By Alvin Toh, Co-founder, Straits Interactive
The Cyber Security Agency of Singapore's (CSA) latest 2024 Public Awareness Survey paints a hopeful picture on the surface: an encouraging improvement in the adoption of essential cyber hygiene practices. More Singaporeans are installing cybersecurity apps, updating software, and enabling Two-Factor Authentication (2FA). These are commendable strides, and they signify a growing awareness of digital risks.
However, what truly caught my attention in the survey — and what concerns me deeply — is a pervasive and dangerous disconnect: the gap between our confidence in detecting cyber threats and our actual ability to do so. This isn't just a nuance. It signals a vulnerability in our collective cybersecurity posture, especially as threats like deepfakes and advanced scams become frighteningly sophisticated.
The Deepfake Deception: When Confidence Doesn't Equal Capability
The survey revealed a startling statistic: while 63% of respondents had heard about deepfakes and a significant 78% felt confident they could identify them, a stark reality emerged during testing – only 25% could actually distinguish between real and fake videos. This isn't a failure of intelligence – it's a testament to the rapid evolution of malicious AI.
Today's AI-generated video and voice technology, as demonstrated by advancements like Google’s Veo 3, produces incredibly realistic visuals and audio. We're talking perfect lip-syncing, nuanced emotional inflection, and an authenticity that was unimaginable just six months ago. Pre-recorded deepfakes, in particular, have become exceptionally difficult to detect. The old telltale signs – poor lip-syncing or flat expressions – are no longer reliable. While live deepfakes (like those used for face-swapping on video calls) still have some real-time processing limitations, they are improving at an alarming rate.
This mirrors what we see with phishing awareness. The survey states that 80% of Singaporeans now know what phishing is (up from 72% in 2022). Yet, when put to the test, only 1 in 10 could accurately distinguish between all phishing and legitimate content. Our perceived knowledge often far outstrips our practical discernment in the face of increasingly clever attacks.
Understanding the Nuance Between Deepfakes and Scams for Better Defense
It's crucial to understand that a deepfake is a technology – a fabricated piece of media. A scam is a malicious act designed to defraud or deceive, and deepfakes are increasingly becoming a powerful tool in a scammer's arsenal.
Deepfakes (the tool): These are synthetic media designed to impersonate individuals. They can be used for various purposes, from entertainment to disinformation. The danger arises when they are employed with malicious intent.
What to do when you suspect a deepfake:
Be Skeptical (Especially of Urgent or Unusual Requests): If a video or audio of someone you know makes an unusual request (e.g., asking for money, private information, or an immediate action) or seems out of character, your alarm bells should ring.
Cross-Verify Through Other Channels: Call the person directly on a known number, or text them. Use a different communication method to confirm the validity of the request. Do not reply through the same channel the suspicious content came through.
Look for Inconsistencies: While harder now, still pay attention to subtle glitches, unnatural movements, or inconsistencies in lighting, shadows or sound quality. For voice calls, listen for robotic tones, unusual pauses, or a lack of natural inflection.
Consider the Context: Is it unusual for this person to contact you this way? Is the request something they would normally make?
Scams (the crime, often leveraging deepfakes): These are deliberate attempts to trick you into giving up money, information, or access. They can take many forms (phishing, vishing, malware, impersonation) and are now often enhanced by deepfake technology to appear more convincing.
What to do when you suspect a scam (regardless of deepfake involvement):
Never Click on Unsolicited Links or Download Attachments Blindly: This is paramount. Messages urging urgent action – "your account has been breached," "update your password immediately," "your package is delayed" – are classic scam tactics.
Verify the Source Independently: If you receive a suspicious message (email, call, text, or even a video/audio deepfake) from a bank, a service provider, or even a friend asking for money, do not use the contact information provided in the suspicious message. Instead, go directly to the official website by typing the URL yourself, or use a previously known and verified phone number to contact them.
Exercise Extreme Caution with New Apps: Before downloading any new application, especially from third-party app stores or via pop-up ads, do your due diligence. Check reviews, verify the developer, and understand what permissions the app requests. Many malicious apps are designed purely to harvest sensitive information.
The Sophistication of Modern Scams
The days of easily spotted, grammatically incorrect phishing emails are largely behind us. Recent mega data breaches, such as the one impacting Qantas with 6 billion records, provide cybercriminals with a treasure trove of personal information. This data is then weaponised to craft highly convincing, personalised scam attempts.
These aren't just emails anymore; they manifest as phone calls, text messages, and even AI-generated videos seemingly from trusted contacts. Attackers are deploying sophisticated malware apps or creating fake websites designed to capture not just login credentials, but also two-factor authentication codes. If a user is tricked into installing malicious software, even their supposedly secure 2FA can be compromised. This highlights a critical point: the initial point of entry – our decision to click a link or download an unverified app – is often the most vulnerable.
Reassessing Our Cyber Defenses: Necessary but Not Foolproof
The CSA survey shows a positive trend in the adoption of core cyber hygiene practices, and these are indeed necessary foundations for online safety. Installing security apps, keeping software updated, and using 2FA are vital lines of defense.
However, from a data governance perspective, we must understand their limitations. These measures, while effective against common threats, can be circumvented by highly sophisticated attacks. Malware, once installed, can bypass many protective layers, capturing sensitive authentication details directly from a user's device. The critical vulnerability often lies not in the robustness of the security tool itself, but in the human element – the initial trust placed in a deceptive message or application.
Guide to Digital Defense: A Proactive Approach to Data Governance
Given this evolving threat landscape, what practical steps can we, as individuals and organisations, take to protect ourselves and our valuable data? It boils down to a shift from reactive measures to proactive skepticism and diligent verification:
Never Click on Links or Download Attachments from Unsolicited Messages: Especially those urging urgent action (e.g., password changes due to a breach). This remains the golden rule.
Always Verify Requests by Going Directly to the Official Source: Whether it's a call, email, or video, if someone is asking for sensitive information or action, independently confirm the request through known, official channels – not via contact info provided in the suspicious message.
Exercise Caution with New Apps: Be highly selective about what you install on your devices, as they may be designed to harvest sensitive information.
Embrace Healthy Skepticism with Any Unexpected Digital Communication: Assume that what you see and hear online, particularly from unfamiliar sources or in unexpected contexts, could be fabricated.
Continuous Education and Vigilance Are Required
The fight against cyber threats is a continuous learning process. The rapid advancements in AI mean that our intuitive ability to detect fakes is increasingly outmatched. We need ongoing education that doesn't just teach us about existing threats but also fosters a deep skepticism towards unsolicited requests and emphasises the critical importance of independent verification.
Our digital safety hinges not just on the tools we use, but on our collective ability to adapt, question, and verify in an increasingly complex and deceptive online world.