Digital hygiene begins at home

The government’s annual cyber security breaches survey is just out, part of a sustained government campaign to raise awareness and improve UK cyber resilience.

Phishing - scam emails and texts - remain top of the leader board of attacks experienced by the businesses, charities and educational institutions surveyed. But as the recent ‘honeypot’ messaging entrapment of MPs shows, it is not only organisations which fall victim to cyber deception. Money, influence or plain vulnerability can make individuals targets too.

As organisations harden their cybersecurity defences, it is important not to overlook the online safety risks encountered by individual online users, the consequences of which range from the relatively benign to the physically and psychologically devastating. Understanding those risks and knowing how to tackle them can minimise the harm they cause.

An array of cyber threats

‘Age-gated’ activities such as buying alcohol and vapes have spawned illicit websites selling underage youths fake IDs. In most instances these cause nothing more than guilty teenage hangovers but they could easily result in online ID theft.

An altogether more serious hangover could result from becoming an online ‘money mule.’ In this pernicious practice the young and impecunious are approached by criminals on well-known social media and recruitment sites and, lured by offers of ‘easy money’, allow their bank accounts to be used by money launderers in return for a small ‘commission.’

Suspected money mules can have their bank accounts closed, a marker placed against their name on the Cifas fraud prevention database (dooming future credit hopes), and can be prosecuted for money laundering, with potentially heavy sentences.

Equally devastating are the risks posed by oversharing of images online. Dangers range from digital impersonation, a sinister practice in which family photos shared on social media are ‘hijacked’ by third parties and used to create an entirely fictitious existence, to the far more destructive use of photos shared online or via instant messaging to create naked images using ‘nudify’ apps.

Moreover, it is not only celebrities like Taylor Swift whose images have been manipulated by AI to create deepfake porn – for just $10 some sites offer to create pornographic videos of anyone using a handful of digital images ‘scraped’ from the internet.

As well as causing deep distress, lasting psychological damage and reputational harm for victims, in several cases online bullying and ‘sextortion’ involving intimate images of teenagers have led to tragic consequences.

Oversharing of personal information on social media also allows sophisticated criminals to identify, collect information about, and contact potential victims. This is known to have facilitated deeply disturbing ‘cyber kidnaps’ in which criminals use social engineering techniques and deepfake voices to persuade ‘hostages’ to isolate and send images of themselves to their families accompanied by ransom demands from kidnappers whom neither the hostage nor their families have ever met.

In January 2024, a terrified Chinese student was rescued by Utah police after he and his family fell victim to such a cyber kidnapping plot.

Given the role that deepfakes and other synthetic media can play in such scams, it is noteworthy that artificial intelligence developer, OpenAI announced in March it was delaying roll-out of its Voice Engine which boasts the ability to clone anyone’s voice with just 15 seconds of audio recording.

Legal protections

Through the Fraud Act and anti-money laundering legislation, UK criminal law has long sought to protect against cyber-enabled financial deception, but it is ‘playing catch-up’ where newer forms of online risk for individuals arise.

Until 2015, the sharing of private sexual photos or videos could only be prosecuted as harassment or as offences under communications legislation. In 2015, the non-consensual distribution or threatened distribution of private photographs or films featuring another person was criminalised, though prosecution rates remained low.

In January 2024, the Online Safety Act (OSA) ushered in new offences criminalising the sharing or threatened sharing of intimate photos or films without consent, the sharing of intimate photos or films without consent with intent to cause alarm, distress or humiliation, and the sharing of such photos or films without consent for the purpose of sexual gratification.

Crucially, with skyrocketing numbers of deepfake porn videos available online, the new offences capture photographs and films which show - or appear to show - another person in an intimate state. The courts may imprison those found guilty of these new offences.

The amendments introduced by the OSA are not a panacea but they go some way to addressing the problem. The government intends to go further, planning to outlaw the creation of sexually explicit deepfake images without consent, whether shared or not.

Other jurisdictions including the US, the EU and Australia, have either introduced legal measures against image-based sexual abuse of this kind or are considering doing so. But legal sanctions only deter if perpetrators fear apprehension, and the often cross-border nature of the offences, the ease with which criminals can avoid detection online, and the lack of law enforcement resources make the identification and prosecution of cyber criminals an uphill struggle.

Self-protection through good digital hygiene – adopting secure online habits - is therefore essential.

Reducing the risk

With most children accessing the internet through mobile devices, the government’s recent crackdown on mobile phones in schools is part of a wider move to shield children from online harms. Phone bans are already in place in parts of Europe and pro-ban campaigns are afoot in the US. Such measures offer some protection for particularly vulnerable age-groups, but online risks continue outside school hours, and extend beyond children and teenagers.

A vital foundation to staying safe online is raising awareness of the risks, for example, education about the dangers of online ‘easy money’ scams or sharing images and videos through social media and with friends. The National Cyber Security Centre has released guidance for high-risk individuals which has wider applicability.

The guidance recommends practical measures to protect electronic devices and online accounts, including maximising privacy settings, using ‘disappearing’ messages which automatically delete after viewing, and helping users of social media and professional networking sites identify malicious online actors. Confidential ‘safe-words’, a staple of Cold War espionage movies, have become sensible ‘trust but verify’ precautions against deepfake financial scams and cyber kidnapping attempts.

Technology too can be harnessed in the fight against forms of online harassment. Software exists which distorts the pixels of online images if ‘scraped’ from the internet and used to train artificial intelligence. Originally developed to protect artists’ copyright over their uploaded images, some commentators recommend that social media users deploy this ‘poison pill’ technique to protect their online photos against AI-generated deepfake porn.

Damage control

When risks materialise, damage control becomes necessary - planning ahead is key to ensuring the best possible outcome. When so many cyber threats depend on social engineering, promoting an open, ‘no shame’ culture encourages early threat reporting, reduces the emotional distress for victims, allows for swifter remedial steps, and undermines the risk of online extortion.

Posting non-consensual images online may breach the user guidelines of social media platforms as well as being a criminal offence. Urgent takedown demands to online platforms can then be issued, or the right of erasure invoked under the UK GDPR, de-listing a person’s images from search engines.

For those hit by online financial scams, help is potentially available. Victims of authorised push payment frauds (APP frauds) - where consumers are tricked into authorising payments to fraudsters – may already be entitled to reimbursement under the voluntary Contingent Repayment Model Code, to which a number of leading banks and other payment service providers belong. Later this year, reimbursement by payment service providers for APP frauds up to £415,000 will become mandatory in most circumstances.

The way forward

The internet and AI provide amazing opportunities for life-enhancing discovery. But as with all technological development, they can be misused.

Criminals are widely known as ‘early adopters’ of IT innovation, rapidly identifying the opportunities presented, and nostalgic longing for a pre-digital era will do nothing to tackle the problems of cyber-enabled crime and online abuse. Instead, law and regulation must catch-up with the scale of the problems now faced.

In the meantime, sharing information about emerging risks and adopting good cyber hygiene practices in response are the best means of protecting individuals’ safety online.