It will be increasingly difficult to tell what is legitimate online
In Q1 of 2021, 4 in 10 people encountered an unsafe link while using their mobile devices. Less than a year later, in Q3 2021, 5 in 10 people encountered threats. This trend will only continue as text message, email and social media phishing scams surge.
Bad actors can send millions of messages to consumers very efficiently. Only a few people need to take the bait in order for this process to be profitable. And while some phishing scams are easy to detect, “spear phishing” - using pieces of your identity along with contextual information (e.g. a message that uses your name and appears to come from your bank) - can make it very difficult to discern whether messages are legitimate or not.
The phishing example from 2021, below, illustrates how difficult it can be to tell a legitimate website from a fake scam site. Phishing attacks can be so deceiving that only a third (33%) of consumers could reliably distinguish the real Google login website, below, from the fake website.*
New technology has emerged that enables bad actors to alter photos & movies, making it extremely difficult – even for the trained eye – to discern real from fake. “Deepfakes” are convincing fake images and videos made with A.I. software, and they can be produced with freely available software. One example of deepfake technology went mainstream this year when a graphic designer created a “Tom Cruise” deepfake video that went viral on TikTok. Millions of views later, it’s evident that, beyond entertainment, this technology holds great potential for tricking audiences with digital manipulation. In fact, when consumers were shown a clip of a real Tom Cruise interview (option A) alongside an example of a deepfake Tom Cruise movie clip (option B, in the clip below), 61% of users were unable to correctly distinguish the real and fake Tom Cruise.*
Note, in the video clip above, “Option A” is REAL, and “Option B” is FAKE.
Deepfake technology has also started to be taken to greater extremes. This year, attackers pulled off a bank heist resulting in $35 million in stolen funds by using deepfake technology to clone the voice of a bank CEO, tricking bank employees into handing them sensitive information. While attacks of this nature are not mainstream, they illustrate how this technology will increasingly call into question the authenticity of videos, images and news information, requiring greater security to protect consumers from both simple - and complex - scams in the future.
Your private data will be exposed, so securing your accounts will be critical
By October of this year, the number of data breaches that occurred in 2021 had already surpassed the total number in all of 2020, with nearly 281.5 million people affected. In 2021, consumers have had their personal details - including emails, passwords, and social security numbers - exposed as part of these massive corporate data breaches.
In 2018, 2.2 billion records were stolen as a result of data breaches, and in 2017, the Equifax data breach alone compromised the sensitive information of 143 million Americans - almost half the nation’s population. Lookout’s data shows that, on average, 80% of consumers have had their emails leaked on the dark web, 70% have had their phone numbers compromised, 10% have had their driver’s license leaked and 7% have had their Social Security Number exposed online.
With over 80% of people’s emails exposed on the dark web, bad actors will increasingly steal important personal and financial information by compromising consumers’ online accounts. Account compromise occurs when an attacker gains access to an online account, which can happen in a number of ways - including if the account password is weak, reused for other sites, or leaked as part of a data breach. And many people don’t take steps to protect their information in the best ways possible; in fact, 60% of people re-use passwords across multiple accounts.
Beyond re-using passwords, many people also use passwords that are associated with publicly available information posted on their personal social media profiles. In a recent Lookout survey, 26% of respondents claimed that they have their Facebook accounts public and post personal information on their profile, including 60% of people posting their birthday, 30% posting names and information about family members, and 47% listing their hometown.* Attackers can easily scrape this information from social media posts and use it to attempt to log in to accounts.
Bad actors are also using techniques to circumvent security tools that have been put in place to provide extra layers of online account protection. For instance, two-factor SMS verification, which sends a PIN code to your mobile device to verify your identity before allowing access to online accounts, can easily be spoofed by attackers. In a scheme called “SIM swapping,” bad actors try to convince wireless carriers that they need to port a phone number over to another device. Often with just a few key pieces of identification, including a name and Social Security number (information that is often available on the dark web in the aftermath of data breaches), attackers can authorize the change and redirect the authorization code to their device. As we look to the future, bad actors will continue to implement techniques that evade security in order to gain unauthorized access to online accounts.
Cryptocurrency will become more mainstream and crypto-scams will follow
Over the past year, digital currencies like Bitcoin and Ethereum have grown in value and popularity. In a 12-month period, 13% of Americans bought or traded cryptocurrency, compared to 24% who invested in stocks over the same time period. The Staples Center, where the Los Angeles Lakers and Clippers play, will be renamed after a cryptocurrency exchange, showing just how mainstream cryptocurrency is becoming.
With cryptocurrency becoming more popular among new investors, crypto scams are also rising. According to the Federal Trade Commission, between October 2020 and May 2021, consumers reported losing more than $80 million to cryptocurrency investment scams - with a median loss of $1,900. Compared to the same period a year earlier, that equates to approximately 12 times the number of reports and nearly 1,000% more in reported losses. And younger people are falling victim to crypto schemes at a higher rate than other audiences. In fact, consumers aged 20 to 49 were more than five times more likely than older age groups to report losing money to these scams. As stories spread of individuals purchasing small quantities of once-obscure cryptocurrencies like Doge ($DOGE) and Shiba Inu ($SHIB) and becoming millionaires in a matter of months, novice investors will try to replicate their success and scam artists will try to take advantage of them. Squid Coin, taking advantage of the popularity of the Netflix original series Squid Game, successfully collected $3.4M in investor funds only to have the original creator run off with the money, leaving investors with nothing.
Crypto scams can come in different forms, including bad actors impersonating famous investors or celebrities on social media and tricking users into sending crypto to fake accounts. In one such example, fraudsters posing as Elon Musk on social media scammed people into giving away cryptocurrency valued at over $2 million. In another crypto scam, a Coinbase customer received a phishing notification on their device - from what appeared to be Coinbase - alerting them that their account had been locked. The customer called the number in the notification and spoke with a representative to restore account access; however, within minutes they learned they had been scammed, with fraudsters stealing $11.6 million of their cryptocurrency.
Cryptocurrency is already the payment method of choice for enterprise ransomware campaigns. Consumer ransomware and scams usually try to convince users to buy Amazon and App Store gift cards to pay ransoms, so much so that retailers have taken steps to prevent individuals from buying large gift cards without explanation. As cryptocurrencies become easier for consumers to purchase and send, they will replace gift cards and become the primary payment method for consumer ransomware and scams as well.
As cryptocurrency accounts are not government-insured like U.S. dollars, and cryptocurrency payments are not reversible, the risk to consumers is particularly high. With people adopting crypto at great speed, scams will continue to grow in sophistication, prevalence and value as bad actors work to trick people into giving away their currency.
As IoT and “connected devices” surge, so too will privacy concerns from the data being collected
Today, there are more connected devices in the world than people, and more than 77% of households with a Wi-Fi network reported owning at least one smart home device in 2021, compared with 65% just one year earlier, according to research firm IDC.
While IoT adoption has surged, and devices ranging from voice assistants to smart locks and cameras have made aspects of everyday life easier, this technology also presents unique security and privacy considerations for consumers. In fact, in a recent survey, nearly two-thirds of consumers said they find the way their connected devices collect data about their personal habits “creepy.”
In 2019, it was reported that Amazon employees were hired to listen to voice conversations to help improve Alexa’s “speech recognition and natural language understanding systems.” The fact that conversations could be captured without user consent drove heightened awareness and concern around just how trustworthy devices with ‘always-listening’ microphones may be.
Consumers’ security concerns were validated when, in August 2021, a vulnerability was reported impacting 83 million connected devices including security cameras, enabling a bad actor to access video and audio and potentially take remote control of these devices.
While manufacturers work to release updates to patch these vulnerabilities, the fixes often require users to manually update their software, or days, weeks or months pass between the time a vulnerability is discovered and the time the fix is deployed - leaving consumers at risk of attack.
While video & voice connected devices heightened awareness regarding the sensitivity of consumer data being collected, a host of other IoT devices - in particular, medical devices - pose significant privacy concerns as well. At the end of 2020, there were an estimated 450 million connected medical devices in use around the world. This is expected to grow 10 percent year over year to more than 700 million by 2025.** These devices include traditional monitoring but also implant devices like wireless cardiac defibrillators, and orally ingestible microdevices. Security concerns are particularly heightened in the healthcare space where reliance on devices working as designed can become a matter of life or death. Safeguards to protect against both the hacking of an IoT device as well as protection for the underlying private data and analytics collected by these devices will be critical moving into 2021 and beyond.
Everyone is being tracked & people will want more anonymity
When you send an email, run an online search or share a photo on social media, you’re invariably leaving behind a trail of personal data that represents your “digital footprint.” The data includes the activities you perform in apps and online, but also includes “physical” data - such as location - as we take our devices with us just about everywhere we go.
Technology companies collect data about their users to customize their experience and make it easier for people to navigate online activities. However, users aren’t always aware of - or comfortable with - just how much personal information is collected.
For example, your email provider has the ability to scan the contents of your private email messages, and your search provider can track your search history and the websites you visit. Further, once on a website, you are prompted to accept “cookies,” which come in two flavors: first-party and third-party cookies. A “first-party cookie” allows a site to observe your behavior and market specific content to you about their services. On the other hand, a “third-party cookie” lets a host of other companies (including advertisers or analytics platforms) gain insight into your browsing habits. When you accept a third-party cookie, you immediately begin sharing information about yourself with external organizations - some of which are likely entirely unfamiliar to you.
All of this data - from your private email messages, search queries and location history to even how you’re sitting or walking - represents your “digital footprint,” which provides a highly accurate profile that many users are finding invasive and even creepy. As such, consumers are increasingly looking to protect their privacy by limiting third parties from tracking their activities so they can navigate the online world with greater freedom and anonymity.
In 2021, technology companies took significant steps to deliver new privacy features that help limit digital tracking, and give consumers more visibility and control. Apple started requiring user permission before allowing third-party cookies in its iOS 14.5 update and Google announced it plans to phase out cookies in its Chrome browser in the coming years. This trend will continue with other technology companies sure to follow as privacy becomes top of mind for consumers. In 2022, we expect to see a heightened focus on digital tracking and the need for solutions that offer greater privacy & anonymity for consumers.
To summarize, 2022 will usher in greater risks to our digital security, privacy and finances, as we live more of our lives online. But, there is good news: Consumers can take action to protect themselves:
1. Stay vigilant about online & crypto scams
Remember that not everything you see online is real. When an offer sounds too good to be true, it probably is. The same is true for alarming communication you receive. If a text message or email is written with extreme urgency, or asks you to send money or take action regarding your account, stop and go directly to the source to validate whether it is legitimate. Never send money (traditional or cryptocurrency) to sources that you cannot confidently verify in person.
Phishing attacks are becoming increasingly hard to discern with the naked eye. Consider using advanced security - with malware and Safe Browsing protection - that will scan all apps & links you click & block threats before they do harm.
2. Secure your accounts from compromise
Always use strong and unique passwords. If your online account password is ever leaked as part of a data breach, change your password immediately.
Enable two-factor authentication through an authenticator app (like Google Authenticator) rather than SMS validation to protect your accounts. App-based two-factor authentication helps protect your account even if your account credentials are compromised or your phone is targeted in a SIM swapping scam.
Finally, enable breach alerts and personal identity monitoring that will alert you immediately when your information is leaked as part of a data breach and will keep monitoring your personal information into the future to protect your accounts from compromise and your identity from being stolen.
3. Guard your personal data & share information only when needed
Think twice before you share your personal data. Consider why a company is requesting your email address and what they might do with it before you enter it online. If a store asks for your birth date, driver’s license or phone number, you can decline to share that information.
You can also consider opting out of allowing services to use your personal data for advertising purposes. Online services that let you opt out include YouTube, Amazon, Twitter, and LinkedIn.
* Lookout commissioned a survey of 2,000 consumers in November 2021.
** McKinsey & Company Report: The Internet of Things: Catching up to an accelerating opportunity (November 2021)