TT RND

Games, apps, websites… anything can be abused. How to protect your family from mobile threats

Source: ESET

Date: 28 Oct 2024

ESET levels up its Mobile Security app to be even more effective against phishing.

Smartphones have become an integral part of our social lives. From children to teens and on to adults and the elderly, globally, the average user now spends almost four hours daily staring at their mobile phone. There’s really no point in naming all the things people can use their mobile phones for. From social interaction to shopping, gaming, and so on… you know what they are capable of.

These capabilities, however, come at a price. The variety of things people can do on their mobile phones creates one huge, messy cyberthreat landscape with criminals trying to steal victims’ money, data, and identities, sometimes demanding a ransom for their return.

This blog will show you some real-life examples described by ESET researchers of what such threats look like. As you will see, some of them are no longer simple scams that can be easily spotted, but are instead sophisticated, multi-staged and AI-driven attacks that require much stronger defenses than a watchful eye and simple antivirus.

The long list of ESET research pieces on this topic demonstrates how carefully ESET studies these threats. And ESET experts are not just watching. More than ten years ago, ESET created award-winning multilayered protection against a multitude of Android security issues called ESET Mobile Security, which has been protecting millions of people around the globe. Now ESET is coming forward with improved Phishing Protection, extending threat coverage even more.


Anyone can be a target

There are 4.8 billion smartphone users, which is more than half of the current global population of 8.2 billion people. Statista estimates the smartphone user base to reach 6.4 billion by 2029.

According to a 2024 survey conducted by the data management firm Harmony Healthcare IT, phone screen time increases with every generation. While U.S. baby boomers (people born from 1946 to 1964) spend 3.5 hours per day with phones in their hands, millennials’ use of phones is one hour longer, and Generation Z spends an average of 6 hours and 5 minutes on their phone daily.

And just as smartphone usage is rising, so is the total volume of detected Android malware, increasing from 1.7 million in July 2014 to 35.2 million as of July 2024, according to the AV-TEST Institute’s data.

As the usage of mobile phones grows, so does user susceptibility to phishing attacks. Global data gathered in 2022 shows that encounters of personal mobiles with phishing rose from 35.46% in 2020 to 53% in 2022, and the percentage of mobile users who tapped on six or more phishing links almost doubled from 14.3% to 27.6% within this time period.

 

Threats are out there

Let’s see several of the latest examples of mobile threats, some covered by the latest ESET Threat Report (H1 2024).

ESET experts complemented the research conducted by Group-IB’s Threat Intelligence unit, describing the GoldPickaxe malware family available for both iOS and Android, targeting victims in the Asia-Pacific region.

This malware can steal a victim’s sensitive personal information from financial apps such as Digital Pension for Thailand despite a requirement that users record a brief video of their face from various angles using the front camera of their mobile device as a form of secure authentication.

To achieve that, threat actors steal victims’ biometric data and utilize AI-driven face-swapping services to create deepfakes.

Another example shows that scammers don’t hesitate to even target children. According to the latest Threat Report, ESET telemetry detected phishing scams abusing Roblox, a sandbox gaming platform very popular with kids and available on multiple operating systems (including Apple and Android). Roblox contains virtual currency named Robux that can be purchased with real money, which makes it attractive for cybercriminals. The Roblox community has created a long list of Roblox threats here.

Also, using ESET detection engines in combination with other sources, ESET researchers recently discovered espionage campaigns spreading fake apps or trojanized and reverse-engineered legitimate apps to Android users in Egypt and Palestine. Threat actors used dedicated phishing websites to distribute malicious apps impersonating legitimate chat apps, a job opportunity app, and a civil registry app.

Another recent malicious campaign uncovered by ESET researchers and run in the Czech Republic targeted clients at three Czech banks to facilitate unauthorized ATM withdrawals from the victims’ bank accounts.


NFCGate architecture (source: https://github.com/nfcgate/nfcgate/wiki)

At first, cybercriminals deceived victims into believing that they were communicating with their bank, and then tricked them into downloading and installing a fake banking app containing unique malware that ESET named NGate. NGate then clones near field communication (NFC) data from victims’ payment cards and sends this data to an attacker’s device, which is then able to imitate the original card and withdraw money from an ATM.

Just this handful of recent examples shows how large of a portfolio of tools cybercriminals have at their disposal. Notice the variety of their targets – children playing games or adults seeking a job, wanting to chat, or doing financial operations.

 

ESET Mobile Security

To deal with these scenarios, both individual users and households need a reliable security solution capable of stopping threats, ideally before they execute and cause any harm.

ESET Mobile Security provides award-winning protection against a multitude of Android security issues such as viruses, ransomware, adware, and other malware, or unwanted permissions given to applications. It also offers multilayered protection against phishing, smishing, and scams.

Here is a brief list of some features:

Antivirus – Protects against malicious app installs and from malicious apps downloaded from app stores. With permission, Antivirus can also check all files on the mobile device.

Anti-Phishing – Protects against malicious websites attempting to acquire users’ sensitive information on the most used browsers and social networks including Facebook, Facebook lite, Instagram, and Facebook Messenger. SMS notifications are also covered. It also protects from accessing phishing or fraudulent sites that can be used, for example, to distribute malicious apps.

Link Scanner – This year, ESET introduced Link Scanner, which allows ESET Mobile Security to check every link a user tries to open, not only those coming from supported websites and social network apps. For instance, if a user receives a phishing link in a game app and opens it, the link is first redirected to the ESET Mobile Security app, where it is checked before being redirected to the browser.

Remember the Roblox attacks? Some of them start exactly with phishing links received via in-game messages or found in fake profiles used by scammers.

Adware Detector – Sometimes a user cannot identify which app is causing annoying unwanted pop-ups. The ESET Adware Detector functionality tracks all apps that are shown on the screen so the user can easily identify the app that should not be running and delete it.

Payment Protection – This is a safe launcher for financial apps, ensuring that other apps on your device will not be able to recognize the launch of a sensitive app, nor allow other apps to replace or read the screens of the financial app in question. This makes use of finance or other sensitive apps safer.

Anti-Theft – The ESET Anti-Theft feature protects your mobile device from unauthorized access, enables you to monitor foreign activity, and tracks your device’s location. You can also display a message to the finder if your device is lost.

 

What about iOS?

There may be some iOS users who still hold on to the myth that their devices are secure simply because of the way these operating systems are built: applications on iPhone or iPad devices run in their own separate virtual spaces and can communicate with each other only to a very limited extent. This environment also prevents external antivirus apps for iOS from working properly.

However, there are notable cyber incidents, proving that iOS is not impenetrable. Therefore, iOS users should enhance the security of their devices with additional layers such as  , Identity Protection*, and Password Manager.

All of these are available for both iOS and Android users via ESET HOME Security, the recently upgraded all-in-one solution created for consumers who want to protect their household against all kinds of cyberthreats.

 

Be prepared for anything

Packed with tons of features and capabilities, mobile devices should make our lives easier, and not trigger headaches due to cyberthreats. That is why multi-layered protection focusing on prevention is needed.

Being a security leader with more than three decades of experience, ESET protects smartphone users of all generations whether they are browsing the internet, chatting, shopping, playing games, or executing financial operations.

 

* ESET Identity Protection is available only in selected countries.

ESET boosts its home security to protect your family against identity theft and ransomware

Source: ESET

Date: 24 Oct 2024

With increasingly sophisticated attacks, households need top-end protection covering today’s complex threat landscape.

In a world where cybercriminals can abuse AI to create fake recordings of your face needed to bypass video-based authentication, or where phishing copycats of legitimate websites are almost unrecognizable from their real counterparts, and media repeatedly inform us about huge data breaches, it is no surprise that the general public is worried about what the future holds.

Even tech-savvy and vigilant home admins can’t be sure that their personal data won’t leak due to third-party data breaches, nor can they monitor their children or less-aware family members 24/7 to prevent them from being fooled by an advanced scam.

In such a world, security awareness training combined with a simple cybersecurity solution is not enough. Robust high-quality defenses covering numerous attack vectors such as accounts, web browsing, financial operations, mobile apps, and even physical theft are needed. Ideally, if such a solution is easy to use and its first line of defense is prevention – avoiding or stopping threats before they can do any harm – then home admins and their families will be able to rest better.

This year, ESET boosts its all-in-one solution for consumers, ESET HOME Security, with several new handy features battling the most feared attacks such as ransomware or phishing. Moreover, ESET introduces global Identity Protection* service, which provides rapid warning about personal data leaks and helps victims promptly mitigate possible identity fraud.

 

Growing concerns

The vast majority of British and American consumers are concerned that cyberattacks will increase or remain consistent over the coming year (97%) and become more sophisticated (69%), according to a 2024 study conducted by ThreatX and Dynata among 2,000 consumers. Only 13% express their confidence in being completely protected from cyberattacks in the next year.

Considering the volume of news about advanced cyberthreats and huge data breaches, these numbers are understandable. Here is a brief summary of the general public’s situation:

  • Cybercrime is profitable, and it will grow. The global cost of cybercrime is expected to surge in the next four years, rising from $9.22 trillion in 2024 to $13.82 trillion by 2028.
  • Technology is evolving, and so are cyberattacks. The recent Netacea survey among 440 businesses across the U.K. and the U.S. found that 93% of respondents believe they will face daily AI attacks within the next six months.
  • Automated attacks are a constant threat. For example, Microsoft deflects more than 1,000 password attacks per second, spam messages accounted for over 46.8 percent of email traffic in December 2023, and more than 76 billion emails were phishing in the same year.
  • The latest generation of PCs can break encryption by guessing random 6-character-long passwords in a single day, despite the improved hashing methods used. Users of older hashing methods can get breached almost instantly.

 

Setting up defenses

The statistics above are not here to scare you, but rather to demonstrate the scale and complexity of the current threat landscape. This means that home defenses must be comprehensive but, at the same time, easy to operate to avoid security fatigue. Yes, cybercriminals are evolving; they use AI and automation. But guess what: cybersecurity vendors (such as ESET) can do the same.

Keeping all these threats in mind, proper home security should be multi-layered, covering multiple attack vectors and focusing on prevention. Here are some basic rules and solutions that people concerned about their cybersecurity should consider:

Cyber Hygiene – Besides awareness education, proper cyber hygiene also involves backups, regular patching and updates, encryption, and password hygiene.

Password Manager and Two-Factor Authentication – An average person now uses 168 passwords and manages nearly 200 accounts. Considering how often cybercriminals attack credentials, it is quite useful to have these two solutions.

Antivirus – High-quality antivirus is a must nowadays. Don’t rely only on free or in-built protection.

Modern Endpoint Security – This involves Antispyware, Anti-Phishing, Ransomware Shield, and Script-Based Attack Protection combined with Advanced Machine Learning and sandbox technology that analyzes software before execution.

Parental Control – Parental Control offers a general overview of children’s online activities and flexible options to restrict access to some content or screen time.

Anti-Theft – In London, a mobile phone was stolen every six minutes in 2023. An Anti-Theft tool helps track stolen devices and protects their data.

VPN – A Virtual Private Network is a technology that enables the creation of a secure and encrypted connection between a device and the internet.

 

Focus on quality

ESET HOME Security is an all-in-one, subscription-based solution that offers all these technologies and covers multiple operating systems, from Windows to macOS to Android, and also improves iOS security.

Despite being packed with a number of capabilities, it’s not hard to operate. ESET HOME Security comes with its own complete security management platform, ESET HOME, which allows easy management and sharing protection with family and friends.

Moreover, it is constructed in a way that allows low usage of your PC’s system resources, a fact also acknowledged in the 2023 AV-Comparatives Performance Test.

As a global leader in digital security with more than 30 years of experience, ESET is committed to progress and staying ahead of adversaries. That’s why ESET constantly improves its technology, including ESET HOME Security.

This year, ESET comes with several new security and privacy features while improving already-existing ones:

New Global Dark Web Monitoring – ESET Identity Protection* scours websites on the dark web, black market chat rooms, blogs, and other data sources to detect the illegal trading and selling of users’ personal information. ESET technology sends prompt alerts so users can take immediate action.

New ESET Folder Guard – This technology helps protect Windows users’ valuable data from malicious apps and threats, such as ransomware, worms, and wipers (malware that can damage users’ data). Users can create a list of protected folders; files in these folders can’t be modified or deleted by untrusted applications.

New Multithread Scanning – Improves scanning performance for multi-core processor devices using Windows by distributing scanning requests among available CPU cores. There can be as many scanning threads as the machine has processor cores.

New Link Scanner – This feature improves ESET Mobile Security Anti-phishing (EMS), which, in general, blocks potential phishing attacks coming from websites or domains listed in the ESET malware database. The Link Scanner allows EMS to check every link a user tries to open, not only those coming from supported browsers and social network apps. For instance, a phishing link that pops up in a game will also be checked.

Improved Gamer mode – This feature is for users who demand uninterrupted usage of their software without pop-up windows and want to minimize CPU usage. The improved version allows users to select applications that will not run in Gamer mode. When running an excluded application in full screen mode, Gamer mode will not be used. For cautious players, there is also a new option to display interactive alerts while gamer mode is running.

Improved Password Manager – ESET’s Password Manager now includes an option to remotely log out of Password Manager when logged in on other devices. Users can check their password against the password breach list and can view a security report that informs them if they use any weak or duplicate passwords for their stored accounts. Password Manager has an integrated option to use third-party programs as an optional two-factor authentication (2FA) solution.

Improved Cyber Security for Mac users – ESET HOME Security tiers for Mac users now have a new unified Firewall with both basic and advanced setup options in the main Graphical User Interface (GUI). This means the solution is tailored to the needs of users from basic to more advanced, and without unnecessary settings.

 

Home is where you feel safe

Despite the digital world becoming more complex and dangerous, this doesn’t mean that average users should constantly look over their shoulders. Yes, they need to stay vigilant, but home should first and foremost be a place of peace and comfort.

So set up defenses, update them regularly, and enjoy your time with your family knowing that your cybersecurity is left to professionals.

 

* ESET Identity Protection is available only in selected countries.

 

ESET bulks up its ESET HOME consumer protections against identity theft, ransomware, phishing, and more

Source: ESET

Date: 22 Oct 2024

BRATISLAVA — October 22, 2024 — ESET, a global leader in cybersecurity solutions, today announced the launch of its upgraded consumer offering ESET HOME Security, introducing new features such as ESET Folder Guard and Multithread Scanning, together with an overall improvement of its capabilities. Identity Protection* featuring Dark Web Monitoring is now globally available.

These enhancements to ESET HOME Security, as an all-in-one solution for consumers, correspond to the increasing number of advanced, automated, and AI-driven threats targeting individuals and address growing concerns about data privacy, ransomware attacks, phishing, and scams.

Despite being packed with the latest technology, ESET HOME Security remains easy to use thanks to ESET HOME, a comprehensive security management platform available across all major operating systems — Windows, macOS, Android, iOS — and covering all typical smart home devices. Now ESET HOME Security offers even more formidable protection for entire households.

“As a progressive digital life protection vendor, ESET is dedicated to always being one step ahead of adversaries. Our team of experts created a powerful digital life protection solution that blends more than 30 years of human expertise with artificial intelligence, multilayered security technology, and live cloud protection. Following a prevention-first approach that stops threats before they can do any harm, ESET HOME Security brings peace of mind regarding privacy and security, while staying user-friendly, powerful, light, and fast,” said Viktória Ivanová, Vice President of Consumer and IoT Segment at ESET.

To complement the long list of already existing layers of protection, including Antivirus & Antispyware, Firewall, Ransomware Shield, Anti-Phishing, Safe Banking, Safe Browsing, Password Manager,   and Anti-Theft — to name just a few — new features and upgrades have been added:

New Dark Web Monitoring — ESET Identity Protection* scours websites on the dark web, black market chat rooms, blogs, and other data sources to detect the illegal trading and selling of users’ personal information. ESET technology sends prompt alerts so users can take immediate action.

New ESET Folder Guard — This technology helps protect Windows users’ valuable data from malicious apps and threats, such as ransomware, worms, and wipers (malware that can damage users’ data). Users can create a list of protected folders — files in these folders can’t be modified or deleted by untrusted applications.

New Multithread Scanning — Improves scanning performance for multi-core processor devices using Windows by distributing scanning requests among available CPU cores. There can be as many scanning threads as the machine has processor cores.

New Link Scanner — This feature improves ESET Mobile Security Anti-Phishing that, in general, blocks potential phishing attacks coming from websites or domains listed in the ESET malware database. The Link Scanner is an additional layer of protection for Android smartphone users that allows ESET Mobile Security to check every link a user tries to open, not only those coming from supported websites and social network apps. For instance, if a user receives a phishing link in a game app and opens it, the link is first redirected to the ESET Mobile Security app, where it is checked, before being redirected to the browser. If the user is using an unsupported browser, the Link Scanner will block the malicious link in this case.

Improved Gamer Mode — This feature is for users who demand uninterrupted usage of their software without pop-up windows and want to minimize CPU usage. The improved version allows users to create a list of apps automatically starting gamer mode. For cautious players, there is also a new option to display interactive alerts while gamer mode is running.

Improved Password Manager — ESET Password Manager now includes an option to remotely log out of Password Manager when it is logged in on other devices. Users can check their password against the password breach list and view a security report that informs users if they use any weak or duplicate passwords for their stored accounts. Password Manager has an integrated option to use third-party programs as an optional two-factor authentication (2FA).

Improved Cyber Security for Mac users — ESET HOME Security tiers for Mac users now have a new unified Firewall with both basic and advanced setup options in the main Graphical User Interface (GUI). This means the solution is tailored to the needs of users from basic to more advanced, without unnecessary settings.

This robust all-in-one security product is an ideal solution for all who have concerns beyond general cybersecurity, and it includes privacy protection, identity protection, performance optimization, device protection, and smart home protection. Because in a world of advanced cyberthreats, quality matters.

More information about the consumer offering and subscription tiers can be found here.

* ESET Identity Protection is available only in selected countries.

About ESET

ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network.

Hacktivism is evolving – and that could be bad news for organizations everywhere

Source: ESET WeLiveSecurity

Written by: Phil Muncaster

Hacktivism is nothing new, but the increasingly fuzzy lines between traditional hacktivism and state-backed operations make it a more potent threat.

Hacktivism surged back into mainstream consciousness with Russia’s invasion of Ukraine in February 2022. Less than two years later, politically-motivated groups and individuals were out in force again, this time ostensibly to make their point amid the Israel-Hamas conflict. Worryingly, hacktivists have been spotted using increasingly sophisticated and aggressive tactics to bring their agendas to public attention.

Perhaps even more disconcerting is the likelihood that many groups are, in fact, either backed by, or even consist of, nation-state actors. Indeed, the lines between state-sponsored cyber operations and traditional hacktivism have become fuzzy. In a world increasingly characterized by geopolitical instability and an erosion of the old rules-based order, organizations, especially those operating in critical infrastructure, should consider building the hacktivist threat into their risk modelling.

 

What’s new in hacktivism?

At its most basic, hacktivism is the act of launching cyberattacks for political or social reasons. As an indication of the seriousness with which it is now viewed, the Red Cross last year issued eight rules for “civilian hackers” operating during wartime, all while noting that hacktivists are increasingly causing disruption to non-military targets such as hospitals, pharmacies and banks.

Predictably, there’s been little sign of hacktivists adhering to the guidelines issued by the Red Cross. Indeed, with attribution still difficult online, the pros of engaging in hacktivist activity still largely outweigh the cons – especially if attacks are secretly backed by nation states.

 

The old and the new

The current Israel-Hamas conflict has drawn unprecedented numbers of activists onto streets around the world. And, in lockstep, it has led to a surge in online activity. Much of this is similar to the tactics we’ve seen in previous hacktivist campaigns, including:

  • DDoS attacks: According to some sources, hacktivist-driven DDoS activity last year peaked in October at “record levels, following the conflict between Israel and Hamas.” This made Israel the country most targeted by hacktivists, with 1,480 DDoS attacks recorded in 2023, including against some big-name organizations.
  • Web defacement: Over 100 hacktivists launched over 500 web defacement attacks on Israeli websites in the week following the October 7 raids, according to Cambridge University researchers. Similar low-level web defacements continue to this day.
  • Stolen data: Some groups claimed to have stolen and published data from Israel and allied organizations. In other words, hacktivists can infiltrate corporate systems to pilfer sensitive information before releasing it publicly to embarrass or harm the target.

However, there are also signs that hacktivism is becoming more targeted and sophisticated:

  • One report suggested hacktivist group AnonGhost exploited an API vulnerability in the “Red Alert” app, which provides real-time missile alerts for Israeli citizens. The group “successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python scripts to send spam messages to some users of the app,” it noted. The group even managed to send fake messages to civilians about a nuclear bomb.
  • Other reports noted that hacktivists had posted screenshots indicating they had access to Israeli water systems’ SCADA devices. The researchers were unable to verify these claims, but suggested that hacktivists may have been conducting reconnaissance operations targeting the sector.

 

When nation states get involved

Hacktivists with more advanced technical know-how and/or access to tools and knowledge on the cybercrime underground may have been behind the latter attacks. However, nation state backing can’t be ruled out. Many countries have geopolitical and ideological reasons to attack other countries and their allies under the camouflage of hacktivism.

In fact, suspected Russia-affiliated groups seem to have a long history of doing so, including under the Anonymous Sudan moniker, which has taken down many targets in the West. The group claimed the attack on The Jerusalem Post and several others targeting industrial control systems (ICS), including the Israeli Global Navigational Satellite Systems, Building Automation and Control Networks and Modbus ICS. Another pro-Russian group, Killnet, claimed to have taken down an Israeli government website and the website of security agency Shin Bet.

While these attacks are notably high profile, there are hints of more insidious state-backed efforts masquerading as hacktivism. Disinformation efforts include the use of AI-generated images purporting to show missile strikes, tanks rolling through ruined neighborhoods, or families combing through rubble for survivors.

The focus here is to generate images that create a strong emotional reaction – such as one of a baby crying amidst bomb wreckage, which went viral late last year. Fake social media and Telegram accounts amplify the disinformation. In one case, X owner Elon Musk apparently promoted a post from a faked account that was viewed 11 million times before deleting it.

Security researchers have observed suspiciously coordinated activity following the Hamas attack – possibly suggesting state involvement. One study claimed at least 30 hacktivist groups immediately pivoted activity to the conflict within 48 hours.

 

How organizations can manage hacktivist risks

In many ways, whether the hacktivist threat comes from genuine groups, those aligned with state interests or covert nation state operatives themselves, the threat remains the same. Such groups are increasingly targeting private sector organizations with the audacity to speak out on politically sensitive issues. In some cases, they may do so simply if there is a perception that the organization is aligned to one side or another, or as a smokescreen for more shadowy nation state goals.

Whatever the rationale, organizations can follow these basic high-level steps to mitigate the hacktivist risk:

  • Ask the right questions: Are we a target? What assets are at risk? What is the extent of our attack surface? Are existing measures enough to mitigate hacktivist risk? This is where a thorough cyber-risk assessment of externally facing infrastructure can help.
  • Plug any gaps revealed by such an assessment, including vulnerabilities or misconfigurations – ideally this should be done in a continuous and automated manner.
  • Ensure assets are protected from threats at an email, endpoint, network and hybrid cloud layer and continuously monitor for threats with XDR/MDR tools.
  • Use threat intelligence to gather, analyze, and act on information about current and emerging threats.
  • Apply robust encryption, both at rest and in transit, to protect sensitive data from being read or modified by unauthorized parties.
  • Enhance identity and access management with zero trust architecture and multi-factor authentication (MFA), and keep an eye out for suspicious data access patterns.
  • Run continuous employee education and awareness training programs.
  • Partner with a trusted third-party for DDoS mitigation.
  • Build and test a comprehensive incident response plan.

Hacktivism is nothing new. But the increasingly blurred lines between ideologically/politically motivated groups and government interests make it a more potent threat. It may be time to rethink your risk management planning.

 

No room for error: Don’t get stung by these common Booking.com scams

Source: ESET WeLiveSecurity

Written by: Christian Ali Bravo

From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation

Booking.com has become one of the main go-to platforms for travelers looking for holiday accommodation deals, but also for services like car rentals and airline tickets. In fact, it is the most visited travel and tourism website worldwide, having processed more than a billion bookings in 2023, double the number recorded in 2016.

Obviously the site’s popularity hasn’t escaped the attention of cybercriminals, who invariably flock to online services with high traffic and exploit them as a lucrative hunting ground for victims.

Booking.com itself has acknowledged the magnitude of the problem and said that it has seen a staggering “500 to 900% increase” in travel scams in the past 18 months – and that this increase is largely driven by cybercriminals’ misuse of tools such as ChatGPT since November 2022.

With vacation season in full swing, let’s review some of the most common scams exploiting Booking.com and what to look out for when using this platform.

 

Phishing

Phishing emails, texts and social media messages are a staple in fraudsters’ arsenals. In these scams, they impersonate a reputable platform or organization to trick the victim into believing they are in contact with the site’s official representative.

Obviously Booking.com isn’t immune to these scams, and fraudsters continue to churn out campaigns where they pose as the platform or representatives of the hotel or another service that the targets have booked via the site.

They often come up with a plausible story where they drum up a sense of urgency and seek to dupe the victim into clicking on a malicious link, under the guise of a new payment that should fix a purported error – or else face the prospect of losing their reservation.

Figure 1. Scam attempt (Source: Reddit)

The easy availability of generative AI tools has opened the floodgates to waves of more convincing and effective scams. By generating phishing emails that are grammatically correct, contextually appropriate, and free of typical red flags that might alert the recipient, scammers can easily trick people and businesses into downloading info-stealing malware on their devices, divulging sensitive information or transferring money.

 

Hijacked chats

Some scammers may go a little further than sending out random phishing messages. There have been a number of reports of attackers finding a way to dupe their victims via the platform’s messaging system.

After finding their way into the accounts of the hotels where holiday-makers made their reservations, they have contacted large numbers of people directly via the in-app chat and urged them to make a payment to confirm the booking.

The ruse involved an alleged error with the previous payment, requiring them to pay again and avoid missing out on their holiday. In other variations of this ploy, the fraudsters requested credit card or passenger data to verify or confirm the booking.

While this didn’t occur as a result of a breach of the platform’s backend systems or infrastructure, you’re well advised to look out for any communications that request your personal or payment data.

 

Non-existent accommodation

Many holiday properties appear to be straight out of a fairy tale. Indeed, some of them are, quite literally, unreal. Over the years, many holiday-makers have fallen victim to fake listing scams where cybercriminals advertise a luxury holiday home that can be rented at an irresistible price and instruct people to pay, even via Booking.com. Upon arriving, you’ll find that the accommodation doesn’t exist or the property is not for rent.

In fact, soon enough, the platform’s own systems kick in – the fake listings are discovered and removed. However, your vacation may be ruined by then, so you’re better off doing your due diligence before booking.

Look for reviews and ratings for the place, check if the price is roughly similar to those for “competing” houses or apartments, and reverse-search the image to see what comes up – it is likely a free stock image or it was stolen from other websites. The bottom line is, if something looks too good to be true, it usually is.

 

Fake job offers

The text or social media message is straightforward enough: “We need someone to evaluate hotel bookings. We pay between $200 and $1,000. All you need to do is rate or like the hotel on (a fake Booking.com link).” This is how the message offering an irresistible side hustle, supposedly from Booking.com, begins. It’s also a variation on popular work-from-home scams.

Figure 2: Bogus job offer (Source: Reddit)

You’re then asked to pay an advance fee to secure the job and/or to send your personal information like Social Security numbers or other details, which can be used to commit identity theft. In some cases, the scammers may be after your bitcoin or other crypto.

How to stay safe? Booking.com doesn’t hire people to review hotels, and they don’t hire people via unsolicited text messages. Hiring as such takes place through Booking Careers, and there is no job vacancy on the platform requiring people to review hotels.

 

12 tips for avoiding Booking.com and other travel scams

These tips will go a long way towards helping you stay safe while using Booking.com:

  1. Whenever you’re contacted by someone who represents Booking.com or a hotel where you’ve booked your stay, watch out for the typical signs of a phishing email, such as requests for urgent action.
  2. Always verify that emails came from their official domain and be wary of slight misspellings or variations. A number of trusted email addresses are also listed on the site itself.
  3. If you receive any suspicious communication, go directly to the website and log into your account to verify any claims.
  4. Booking.com never asks for information like your full credit card details, social security number, or passwords via email or chat.
  5. Avoid clicking on links in unsolicited emails or messages.
  6. Make payments through the official Booking.com platform. Avoid transferring money directly to the accommodation provider.
  7. Check reviews and ratings of the accommodation on Booking.com and look for reviews that are authentic and detailed. Inspect and cross-check the accommodation details and images on other travel websites or review platforms.
  8. Ensure your devices have up-to-date security software to protect against malware and phishing attempts.
  9. Keep your operating system and other software updated to protect against security vulnerabilities.
  10. Protect your online accounts with strong and unique passwords or passphrases and two-factor authentication.
  11. If you encounter any suspicious activity, report the issue to the platform’s customer service.
  12. If you suspect that your payment information has been compromised, inform your bank or credit card provider immediately.
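Tip 2 can be automated as a first-pass triage of the From: header. The sketch below is an added example, not code from ESET or Booking.com; the single official domain, the label names and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption for this example: the one registered domain treated as official.
# The platform's own list of trusted sender addresses is published on its
# site and is not reproduced here.
OFFICIAL = "booking.com"
BRAND = OFFICIAL.split(".")[0]  # "booking"


def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return a triage label for the From: header of a received message."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")

    # Exact match or a subdomain of the official domain. A matching From:
    # header is necessary, not sufficient: the header itself can be forged,
    # so this check complements the mail system's own authentication results.
    if domain == OFFICIAL or domain.endswith("." + OFFICIAL):
        return "official-domain"

    labels = domain.split(".")
    # Internationalised names can hide look-alike characters: manual review.
    if not domain.isascii() or any(l.startswith("xn--") for l in labels):
        return "idn-review"
    # Brand placed inside someone else's domain (prefix label, hyphenated).
    if BRAND in domain:
        return "lookalike-embedded"
    # Slight misspelling of the official name. Only the last two labels are
    # compared, which is a simplification for multi-part public suffixes.
    if 1 <= edit_distance(".".join(labels[-2:]), OFFICIAL) <= 2:
        return "lookalike-typo"
    # Display name claims the brand while the address is somewhere else.
    if BRAND in display.lower():
        return "display-name-mismatch"
    return "unrelated"


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"Booking.com" <noreply@booking.com>',
    '"Booking.com Support" <reservations@bo0king.com>',
    "billing@booking.com.pay-check.example",
    "desk@booking-com.example",
    '"Booking.com" <support@hotel-mail.example>',
    "info@xn--bking-example.com",
    "friend@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):24} {header}")
```

Anything other than `official-domain` or `unrelated` is a reason to follow tip 3 and check the claim by logging in to the site directly.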

Bon voyage!

BEFORE YOU GO: Going on vacation soon? Stay one step ahead of travel scams

Virtual kidnapping: How to see through this terrifying scam

Source: ESET WeLiveSecurity

Written by: Phil Muncaster

Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims

It’s every parent’s worst nightmare. You get a call from an unknown number and on the other end of the line hear your child crying out for help. Then their ‘kidnapper’ comes on the line demanding a ransom or you will never see your son or daughter again. Unfortunately, this is not an imagined scenario from a Hollywood film.

Instead, it’s a terrifying example of the lengths that scammers can now go to in order to extort money from their victims, co-opting new technology for nefarious purposes. It also shows the quality of AI voice cloning technology that is now convincing enough to trick even close family members. Fortunately, the more people know about these schemes and what to look out for, the less likely phone-based fraudsters are to make any money.

How virtual kidnapping works

There are several key stages to a typical virtual kidnapping scam. Broadly speaking they are as follows:

  1. The scammers research potential victims they can call up and try to extort money from. This stage could also be optimized with the use of AI tools (more of this later).
  2. The scammers identify a ‘kidnapping’ victim – most likely the child of the person they identified in stage 1. They could do this by trawling through their social media or other publicly facing information.
  3. The group then creates an imagined scenario, being sure to make it as harrowing as possible for the person they’re about to call. The more scared you are, the less likely you’ll be to make rational decisions. Like any good social engineering attempt, the scammers want to rush the victim’s decision making for this reason.
  4. The fraudsters might then perform some more open source research to calculate when the best time to call would be. They may scour social media or other sources to work this out. The idea is to contact you at a time when your loved one is elsewhere, ideally on holiday, like the daughter of Jennifer DeStefano.
  5. Now it’s time to create the audio deepfakes and put in the call. Using readily available software, the scammers will create audio with the victim’s ‘voice’ and use it to try and convince you that they have kidnapped a relative. They may use other information gleaned from social media to make the scam sound more convincing, for example by mentioning details about the ‘kidnappee’ that a stranger might not know.
  6. If you fall for the scam, you will most likely be asked to pay in a non-traceable way, like cryptocurrency.

Supercharging virtual kidnapping

There are variations on this theme. Most concerning is the potential for ChatGPT and other AI tools to supercharge virtual kidnapping by making it easier for fraudsters to find the ideal victims. Advertisers and marketers have for years been using “propensity modelling” techniques to get the right messages to the right people at the right time.

Generative AI (GenAI) could help scammers to do the same, by searching for those individuals most likely to pay up if exposed to a virtual kidnapping scam. They could also search for people within a specific geographical area, with public social media profiles and of a specific socio-economic background.

RELATED READING: Your voice is my password

A second option would be to use a SIM swapping attack on the ‘kidnappee’ to hijack their phone number ahead of the scam. This would add an unnerving legitimacy to the kidnapping phone call. Whereas DeStefano was eventually able to ascertain that her daughter was safe and well, and therefore hang up on her extortionists, this would be much harder to do if the victim’s relative is uncontactable.

What the future holds for voice cloning

Unfortunately, voice cloning technology is already worryingly convincing, as our recent experiment also proves. And it is increasingly accessible to scammers. An intelligence report from May warned of legitimate text-to-speech tools which could be abused, and a growing interest on the cybercrime underground in voice cloning-as-a-service (VCaaS). If the latter takes off it could democratize the ability to launch such attacks across the cybercrime economy, especially if used in combination with GenAI tools.

In fact, besides disinformation, deepfake technology is also being used for business email compromise (as tested by our own Jake Moore) and sextortion. We are only at the start of a long journey.

How to stay safe

The good news is that a little knowledge can go a long way to defusing the threat of deepfakes in general and virtual kidnapping in particular. There are things you can do today to minimize the chances of being selected as a victim and of falling for a scam call if one does occur.

Consider these high-level tips:

  • Don’t overshare personal information on social media. This is absolutely critical. Avoid posting details such as addresses and phone numbers. If possible, don’t even share photos or video/audio recordings of your family, and certainly not details of loved ones’ holiday plans.
  • Keep your social media profiles private in order to minimize the chances of threat actors finding you online.
  • Be on the lookout for phishing messages that could be designed to trick you into handing over sensitive personal information, or logins to social media accounts.
  • Get children and close family to download geolocation trackers such as Find My iPhone.
  • If you receive a call, keep the ‘kidnappers’ talking. At the same time try to call the alleged kidnappee from another line, or get someone close by to do so.
  • Stay calm, don’t share any personal info, and if possible get them to answer a question only the kidnappee would know and request to speak to them.
  • Notify the local police as soon as possible.

Virtual kidnapping is just the start. But stay up to date with the latest scams and you stand a good chance of nipping attacks in the bud before they cause serious emotional distress.

Better safe than sorry: 10 tips to build an effective business backup strategy

Source: welivesecurity by ESET

Author: Phil Muncaster

How backup best practices can help drive resilience and improve cyber-hygiene in your company

Could your company survive if its most critical data stores were suddenly encrypted or wiped out by cybercriminals? This is the worst-case scenario many organizations have been plunged into as a result of ransomware. But there are also many other scenarios that could create serious business risk for companies.

To mark Cybersecurity Awareness Month (CSAM), we looked at how both individuals and companies that fail to prepare are preparing to fail. Today, we’ll dive a little deeper into one particular aspect of how companies can help drive resilience and improve cyber-hygiene.

Having a backed-up copy of that data ready to restore is a safety net that many fail to consider until it’s too late. And even those with backups may manage them in a way that continues to expose the organization to risk. Indeed, backups can be a target too.

Why do you need backups?

Ransomware has perhaps done more for awareness about data backups than any other cyberthreat. The prospect of malware designed to encrypt all corporate data – including connected backups – has driven companies to invest in mitigations en masse. And it appears to be working. According to one estimate, the share of victims who pay their extorters dropped from 85% in Q1 2019 to just 35% in Q4 2022. Given that ransomware remains disproportionally a problem for SMBs, the threat from external hackers remains a major driver for backups.

READ: ESET SMB Digital Security Sentiment Report: The damaging effects of a breach

However, it’s not the only one. Consider the following risks, which backups can help to mitigate:

  • Destructive data extortion attacks, partly driven by the cybercrime-as-a-service ecosystem, in which data is exfiltrated and drives are encrypted before a ransom is demanded. ESET’s Threat Report for September to December 2022 found the use of increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victim’s data with no intention of providing the decryption key.
  • Accidental data deletion by employees is still a challenge, especially when sensitive data is saved to personal devices which don’t back it up. These devices could also be lost or stolen.
  • Physical threats: floods, fires and other natural disasters can knock out offices and data centers, making it doubly important to store a separate copy of sensitive data in another geographical location.
  • Compliance and auditing requirements are becoming ever more onerous. Failure to produce the information required of your business could lead to fines and other punitive action.

It’s difficult to put a price on it, but failing to back up in line with best practices could be a costly mistake. The average ransomware payment in Q4 2022 was over $400,000. But there are many other direct and indirect costs to consider, both financial and reputational.

How do I get there?

Best-practice backup strategy doesn’t need to be a black box. Consider the following 10 ways to achieve success:

  1. Develop a strategy
    It sounds obvious, but it pays to plan carefully to ensure any backup strategy meets the requirements of the organization. Consider this as part of your disaster recovery/business continuity planning. You’ll need to consider things like the risk and impact of data loss events, and objectives for data restoration.
  2. Identify the data you need to back up
    Data discovery and classification are a vital first step in the process. You can’t back up what you can’t see. Not all data may be deemed business critical enough to warrant backing up. It should be classified according to the potential impact on the business if made unavailable, which in turn will be informed by your corporate risk appetite.
  3. Follow the 3-2-1 rule
    This posits that you make three copies of the data, on two different media, with one copy stored offsite and offline. The last bit is particularly important, as ransomware often hunts out backed-up data and encrypts that too, if it is on the same network.
  4. Encrypt and protect your backups
    Given that threat actors also seek out backed-up copies of data for extortion, it pays to keep them encrypted, so they can’t monetize the data stored within. This will add an extra layer of defence beyond the 3-2-1 mechanism (at least 3 copies, 2 different storage types, 1 copy offsite) if you use it.
  5. Don’t forget cloud (SaaS) data
    A great deal of corporate data now resides in software-as-a-service (SaaS) applications. That can provide a false sense of security that it is safe and sound. In reality, it pays to add an extra layer of protection by backing this up too.
  6. Test your backups regularly
    It’s pointless having a backed-up copy of your company data if it won’t restore properly when called upon. This is why you should test them regularly to ensure the data is being backed up correctly and can be retrieved as intended.
  7. Run backups at regular intervals
    Equally, a backup is of limited use if it restores to a point in time too long ago. Exactly how regularly you should run backups will depend on the type of business you have. A busy online store will require almost continuous backing up, but a small legal practice can get away with something less frequent. Either way, consistency is key.
  8. Choose your technology partner carefully
    No two businesses are the same. But there are certain features which are useful to look out for. Compatibility with existing systems, ease of use, flexible scheduling and predictable costs all rank highly. Depending on the size and growth trajectory of your business, scalability may also be important.
  9. Don’t forget the endpoint
    Backing up network drives and cloud stores is one thing. But don’t forget the wealth of data that may reside on user devices like laptops and smartphones. All should be included in a corporate backup policy/strategy.
  10. Look beyond backups
    Don’t forget, backups are only one piece of the puzzle. You should be complementing them with security tools at the endpoint, network and server/cloud layer, extended detection and response tooling, and more. Also follow other cyber-hygiene best practices like continuous patching, password management and incident response.
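Points 3, 4, 6 and 7 of the list can be checked mechanically against an inventory of where copies live. The audit below is an added example, not ESET's code; the field names, the one-day and 90-day thresholds and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Copy:
    name: str
    medium: str                    # e.g. "disk", "tape", "cloud-object"
    offsite: bool
    offline: bool                  # unreachable from the production network
    encrypted: bool
    last_backup: date
    last_restore_test: Optional[date] = None
    primary: bool = False          # the live data set, counted as one copy


def audit(copies, today, max_backup_age_days=1, max_test_age_days=90):
    """Return (copy_name, finding) pairs; an empty list means no findings.

    The two age thresholds are assumed defaults: set them from your own
    restoration objectives, which the strategy in point 1 should define.
    """
    findings = []
    # Point 3: three copies, two different media, one offsite and offline.
    if len(copies) < 3:
        findings.append(("*", "fewer-than-three-copies"))
    if len({c.medium for c in copies}) < 2:
        findings.append(("*", "fewer-than-two-media"))
    if not any(c.offsite and c.offline for c in copies):
        findings.append(("*", "no-offsite-offline-copy"))

    for c in copies:
        if c.primary:
            continue  # the checks below apply to backup copies only
        if not c.encrypted:                                   # point 4
            findings.append((c.name, "not-encrypted"))
        if (today - c.last_backup).days > max_backup_age_days:  # point 7
            findings.append((c.name, "backup-stale"))
        if c.last_restore_test is None:                       # point 6
            findings.append((c.name, "never-restore-tested"))
        elif (today - c.last_restore_test).days > max_test_age_days:
            findings.append((c.name, "restore-test-overdue"))
    return findings


SAMPLE_TODAY = date(2024, 10, 28)  # constructed reference date


def sample_inventory():
    """Constructed inventory: three copies, but all on disk and all online."""
    return [
        Copy("prod-nas", "disk", False, False, False,
             date(2024, 10, 28), primary=True),
        Copy("nightly-nas-b", "disk", False, False, True,
             date(2024, 10, 27), date(2024, 9, 1)),
        Copy("remote-sync", "disk", True, False, False,
             date(2024, 10, 20), None),
    ]


if __name__ == "__main__":
    for name, finding in audit(sample_inventory(), SAMPLE_TODAY):
        print(f"{name:14} {finding}")
```

The sample passes the "three copies" count yet fails the rule, because the remote copy stays on the network where ransomware can reach it.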

Data is your most important asset. Don’t wait until it’s too late to formulate a corporate backup strategy.

FURTHER READING: Small and medium-sized businesses: Big targets for ransomware attacks

 

Time is Money, and Online Game Scammers have lots of it

Source: ESET WeLiveSecurity

Written by: Márk Szabó

*Gamers and cybersecurity professionals have something in common – the ever-terrible presence of hacking, scams, and data theft – but how and why would anyone want to target gamers?*

One of the more worrying trends of the past few years within the gaming sphere has been the introduction of microtransactions, which ask you to provide your money in case you want to fast-track an in-game event or buy better equipment, or additional skins for your character, for example. Nowadays, this can ring true both for multiplayer and single-player games; hence there are many more opportunities for malicious actors to take advantage of you.

The ubiquity of scams within online gaming enables a degree of interaction between players through in-game chat or voice services. Most often, these places represent the first contact points between scammers and their victims, which can impact not only adults but also kids due to the nature of these games.

 

Fishing for money

Cybercriminals exploit online games as a means of earning income, either by stealing and selling user data or by tricking them into giving up their bank account information. With that, ransomware, viruses, and trojans are also used to target players and try to siphon money from them.

The most significant opportunity in this regard is virtual currencies, skins, weapons, and similar, as many game developers sell these for various amounts of money, with some skins costing hundreds of dollars or more due to their rarity.

A scammer can easily create an account for an online game and then use stolen credit card details to purchase said things, and once the account is fully stocked, it can be sold off for tidy sums. Some accounts can sell for thousands, exchanging virtual objects for real-world currency.

 

Sanctuary under attack

Of course, online games do employ various levels of protection to secure the users’ accounts; however, account hijacks still happen, as the data within these accounts can have tremendous value, either because of the player’s accumulated in-game wealth or the various licenses they might own on online game stores, as well as their personally identifiable information, like phone numbers, address, emails, and financial information.

All it takes is one weak password, and your account might fall out of your hands entirely, especially when people tend to still use the same weak passwords as always, instead of opting for stronger ones or, even better, using a secure password manager.

An added problem also is that many game services lack additional authentication methods, or the provider could suffer a data breach exposing passwords. In a way, it is like the various wars between the Horde and the Alliance in Warcraft; one gains, the other loses, but the end results could also become permanent.

 

Friendly fraud

One of the perhaps lesser-known scams within the online world is Friendly Fraud. Despite that, it is monumental, as just in the United States, eCommerce merchants report as much as $11.8 billion in losses. This has become an increasing issue due to microtransactions. How it happens is that a child could overcharge their parents’ credit cards by making in-app purchases to get some special skin/in-game currency, for example. A parent might not know about this and dispute the charges on their bank account with their bank or the game company.

While maybe unintended, these disputes can still overwhelm the bank and gaming company or make the parents look like scammers. Why? Well, intentional Friendly Fraud also exists, in which case gamers, or people pretending to be gamers, purchase a game/currency and then dispute the charges on their credit card bill to receive a refund. It’s like buying a shirt, wearing it for a day or two, and then returning it to the store to get your money back.

 

Summoner’s fault (mostly)

Apart from the previously mentioned tricks, malicious actors also like to extract credentials through fake promotional material, like free exclusive items and game-time promotions on social media, leading you to a fake login website to extract your personal information and maybe even provide you with malware for free! How exciting, right?

Even in-game trade can be dangerous, as the transactions can happen outside the game’s limits through PayPal, for example, after which the fraudster disputes the payments, leaving you without the desired item and a monetary loss. Notice how many of these scams rely on user error, which is just the reality, as human error is still the leading cybersecurity issue.

 

What can a gamer do to protect themselves?

Thankfully, there are certain security tips a gamer can utilize to protect their precious accounts and game-time from malicious actors. Here are a few:

  • Use a strong password – This advice sadly needs to be repeated. Try to stay away from simple word + number combinations and mix it up with special characters, capital letters, or try passphrases, which are more complex and yet a more memorable alternative.
  • Use multi-factor authentication – An additional authentication method, best done by using a one-time code generating app like Microsoft Authenticator or Authy, is a must when properly securing any account.
  • Try to purchase game content in-house – Try to make your purchases inside the game’s own store, or through an official reseller, not providing your financial details to scammers.
  • Don’t fall for giveaways – Some games can have free giveaways of in-game content, but there can be cases when those asking for your account details are fraudulent – always verify whether the giveaway is done by an officially approved source.
  • Never provide account info to others – This advice is often repeated in World of Warcraft especially – a game admin or developer would never ask for your credit card number or bank details, especially not inside an online game.

And in case your account got hacked for one reason or another, on Steam, for example, there are ways you can deal with it to reach a successful recovery. This does not mean that gamers should not stay vigilant, as the lucrative world of gaming will always be under the threat of shady moneymakers and hackers. Stay safe and watch out for any dangers lurking in the shadows.