2024 - Page 2 of 3

AI Sextortion: The Crime Affecting Every Business and Everyone in SO MANY Ways

June 14, 2024/in Artificial Intelligence /by Robert Siciliano

Sextortion is EVERYONES PROBLEM. This isn’t just a children and teens thing, it’s adults too. The FBI says year over year this crime is increasing. And it’s affecting families, their livelihoods, and their businesses. Make no mistake, Sextortion affects you, our government, your organization, its security, your employees, their productivity, whether or not they may embezzle money from your organization to pay for the scammers demands and SO much more.

Sextortionist: “I Own You. I’m GoIng to RUIN you. I’m Publishing Your NOODS!”

The level of desperation in which the victims elevate to has resulted in multiple suicides. If a victim of sextortion is that distraught, that desperate, what other measures might they take? Where else might desperation direct them? How else might it mess with their lives? We’ve seen dozens, if not hundreds of examples of desperate people doing desperate things.

This author is in the new Netflix Series ASHLEY MADISON; Sex Lies & Scandal Episode 2 “We Got Hacked” @ 25:30 as an expert discussing the data breach on FOX NEWS. The show is trending on Netflix! I’m also briefly in episode three and in the credits. Whether or not you’re into these “juicy” salacious shows, my brief contribution is professional, and it demonstrates my expertise very well.

I bring up Ashley Madison because that site along with Grindr, Instagram, Facebook, and just about any other site, where human contact begins, and could result in nude photos being exchanged, are being targeted by criminals. Heck, it’s even beginning with the stupid lame text messages were getting now.

What is Sextortion?

Sextortion is a form of online sexual exploitation where a perpetrator threatens to share intimate or sexually explicit images or videos of a victim unless they comply with certain demands. These demands can range from extorting money to coercing the victim into producing more explicit content or engaging in other sexual acts.

Sextortion typically begins when a perpetrator gains access to sensitive images or videos of a victim, often through hacking, social engineering, or by convincing the victim to share the content themselves. The perpetrator then uses these materials as leverage to blackmail and exploit the victim.

The threats made by sextortionists can be severe, including publicly releasing the compromising content, sharing it with the victim’s family, friends, or employer, or even threatening physical harm. This creates an environment of fear and coercion, where victims feel compelled to comply with the demands to avoid the devastating consequences of having their private content exposed.

Artificial intelligence (AI) has exacerbated the severity of sextortion in several ways. The “victim” doesn’t even need to be “nude” to be a victim.

Artificial Intelligence Role in Sextortion

1. Creation of Realistic Fake Explicit Images: AI technology, particularly generative AI models can be used to create highly realistic and convincing fake explicit images of victims. These AI-generated images can be indistinguishable from real photographs, making the threats of releasing them more credible and increasing the leverage over victims.

2. Increased Reach and Scalability: AI can automate and scale up sextortion operations, allowing perpetrators to target a larger number of victims simultaneously. AI-powered tools can scrape social media for potential targets, generate fake profiles for grooming, and even automate the extortion process itself.

3. Targeting Minors: AI has made it easier for perpetrators to create fake explicit images of minors, putting underage victims at heightened risk of exploitation and severe psychological trauma. The FBI has reported an alarming increase in sextortion cases involving minors, with AI playing a significant role.

4. Deepfake Technology: AI-powered deepfake technology can be used to create realistic fake videos by superimposing a victim’s face onto explicit content, further increasing the credibility of the threats and the potential for harm.

5. Difficulty in Detection and Removal: AI-generated explicit content can be challenging to detect and remove from the internet, as it may not be flagged by traditional content moderation systems designed to detect real explicit material. This increases the potential for widespread dissemination and long-lasting reputational damage.

By leveraging AI, sextortionists can create more convincing and credible threats, target a broader range of victims, including minors, and operate at a larger scale, amplifying the psychological and emotional impact on victims and making it more difficult to combat this form of online exploitation.

Common Sextortion Tactics

Sextortionists employ various tactics to lure and manipulate their victims, including:

1. Hacking and Malware: Perpetrators may hack into the victim’s devices or accounts to steal private images or videos, or use malware to gain remote access and control over their webcams or files.

2. Catfishing and Online Relationships: Sextortionists may create fake online personas and engage in romantic or friendly conversations with the victim, gradually building trust and convincing them to share explicit content.

3. Impersonation and Deepfakes: In some cases, perpetrators may use deepfake technology to create realistic but fabricated explicit images or videos of the victim, which they then use for blackmail.

4. Sextortion Scams: Victims may receive unsolicited emails or messages claiming that the perpetrator has compromising videos or images of them, demanding payment to prevent the content from being released, even if no such content exists.

Victims of Sextortion

While anyone with a digital presence can potentially become a victim of sextortion, certain groups are more vulnerable:

Minors and Young Adults: Sextortionists often target minors and young adults, who may be more susceptible to online manipulation and less aware of the risks involved in sharing explicit content.

LGBTQ+ Individuals: Members of the LGBTQ+ community may be specifically targeted due to the potential for increased stigma and discrimination if their private content is exposed.

Public Figures and Celebrities: High-profile individuals, such as celebrities or politicians, can be lucrative targets for sextortionists seeking financial gain or leverage.

Consequences of Sextortion

Sextortion can have severe and long-lasting consequences for victims, including:

Emotional Trauma: Victims often experience significant emotional distress, anxiety, depression, and feelings of shame and humiliation.

Reputational Damage: The release of private content can lead to damage to the victim’s personal and professional reputation, as well as strained relationships with family and friends.

Financial Loss: Victims may face financial losses due to extortion demands or the need to seek legal assistance and counseling.

Legal Implications: In some cases, the production or distribution of explicit content involving minors can lead to criminal charges, even if the victim was coerced or unaware.

Preventing and Responding to Sextortion

Preventing sextortion requires a multi-faceted approach, including:

1. Education and Awareness: Raising awareness about sextortion tactics and the risks of sharing explicit content online can help individuals make informed decisions and recognize potential threats.

2. Cybersecurity Measures: Implementing strong cybersecurity practices, such as using secure passwords, enabling two-factor authentication, and keeping software and devices up-to-date, can help protect against hacking and unauthorized access.

3. Reporting and Support: Victims of sextortion should report the incident to the appropriate authorities, such as law enforcement agencies or cybercrime units, and seek support from counseling services or victim advocacy organizations.

4. Legal Action: In some cases, legal action may be necessary to hold perpetrators accountable and seek justice for the harm caused.

Sextortion is a serious form of online exploitation that can have devastating consequences for victims. It is important that we have “uncomfortable” conversations with each other about this crime and how it affects us and raise awareness to stop it from happening. By raising awareness, implementing preventive measures, and providing support and resources for victims, we can work towards combating this insidious crime and protecting individuals from falling prey to sextortionists.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, and the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

How and Why “Fun” AI Generated Spam On Social Media Will Manipulate the 2024 Election

May 31, 2024/in Artificial Intelligence /by Robert Siciliano

The primary intention behind artificial intelligence (AI) generated spam on social media appears to be financial gain through deceptive means. Facebook algorithms are suggesting users to visit, view and like pages that are 100% artificially intelligent generated photos of people, places, and things that are simply not real.

The content includes too good to be true pictures of everyday people, their projects that are to most of us “extraordinary” in their nature. This might include a crudites made to look like the face of Jesus. Or someone crocheting a child’s amazing sweater, or something as simple as 103 year old woman’s birthday celebration. All fake, all designed to engage us. And that engagement is 100% trickery.

AI Enables High Volume of Engaging Content

AI tools like text and image generators allow spammers to produce large volumes of visually appealing and engaging content cheaply and quickly. This AI-generated content draws attention and interactions (likes, comments, shares) from users, signaling to social media algorithms to promote it further.

Driving Traffic for Monetary Gain

The engaging AI posts often contain links or lead to external websites filled with ads, allowing spammers to generate ad revenue from the traffic. Some spammers use AI images to grab attention, then comment with spam links on those posts. The ultimate goal is to drive traffic to these ad-laden websites or promote dubious products/services for profit. This same content can be directed towards the election process and fake websites containing photos, videos, and content to manipulate hearts and minds on why and who they should vote for.

Circumventing Detection

AI allows spammers to generate unique content at scale, making it harder for platforms to detect patterns and filter out spam. As AI language models improve, the generated content becomes more human-like, further evading detection.

Spreading Misinformation

While profit is the primary motive with social media related spam, AI-generated spam can also be leveraged to spread misinformation and false narratives on social media. Automated AI bots can amplify misinformation campaigns by flooding platforms with synthetic content.

In essence, AI provides spammers with powerful tools to create deceptive, viral content that circumvents detection while enabling them to monetize through dubious means like ad farms, product promotion, or even misinformation in election campaigns.

And spreading misinformation is exactly how generated artificially intelligent spam “socializes” the process of election manipulation. Over decades and decades, we have come to believe most if not everything we see, everything we read, and therefore we go deeper into the rabbit hole of fakery.

Joe Biden Deepfake in New Hampshire

In May 2024, a New Hampshire man named was fined $6 million by the Federal Election Commission for creating and distributing a deep fake audio clip that falsely portrayed President Joe Biden making controversial statements.

The man used advanced AI technology to generate a synthetic version of Biden’s voice, making it appear the President said things he never actually said. The deep fake audio was released online just weeks before the election and quickly went viral on social media.

The FEC determined the mans actions constituted an “expensive virtual disinformation campaign” aimed at undermining the election process. His $6 million fine is the largest ever levied by the FEC for such a violation of election laws prohibiting the distribution of disinformation and deep fakes intended to sway voters.

This case highlights the growing threat of deep fake technology being weaponized to mislead the public and interfere in U.S. elections. It has prompted calls for stricter regulations around the creation and dissemination of synthetic media.

Is There Any Way to Stop It?

There are several measures that can be taken to prevent AI from being used to spread misinformation during elections:

AI System Design

· Implement robust fact-checking and verification processes into AI systems to ensure they do not generate or amplify false or misleading information.

· Train AI models on high-quality, fact-based data from reliable sources to reduce the risk of learning and propagating misinformation.

· Build in safeguards and filters to flag potential misinformation and disinformation attempts.

Regulation and Oversight

· Enact laws and regulations governing the use of AI in elections and political campaigns to prohibit manipulative tactics.

· Establish independent oversight bodies to audit AI systems for fairness, accuracy and resistance to misinformation.

Public Awareness

· Increase public education about AI capabilities and limitations to raise awareness of artificial intelligence and deepfakes potential misuse.

· Promote media literacy to help people identify misinformation and verify information sources.

Collaboration

· Foster collaboration between AI developers, election officials, fact-checkers and civil society to share best practices.

· Support research into AI-powered misinformation detection and prevention methods.

Ultimately, a multi-stakeholder approach involving responsible AI development, strong governance, public engagement and cross-sector partnerships will be crucial to mitigating the risks of AI-enabled misinformation during elections.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

Artificial Intelligence and Organized Crime Sitting In a Tree…

May 14, 2024/in Artificial Intelligence /by Robert Siciliano

K.I.S.S.I.N.G. First came love, then came marriage, then came the baby in the baby carriage! Sucking his thumb, wetting his pants, doing the hula – hula dance! And the BABY is a Boy!

The Yahoo Boys.

The Yahoo Boys are a notorious group of cyber criminals operating out of West Africa, primarily Nigeria. While most scammers try to stay under the radar, the Yahoo Boys are brazen – they openly advertise their fraudulent activities across major social media platforms like Facebook, WhatsApp, Telegram, TikTok, and YouTube.

An analysis by WIRED uncovered a vast network of Yahoo Boy groups and accounts actively sharing scamming techniques, scripts, and resources. There are nearly 200,000 members across 16 Facebook groups alone, not to mention dozens of channels on WhatsApp, Telegram, TikTok, YouTube, and over 80 scam scripts hosted on Scribd. And this is likely just scratching the surface.

The Yahoo Boys aren’t a single organized crime syndicate, but rather a decentralized collective of individual scammers and clusters operating across West Africa. Their name harks back to the notorious Nigerian prince email scams, originally targeting users of Yahoo services. But their modern scamming operations are vast – from romance fraud to business email compromise and sextortion.

The scams themselves are getting more psychologically manipulative and technologically advanced. Classic romance scams now incorporate live deepfake video calls, AI-generated explicit images, even physical gifts like food deliveries to build trust with victims. One particularly disturbing trend is the rise in sextortion schemes, with cases linked to dozens of suicides by traumatized victims.

Artificial intelligence (AI) is being exploited by cybercriminals such as the Yahoo Boys to automate and enhance various aspects of social engineering scams.

Here are some ways AI is being used in social engineering attacks:

1. Natural Language Generation: AI models can generate highly convincing and personalized phishing emails, text messages, or social media posts that appear to come from legitimate sources. These AI-generated messages can be tailored to specific individuals or organizations, making them more believable and increasing the likelihood of success.

2. Voice Cloning: AI can be used to clone or synthesize human voices, allowing scammers to impersonate trusted individuals or authorities over the phone. This technique, known as voice phishing or “vishing,” can trick victims into revealing sensitive information or transferring funds.

3. Deepfakes: AI-powered deepfake technology can create highly realistic video or audio content by manipulating existing media. Cybercriminals can use deepfakes to impersonate individuals in video calls or create fake videos that appear to be from legitimate sources, adding credibility to their social engineering attempts.

4. Sentiment Analysis: AI can analyze the language, tone, and sentiment of a victim’s responses during a social engineering attack, allowing the attacker to adapt their approach and increase the chances of success.

5. Target Profiling: AI can analyze vast amounts of data from various sources, such as social media profiles, public records, and online activities, to create detailed profiles of potential victims. These profiles can be used to craft highly personalized and convincing social engineering attacks.

6. Automated Attacks: AI can automate various aspects of social engineering campaigns, such as identifying potential victims, generating and sending phishing emails or messages, and even engaging in real-time conversations with targets.

While AI can be a powerful tool for cybercriminals, it is important to note that these technologies can also be used by security researchers and organizations to detect and mitigate social engineering attacks. However, the ongoing advancement of AI capabilities poses a significant challenge in the fight against social engineering and requires vigilance and continuous adaptation of security measures.

Insidious Meets Prolific

What makes the Yahoo Boys particularly insidious is their bold presence on mainstream social platforms. They use these as virtual “office spaces,” sharing step-by-step scripts, explicit images and videos of potential victims, fake profiles, even tutorials on deploying new AI technologies like deepfakes and voice cloning for their scams. It’s a massive con operation happening in plain sight.

Despite social media’s stated policies against fraud and illegal activities, the companies have struggled to keep up with the Yahoo Boys’ prolific output. Although the major platforms removed many of the specific groups and accounts identified by WIRED, new ones continue popping up daily, exploiting gaps in moderation and content policies.

Cybersecurity experts are sounding the alarm that social platforms are providing safe harbor for these transnational cyber criminal gangs to recruit, share resources, and execute increasingly sophisticated frauds with global reach and real-world consequences. While the “Yahoo Boy” monikers imply a relatively harmless group of young tricksters, the reality is a vast and dangerous network of techno-savvy con artists causing significant financial and psychological harm on an industrial scale.

Law enforcement and the tech giants are struggling to get a handle on this viral scamming epidemic. As new AI capabilities get folded into the Yahoo Boys’ arsenal of malicious tools and tactics, the need for a coordinated global crackdown is becoming more urgent. No longer just a nuisance of sketchy email schemes, this criminal community represents an escalating threat operating in the open on our most popular social media platforms.

I personally am getting ready to crawl under a rock, and maybe move into a cave deep in the woods of Montana to escape the onslaught of artificial intelligence scams. But maybe you are tougher than I am. If you are, I suggest adhering to these tips:

Here are 11 tips to protect yourself from AI-powered social engineering scams:

1. Be wary of unsolicited communication, even if it appears to come from a trusted source. Verify the authenticity of the message or request through official channels. You know, pick up the phone. Send them a text message. Meet them in person.

2. Enable multi-factor authentication for your accounts and devices to add an extra layer of security beyond just passwords. This has nothing to do with artificial intelligence scams. You should just do it because it makes you a tougher target.

3. Keep your software and operating systems up-to-date with the latest security patches to mitigate vulnerabilities that could be exploited. Same, just do it.

4. Be cautious of urgent or high-pressure requests, as these are common tactics used in social engineering attacks. This goes for all social engineering scams.

5. Scrutinize the language and tone of messages for inconsistencies or anomalies that may indicate AI-generated content. If you feel your blood pressure going up, it’s fraud. It’s always fraud.

6. Verify the authenticity of voice calls or video conferences, especially if they involve requests for sensitive information or financial transactions. Again, pick up the phone, be persistent, meet them in person and verify the authenticity not just by yourself, get others involved.

7. Be skeptical of overly personalized or tailored messages, as AI can analyze your online presence to craft convincing lures. Every communication from a scammer is designed to get you to trust them. Do everything in your power to be skeptical.

8. Educate yourself and stay informed about the latest AI-powered social engineering techniques and scams. Yeah, just read my newsletter. I’ll keep you up to speed.

9. Implement robust security measures, such as email filtering, web content filtering, and endpoint protection, to detect and block potential threats. Your IT people should have systems in place. But even those systems can be compromised by human hacking.

10. Report any suspected social engineering attempts to the relevant authorities and organizations to help identify and mitigate emerging threats. Those relevant authorities start with your internal people.

11. Cyber security awareness training educates employees about threats, best practices, and their role in protecting company data and systems. It reduces human error, promotes a security-conscious culture, mitigates risks, and enhances an organization’s overall cyber resilience.

By staying vigilant, verifying information, and implementing appropriate security measures, you can significantly reduce your risk of falling victim to AI-powered social engineering scams.

Why EVERYONE is Resistant to Engaging in Security Practices and How to Fix It

May 3, 2024/in security /by Robert Siciliano

It’s everyone. (It’s you too. Just read.) Security goes against our core beliefs. Security is not natural, it’s not normal, it means that we don’t trust others. However, we trust by default. Not trusting others is actually a learned behavior. Security means that you are aware that there are others out there that may choose you as their target. That’s not normal. It’s not natural. No-one wants to think they are a target.

What’s normal is that we live happily ever after, we live together as one species in harmony. We trust each other, we are good to each other, we treat others as we want to be treated. We don’t hit, hurt, harm or take from one another. We are civilized creatures.

However, there is a small percentage of predators, uncivilized beings, we call them sociopaths, psychopaths, and hard-core narcissists. They are the criminal hackers, the serial killers, the rapists. They are a minority, and we choose to think they don’t exist. Or at least we deny they would choose us. We resist security practices, because it goes against what it means to be a civilized being.

Therefore, in addition to the above, consumers (you) may be resistant to cybersecurity awareness training for several reasons:

1. Perceived inconvenience. Some may view cybersecurity training as an additional task or inconvenience, especially if they believe it interrupts their regular activities. Which is all nonsense. If you thought your bank was being targeted, would you do something about it? Of course. Beyond the perceived inconvenience, we are tired, lazy and selfish. That’s actually normal too.

2. Lack of perceived relevance. Some individuals may not see the immediate relevance of cybersecurity to their daily lives, leading them to ignore or resist training efforts. This is frustrating for your IT directors, and it is also frustrating for your government who see you, and I, as part of the problem regarding our critical infrastructure being vulnerable. Cyber security is relevant if you want to keep the lights on, have clean water, and heat your home.

3. Overwhelm. The complexity of cybersecurity topics can overwhelm consumers, making them feel incapable of understanding or implementing the necessary precautions. I blame pretty much every cyber security awareness training company out there. It’s not all about phishing simulation training. None of these companies have a clue when it comes to teaching individuals about risk. It’s not “do this, don’t do that” they have forgot what it means to be human.

4. Denial. Some people may deny the importance of cybersecurity or believe that they won’t be targeted by cyber threats, leading them to dismiss training efforts. Denial is more natural and more normal than recognizing risk. Denial is comfortable, it’s soothing, and it allows us to avoid the anxiety of “it really can happen to me”

5. Fear of technology. Individuals who are not confident in their technological abilities may feel intimidated by cybersecurity training, leading them to avoid it altogether. This, of course makes total sense. How many times have you gone in a vicious circle, a constant loop of not being able to log into an account because of two factor authentication not working or something else out of whack? Technology can be frustrating. If security is not easy, people aren’t going to do it.

6. Lack of awareness. Some consumers may simply not be aware of the risks posed by cyber threats, leading them to underestimate the importance of cybersecurity training. This is a real problem. This lack of attention to what your options are regarding anything security is common. Part of that lack of awareness stems from disbelief these things can happen to us, denial we can be targeted, and a relative “pacifist” attitude.

Addressing these barriers requires organizations to tailor their cybersecurity awareness training programs to be engaging, relevant, and accessible to all consumers. This can involve using clear language, providing real-life examples, and offering support for individuals who may struggle with technology or cybersecurity concepts. It also means getting “real”. And cyber security awareness training companies aren’t going to do that, nor are their 2 dimensional employees, and most of them don’t have the ability to get down and dirty and speak “holistically” about life and security in the same sentence.

Encouraging computer users to engage in cybersecurity awareness training involves several strategies:

1. Relevance. Highlight the relevance of cybersecurity to their personal and professional lives. Emphasize how it can protect their data, finances, and privacy.

2. Interactive Training. Offer engaging and interactive training modules that include simulations, quizzes, and real-life scenarios to make the learning experience more enjoyable and practical.

3. Incentives. Provide incentives such as certifications, badges, or rewards for completing cybersecurity training. Recognition for their efforts can motivate users to participate.

4. Customization. Tailor training content to the specific needs and interests of different user groups. For example, employees in finance may require different training than those in marketing.

5. Regular Updates. Keep the training content up-to-date with the latest cybersecurity threats and best practices. This demonstrates the importance of ongoing learning in an ever-evolving digital landscape.

6. Leadership Support. Gain support from organizational leaders and managers to promote the importance of cybersecurity training. When leadership emphasizes its importance, employees are more likely to prioritize it.

7. Accessibility. Make training accessible by offering multiple formats such as online courses, in-person workshops, and mobile-friendly materials. This accommodates different learning preferences and schedules.

8. Feedback and Support. Provide avenues for users to ask questions, seek clarification, and provide feedback on the training materials. Addressing their concerns and offering support can increase engagement.

By implementing these strategies, organizations can create a culture of cybersecurity awareness where users are motivated and empowered to protect themselves and their data online.

Be aware of Artificial Intelligence Voice Cloning

April 26, 2024/in Artificial Intelligence /by Robert Siciliano

The proliferation of AI technologies like voice cloning and caller ID spoofing has opened up new avenues for fraudsters to exploit. By mimicking voices and masking their true caller identities, scammers can launch highly convincing social engineering attacks over the phone. This potent combination poses serious risks to individuals and organizations alike.

However, we aren’t defenseless against these emerging threats. Biometric voice authentication solutions that analyze unique voice characteristics like pitch, tone, and speech patterns can detect synthetic voices and unmask deepfakes. Additionally, advanced caller ID intelligence services cross-reference numbers against databases of known fraudulent callers to flag suspicious calls.

We are hardly not out of the woods though.

A gym teacher is accused of using AI voice clone to try to get a high school principal fired.

Worried About AI Voice Clone Scams? Create a Family Password.

Voice cloning technology has made it alarmingly easy for scammers to carry out voice fraud or “vishing” attacks. With just a few seconds of audio, criminals can generate highly convincing deepfake voices. When combined with caller ID spoofing to mask their real numbers, fraudsters can impersonate trusted entities like banks or family members on a massive scale and at little cost.

Voice cloning technology, powered by artificial intelligence, has opened up new avenues for fraud. One example involves impersonating someone’s voice to authorize fraudulent transactions. For instance, a scammer could clone the voice of a company executive to trick employees into transferring funds or disclosing sensitive information.

Another example is using voice cloning to create convincing fake audio recordings for political or social manipulation. By imitating the voices of public figures, AI-generated content can spread misinformation, manipulate public opinion, or even incite unrest. Such fraudulent activities undermine trust in media and institutions, leading to widespread confusion and division. These examples highlight the potential dangers of AI voice cloning in the wrong hands.

No one is immune – even highly rational individuals have fallen prey to elaborate ruses involving fictitious identity theft scenarios and threats to their safety.

As generative AI capabilities advance, audio deepfakes will only become more realistic and accessible to criminals with limited skills. Worryingly, over half of people regularly share voice samples on social media, providing ample training data for voice cloning models.

I recently presented to a large financial services firm, and one of the questions I was asked, was in regards to whether or not they should have their photos and their emails on their contact us page. My response was, not only should they scrub their photos and emails from their contact page, they should also change any voicemail messages and use a computer generated message, and then go to their social media pages and scrub any video they have in their personal or professional lives.

And while, that certainly appears to be “alarmist” this author is completely freaked out by the advancement of AI voice clone technology, and how effective it has become and how vulnerable we are as a result.

Just listen to this OpenAI that mimics human voices on CNN. It’s alarmingly perfect.

Businesses, especially those relying on voice interactions like banks and healthcare providers, are also high-value targets. A single successfully manipulated employee could inadvertently disclose seemingly innocuous information that gets exploited for broader access.

Fortunately, regulators globally are waking up to the threat and implementing countermeasures. This includes intelligence sharing, industry security standards, obligations on telcos to filter spoofed calls, and outright bans on using AI-generated voices for robocalls. We are still a long ways away, if ever , from preventing AI fraud.

Technological solutions like voice biometrics, deepfake detectors, anomaly analysis and blockchain are also emerging. All combined with real-time caller risk assessment provides a multi-layered defense. Deploying these countermeasures is crucial for safeguarding against the devious fusion of AI and traditional phone scams. With the right tools and vigilance, we can stay one step ahead of the fraudsters exploiting cutting-edge technologies for nefarious gains. However, scammers continually evolve their tactics, so a multipronged strategy with security awareness training is crucial for effective defense.

Businesses must enhance their cybersecurity capabilities around telecom services, instituting clear policies like multi-factor voice authentication. Regular employee training and customer education to identify vishing tactics are vital too. Collective action between industry, government and individuals will be key to stemming the rising tide of AI-enabled voice fraud.

By leveraging technology to combat technology-enabled fraud, organizations can mitigate risks and individuals can answer calls with greater confidence. In the AI age, fighting voice fraud requires an arsenal of innovative security solutions.

Surf Safely: Armoring Your Digital Life on Public Wi-Fi Waves

April 10, 2024/in Hotspot Sheild, wifi /by Robert Siciliano

Protecting one’s data and devices on public Wi-Fi goes beyond protecting oneself on just the Wi-Fi aspect. Cyber security is holistic in its nature, meaning the devices hardware, software, and various forms of access control all need consideration.

I hear all the time that criminal hackers are so “sophisticated”. I suppose they are, but what they really are is organized, and they treat fraud like a business. Do you know who’s really sophisticated? White hat hackers also known as penetration testers. These are the security experts deployed to seek out vulnerabilities in your networks and to offer recommendations to tighten them up.

And for you laypersons, I’m going to let you in on a little secret that both criminal hackers, and the good guy hackers know: there are very basic, user-friendly tools that hackers on both sides of the fence use to “hack us” on public Wi-Fi:

The top three software tools that penetration testers commonly use to infiltrate and test the security of insecure Wi-Fi connections are:

Aircracking: This is a comprehensive suite of tools for auditing wireless networks. It can monitor traffic, crack WEP and WPA/WPA2-PSK keys after capturing data packets, and check for vulnerabilities in wireless access points.
Kismet: A wireless network detector, sniffer, and intrusion detection system. It can passively collect packets from both hidden and non-hidden networks, detect wireless access points and associated clients, and identify networks by probing them.
Wireshark: A popular network protocol analyzer that can capture and inspect wireless traffic. It helps identify potential security issues by analyzing the data packets traveling over the Wi-Fi network.

These tools allow penetration testers to scan for and identify nearby wireless networks, capture network traffic, crack encryption keys, and exploit vulnerabilities in wireless access points and devices connected to the network. They are essential for comprehensively assessing the security posture of Wi-Fi networks during penetration testing engagements.

Keep in mind, anyone, and everyone, both good and bad have access to these software programs.

There are a number of vulnerabilities requiring consideration including:

Man-in-the-Middle (MITM) attacks: Hackers can position themselves between your device and the network, intercepting all your internet traffic to steal sensitive data like passwords, financial information, etc.

Malware distribution: Public Wi-Fi can be used to spread malware that infects connected devices, allowing hackers to access files, spy on activities, or render devices unusable.

Unencrypted connection: Many public Wi-Fi networks lack encryption, allowing anyone on the network to easily snoop on your online activities and data transmissions.

Rogue hotspots: Cybercriminals can set up fake Wi-Fi access points with legitimate-sounding names to lure users and monitor their traffic.

Snooping and sniffing: Hackers can use tools to eavesdrop on Wi-Fi signals and capture data like webpages visited, login credentials, and more.

Malicious hotspots: Hackers create malicious hotspots with similar names to legitimate ones to trick users into connecting, enabling MITM attacks.

Lack of authentication: Most public Wi-Fi is open with no authentication required, allowing anyone to join and potentially launch attacks.

The key risks involve exposing your private data and online activities to malicious actors exploiting the lack of security on public wireless networks.

Here are 10 ways to lock down your data and prepare yourself on free open public Wi-Fi:

Verify the wireless network is in fact legitimate. Confirm the network name with staff at the municipality, airport, or wherever, or seek out posted signage before connecting. Wi-Fi hackers can create fake hotspots often known as “evil twins” with similar names to trick Wi-Fi users.
Avoid accessing sensitive information. If possible, avoid logging into sensitive accounts such as online banking or entering passwords on public Wi-Fi as your data can be intercepted. Save the critical and sensitive data processing for at home or at work on a secure Wi-Fi connection.
Use a VPN. A virtual private network encrypts your internet traffic, protecting it from snooping on public networks. The VPN software is free to a small fee, and is your best defense against digital Wi-Fi snooping.
Enable two-factor authentication. Any and all Critical accounts need additional password protection and this is done generally via your mobile phone as a second form of authentication receiving a one time pass code via text. This extra login step code sent to your phone for accounts that offer it, prevents unauthorized access even if your password is compromised.
Keep software updated. Install the latest operating system and software app updates which often include security patches to protect against vulnerabilities. Outdated software creates vulnerabilities that Wi-Fi hackers can seek out.
Use antivirus software. Paid antivirus comes with antivirus, anti-spyware, anti-phishing, and a firewall. Antivirus programs are designed to detect and block malicious software that spies on you and can infect your device on unsecured public Wi-Fi networks.
Log out after use. When finished on critical websites, log out of websites and shut down tabs or even your whole browser, and disconnect from the Wi-Fi network to minimize exposure.
Enable firewall. By default, your firewall should be turned on. Keep your device’s firewall enabled to block unauthorized access while on public networks. The devices operating system should come equipped with a built-in, firewall, or do a search engine query for the name of the operating system in the word firewall for instructions on how to enable it.
Avoid auto-connecting. In your devices Wi-Fi settings, you should be able to toggle off various known Wi-Fi hotspots. Disabling automatic Wi-Fi connection on your devices prevents joining rogue hotspots that may be set up as “evil twins”.
Browse securely. By default, your browser should let you know if a particular website is at risk. Only visit HTTPS encrypted websites which are more secure than unencrypted HTTP sites when on public Wi-Fi.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon.com author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

12 of the Nastiest Tax Scams and How to Prevent Them

April 5, 2024/in Tax Scam /by Robert Siciliano

Lets agree on this: Most of what’s written below will NEVER happen to you. Why? Because you are a subscriber to this newsletter and your propensity to consume security related content keeps you current on fraud prevention tactics.

12 of the Nastiest Tax Scams and How to Prevent Them

So, this means you have a responsibility as a security conscious citizen to spread the prevention message below and make sure to specifically inform those in your life who are a bit more vulnerable. K?

Text message tax scams

Text message tax scams are a common form of phishing where scammers impersonate the IRS or other tax authorities to trick victims into revealing personal or financial information. Here’s how these scams typically work:

The scammer sends a text message claiming to be from the IRS, stating that the recipient has an outstanding tax bill, is owed a refund, or needs to verify information. The message often includes a link or phone number to call for more details.

If the victim clicks the link, they are directed to a fake website designed to steal login credentials, credit card numbers, or other sensitive data. If they call the number, they may be asked to provide personal information or make a payment over the phone.

These scam texts aim to create a sense of urgency and fear by threatening consequences like account freezes or legal action if the recipient doesn’t respond quickly. However, the IRS does not initiate contact with taxpayers via text messages, emails, or social media.

Key things to remember:

The IRS will never demand immediate payment, threaten arrest, or ask for credit/debit card numbers over the phone.
The IRS initiates most contacts through regular mail delivered by the United States Postal Service.
Never click on links or call numbers provided in unsolicited texts claiming to be from the IRS.
Report suspected tax scams to the IRS by forwarding the text to 202-552-1226.

By being aware of how these scams operate and the IRS’s actual practices, taxpayers can avoid falling victim to text message tax fraud attempts.

Tax scam extortion phone calls

Tax scam extortion phone calls are a common fraudulent tactic where scammers impersonate government agencies like the IRS or law enforcement to trick victims into paying fictitious tax debts or fines. Here’s how these scams typically work:

The scammer calls the victim claiming they owe back taxes or penalties to the IRS or other tax authority.
They use aggressive tactics like threats of arrest, deportation, or having the police sent to the victim’s home to create a sense of fear and urgency.
The caller demands immediate payment via wire transfer, prepaid debit cards, gift cards, or even cryptocurrencies to resolve the fake tax debt.
They often provide a fake case number, badge number, or callback number to appear legitimate.

Key things to remember:

The IRS will never demand immediate payment over the phone, threaten arrest for not paying, or request payment via gift cards or wire transfers.
The IRS initiates most contacts through regular mail, not by phone calls.
Scammers often spoof caller ID to make it appear the call is from a real IRS or law enforcement number.
They may use personal information obtained illegally to make the call seem more credible.

If you receive one of these calls, hang up immediately. Do not provide any personal information or make any payments. Report the call to the Treasury Inspector General for Tax Administration and the Federal Trade Commission.

By recognizing the telltale signs of these extortion scams and knowing the IRS’s actual practices, taxpayers can avoid falling victim to these fraudulent threats and demands for payment.

10 More NASTY Tax Scams

Phishing Scams: Fraudsters often send phishing emails or text messages posing as the Internal Revenue Service (IRS) or tax preparation companies. These messages may claim you owe money or are eligible for a refund, and they typically include a link to a fake website designed to steal your personal and financial information.
Ghost Preparers: Some unscrupulous tax preparers don’t sign the returns they prepare, making it difficult for the IRS to track them down if there are any issues with the return. These “ghost” preparers may also manipulate income figures and claim fake deductions to increase refunds, leaving the taxpayer liable for penalties and interest.
Identity Theft: Identity thieves may use your Social Security number to file a fraudulent tax return and claim a refund in your name. This can delay your legitimate refund and create a mess to untangle with the IRS.
Fake Charities: Scammers often try to take advantage of people’s generosity by setting up fake charities and soliciting donations, especially during tax season when people are looking for deductions.
Inflated Refund Claims: Some unethical tax preparers may promise inflated refunds by claiming credits or deductions you don’t qualify for, leading to potential audits, penalties, and interest charges.
Impersonation Scams: Fraudsters may call or send emails pretending to be IRS agents or other government officials, demanding immediate payment for alleged back taxes or threatening arrest if you don’t comply.
Affinity Fraud: Scammers often target specific communities or groups, exploiting the trust and relationships within those circles to perpetrate tax-related fraud or investment schemes.
Tax Preparer Fraud: Some dishonest tax preparers may alter returns without the taxpayer’s knowledge to claim improper deductions or credits, pocketing a portion of the inflated refund for themselves.
Employment Scams: Unscrupulous employers may pay workers under the table or misclassify them as independent contractors to avoid payroll taxes, leaving employees liable for additional taxes and penalties.
Cryptocurrency Scams: With the rise of cryptocurrency, scammers may try to exploit the relative anonymity and complexity of these transactions to facilitate tax evasion or other fraudulent activities.

To avoid falling victim to these scams, it’s crucial to be vigilant, verify the legitimacy of any communications from the IRS (they ONLY send letters) or tax preparers, and never provide personal or financial information unless you’ve initiated the contact and confirmed the recipient’s authenticity.

Now share this. Please.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon.com author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

TOP 10 Vital Strategies for Healthcare (or ANY) Organizations to Prevent Ransomware Attacks

March 6, 2024/in healthcare, Ransomware /by Robert Siciliano

Change Healthcare, a major U.S. healthcare company, reportedly paid $22 million to the BlackCat ransomware group after a cyberattack disrupted services nationwide. However, the cybercriminal who facilitated the attack claims they were cheated out of their share of the ransom, leaving sensitive data intact.

According to researchers, a hacker forum post suggested that UnitedHealth Group paid $22 million to regain access to data and systems encrypted by the “Blackcat” ransomware gang. While neither UnitedHealth nor the hackers have commented on the alleged payment, a cryptocurrency tracing firm partly supported the claim.

It’s common for large companies hit by ransomware attacks to pay hackers to restore control, especially after significant disruptions. The forum post, implicated a Blackcat partner in the intrusion into UnitedHealth and included a link showing the transfer of about 350 bitcoins, valued at around $23 million, between digital wallets.

The attack has caused financial strain for medical providers, leading to challenges such as delaying treatments and struggling to cover expenses. Lawmakers and industry leaders are pressuring the government for relief measures, including accelerated payments for Medicare providers.

Despite these efforts, the shutdown of Change Healthcare’s operations has left providers without vital insurance approvals and payments, exacerbating financial pressures. UnitedHealth Group, which owns Change Healthcare, has not provided a timeline for restoring operations, and the attack highlights the vulnerability of patient data in interconnected healthcare systems.

While some operational challenges have been addressed, the prolonged shutdown has left providers grappling with unpaid claims and uncertainty about the future.

The hospital industry has called for emergency funding, criticizing United’s response and government initiatives like loan programs as insufficient. Providers, such as therapists and cancer centers, are facing financial strain and uncertainty as they seek alternative payment clearinghouses and struggle to cover expenses.

Lawmakers are advocating for additional support to ensure providers can continue offering comprehensive care amid the ongoing disruption.

In an era of increasing cyber threats, healthcare organizations are particularly vulnerable to ransomware attacks due to the sensitive nature of patient data and the criticality of uninterrupted services. Ransomware attacks can disrupt operations, compromise patient confidentiality, and result in significant financial losses. However, with proactive measures and robust cybersecurity practices, healthcare organizations can strengthen their defenses against ransomware threats. Here are ten essential tips for preventing ransomware attacks:

1. Implement Comprehensive Security Awareness Training: Educate all staff members about the risks associated with ransomware attacks and the importance of cybersecurity best practices. Regular training sessions should cover topics such as identifying phishing emails, avoiding suspicious links and attachments, and reporting potential security incidents promptly.

2. Keep Software and Systems Up to Date: Regularly update all software, operating systems, and firmware to patch known vulnerabilities. Outdated software and systems are often exploited by cybercriminals to gain unauthorized access to healthcare networks. Implement automated patch management systems to ensure timely updates across all devices and endpoints.

3. Deploy Next-Generation Antivirus Solutions: Traditional antivirus software may not offer sufficient protection against evolving ransomware threats. Invest in next-generation antivirus solutions that utilize advanced threat detection techniques, such as behavior analysis, machine learning, and endpoint detection and response (EDR) capabilities. These solutions can detect and mitigate ransomware attacks in real-time.

4. Implement Least Privilege Access Controls: Restrict user privileges to the minimum level necessary for performing job functions. Limiting access rights reduces the likelihood of ransomware spreading laterally across the network in the event of a breach. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to prevent unauthorized access to sensitive data and systems.

5. Enable Network Segmentation: Segment the network into distinct zones or segments to contain the spread of ransomware in the event of a breach. Implement strict access controls and firewall rules to regulate traffic between network segments. Isolate critical systems and sensitive data to minimize the impact of ransomware attacks on essential healthcare services.

6. Regularly Back Up Data: Maintain regular backups of critical data and systems to facilitate timely recovery in the event of a ransomware attack. Backups should be stored securely offline or in a separate, isolated network environment to prevent them from being compromised by ransomware. Test backup and recovery procedures regularly to ensure their effectiveness.

7. Conduct Regular Vulnerability Assessments and Penetration Testing: Identify and remediate security vulnerabilities proactively through regular vulnerability assessments and penetration testing. Assess the security posture of networks, systems, and applications to identify weaknesses that could be exploited by ransomware attackers. Address identified vulnerabilities promptly to reduce the risk of exploitation.

8. Develop and Test an Incident Response Plan: Establish a comprehensive incident response plan that outlines procedures for responding to ransomware attacks and other security incidents. Define roles and responsibilities, escalation procedures, and communication protocols to ensure a coordinated response. Conduct tabletop exercises and simulated drills to test the effectiveness of the incident response plan.

9. Monitor Network Activity and Anomalies: Implement robust monitoring tools and security information and event management (SIEM) solutions to monitor network activity and detect anomalous behavior indicative of ransomware activity. Configure alerting mechanisms to notify security teams of potential security incidents in real-time. Investigate and respond to alerts promptly to mitigate threats effectively.

10. Foster a Culture of Cybersecurity Awareness and Vigilance: Cultivate a culture of cybersecurity awareness and vigilance among employees, encouraging them to remain vigilant against potential threats and report any suspicious activities promptly. Promote open communication channels for reporting security incidents and provide incentives for proactive security behavior.

By adopting these ten essential strategies, healthcare organizations can enhance their resilience to ransomware attacks and safeguard patient data, critical systems, and essential healthcare services. Proactive cybersecurity measures, combined with comprehensive training, regular updates, and robust incident response capabilities, are key to mitigating the risk of ransomware threats in the healthcare OR ANY sector.

The Top 10 Tax Scams of 2024

February 22, 2024/in Tax Scam /by Robert Siciliano

1. Phishing Scams: Cybercriminals send fake emails or create fake websites pretending to be from the IRS or tax preparation companies. They often request personal information, such as Social Security numbers or financial details, which they then use for identity theft or fraudulent tax filings.

2. Identity Theft: This scam involves stealing someone’s personal information, such as their Social Security number, to file a tax return and claim a fraudulent refund. Scammers may also use stolen identities to apply for jobs, credit cards, or other benefits.

3. Fake Charities: Scammers set up fake charities or impersonate legitimate organizations to solicit donations from unsuspecting taxpayers. They often use emotional appeals or fake testimonials to trick people into giving money, which they then pocket for themselves.

4. Tax Preparer Fraud: Some tax preparers may engage in fraudulent activities, such as claiming false deductions or credits on their clients’ tax returns to inflate refunds. Taxpayers should be cautious when choosing a tax preparer and ensure they are reputable and trustworthy.

5. Social Security Number Scams: Scammers may call taxpayers claiming to be from the IRS or Social Security Administration and threaten legal action if they do not provide their Social Security number or other personal information. The IRS and SSA will never call taxpayers to demand immediate payment or personal information over the phone.

6. Fake IRS Letters: Scammers send fake letters or notices purportedly from the IRS demanding immediate payment or threatening legal action if the recipient does not comply. These letters often contain grammatical errors or inconsistencies that can help identify them as fraudulent.

7. Tax-Related Identity Theft: This scam involves using stolen personal information to file a tax return and claim a refund before the legitimate taxpayer has a chance to do so. Victims may not realize they are victims until they try to file their own tax return and discover that one has already been filed using their information.

8. Inflated Refund Claims: Some tax preparers may promise taxpayers inflated refunds in exchange for a fee or a percentage of the refund. They may use tactics such as claiming false deductions or credits to artificially inflate the refund amount.

9. Falsifying Income: Taxpayers may attempt to lower their tax liability by underreporting or omitting income from their tax returns. This is illegal and can result in fines, penalties, or criminal prosecution if discovered by the IRS.

10. Abusive Tax Shelters: Some taxpayers may be lured into investing in abusive tax shelters that promise to reduce or eliminate their tax liability. These schemes often involve complex financial transactions or legal structures that are designed to exploit loopholes in the tax code. However, the IRS actively investigates and penalizes taxpayers who participate in abusive tax shelters.

It’s important for taxpayers to remain vigilant and be aware of these scams to avoid becoming victims. They should never provide personal information or payment to anyone claiming to be from the IRS without verifying their identity and legitimacy. Additionally, taxpayers should report any suspected scams or fraudulent activity to the IRS or appropriate authorities.

Here are the top 10 tips to prevent tax-related scams:

1. Be Wary of Suspicious Emails and Phone Calls: The IRS does not initiate contact with taxpayers via email, text messages, or social media channels to request personal or financial information. Be cautious of unsolicited communications claiming to be from the IRS or tax authorities, especially if they ask for sensitive information or demand immediate action.

2. Verify the Identity of Tax Preparers: Before hiring a tax preparer, research their credentials and reputation. Look for certified public accountants (CPAs), enrolled agents, or other professionals with a valid Preparer Tax Identification Number (PTIN). Avoid tax preparers who promise unusually high refunds or charge fees based on a percentage of your refund.

3. Protect Personal Information: Safeguard your Social Security number, financial account numbers, and other sensitive information. Only provide this information to trusted entities when necessary, such as legitimate tax preparers or government agencies. Be cautious when sharing personal information online and use secure methods for transmitting sensitive data.

4. File Early: Filing your tax return early can help prevent tax-related identity theft. By submitting your return before potential scammers, you reduce the risk of someone fraudulently filing a return using your information. Monitor your mailbox for any tax-related documents and file promptly to minimize the window of opportunity for identity thieves.

5. Use Secure Websites for Online Filing: When e-filing your tax return or making electronic payments, ensure you are using a secure and reputable website. Look for “https” in the website URL and a padlock icon in the browser address bar, indicating that the site is encrypted and secure. Avoid using public Wi-Fi networks or unsecured computers for sensitive transactions.

6. Review Your Credit Report Regularly: Monitor your credit report regularly for any suspicious activity or unauthorized accounts. Identity thieves may use stolen personal information to open credit accounts or loans in your name. By reviewing your credit report periodically, you can detect and address any fraudulent activity before it escalates.

7. Be Skeptical of Promises of Large Refunds: Be cautious of tax preparers or schemes that promise unusually large refunds or guaranteed refunds without reviewing your financial information. While legitimate deductions and credits can reduce your tax liability, exaggerated claims or fraudulent tactics may attract unwanted attention from the IRS and lead to penalties or legal consequences.

8. Educate Yourself About Common Scams: Stay informed about common tax-related scams and tactics used by fraudsters. The IRS regularly updates its list of tax scams and issues alerts to warn taxpayers about emerging threats. By familiarizing yourself with these scams, you can recognize warning signs and take proactive steps to protect yourself against fraud.

9. Secure Your Devices and Personal Information: Keep your computer, smartphone, and other devices secure by using up-to-date antivirus software, firewalls, and encryption tools. Enable multi-factor authentication for online accounts and use strong, unique passwords for each account. Avoid clicking on suspicious links or downloading attachments from unknown sources, as they may contain malware or phishing attempts.

10. Report Suspicious Activity: If you encounter a potential tax-related scam or identity theft, report it to the appropriate authorities immediately. Contact the IRS Identity Protection Specialized Unit at 1-800-908-4490 or visit the IRS website for guidance on reporting identity theft and fraudulent activity. Additionally, notify your financial institutions and credit bureaus to protect your accounts and credit information.

By following these tips and remaining vigilant against tax-related scams, you can minimize the risk of falling victim to fraudsters and protect your personal and financial information during tax season and throughout the year. Remember to stay informed, verify the legitimacy of tax-related communications, and take proactive measures to safeguard your identity and assets.

YOU WILL Get Suckered By An AI-enabled Deep Fake

February 14, 2024/in online safety, online scams, online security /by Robert Siciliano