You sure you actually ordered that pair of shoes? Here’s how to recognize and avoid package-delivery scams.
Do you order cartons of strawberries, flat-screen TVs, running shoes, and light bulbs online? You’re far from alone. Oberlo reported that in 2023, the number of people who shop online rose to 2.64 billion worldwide. That’s equal to 33.3% of the globe’s population.
Spotting fake news in your feed has always been tough. Now it just got tougher, thanks to AI.
Fake news crops up in plenty of places on social media. And it has for some time now. In years past, it took the form of misleading posts, image captions, quotes, and the sharing of outright false information in graphs and charts. Now with the advent of AI, we see fake news taken to new levels of deception:
Deepfake videos that mimic the looks and parrot the words of well-known public figures.
AI-generated voice clones that sound spooky close to the voices they mimic.
Also, entire news websites generated by AI, rife with bogus stories and imagery.
All of it’s out there. And knowing how to separate truth from fact has never been of more importance, particularly as more and more people get their news via social media.
Pew Research found that about a third of Americans say they regularly get their news from Facebook and nearly 1 in 4 say they regularly get it from YouTube. Moreover, global research from Reuters uncovered that more people primarily get their news from social media (30%) rather than from an established news site or app (22%). This marks the first time that social media has toppled direct access to news.
Yet, you can spot fake news. Plenty of it.
The process starts with a crisp definition of what fake news is, followed by the forms it takes, and then a sense of what the goals behind it are. With that, you can apply a critical eye and pick out the telltale signs.
We’ll cover it all here.
What is fake news?
A textbook definition of fake news goes something like this:
A false news story, fabricated with no verifiable facts, and presented in a way to appear as legitimate news.
As for its intent, fake news often seeks to damage the reputation of an individual, institution, or organization. It might also spout propaganda or attempt to undermine established facts.
That provides a broad definition. Yet, like much fake news itself, the full definition is much more nuanced. Within fake news, you’ll find two categories: disinformation and misinformation:
Disinformation: This is intentionally misleading information that’s been manipulated to create a flat-out lie—typically with an ulterior motive in mind. Here, the creator knows that the information is false.
Example: As a bad joke, a person concocts a phony news story that a much-anticipated video game release just got canceled. However, the game will certainly see its release. In the meantime, word spreads and online fans whip up into a frenzy.
Misinformation: This simply involves getting the facts wrong. Unknowingly so, which separates itself from disinformation. We’re only human, and sometimes that means we forget details or recall things incorrectly. Likewise, when a person shares disinformation, that’s a form of misinformation as well, if the person shares it without fact-checking.
Example: A person sees a post that a celebrity has died and shares that post with their friends and followers—when in fact, that celebrity is still very much alive.
From there, fake news gets more nuanced still. Misinformation and disinformation fall within a range. Some of it might appear comical, while other types might have the potential to do actual harm.
Dr. Claire Wardle, the co-director of the Information Futures Lab at Brown University, cites seven types of misinformation and disinformation on a scale as visualized below:
Source – FirstDraftNews.org and Brown University
Put in a real-life context, you can probably conjure up plenty of examples where you’ve seen. Like clickbait-y headlines that link to letdown articles with little substance. Maybe you’ve seen a quote pasted on the image of a public figure, a quote that person never made. Perhaps an infographic, loaded with bogus statistics and attributed to an organization that doesn’t even exist. It can take all forms.
Who’s behind fake news? And why?
The answers here vary as well. Greatly so. Fake news can begin with a single individual, groups of like-minded individuals with an agenda, and it can even come from operatives for various nation-states. As for why, they might want to poke fun at someone, drive ad revenue through clickbait articles, or spout propaganda.
Once more, a visualization provides clarity in this sometimes-murky mix of fake news:
Source – FirstDraftNews.org and Brown University
In the wild, some examples of fake news and the reasons behind it might look like this:
Imposter sites that pose as legitimate news outlets yet post entirely unfounded pieces of propaganda.
Parody sites that can look legitimate, so much so that people might mistake their content for actual news.
AI deepfakes, images, recordings, and videos of public figures in embarrassing situations, yet that get presented as “real news” to damage their reputation.
Perhaps a few of these examples ring a bell. You might have come across some where you weren’t exactly sure if it was fake news or not.
The following tools can help you know for sure.
Spotting what’s real and fake in your social media feed.
Consider the source
Some of the oldest advice is the best advice, and that holds true here: consider the source. Take time to examine the information you come across. Look at its source. Does that source have a track record of honesty and dealing plainly with the facts?
For an infographic, you can search for the name of its author or the institution that’s attributed to it. Are they even real in the first place?
For news websites, check out their “About Us” pages. Many bogus sites skimp on information here, whereas legitimate sites will go to lengths about their editorial history and staff.
For any content that has any citation listed to legitimize it as fact, search on it. Plenty of fake news uses sources and citations that are just as fake too.
Check the date
This falls under a similar category as “consider the source.” Plenty of fake news will take an old story and repost it or alter it in some way to make it appear relevant to current events. In recent years, we’ve seen fake news creators slap a new headline on a new photo, all to make it seem like it’s something current. Once again, a quick search can help you tell if it’s fake or not. Try a reverse image search and see what comes up. Is the photo indeed current? Who took it? When? Where?
Check your emotions too
Has a news story you’ve read or watched ever made you shake your fist at the screen or want to clap and cheer? How about something that made you fearful or simply laugh? Bits of content that evoke strong emotional responses tend to spread quickly, whether they’re articles, a post, or even a tweet. That’s a ready sign that a quick fact check might be in order. The content is clearly playing to your biases.
There’s a good reason for that. Bad actors who wish to foment unrest, unease, or spread disinformation use emotionally driven content to plant a seed. Whether or not their original story gets picked up and viewed firsthand doesn’t matter to these bad actors. Their aim is to get some manner of disinformation out into the ecosystem. They rely on others who will re-post, re-tweet, or otherwise pass it along on their behalf—to the point where the original source of the information gets completely lost. This is one instance where people readily begin to accept certain information as fact, even if it’s not factual at all.
Certainly, some legitimate articles will generate a response as well, yet it’s a good habit to do a quick fact check and confirm what you’ve read.
Expand your media diet
A single information source or story won’t provide a complete picture. It might only cover a topic from a certain angle or narrow focus. Likewise, information sources are helmed by editors and stories are written by people—all of whom have their biases, whether overt or subtle. It’s for this reason that expanding your media diet to include a broad range of information sources is so important.
So, see what other information sources have to say on the same topic. Consuming news across a spectrum will expose you to thoughts and coverage you might not otherwise get if you keep your consumption to a handful of sources. The result is that you’re more broadly informed and can compare different sources and points of view. Using the tips above, you can find other reputable sources to round out your media diet.
Additionally, for a list of reputable information sources, along with the reasons they’re reputable, check out “10 Journalism Brands Where You Find Real Facts Rather Than Alternative Facts” published by Forbes and authored by an associate professor at The King’s College in New York City. It certainly isn’t the end all, be all of lists, yet it should provide you with a good starting point.
Let an expert do the fact-checking for you
De-bunking fake news takes time and effort. Often a bit of digging and research too. Professional fact-checkers at news and media organizations do this work daily. Posted for all to see, they provide a quick way to get your answers. Some fact-checking groups include:
Three ways to spot AI-generated fakes
As AI continues its evolution, it gets trickier and trickier to spot it in images, video, and audio. Advances in AI give images a clarity and crispness that they didn’t have before, deepfake videos play more smoothly, and voice cloning gets uncannily accurate.
Yet even with the best AI, scammers often leave their fingerprints all over the fake news content they create. Look for the following:
1) Consider the context
AI fakes usually don’t appear by themselves. There’s often text or a larger article around them. Inspect the text for typos, poor grammar, and overall poor composition. Look to see if the text even makes sense. And like legitimate news articles, does it include identifying information—like date, time, and place of publication, along with the author’s name.
2) Evaluate the claim
Does the image seem too bizarre to be real? Too good to be true? Today, “Don’t believe everything you read on the internet,” now includes “Don’t believe everything you see on the internet.” If a fake news story is claiming to be real, search for the headline elsewhere. If it’s truly noteworthy, other known and reputable sites will report on the event—and have done their own fact-checking.
3) Check for distortions
The bulk of AI technology still renders fingers and hands poorly. It often creates eyes that might have a soulless or dead look to them—or that show irregularities between them. Also, shadows might appear in places where they look unnatural. Further, the skin tone might look uneven. In deepfaked videos, the voice and facial expressions might not exactly line up, making the subject look robotic and stiff.
Be safe out there
The fact is that fake news isn’t going anywhere. It’s a reality of going online. And AI makes it tougher to spot.
At least at first glance. The best tool for spotting fake news is a fact-check. You can do the work yourself, or you can rely on trusted resources that have already done the work.
This takes time, which people don’t always spend because social platforms make it so quick and easy to share. If we can point to one reason fake news spreads so quickly, that’s it. In fact, social media platforms reward such behavior.
With that, keep an eye on your own habits. We forward news in our social media feeds too—so make sure that what you share is truthful too.
Be safe out there
Plenty of fake news can lure you into sketchy corners of the internet. Places where malware and phishing sites take root. Consider using comprehensive online protection software to keep safe. In addition to several features that protect your devices, privacy, and identity, they can warn you of unsafe sites too. While it might not sniff out AI content (yet), it offers strong protection against bad actors who might use fake news to steal your information or harm your data and devices.
Identity theft protection and privacy for your digital life
What does a hacker want with your social media account? Plenty.
Hackers hijack social media accounts for several reasons. They’ll dupe the victim’s friends and followers with scams. They’ll flood feeds with misinformation. And they’ll steal all kinds of personal information—not to mention photos and chats in DMs. In all, a stolen social media account could lead to fraud, blackmail, and other crimes.
Yet you have a strong line of defense that can prevent it from happening to you: multi-factor authentication (MFA).
What is multi-factor authentication (MFA)?
MFA goes by other names, such as two-factor authentication and two-step verification. Yet they all boost your account security in much the same way. They add an extra step or steps to the login process. Extra evidence to prove that you are, in fact, you. It’s in addition to the usual username/password combination, thus the “multi-factor” in multi-factor authentication.
Examples of MFA include:
Sending a one-time code via a text or phone call, often seen when logging into bank and credit card accounts.
Sending a one-time code to an authentication app, such as when logging into a gaming service.
Asking for the answer to a security question, like the name of your elementary school or the model of your first car.
Biometric information, like a fingerprint or facial scan.
With MFA, a hacker needs more than just your username and password to weasel their way into your account. They need that extra piece of evidence required by the login process, which is something only you should have.
This stands as a good reminder that you should never give out the information you use in your security questions—and to never share your one-time security codes with anyone. In fact, scammers cobble up all kinds of phishing scams to steal that information.
How to set up MFA on your social media accounts.
Major social media platforms offer MFA, although they might call it by other names. As you’ll see, several platforms call it “two-factor authentication.”
Given the way that interfaces and menus can vary and get updated over time, your best bet for setting up MFA on your social media accounts is to go right to the source. Social media platforms provide the latest step-by-step instructions in their help pages. A simple search for “multi-factor authentication” and the name of your social media platform should readily turn up results.
For quick reference, you can find the appropriate help pages for some of the most popular platforms here:
Another important reminder is to check the URL of the site you’re on to ensure it’s legitimate. Scammers set up all kinds of phony login and account pages to steal your info. Phishing scams like those are a topic all on their own. A great way you can learn to spot them is by giving our Phishing Scam Protection Guide a quick read. It’s part of our McAfee Safety Series, which covers a broad range of topics, from romance scams and digital privacy to online credit protection and ransomware.
MFA – a good call for your social media accounts, and other accounts too.
In many ways, your social media account is an extension of yourself. It reflects your friendships, interests, likes, and conversations. Only you should have access to that. Putting MFA in place can help keep it that way.
More broadly, enabling MFA across every account that offers it is a smart security move as well. It places a major barrier in the way of would-be hackers who, somehow, in some way, have ended up with your username and password.
On the topic, ensure your social media accounts have strong, unique passwords in place. The one-two punch of strong, unique passwords and MFA will make hacking your account tougher still. Wondering what a strong, unique password looks like? Here’s a hint: a password with eight characters is less secure than you might think. With a quick read, you can create strong, unique passwords that are tough to crack.
Lastly, consider using comprehensive online protection software if you aren’t already. In addition to securing your devices from hacks and attacks, it can help protect your privacy and identity across your travels online—both on social media and off.
Identity theft protection and privacy for your digital life
For decades, we were told tales of all-seeing, all-knowing hackers who use sophisticated social-engineering techniques — that is, manipulating folks into handing over secret information with neither threats of violence nor other maltreatment, or getting them to perform other reckless actions from an information security perspective.
The problem is, such tales can cloud one’s grasp on reality. Knowing so many stories about this technological voodoo, people should, you might think, be aware of such tricks. Sadly, this isn’t the case at all. Here are three high-profile cases of recent years showing that social engineering is still a potential threat, perhaps more so than ever.
Even a schoolboy can hack the director of the CIA
Let’s start with a story that could easily be taken for a Hollywood movie with the title, say, Hackers versus Spies; however, it would be less of an action thriller and more a satirical comedy.
In October 2015, a hacker group calling itself Crackas With Attitude used social engineering to gain access to the personal AOL account of CIA Director John Brennan. The hack was followed by a phone interview with the New York Post, in which one member of the group described himself as an American high-school student.
Although the CIA chief’s email was private, it revealed many interesting things related to his work: in particular, the social security numbers and other personal information of more than a dozen high-ranking US intelligence officers, as well as a 47-page application for top-secret security clearance filed by Brennan himself.
In November of that very same year, the story continued: this time hackers targeted the personal AOL accounts of another high-ranking official, FBI Deputy Director Mark Giuliano and his wife. On this occasion, the hackers’ haul, which they later made public, included the names, email addresses and phone numbers of 3500 US law enforcement agencies’ employees.
Just a couple months later, in January 2016, these same hackers got hold of a string of personal accounts belonging to Director of National Intelligence James Clapper. Finally, in February 2016, they publicly released the data of 9000 employees of the US Department of Homeland Security, plus 20,000 employees of the FBI, which the criminals claimed they’d obtained by hacking into the US Department of Justice.
That same month, one of the hackers was apprehended. He was indeed a high-school kid (though not American, but British), named Kane Gamble. As a result, the young hacker, aka Cracka, who was only fifteen when he committed his crimes, was named as the leader of the group and sentenced in the UK to two years in prison (of which he served eight months), with an internet ban for the same term (which he observed in full). A few months later, two other members of Crackas With Attitude were detained in the U.S. This time they were adults: Andrew Otto Boggs, 23, got two years in a U.S. jail, and Justin Gray Liverman, 25, got five.
During the trial, it transpired that for more than six months — from June 2015 to February 2016 — the young Gamble successfully pretended to be the director of the CIA and on his behalf defrauded passwords from employees of both call centers and hotlines. Using them, the group managed to gain access to highly sensitive documents relating to intelligence operations in Afghanistan and Iran. Who knows, would the hackers have been caught at all had they not decided to make a public mockery of the CIA chief, the FBI deputy chief, and the director of U.S. National Intelligence?
Hacking the Twitter accounts of Biden, Musk, Obama, Gates and others
The following incident took place on July 15, 2020, when a bunch of Twitter accounts began to spread similar message: “All bitcoins sent to the address below will be sent back doubled! If you send $1000, I will send back $2000. Only doing this for 30 minutes.” It looked like a typical Bitcoin scam that wouldn’t warrant a mention were it not for one nuance: all these accounts really did belong to famous people and major companies.
At first, the scam messages started appearing in Twitter accounts directly related to cryptocurrencies: the giveaway was “announced” by Binance founder Changpeng Zhao, and several other cryptoexchanges, including Coinbase, and the crypto news site CoinDesk. But it didn’t stop there, as, one after another, more and more accounts belonging to famous entrepreneurs, celebrities, politicians and companies began to join the jamboree: Apple, Uber, Barack Obama, Elon Musk, Kim Kardashian, Bill Gates, Joe Biden (who wasn’t yet president), Jeff Bezos, Kanye West; and the list went on.
Tweet from the hacked account of Elon Musk Source
In the few hours that saw Twitter trying to get to the root of the problem, the hackers managed to collect more than US$100,000 — a tidy sum, but nothing compared to the reputational blow suffered by the company. It soon became clear that the hackers had penetrated Twitter’s internal account management system. Initially it was assumed they did this with insider help.
However, that turned out not to be the case. The hackers were quickly found and arrested, and again the group leader was a school kid — this time an American, the then 17-year-old Graham Ivan Clark. He was handed down three years in jail and another three on probation. More importantly, however, the investigation established that the attack was carried out with no insider help. Instead, hackers used a mix of social engineering and phishing to dupe Twitter employees into giving them system access.
First, they studied LinkedIn profiles to identify employees likely to have access to the account management system. Next, using LinkedIn’s Recruiter feature, they collected their contact information, including cell phone numbers. The hackers then called these employees, pretending to be colleagues, and using the data persuaded them to visit a phishing site imitating Twitter’s internal login page. This way, the attackers obtained passwords and two-factor authentication codes allowing them to log into the Twitter account management system and take possession of dozens of accounts with millions of followers.
Again, who knows if they’d have been caught had they not targeted half of the world’s Top-10 rich list, plus other famous personalities and, most significantly, the Twitter accounts of a former and future U.S. president.
Sky Mavis and the half-billion-dollar heist
This is a story that took place in 2022. The starring yet unwanted role went to Sky Mavis, creator of the NFT game Axie Infinity. Let’s not delve into the game specifics — suffice it to say that players earn cryptocurrency in it. At one point, some residents of Southeast Asia worked there as if it were a proper job. At its peak, the game had a daily audience of up to 2.7 million people and weekly revenue of up to US$ 215 million.
However, in March 2022, even before the crypto crash, Sky Mavis found itself in serious trouble. During an attack on the Ronin Network, which underpins all cryptocurrency activity in Axie Infinity, hackers made off with 173,600 ETH and 25.5 million USDC from the company’s accounts, worth around US$540 million at the time of the attack.
The details of the heist emerged a few months later, in July. Through a fake company, the attackers had contacted Sky Mavis employees on LinkedIn and invited them to job interviews. Eventually they got to a senior engineer who, after several rounds of interviews, was made an extremely tempting job offer. The fake offer was sent in an infected PDF through which the hackers managed to gain access to the company’s internal network.
After that, armed with access to the corporate network, the hackers were able to get hold of the private keys for confirming transactions and then withdraw cryptocurrency. They laundered the stolen funds through a complex scheme involving two cryptomixers and around 12,000 intermediate cryptowallets, followed by conversion to bitcoin and a subsequent cashout.
Analysts who helped the U.S. investigators linked the attack to the North Korean group Lazarus. Only about 10% of the face value of the stolen coins could be recovered. Or about 5% if you count in dollars: in the six months after the robbery to the close of the investigation, the crypto market collapsed, causing the Ethereum exchange rate to nosedive.
How to guard against social engineering
Sure, no one wants to be on the receiving end of such attack. But the fact is that total protection against social engineering is near-impossible — because it targets people. For effective defense against social-engineering techniques, your company should focus on employee training. Our Kaspersky Automated Security Awareness Platform is perfect for this purpose. Through a combination of exercises and simulations, the solution raises staff awareness of a wide range of attack methods and ways to defeat them.