Phishing Attacks and Deepfake Technique: A Growing Concern

In today's digital landscape, cyber threats continue to evolve, and it is crucial to stay vigilant and informed about the latest techniques used by cybercriminals. Two significant concerns in the realm of cybersecurity are phishing attacks and deepfake techniques. This article provides practical tips to address the growing threat of phishing attempts. 

Phishing attacks remain a prevalent threat and aim to deceive individuals into revealing sensitive information or performing malicious actions, while deepfake techniques involve the use of manipulated audio and video to create convincing impersonations.

These attacks can occur through various channels, such as email (including business and personal email), Short Message Service (SMS), and mobile messaging applications (e.g. WhatsApp, WeChat). The primary goal of phishing is to trick individuals into divulging sensitive information, such as passwords, credit card details, or personal identification. Phishing attacks often employ social engineering tactics, preying on human vulnerabilities to create a false sense of trust and urgency.

The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), which is the centre for coordination of computer security incident response for local enterprises and Internet users, handled a total of 7,752 security incidents in 2023. Notably, phishing incidents constituted a significant portion, representing nearly half of all cases with a count of 3,752 (48%). This demonstrates a substantial increase, surpassing previous years and setting a five-year record, as it marks a 27% rise from 2022 ^[1].

The real-life examples below serve as a reminder of how cybercriminals can leverage social engineering tactics to manipulate individuals.  

1. Deepfake Scams: The Arup Incident ^[2]
    
   

   One notable example of a deepfake scam is the Arup incident. UK multinational Arup has fallen victim to a sophisticated deepfake scam in which a digitally cloned version of its chief financial officer (CFO) was used to dupe an employee in its Hong Kong office into transferring HK$200 million to scammers. The hyper-realistic deepfake video, created using artificial intelligence, convinced the employee to make 15 transfers to five Hong Kong bank accounts. Arup confirmed that fake voices and images were used but clarified that its financial stability and business operations were not compromised, and none of its internal systems were breached. The scam, which was first revealed in February 2024, is described as one of the largest known deepfake scams and the first of its kind in Hong Kong. Investigations are ongoing, and no arrests have been made so far. Arup's global chief information officer highlighted the increasing threat of deepfake scams and hoped that this incident would raise awareness about the evolving techniques of bad actors.

2. Impersonation Incident: Mimic University Professor
   
   Another notable example is that a cybercriminal employed a phishing technique to impersonate a university professor and deceive a student. This scam did not involve the use of deepfake technology but relied on traditional social engineering tactics and email spoofing (pretend to send from [professor name]@gmail.com). The attacker created an email address that closely resembled the professor's official email and sent a phishing email to the student, posing as the professor. The phishing email was carefully crafted to mimic the professor's communication style and contained urgent language, requesting the student's assistance in purchasing gift cards for official purposes and emphasising the need for immediate action. The email provided specific instructions on how to proceed in a continuous conversation with the victim. Unfortunately, the student, believing the email was legitimate, followed the instructions and purchased the gift cards, resulting in financial loss.  
    
3. Phone-based Phishing: Direct Call to Targeted Person
   
   Another example of a fraudulent technique is phone-based phishing, also known as voice phishing or "vishing". For instance, the attacker directly called University staff and requested to provide sensitive information and perform certain actions such as opening email attachments. The attacker impersonated a trusted entity, such as a vendor or a tech support agent, and convinced the targeted staff to open an email attachment or click on a malicious link from the attacker. This phishing method has been on the rise, with phone numbers used for fraud accounting for over 20% of fraud-related assets identified by the Anti-Phishing Working Group in the first quarter of 2024. The increasing prevalence of vishing highlights the need for individuals to remain vigilant and exercise caution when receiving unexpected phone or video calls ^[3].

Tips to Protect Yourself from Phishing Attacks and Deepfake Techniques

1. Develop an aware mindset:  Be aware of unsolicited messages, unexpected requests, and urgent demands for personal information.
2. Verify the sender's identity: Before responding to any request, verify the sender's identity using alternative means of communication. For example, contact the person directly through a known phone number or meet in person if feasible. 
3. Think before clicking or sharing information: Avoid clicking on links or downloading attachments from unsolicited messages. Hover over links to preview the URL and ensure it matches the expected destination. 
4. Stay informed and educate yourself: Regularly update your knowledge about the latest phishing techniques and deepfake technology, such as reading this article.
5. Activate multi-factor authentication (MFA) for your accounts: Enable MFA whenever possible, especially for sensitive accounts such as email, banking, and social media. 
6. Keep your software up to date: Regularly update your operating system, applications, and security software. Software updates often include security patches that address known vulnerabilities that cybercriminals may exploit.

Conclusion

In conclusion, building security awareness serves as our last line of defence in the ever-evolving landscape of cyber threats. While technological advancements have provided us with numerous conveniences, they have also opened avenues for malicious actors to exploit our weaknesses. Remember, our last line of defence lies in our ability to stay informed, remain vigilant, and report suspicious activities. By staying one step ahead and building security awareness, we can safeguard our personal information, financial well-being, and overall online safety. 

Reference:

[1] https://www.hkcert.org/press-centre/hkcert-releases-annual-information-security-outlook-and-forecast-next-level-phishing-attacks-difficult-to-distinguish-hackers-exploit-ai-for-crimes-could-become-a-new-normal
[2] https://www.dezeen.com/2024/05/17/arup-victim-deepfake-video-scam/
[3] https://docs.apwg.org/reports/apwg_trends_report_q1_2024.pdf