The COVID crisis enforced millions of people to familiarise with online spaces. We figured out ways to remain sociable and maintain human communication, thus we became accustomed with online learning environments and teleconference platforms. Older generations learned to communicate with loved ones using voice over IP and video communication channels and professionals modernised their workflows utilising trusted collaboration tools, doing video meetings, team chats and collaborating with their teams in virtual ecosystems. This unfortunate event allowed us to recognise the necessity of doing things online - in the cyberspace - but also gave us the opportunity to evaluate the importance of being and working together in physical spaces. Inevitably, this massive turn in using online spaces and services was followed by a rise of cyber threats, as cyber criminals were now able to perform their attacks on larger pools of victims.

Cybercrime can be defined as any computer-based or computer-assisted crime that can occur on a personal computing device (e.g., mobile, desktop, etc.) or via a networked environment (including clouds). Cybercrime can also target small (e.g., home Internet-of-Things ecosystems) and larger infrastructure (e.g., Smart Grids and Industrial Systems). The European Union Agency for Cybersecurity (ENISA) in their latest “Threat Landscape 2022” report [1] identified the following prime threats for this year in the region: a) Ransomware, b) Malware, c) Social Engineering, d) Threats against data, e) Threats against availability: Denial of Service and Internet threats, f) Disinformation – misinformation, g) Supply-chain attacks. Moreover, they taxonomized cybersecurity threat actors in four major categories: i) State-sponsored actors, ii) Cybercrime actors, iii) Hacker-for-hire actors, iv) Hacktivists. They finally emphasised on the impact of geopolitics on the cybersecurity threat landscape, while stressing the increased capabilities of the threat actors, the rise of malware and ransomware, and the emergence of novel and hybrid threats (referring to the spyware proliferation and AI-enabled disinformation among others). According to the report, cybersecurity attacks continued to increase not only in terms of numbers and vectors, but in terms of impact as well. This rise in incidents affected multiple targets: from individuals to larger entities. An impact assessment reveals that the rise of cyber threats may have the following effects on individuals or larger organisations: 1) Reputational impact which is the potential negative publicity that might be stemmed from an attack; 2) Economic impact that might be incurred (e.g. financial loss); 3) Digital impact when the attack results in damaged systems, or unavailability in services, or data corruption; 4) Social impact which might occur after a major and widespread disruption; 5) Physical impact when an incident is directly linked to any kind of harm on individuals, e.g. to employees, or patients. Although the rise of cyber threats can eventually affect several entities (individually or in groups), the rest of this short article will focus on cyber threats affecting individuals, and further discusses what they can do to protect themselves from emerging threats.

Ransomware: In this type of attack, threat actors aim to control victims’ assets (e.g., folders in a hard drive) and demand a fee to be paid to unlock access to these assets. The attack is commonly achieved using phishing - a social engineering offensive method that targets individuals. Victims’ assets are locked (or encrypted) resulting in loss of availability and they are unlocked only if the individual pays a ransom. There is an ongoing conversation about victims’ reaction to such unfortunate events, i.e., whether they should pay the ransom, but the generic advice is to report cases where people have fallen victims of ransomware campaigns. According to ENISA’s report, some U.S. states prohibit agencies to pay ransom and it has been made mandatory to report ransomware attacks.

Malware: Malware is any unwanted or malicious software (or code) that can be installed and run in a computing device. Malware is often divided in distinct categories such as viruses, trojan horses, worms or other code-based instances that can affect a device (a host). Nowadays we can also include new categories of unwanted software: a) spyware, and b) adware. Spyware cases have been reported in the news lately affecting numerous (usually high profile) people in several countries. Pegasus [2] and Predator [3] are two dominant examples of spyware that was used by various entities lately targeting individuals from the political and business sector. Adware is another form of unwanted code (PUP: Potentially Unwanted Software); the software usually enables ads with an intrusive behaviour, that cause frustration to the users (e.g., pop ups or full screen ads in mobile operating systems). Malware in general is targeting users of popular operating systems (e.g., Windows and Android) because via these routes it will eventually infect more individuals. ENISA’s report mentions that malware attacks on IoT infrastructure have also increased this year.

Social Engineering: These methods attempt to exploit human behaviour and the attacker has the objective to get access basically to personal information and data. Attackers exploit users’ security fatigue or human error employing deceitful strategies (e.g., impersonation). They use numerous forms of manipulation to trick victims into making mistakes. Then victims hand over to them sensitive and personal information (e.g., names, dates of birth, passport data, bank details, etc.) without even realising it. Phishing is the most prominent term that is bound with social engineering attacks. With phishing attackers aim to steal personal information (e.g., passwords) from individuals usually through emails. These emails are sent to a massive number of individuals, and they usually contain links to external web sites that frequently mimic legitimate ones. Spear phishing is an alternative tailored method where attackers target specific individuals and/or organisations. When these individuals are high esteemed (or high calibre) people then we are talking about whaling attacks. Other categories of phishing include smishing which is a form of social engineering attack attempted via SMS messages (usually on mobile devices), and vishing which is a term derived from the combination of phishing and voice; this attack is usually performed over the phone.

Misinformation-disinformation: Most people nowadays tend to replace traditional media with online sources when they want to reach the news. New media generate income based on the number of clicks and views; therefore, they might attempt to lure users in clicking links in their websites following additional stories. These actions eventually provide more profit to online media. Subsequently, generated information might not be validated, either because there is not time for this (competition dictates the information to be circulated as fast as possible) or because these outlets aim to generate traffic neglecting validity. Thus, misinformation is any incorrect or misleading information that might derive from negligence or human error. Misinformation propagates through numerous channels (social media, online group discussions, the web). Disinformation on the contrary is any attempt to deceitfully produce fake information. The goals the drive disinformation campaigns vary. Attackers might want to cause reputation damage or reduce individual’s trustworthiness; they might aim to cause market distortion and affect brand reputation; they might aim to influence elections or spread fake news and propaganda manipulating and misleading public opinion. Moreover, the proliferation of Artificial Intelligence has made the production of Deep Fakes (i.e., technology that manipulates or fabricates videos containing famous people’s face and voice) a trivial task. Therefore, disinformation campaigns can now be easily enriched by fabricated content. These developments block humans’ ability to distinguish truthful and deceitful news and blur their perceptions about the world.

Threats against data and “insider threats”: Modern people produce humongous data while they use their personal devices. They log into numerous websites, and they often tend to share personal secrets with their loved ones (even though this is not a good practice). Moreover, some users store and share very personal moments with their partners assuming that there will always be a trusted connection between the two entities. However, it is possible that this bond of trust can be broken any time, making people vulnerable to revenge or other types of malicious attacks. Data leaks or/and data breaches are becoming a frequent phenomenon, thus personal data can be sold in dark web markets.

So, what can we do to protect ourselves and avoid being victimised by malicious attackers?

  • Be proactive: Update your operating system frequently and install any security updates. Mobile operating systems (e.g., Android) offer monthly security updates and traditional operating systems such as Windows and macOS frequently nudge users to download and install security updates. These updates most of the time do not cause a lot of frustration and they can effectively protect our devices. Also, try to download and install software from trusted sources. For example, the Play store for Android devices offers built-in protection, scanning apps for vulnerabilities and possible malicious extensions. These checks and controls are not always sufficient, but they offer a good level of resistance to malicious behaviours and actions. Additionally, the use of antivirus software is considered a good solution to assist you to proactively scan your device for potential threats.
  • Be vigilant: Do not click links in emails send from people or entities you do not know or trust. Do not download zip and other files that might be affected with viruses unless you totally recognise and trust the person that send the email. Do not click on links received via SMS messages. Be careful when you are approached by entities that claim you won something or that you can claim refunds etc. You should be mature enough to recognise that making money is a difficult process for a lot of us, so when other parties claim they can share some money with you, you should consider this as a red flag. Do not share personal information over the phone or via email. Banks will not request from you to provide credentials unless you log into their web sites. Be careful and validate the web addresses of the institutions. If a web address for a bank you trust does not seem to be the right one, question yourself if you are trying to log into a legitimate site.
  • Use multi factor authentication when you are provided with this choice: Multi-factor authentication (MFA) requires from the user to input more than one credentials to authenticate themselves. Users must provide a secret they know, a key they have (e.g., via a push notification on their mobile devices), or to use a trait that justifies their identity (e.g., face or fingerprint recognition). When MFA is not available, try to use strong passwords and aim not to reuse your passwords in various websites. Of course, try not to write down these passwords. Special software (namely password managers) is usually a good choice to manage access to several websites - although we have experienced lately attacks on these vendors as well.
  • Be careful: Do not share personal data with anyone. Your data are your treasure. Keep them for yourself. Evaluate how you interact with people you trust and question yourself if it is worth it to store on digital media very personal moments. Additionally, use this strategy when you are posting things online. Your public opinions might be used to profile you. Be careful about your public posts because they might be used by malicious actors to trick you. Moreover, know your rights! In Europe for example the General Data Protection Regulation attempts to protect European citizens from misuse of their data. Nevertheless, because your data is your treasure, ensure you keep regular backups of important data to protect from failures and potential ransomware attacks.
  • Be curious, protective, and transparent: Support cyber security awareness campaigns (in your school, or work environment) and learn about the current trends in cybercrime. Employ a people-centric approach to cyber security. Trust your people but first inform them about the risks that negligence entails. Enable parental controls on devices to protect children from accessing malicious and suspicious neighbourhoods on the internet. Use VPN services when you are not connected in trusted wireless networks. If you fall victim of an attack, call the correct people. The police usually have dedicated units that are able to assist you in case you have fallen victim of a cybercrime.

The web is just like any other known communal place. It gathers goodness and badness in one (digital) area. We should embrace the fact that the internet has simplified most aspects in our modern lifestyle. However, we should be informed, vigilant and aware of the risks that are bound with the unrestricted access to content and services provided on the web. A general rule that is common in both virtual and physical worlds would be: do not engage if you don’t trust the entity that attempts to establish some kind of communication with you. Another model that works in this setting is “trust but verify” when the communication attempted is by a source you know. Be engaged but stay alert.

[1] Enisa Threat Landscape 2022. ENISA. (2022, November 11). Retrieved November 20, 2022, from https:// www.enisa.europa.eu/publications/enisa-threat-landscape-2022

[2] Scott-Railton, J., Marczak, B., Poetranto, I., Razzak, B. A., Chanprasert, S., & Deibert, R. (2022, July 28). GeckoSpy: Pegasus spyware used against Thailand’s pro-democracy movement. The Citizen Lab. Retrieved November 20, 2022, from https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-againstthailands-pro-democracy-movement/

[3] Parsons, C., Molnar, A., Dalek, J., Knockel, J., Kenyon, M., Haselton, B., Khoo, C., & Deibert, R. (2019, June 12). The predator in your pocket: A multidisciplinary assessment of the stalkerware application industry. The Citizen Lab. Retrieved November 20, 2022, from https://citizenlab.ca/2019/06/the-predator-inyour-pocket-a-multidisciplinary-assessment-of-the-stalkerware-application-industry/