Cybercrooks dress up as wolves in sheep’s clothing (hidden malware) and demand candy (ransoms/data), or else play a trick on everyone!

As the echoes of Halloween ‘horrors’ this year linger for just a while longer, cybercriminals take ‘trick-or-treating’ in their stride.

All year round, they have figuratively been ‘knocking on doors’ to see who is home, and then demanding a treat (monetizable data or ransoms) or a trick.

Here are some of the scariest techniques and technologies cybercriminals use to steal your candy (personally identifiable data and login credentials).

    • The wolf in sheep’s clothing

      The online world can be a great space for finding friends, work and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are quite sophisticated and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims.

      The recent Netflix documentary Tinder Swindler shows how convincing and persistent these fraudsters can be. Therefore, when forming relationships online, it is important to remember that those on the other end of apps may not always be who they seem—before you share any sensitive information that could help them take over your online accounts.

    • The ghosts of Phishmas Past

      An email from “the bank” wanting to confirm your details. An SMS message from couriers asking you to reschedule a “failed” delivery. You may think you have seen and heard it all before, but these older, tried and tested phishing techniques are haunting us and are still by far the most effective. As the volume and quality of attacks continue to rise, the simplest of phishing and smishing could catch any of us out when we are distracted.

      Authorities across the region are doubling down on efforts against phishing scams. This should be a universal movement: control the use of SMS sender IDs (such as NETFLIX or YOURBANK) and implement SMS anti-scam filtering solutions. While more can be done to protect end-users, this is a step in the right direction.

    • The Terminator

      This is one type of social engineering attack that should send shivers down your spine. Recent advances in AI and ML are enabling attackers to automate spear phishing—by data scraping and integrating convincing details like names, dates of birth and employer details into attacks.

      By revealing just enough legitimate information in their approach, cybercriminals lure consumers into a false sense of security, making them more likely to share credentials.

      This is one type of trick-or-treat attack that will become a mainstay if we do not find a strong enough defense.

No more passwords, no more candy

If our passwords and login credentials are like candy at our doors during Halloween, then by moving to something we simply cannot share, such as cryptography-based sign-ins and on-device biometrics, we can foil tricksters all year round.

The good news is that we are getting there. Earlier this year, the world’s biggest platforms (Apple, Google and Microsoft) committed to supporting a common passwordless standard, also known as passkeys.

This means we will soon be able to access passwordless sign-in technology with the same gestures we use daily on mobile devices, using biometrics or local PIN codes, across our most favored browsers and devices.