can really give away about you is the information that you have already given away about yourself.

Practically, there is a lot that can be done to shore up online accounts. Everyone should be using a password manager to create and hold unique, strong passwords. Nobody should be using the same password across multiple websites, even if you perceive your risk of being hacked to be low.

If you have been hacked on one account, this should be the motivation you need to check the other online accounts you use: Update passwords and check security settings. When updating accounts, you should also attempt to use complex security questions where possible. The answers should be something that only you know.

While you are in the mindset of updating passwords across your accounts, also take some time to consider the old zombie accounts you no longer use. What information is stored in that old Hotmail account you never use?

As well as a password manager, multifactor authentication (MFA) should be turned on for as many sites and services as possible. This is one of the most effective ways to secure your accounts from hackers. The most common type of MFA is two-factor authentication (2FA), where another piece of information, on top of your password, is required to log in to a service. Most commonly this is delivered via an SMS message, authenticator app, or physical security key. View a list of websites and apps supporting 2FA.

For people with the highest threat levels, there are a number of extra steps that can be taken. To increase online privacy and anonymity you can use a VPN, Tor, or Google’s Advanced Protection program.

If you have been a victim of cybercrime or online fraud please report it to Action Fraud.

Deep dive for the answers you need
Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.
