Greater digital risks loom over people with multiple devices
Digital risk can be defined as financial loss, disruption, or damage to the reputation of an individual or organisation as a result of digital attacks. The increase in digital attacks during the pandemic, especially on people possessing multiple devices, demonstrates a need for better mobile security.
One of the many types of digital attack that has skyrocketed since 2020 is SMS phishing (smishing). According to a recent report from Tessian, 56% of people who participated in their survey said they received a scam via text message in the last 12 months. A third of people (32%) who received one complied with the request — a higher percentage than those who clicked on a phishing email.
According to Tessian threat intelligence researcher Charles Brook, data breaches are "a significant contributor to the increase in phone and email phishing. Breaches from major social media sites contain aligned personal information like names, mobile phone numbers and email addresses for thousands of individuals".
"There is a good chance that cybercriminals will be collating or joining up the information from various data breaches to create an information-rich dataset of potential targets in order to make their scams as convincing as possible," he continues.
In SMS phishing, attackers trick their victims into installing malware or revealing account information by sending them a link to a fake website. This fake page mimics a legitimate website, with the exception that the false one promises victims a chance to win prizes in exchange for their personal data. There are security measures put in place against phishing links on major websites such as Gmail. With text messages, however, the situation can be tricky.
"The thing is that using phone numbers instead of URLs helps cybercriminals' messages bypass security measures or detection controls, as these are typically looking for URLs in messages as a core indicator of a scam," Brook explained.
Greater risks for people with multiple devices
As explained above, phishing attacks can be both a result of data breaches and a cause of them. Either way, the risks are greater for people with multiple devices, simply because new technologies are equipped with more and more connective features, such as password synchronisation across devices. This offers more routes through which data can be stolen and leaked.
Security is only as strong as its weakest link. Hackers and fraudsters can exploit the gaps and flaws in security measures to launch their attacks. For example, anti-virus company Kaspersky noted that many smart home products, in particular, lack features like proper encryption.
Fraudsters and scammers can also take advantage of any major global situation, including a deadly health crisis. In the chaos created by COVID-19, instances of stimulus checks and unemployment benefits being stolen were common. Other examples include tricks to lure people into raising funding for fake COVID-19 treatments and fraudulent charities. It was reported that the first half of 2020 alone recorded 1.1 billion fraud attacks. This was twice as high as that of the second half of 2019.
How to mitigate digital risks
The keys to mitigating digital risks are safe data storage and vigilance against potential frauds. It is important to make sure that your personal data is secure and that you are the only one who has direct access to it ‒ in other words, no-one should access it without your permission and authorisation.
It is also recommended that you put measures in place to prevent personal information, particularly banking information, from being lost or stolen. For example, choose smart home products that use strong data encryption, and install anti-malware and anti-virus software on your personal devices.
Additionally, it’s essential to train yourself to recognise potential attacks. For example, if a link sent to your email appears suspicious, you should not follow it ‒ it’s easy for a hacker to make a false website that looks identical to an actual page. Generally, you should always be cautious when a link via email or SMS promises chances to win a prize, no matter how trivial the prize; you should be put on further alert if, upon clicking the link, the page automatically declares you the winner of the prize. Check whether the URL of the website is genuine by hovering over the link to see if it matches the address given.
"If you receive a text message requesting that you follow a link, ignore it — at least until you've confirmed whether or not it's legitimate by contacting the company in question," Brook said. "Inspect the sender's phone number — unknown numbers or 11-digit long numbers starting with a local area code are often associated with scam texts. Large institutions will generally send text messages from short-code numbers."
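The detection gap Brook describes (filters that only look for URLs miss texts asking the victim to call a number) and the sender check he recommends can be shown side by side. The following is an added illustration, not code from Tessian or the original article; the regular expressions, the six-digit short-code cut-off, the function names and the sample messages are assumptions constructed for the example.

```python
import re

# Heuristics are illustrative assumptions, not a vendor's detection rules.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# 10-15 digits, optionally separated by single spaces, dots, dashes or brackets.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\s().-]?){9,14}\d(?!\d)")
CALL_RE = re.compile(r"\b(?:call|ring|phone|dial)\b", re.I)


def sender_kind(sender: str) -> str:
    """Classify the sender ID: text name, short code, or full-length number."""
    if re.search(r"[A-Za-z]", sender):
        return "alphanumeric"
    digits = re.sub(r"\D", "", sender)
    # Assumption: treat anything up to 6 digits as a short code.
    return "short_code" if len(digits) <= 6 else "long_number"


def url_only_filter(body: str) -> bool:
    """The control described in the article: flag only if a URL is present."""
    return bool(URL_RE.search(body))


def triage(sender: str, body: str) -> list[str]:
    """Return the indicators that fired; they are prompts to verify, not verdicts."""
    reasons = []
    if URL_RE.search(body):
        reasons.append("link_in_body")
    if PHONE_RE.search(body) and CALL_RE.search(body):
        reasons.append("callback_number_in_body")
    if sender_kind(sender) == "long_number":
        reasons.append("long_number_sender")
    return reasons


# Constructed sample messages; the numbers and domain are fictional/reserved.
SAMPLES = [
    ("+447700900123", "Your parcel is held. Pay the fee at http://example.test/track"),
    ("07700900456", "Unusual account activity. Call our fraud team on 0161 496 0123 now."),
    ("60123", "Your one-time code is 482913. Never share it."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(url_only_filter(body), triage(sender, body), "|", body)
```

The second sample passes the URL-only filter untouched but is still flagged by the callback-number and sender checks; the short-code one-time-code message raises nothing.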
Scam and fraud attacks can also be carried out through phone calls, although this type of attack typically targets older adults. You should always be careful about sharing your personal information via phone call, especially if the caller claims to be from a government agency or a financial institution such as your bank, and demands either payment or your bank account details.
Phone calls purporting to be from your bank or HM Revenue and Customs, for example, where the caller is asking for money or your personal information ‒ such as passwords, codes or bank details ‒ are usually scams. If you actually owe the government money because you have been avoiding paying your taxes, they will contact you via other methods. The key thing to remember, however, is that regulated institutions of every type will never ring, text or email you to ask for official or personal information.
"If there is ever any doubt about the legitimacy of a phone call you receive, just hang up," Brook continued. "Call back the company that the person is claiming to be from directly on a phone number you know and trust.
"Similarly, if you receive a suspicious email requesting you call a number, call the organisation directly via a trusted phone number that you've sourced from their website, rather than the phone number provided in the suspicious email."