What’s wrong with Location History?

Location History lets you easily view the places a user visited and when they did so. You can use it for all kinds of things: remembering the name of that beach or restaurant you went to while on vacation two years ago, finding the address of a place your better half often goes to after work, getting new bar suggestions based on the ones you’ve been to, locating the florist that delivered the surprise bouquet for a party, and many more. The different ways this feature both benefits and harms Google account holders are commonly reported. Little wonder then that many — even those with a clean consciences — often want to turn it off completely.

Regrettably, Google has often been caught abusing its Location History setting. Even if explicitly disabled, Location History was still collected under “Web & App Activity”. This led to a series of lawsuits, which Google lost. In 2023, the company was ordered to pay $93 million under one suit, and a year earlier $392 million under another. These fines were but a pinprick to a corporation with hundreds of billions of dollars in revenue, but at least the court had Google revise its location tracking practices.

The combined legal and public pressure apparently led to the company announcing at the end of 2023 a drastic change: now, according to Google, Location History will be collected and stored on users’ devices only. But does that make the feature any more secure?

How does Location History (supposedly) work in 2024?

First of all, check that the feature has been updated on your device. As is wont with Google, updates for the billions of Android devices roll out in waves, and to relatively recent OS versions only. So, unless you see an alert that looks like the one below, it’s likely your device hasn’t received the update, and enabling Location History will save the data on Google’s servers.

Unless Google has explicitly warned you that your Location History will be stored on your device, it’s likely to continue being saved to Google’s servers

If your Location History is now stored locally, however, Google Maps will offer options for centralized management of your “places”. By selecting a point on the map, such as a coffee shop, and opening its description, you’ll see all the times you visited the place in the past, all searches for the place on the map, and other things like that. One tap on the location card can delete all of your activity associated with the place.

Google says it will store the history for each place for three months by default and then delete it. To change this setting or disable history, simply tap the blue dot on the map that shows your current location and turn off Location History in the window that pops up.

Options for configuring and disabling Location History

An obvious downside to offline Location History is that it won’t be accessible to the user on their other devices. As a workaround, Google suggests storing an encrypted backup on its servers.

Keep in mind that what we’re discussing here is the new implementation of Location History as described by Google. Detailed analysis of how this new pattern actually works may reveal pitfalls and caveats that no one except Google’s developers knows about at this point.

What threats does this update eliminate?

Although the new storage method improves the privacy of location data, it can’t be considered a one-size-fits-all solution to all existing issues. So how does it affect various hypothetical threat scenarios?

• Tracking you to customize ads. This is unlikely to be affected in any way: Google can continue to collect data on places you visit in an anonymized, generalized form. You’ll keep seeing ads linked to your current or past locations unless you disable either that or all targeted ads entirely. Remember that Google isn’t the only one out there tracking your location. Other apps and services have been found guilty of abusing this data as well; here are a few examples: one, two, and three.
• Evil hackers and cyberspies. These malicious groups typically use commercial spyware (stalkerware) or malicious implants, so the changes to Google’s Location History will hardly affect them.
• Jealous partner or prying relative. It’ll be harder to use a computer on which you’re signed in to your Google account to track your location. Someone could still quietly snoop on your phone while it’s unlocked, as well as secretly install commercial spyware such as stalkerware, which we mentioned above. Therefore, it’s general steps to protect smartphones from mobile spyware, not the updates to Google Maps, that are crucial to addressing this.
• Law enforcement. This isn’t likely to change much, as, in addition to asking Google, the police can request your location data from the mobile carrier or deduce it from surveillance camera footage, which is both easier and faster.

So, the update doesn’t help user privacy all that much, does it? We’re afraid not.

How do I effectively protect my location data?

You’re limited to fairly drastic options these days if you want to prevent location tracking. We list these here in ascending order of extremity.

• Use comprehensive security on all your devices, including phones and tablets. This will reduce the likelihood of being exposed to malware, including stalkerware.
• Disable Google Location History and Web & App Activity, avoid giving location permissions to any apps except navigation apps, turn off personalized ads, and use a DNS service that filters ads.
• Turn off all geo-tracking features (GPS, Google location services, and others) on your smartphone.
• When on an especially important trip, activate flight mode for an hour or two, or just turn off your smartphone.
• Ditch smartphones in favor of the most basic dumbphones.
• Ultimately, stop carrying around any kind of phone at all.
• Live 100% off-grid; e.g., in a cave.

Cloud threats

The most popular AI assistants run on the cloud infrastructure of large companies. It’s efficient and fast, but your data processed by the model may be accessible to both the AI service provider and completely unrelated parties, as happened last year with ChatGPT.

Such incidents present varying levels of threat depending on what these AI assistants are used for. If you’re generating cute illustrations for some fairy tales you’ve written, or asking ChatGPT to create an itinerary for your upcoming weekend city break, it’s unlikely that a leak will lead to serious damage. However, if your conversation with a chatbot contains confidential info — personal data, passwords, or bank card numbers — a possible leak to the cloud is no longer acceptable. Thankfully, it’s relatively easy to prevent by pre-filtering the data — we’ve written a separate post about that.

However, in cases where either all the correspondence is confidential (for example, medical or financial information), or the reliability of pre-filtering is questionable (you need to process large volumes of data that no one will preview and filter), there’s only one solution: move the processing from the cloud to a local computer. Of course, running your own version of ChatGPT or Midjourney offline is unlikely to be successful, but other neural networks working locally provide comparable quality with less computational load.

What hardware do you need to run a neural network?

You’ve probably heard that working with neural networks requires super-powerful graphics cards, but in practice this isn’t always the case. Different AI models, depending on their specifics, may be demanding on such computer components as RAM, video memory, drive, and CPU (here, not only the processing speed is important, but also the processor’s support for certain vector instructions). The ability to load the model depends on the amount of RAM, and the size of the “context window” — that is, the memory of the previous conversation — depends on the amount of video memory. Typically, with a weak graphics card and CPU, generation occurs at a snail’s pace (one to two words per second for text models), so a computer with such a minimal setup is only appropriate for getting acquainted with a particular model and evaluating its basic suitability. For full-fledged everyday use, you’ll need to increase the RAM, upgrade the graphics card, or choose a faster AI model.

As a starting point, you can try working with computers that were considered relatively powerful back in 2017: processors no lower than Core i7 with support for AVX2 instructions, 16GB of RAM, and graphics cards with at least 4GB of memory. For Mac enthusiasts, models running on the Apple M1 chip and above will do, while the memory requirements are the same.

When choosing an AI model, you should first familiarize yourself with its system requirements. A search query like “model_name requirements” will help you assess whether it’s worth downloading this model given your available hardware. There are detailed studies available on the impact of memory size, CPU, and GPU on the performance of different models; for example, this one.

Good news for those who don’t have access to powerful hardware — there are simplified AI models that can perform practical tasks even on old hardware. Even if your graphics card is very basic and weak, it’s possible to run models and launch environments using only the CPU. Depending on your tasks, these can even work acceptably well.

Examples of how various computer builds work with popular language models

Choosing an AI model and the magic of quantization

A wide range of language models are available today, but many of them have limited practical applications. Nevertheless, there are easy-to-use and publicly available AI tools that are well-suited for specific tasks, be they generating text (for example, Mistral 7B), or creating code snippets (for example, Code Llama 13B). Therefore, when selecting a model, narrow down the choice to a few suitable candidates, and then make sure that your computer has the necessary resources to run them.

In any neural network, most of the memory strain is courtesy of weights — numerical coefficients describing the operation of each neuron in the network. Initially, when training the model, the weights are computed and stored as high-precision fractional numbers. However, it turns out that rounding the weights in the trained model allows the AI tool to be run on regular computers while only slightly decreasing the performance. This rounding process is called quantization, and with its help the model’s size can be reduced considerably — instead of 16 bits, each weight might use eight, four, or even two bits.

According to current research, a larger model with more parameters and quantization can sometimes give better results than a model with precise weight storage but fewer parameters.

Armed with this knowledge, you’re now ready to explore the treasure trove of open-source language models, namely the top Open LLM leaderboard. In this list, AI tools are sorted by several generation quality metrics, and filters make it easy to exclude models that are too large, too small, or too accurate.

List of language models sorted by filter set

After reading the model description and making sure it’s potentially a fit for your needs, test its performance in the cloud using Hugging Face or Google Colab services. This way, you can avoid downloading models which produce unsatisfactory results, saving you time. Once you’re satisfied with the initial test of the model, it’s time to see how it works locally!

Required software

Most of the open-source models are published on Hugging Face, but simply downloading them to your computer isn’t enough. To run them, you have to install specialized software, such as LLaMA.cpp, or — even easier — its “wrapper”, LM Studio. The latter allows you to select your desired model directly from the application, download it, and run it in a dialog box.

Another “out-of-the-box” way to use a chatbot locally is GPT4All. Here, the choice is limited to about a dozen language models, but most of them will run even on a computer with just 8GB of memory and a basic graphics card.

If generation is too slow, then you may need a model with coarser quantization (two bits instead of four). If generation is interrupted or execution errors occur, the problem is often insufficient memory — it’s worth looking for a model with fewer parameters or, again, with coarser quantization.

Many models on Hugging Face have already been quantized to varying degrees of precision, but if no one has quantized the model you want with the desired precision, you can do it yourself using GPTQ.

This week, another promising tool was released to public beta: Chat With RTX from NVIDIA. The manufacturer of the most sought-after AI chips has released a local chatbot capable of summarizing the content of YouTube videos, processing sets of documents, and much more — provided the user has a Windows PC with 16GB of memory and an NVIDIA RTX 30^th or 40^th series graphics card with 8GB or more of video memory. “Under the hood” are the same varieties of Mistral and Llama 2 from Hugging Face. Of course, powerful graphics cards can improve generation performance, but according to the feedback from the first testers, the existing beta is quite cumbersome (about 40GB) and difficult to install. However, NVIDIA’s Chat With RTX could become a very useful local AI assistant in the future.

The code for the game “Snake”, written by the quantized language model TheBloke/CodeLlama-7B-Instruct-GGUF

The applications listed above perform all computations locally, don’t send data to servers, and can run offline so you can safely share confidential information with them. However, to fully protect yourself against leaks, you need to ensure not only the security of the language model but also that of your computer – and that’s where our comprehensive security solution comes in. As confirmed in independent tests, Kaspersky Premium has practically no impact on your computer’s performance — an important advantage when working with local AI models.

So, how do you use AI without regretting it later?

Filter important data

The privacy policy of OpenAI, the developer of ChatGPT, unequivocally states that any dialogs with the chatbot are saved and can be used for a number of purposes. First, these are solving technical issues and preventing terms-of-service violations: in case someone gets an idea to generate inappropriate content. Who would have thought it, right? In that case, chats may even be reviewed by a human. Second, the data may be used for training new GPT versions and making other product “improvements”.

Most other popular language models — be it Google’s Gemini, Anthropic’s Claude, or Microsoft’s Bing and Copilot — have similar policies: they can all save dialogs in their entirety.

That said, inadvertent chat leaks have already occurred due to software bugs, with users seeing other people’s conversations instead of their own. The use of this data for training could also lead to a data leak from a pre-trained model: the AI assistant might give your information to someone if it believes it to be relevant for the response. Information security experts have even designed multiple attacks (one, two, three) aimed at stealing dialogs, and they’re unlikely to stop there.

So, remember: anything you write to a chatbot can be used against you. We recommend taking precautions when talking to AI.

Don’t send any personal data to a chatbot. No passwords, passport or bank card numbers, addresses, telephone numbers, names, or other personal data that belongs to you, your company, or your customers must end up in chats with an AI. You can replace these with asterisks or “REDACTED” in your request.

Don’t upload any documents. Numerous plug-ins and add-ons let you use chatbots for document processing. There might be a strong temptation to upload a work document to, say, get an executive summary. However, by carelessly uploading of a multi-page document, you risk leaking confidential data, intellectual property, or a commercial secret such as the release date of a new product or the entire team’s payroll. Or, worse than that, when processing documents received from external sources, you might be targeted with an attack that counts on the document being scanned by a language model.

Use privacy settings. Carefully review your large-language-model (LLM) vendor’s privacy policy and available settings: these can normally be leveraged to minimize tracking. For example, OpenAI products let you disable saving of chat history. In that case, data will be removed after 30 days and never used for training. Those who use API, third-party apps, or services to access OpenAI solutions have that setting enabled by default.

Sending code? Clean up any confidential data. This tip goes out to those software engineers who use AI assistants for reviewing and improving their code: remove any API keys, server addresses, or any other information that could give away the structure of the application or the server configuration.

Limit the use of third-party applications and plug-ins

Follow the above tips every time — no matter what popular AI assistant you’re using. However, even this may not be sufficient to ensure privacy. The use of ChatGPT plug-ins, Gemini extensions, or separate add-on applications gives rise to new types of threats.

First, your chat history may now be stored not only on Google or OpenAI servers but also on servers belonging to the third party that supports the plug-in or add-on, as well as in unlikely corners of your computer or smartphone.

Second, most plug-ins draw information from external sources: web searches, your Gmail inbox, or personal notes from services such as Notion, Jupyter, or Evernote. As a result, any of your data from those services may also end up on the servers where the plug-in or the language model itself is running. An integration like that may carry significant risks: for example, consider this attack that creates new GitHub repositories on behalf of the user.

Third, the publication and verification of plug-ins for AI assistants are currently a much less orderly process than, say, app-screening in the App Store or Google Play. Therefore, your chances of encountering a poorly working, badly written, buggy, or even plain malicious plug-in are fairly high — all the more so because it seems no one really checks the creators or their contacts.

How do you mitigate these risks? Our key tip here is to give it some time. The plug-in ecosystem is too young, the publication and support processes aren’t smooth enough, and the creators themselves don’t always take care to design plug-ins properly or comply with information security requirements. This whole ecosystem needs more time to mature and become securer and more reliable.

Besides, the value that many plug-ins and add-ons add to the stock ChatGPT version is minimal: minor UI tweaks and “system prompt” templates that customize the assistant for a specific task (“Act as a high-school physics teacher…”). These wrappers certainly aren’t worth trusting with your data, as you can accomplish the task just fine without them.

If you do need certain plug-in features right here and now, try to take maximum precautions available before using them.

• Choose extensions and add-ons that have been around for at least several months and are being updated regularly.
• Consider only plug-ins that have lots of downloads, and carefully read the reviews for any issues.
• If the plug-in comes with a privacy policy, read it carefully before you start using the extension.
• Opt for open-source tools.
• If you possess even rudimentary coding skills — or coder friends — skim the code to make sure that it only sends data to declared servers and, ideally, AI model servers only.

Execution plug-ins call for special monitoring

So far, we’ve been discussing risks relating to data leaks; but this isn’t the only potential issue when using AI. Many plug-ins are capable of performing specific actions at the user’s command — such as ordering airline tickets. These tools provide malicious actors with a new attack vector: the victim is presented with a document, web page, video, or even an image that contains concealed instructions for the language model in addition to the main content. If the victim feeds the document or link to a chatbot, the latter will execute the malicious instructions — for example, by buying tickets with the victim’s money. This type of attack is referred to as prompt injection, and although the developers of various LLMs are trying to develop a safeguard against this threat, no one has managed it — and perhaps never will.

Luckily, most significant actions — especially those involving payment transactions such as purchasing tickets — require a double confirmation. However, interactions between language models and plug-ins create an attack surface so large that it’s difficult to guarantee consistent results from these measures.

Therefore, you need to be really thorough when selecting AI tools, and also make sure that they only receive trusted data for processing.

Complicating matters is the heightened uncertainty about the identity of your virtual conversational partner, and the disconcerting possibility of digital stalking.

In fact, we recently commissioned a report on digital stalking to ascertain the reality of these risks and concerns. We engaged with over 21,000 participants to cast light on the alarming prevalence of digital abuse experienced by those in pursuit of love.

Revelations from the survey

As per our survey findings, 34% of respondents believe that googling or checking social media accounts of someone they’ve just started dating is a form of “due diligence”. While seemingly harmless, 23% reported encountering some form of online stalking from a new romantic interest, suggesting that some individuals may take a swift Google search a bit too far.

Furthermore, and somewhat alarmingly, over 90% of respondents expressed a willingness to share or consider sharing passwords that grant access to their location. While seemingly innocuous on the surface, there can loom there specter of stalkerware: silent software capable of continuously tracking user whereabouts and spying on messages.

How to protect yourself? Tips from the experts

We’ve compiled advice from leading online security, dating, and safety experts to help you navigate the waters of love safely this Valentine’s Day!

Enhanced password safety measures

• Create complex passwords using a mix of letters, numbers, and symbols.
• Never reuse passwords across different sites and apps; keep them private.
• Use two-factor authentication for an added layer of security.
• Change your password immediately if you’ve shared it with someone you’ve been dating but are no longer in touch with.
• Use a password manager to keep all your passwords strong and safe.

Proactive verification techniques of online dating profiles

• Run a reverse-image search for that profile; if it appears on multiple pages under various names, it’s likely a catfisher.
• Look for inconsistencies in daters’ stories and profile details.
• Be wary of sudden, intense expressions of love, or requests for money.
• Use video calls to verify a dater’s identity before meeting in person.

Maximizing online dating profile security:

• Conduct your own privacy audit of your social media accounts to understand what’s publicly visible.
• Customize your privacy settings to control who can see your posts and personal information.
• Regularly review your friends/followers list to ensure you know who has access to your information.

Strategic sharing guidelines:

• Avoid posting details that could disclose your location, workplace, or routines.
• Think twice before sharing emotionally charged or intimate content.
• Be mindful of metadata or other identifiable clues in photos (like geotags) that can reveal your identity, location, or details you’d rather keep private.
• Set personal boundaries on the type of information you share early on in a relationship; only reveal personal details gradually as trust builds over time.
• Listen to your instincts – if something feels off, take a step back and give yourself a moment.
• Consider how the data you share could be used to piece together a profile or compromise your physical safety.

Comprehensive safety plan for offline meetings:

• Choose well-lit, public places for initial meetings.
• Avoid sharing or displaying personal items that might reveal your address or sensitive information.
• Arrange your own transportation to and from the meeting place.
• Have a check-in system with a friend or family member.

As we embrace the possibilities for romance and connection in the digital age, let’s not forget the importance of our safety and wellbeing. By implementing these strategies, you can confidently explore the world of online dating while safeguarding both your digital and physical self. For more details, please take a look at our safe dating guide. And our premium security solution with identity protection and privacy features can help you keep calm and carry on… dating!

There are three reasons why this situation might occur:

1. A hacking attempt. Hackers have somehow learned, guessed, or stolen your password and are now trying to use it to access your account. You’ve received a legitimate message from the service they are trying to access.
2. Preparation for a hack. Hackers have either learned your password or are trying to trick you into revealing it, in which case the OTP message is a form of phishing. The message is fake, although it may look very similar to a genuine one.
3. Just a mistake. Sometimes online services are set up to first request a confirmation code from a text message, and then a password, or authenticate with just one code. In this case, another user could have made a typo and entered your phone/email instead of theirs — and you receive the code.

As you can see, there may be a malicious intent behind this message. But the good news is that at this stage, there has been no irreparable damage, and by taking the right action you can avoid any trouble.

What to do when you receive a code request

Most importantly, don’t click the confirmation button if the message is in the “Yes/No” form, don’t log in anywhere, and don’t share any received codes with anyone.

If the code request message contains links, don’t follow them.

These are the most essential rules to follow. As long as you don’t confirm your login, your account is safe. However, it’s highly likely that your account’s password is known to attackers. Therefore, the next thing to do is change the password for this account. Go to the relevant service by entering its web address manually — not by following a link. Enter your password, get a new (this is important!) confirmation code, and enter it. Then find the password settings and set a new, strong password. If you use the same password for other accounts, you’d need to change the password for them, too — but make sure to create a unique password for each account. We understand that it’s difficult to remember so many passwords, so we highly recommend storing them in a dedicated password manager.

This stage — changing your passwords — is not so urgent. There’s no need to do it in a rush, but also don’t postpone it. For valuable accounts (like banking), attackers may try to intercept the OTP if it’s sent via text. This is done through SIM swapping (registering a new SIM card to your number) or launching an attack via the operator’s service network utilizing a flaw in the SS7 communications protocol. Therefore, it’s important to change the password before the bad guys attempt such an attack. In general, one-time codes sent by text are less reliable than authenticator apps and USB tokens. We recommend always using the most secure 2FA method available; a review of different two-factor authentication methods can be found here.

What to do if you’re receiving a lot of OTP requests

In an attempt to make you confirm a login, hackers may bombard you with codes. They try to log in to the account again and again, hoping that you’ll either make a mistake and click “Confirm”, or go to the service and disable 2FA out of annoyance. It’s important to keep cool and do neither. The best thing to do is go to the service’s site as described above (open the site manually, not through a link) and quickly change the password; but for this, you’ll need to receive and enter your own, legitimate OTP. Some authentication requests (for example, warnings about logging into Google services) have a separate “No, it’s not me” button — usually, this button causes automated systems on the service side to automatically block the attacker and any new 2FA requests. Another option, albeit not the most convenient one, would be to switch the phone to silent or even airplane mode for half-an-hour or so until the wave of codes subsides.

What to do if you accidentally confirm a stranger’s login

This is the worst-case scenario, as you’ve likely allowed an attacker into your account. Attackers act quickly in changing settings and passwords, so you’ll have to play catch-up and deal with the consequences of the hack. We’ve provided advice for this scenario here.

How to protect yourself?

The best method of defense in this case is to stay one step ahead of the criminals: si vis pacem, para bellum. This is where our security solution comes in handy. It tracks leaks of your accounts linked to both email addresses and phone numbers, including on the dark web. You can add the phone numbers and email addresses of all your family members, and if any account data becomes public or is discovered in leaked databases, Kaspersky Premium will alert you and give advice on what to do.

Included in the subscription, Kaspersky Password Manager will warn you about compromised passwords and help you change them, generating new uncrackable passwords for you. You can also add two-factor authentication tokens to it or easily transfer them from Google Authenticator in a few clicks. Secure storage for your personal documents will safeguard your most important documents and files, such as passport scans or personal photos, in encrypted form so that only you can access them.

Moreover, your logins, passwords, authentication codes and saved documents will be available from any of your devices — computer, smartphone or tablet — so even if you somehow lose your phone, you’ll lose neither your data nor access, and you’ll be able to easily restore them on a new device. And to access all your data, you only need to remember one password — the main one — which isn’t stored anywhere except in your head and is used for banking-standard AES data encryption.

With the “zero disclosure principle”, no one can access your passwords or data — not even Kaspersky employees. The reliability and effectiveness of our security solutions have been confirmed by numerous independent tests, with one recent example being our home protection solutions having received the highest award — Product of the Year 2023 — in tests run by the independent European laboratory AV-Comparatives.

What a crypto (wallet) drainer is

A crypto drainer — or crypto wallet drainer — is a type of malware that’s been targeting crypto owners since it first appeared just over a year ago. A crypto drainer is designed to (quickly) empty crypto wallets automatically by siphoning off either all or just the most valuable assets they contain, and placing them into the drainer operators’ wallets.

As an example of this kind of theft, let us review the theft of 14 Bored Ape NFTs with a total value of over $1 million, which occurred on December 17, 2022. The scammers set up a fake website for the real Los Angeles-based movie studio Forte Pictures, and contacted a certain NFT collector on behalf of the company. They told the collector that they were making a film about NFT. Next, they asked the collector if they wanted to license the intellectual property (IP) rights to one of their Bored Ape NFTs so it could be used in the movie.

According to the scammers, this required signing a contract on “Unemployd”, ostensibly a blockchain platform for licensing NFT-related intellectual property. However, after the victim approved the transaction, it turned out that all 14 Bored Ape NFTs belonging to them were sent to the malicious actor for a paltry 0.00000001 ETH (about US¢0.001 at the time).

What the request to sign the “contract” looked like (left), and what actually happened after the transaction was approved (right). Source

The scheme relied to a large extent on social engineering: the scammers courted the victim for more than a month with email messages, calls, fake legal documents, and so on. However, the centerpiece of this theft was the transaction that transferred the crypto assets into the scammers’ ownership, which they undertook at an opportune time. Such a transaction is what drainers rely on.

How crypto drainers work

Today’s drainers can automate most of the work of emptying victims’ crypto wallets. First, they can help to find out the approximate value of crypto assets in a wallet and identify the most valuable ones. Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently. And finally, they obfuscate fraudulent transactions, making them as vague as possible, so that it’s difficult to understand what exactly happens once the transaction is authorized.

Armed with a drainer, malicious actors create fake web pages posing as websites for cryptocurrency projects of some sort. They often register lookalike domain names, taking advantage of the fact that these projects tend to use currently popular domain extensions that resemble one another.

Then the scammers use a technique to lure the victim to these sites. Frequent pretexts are an airdrop or NFT minting: these models of rewarding user activity are popular in the crypto world, and scammers don’t hesitate to take advantage of that.

These X (Twitter) ads promoted NFT airdrops and new token launches on sites that contain the drainer. Source

Also commonplace are some totally unlikely schemes: to draw users to a fake website, malicious actors recently used a hacked Twitter account that belonged to a… blockchain security company!

X (Twitter) ads for a supposedly limited-edition NFT collection on scam websites. Source

Scammers have also been known to place ads on social media and search engines to lure victims to their forged websites. In the latter case, it helps them intercept customers of real crypto projects as they search for a link to a website they’re interested in. Without looking too closely, users click on the “sponsored” scam link, which is always displayed above organic search results, and end up on the fake website.

Google search ads with links to scam websites containing crypto drainers. Source

Then, the unsuspecting crypto owners are handed a transaction generated by the crypto drainer to sign. This can result in a direct transfer of funds to the scammers’ wallets, or more sophisticated scenarios such as transferring the rights to manage assets in the victim’s wallet to a smart contract. One way or another, once the malicious transaction is approved, all the valuable assets get siphoned off to the scammers’ wallets as quickly as possible.

How dangerous crypto drainers are

The popularity of drainers among crypto scammers is growing rapidly. According to a recent study on crypto drainer scams, more than 320,000 users were affected in 2023, with total damage of just under $300 million. The fraudulent transactions recorded by the researchers included around a dozen — worth more than a million dollars each. The largest value of loot taken in a single transaction amounted to a little over $24 million!

Curiously, experienced cryptocurrency users fall prey to scams like this just like newbies. For example, the founder of the startup behind Nest Wallet was recently robbed of $125,000 worth of stETH by scammers who used a fake website promising an airdrop.

How to protect against crypto drainers

• Don’t put all your eggs in one basket: try to keep only a portion of your funds that you need for day-to-day management of your projects in hot crypto wallets, and store the bulk of your crypto assets in cold wallets.
• To be on the safe side, use multiple hot wallets: use one for your Web3 activities — such as drop hunting, use another to keep operating funds for these activities, and transfer your profits to cold wallets. You’ll have to pay extra commission for transfers between the wallets, but malicious actors would hardly be able to steal anything from the empty wallet used for airdrops.
• Keep checking the websites you visit time and time again. Any suspicious detail is a reason to stop and double-check it all again.
• Don’t click on sponsored links in search results: only use links in organic search results – that is, those that aren’t marked “sponsored”.
• Review every transaction detail carefully.
• Use companion browser extensions to verify transactions. These help identify fraudulent transactions and highlight what exactly will happen as a result of the transaction.
• Finally, be sure to install reliable security on all devices you use to manage crypto assets.

How protection from crypto threats works in Kaspersky solutions

By the way, Kaspersky solutions offer multi-layered protection against crypto threats. Be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled and read our detailed instructions on protecting both hot and cold crypto wallets.

What is Facebook link history?

Facebook mobile apps come with a built-in browser. Whenever you follow an external link posted on Facebook, it opens in this very browser. Recently the social network decided to start collecting the history of all the links you click, and to use this data to show you targeted ads.

Why does Facebook need it? Because it’s not just the largest social network in the world, but also one of the most powerful global advertising platforms — second only to Google in terms of scale and capabilities. Previously, to collect data on user interests and show targeted ads based on it, Facebook used third-party cookies. However, support for third-party cookies is being phased out in the world’s most popular browser — Google Chrome.

Google has devised its own mechanism for tracking users and targeting ads — known as Google Ad Topics. To collect data, this technology makes active use of the Google Chrome browser and the Android operating system. Not so long ago, we explained how to opt out of this Google tracking.

Now Facebook has decided to track users through the browser built into its various mobile app versions. That’s how the link-history feature was born. But it offers no additional benefits to regular users — despite Facebook trumpeting the convenience of being able to find any link you ever opened at any moment. But if you don’t like the idea of Facebook tracking your every move, it’s best to turn off the feature; thankfully, it’s easy to do.

How to turn off Facebook link history

First, let’s clarify that link history is only available in Facebook mobile apps. The feature is missing when you use the web version of the social network. It’s also neither available in Facebook Lite (if only because this app has no built-in browser), nor (at least for now) in the Messenger app.

The first time a user opens an external link posted on the social network after Facebook introduced link history, they’re asked for their consent to use the feature.

The screen requesting permission to turn on link history is only shown once

As you’d probably expect, link history is enabled by default. So most users likely give consent without too much thought — just to get Facebook off their backs and to show the page they want.

If you’ve already opted in to link history and now want to turn it off, there are two easy ways to do so.

The first way to turn off link history

• In the Facebook app, open Menu by tapping the hamburger icon (the three lines in the upper-right corner on Android), or the Profile icon in the lower-right corner on iOS.
• Go to Settings & privacy — the easiest way is by tapping the gear icon.
• Scroll down to Browser and tap it.
• In the window that opens, toggle Allow link history
• Also, while you’re at it, tap the Clear button next to Link history.

Turning off Facebook link history through Settings & privacy on Android

The second way to turn off link history

• In the app, tap any link posted on Facebook. This will open the app’s built-in browser.
• In it, tap the ellipsis icon (upper-right corner on Android, lower-right on iOS).
• Select Go to Settings.
• In the window that opens, toggle Allow link history off and tap the Clear button next to Link history.

Turning off Facebook link history through the built-in browser on iOS

All done. Facebook will no longer collect your link history. While you’re at it, don’t forget to stop Google tracking you by disabling Google Ad Topics. To avoid online tracking in general, use the Private Browsing feature in Kaspersky applications.

Therefore, it’s crucial for parents to stay informed about the latest cybersecurity threats targeting kids to better protect them from potential harm. In this post, my colleague, Anna Larkina, and I explore some of the key cybersecurity trends that parents should be aware of and provide tips on how to safeguard their children’s online activities.

AI threats

AI is continuing to revolutionize various industries, and its daily use ranges from chatbots and AI wearables to personalized online shopping recommendations — among many other common uses. And of course, such global trends pique the interest and curiosity of children, who can use AI tools to do their homework or simply chat with AI-enabled chatbots. According to a UN study, about 80 percent of youths that took part in its survey claimed that they interact with AI multiple times a day. However, AI applications can pose numerous risks to young users involving data privacy loss, cyberthreats, and inappropriate content.

With the development of AI, numerous little-known applications have emerged with seemingly harmless features such as uploading a photo to receive a modified version — whether it be an anime-style image or simple retouching. However, when adults, let alone children, upload their images to such applications, they never know in which databases their photos will ultimately remain, or whether they’ll be used further. Even if your child decides to play with such an application, it’s essential to use them extremely cautiously and ensure there’s no personal information that may identify the child’s identity — such as names, combined with addresses, or similar sensitive data — in the background of the photo, or consider avoiding using such applications altogether.

Moreover, AI apps – chatbots in particular – can easily provide age-inappropriate content when prompted. This poses a heightened risk as teenagers might feel more comfortable sharing personal information with the chatbot than with their real-life acquaintances, as evidenced by instances where the chatbot gave advice on masking the smell of alcohol and pot to a user claiming to be 15. On an even more inappropriate level, there are a multitude of AI chatbots that are specifically designed to provide an “erotic” experience. Although some require a form of age verification, this is a dangerous trend as some children might opt to lie about their age, while checks of real age are lacking.

It is estimated that on Facebook Messenger alone, there are over 300,000 chatbots in operation. However, not all of them are safe, and may carry various risks, like the ones mentioned earlier. Therefore, it is extremely important to discuss with children the importance of privacy and the dangers of oversharing, as well as talking to them about their online experiences regularly. It also reiterates the significance of establishing trusting relationships with one’s children. This will ensure that they feel comfortable asking their parents for advice rather than turning to a chatbot for guidance.

Young gamers under attack

According to statistics, 91 percent of children in the UK aged 3-15 play digital games on devices. The vast world of gaming is open to them — also making them vulnerable to cybercriminals’ attacks. For instance, in 2022, our security solutions detected more than seven million attacks relating to popular children’s games, resulting in a 57 percent increase in attempted attacks compared to the previous year. The top children’s games by the number of users targeted even included games for the youngest children — Poppy Playtime and Toca Life World — which are designed for children 3-8-years old.

What raises even more concerns is that sometimes children prefer to communicate with strangers on gaming platforms rather than on social media. In some games, unmoderated voice and text chats form a significant part of the experience. As more young people come online, criminals can build trust virtually, in the same way as they would entice someone in person — by offering gifts or promises of friendship. Once they lure a young victim by gaining their trust, cybercriminals can obtain their personal information, suggesting they click on a phishing link, download a malicious file onto their device disguised as a game mod for Minecraft or Fortnite, or even groom them for more nefarious purposes. This can be seen in the documentary series “hacker:HUNTER“, co-produced by Kaspersky, as one of the episodes revealed how cybercriminals identify skilled children through online games and then groom them to carry out hacking tasks.

The number of ways to interact within the gaming world is increasing, and now includes voice chats as well as AR and VR games. Both cybersecurity and social-related threats remain particular problems in children’s gaming. Parents must remain vigilant regarding their children’s behavior and maintain open communication to address any potential threats. Identifying a threat involves observing changes, such as sudden shifts in gaming habits that may indicate a cause for concern. To keep your child safe by stopping them downloading malicious files during their gaming experience, we advise installing a trusted security solution on all their devices.

Fintech for kids: the phantom menace

An increasing number of banks are providing specialized products and services designed for children — including bank cards for kids as young as 12. This gives parents helpful things like the ability to monitor their child’s expenditures, establish daily spending limits, or remotely transfer funds for the child’s pocket money.

Yet, by introducing banking cards for children, the latter can become susceptible to financially motivated threat actors and vulnerable to conventional scams, such as promises of a free PlayStation 5 and other similar valuable devices after entering card details on a phishing site. Using social engineering techniques, cybercriminals might exploit children’s trust by posing as their peers and requesting card details or money transfers to their accounts.

As the fintech industry for children continues to evolve, it’s crucial to educate children not only about financial literacy but also the basics of cybersecurity. To achieve this, you can read Kaspersky Cybersecurity Alphabet together with your child. It’s specifically designed to explain key online safety rules in a language easily comprehensible for children.

To avoid concerns about a child losing their card or sharing banking details, we recommend installing a digital NFC card on their phone instead of giving them a physical plastic card. Establish transaction confirmation with the parent if the bank allows it. And, of course, the use of any technical solutions must be accompanied by an explanation of how to use them safely.

Smart home threats for kids

In our interconnected world, an increasing number of devices — even everyday items like pet feeders — are becoming “smart” by connecting to the internet. However, as these devices become more sophisticated, they also become more susceptible to cyberattacks. This year, our researchers conducted a vulnerability study on a popular model of smart pet feeder. The findings revealed a number of serious security issues that could allow attackers to gain unauthorized access to the device and steal sensitive information such as video footage — potentially turning the feeder into a surveillance tool.

Despite the increasing number of threats, manufacturers are not rushing to create cyber-immune devices that preemptively prevent potential exploits of vulnerabilities. Meanwhile, the variety of different IoT devices purchased in households continues to grow. These devices are becoming the norm for children, which also means that children can become tools for cybercriminals in an attack. For instance, if a smart device becomes a fully functional surveillance tool and a child is home alone, cybercriminals could contact them through the device and request sensitive information such as their name, address, or even their parents’ credit card number and times when their parents are not at home. In a scenario such as this one, beyond just hacking the device, there is a risk of financial data loss or even a physical attack.

As we cannot restrict children from using smart home devices, our responsibility as parents is to maximize the security of these devices. This includes at least adjusting default security settings, setting new passwords, and explaining basic cybersecurity rules to children who use IoT devices.

I need my space!

As kids mature, they develop greater self-awareness, encompassing an understanding of their personal space, privacy, and sensitive data, both offline and in their online activities. The increasing accessibility of the internet means more children are prone to becoming aware of this. Consequently, when a parent firmly communicates the intent to install a parenting digital app on their child’s devices, not all children will take it calmly.

This is why parents now require the skill to discuss their child’s online experience and the importance of parenting digital apps for online safety while respecting the child’s personal space. This involves establishing clear boundaries and expectations, discussing the reasons for using the app with the child. Regular check-ins are also vital, and adjustments to the restrictions should be made as the child matures and develops a sense of responsibility. Learn more in our guide on kids’ first gadgets, where, together with experienced child psychologist Saliha Afridi, our privacy experts analyze a series of important milestones to understand how to introduce such apps into a child’s life properly and establish a meaningful dialogue about cybersecurity online.

Forbidden fruit can be… malicious

If an app is unavailable in one’s home region, a child may start looking for an alternative, but this alternative is often only a malicious copy. Even if they turn to official app stores like Google Play, they still run the risk of falling prey to cybercriminals. From 2020 to 2022, our researchers found more than 190 apps infected with the Harly Trojan on Google Play, which signed users up for paid services without their knowledge. A conservative estimate of the number of downloads of these apps is 4.8 million, while the actual figure of victims may be even higher.

Children are not the only ones following this trend; adults are as well, which was highlighted in our latest consumer cyberthreats predictions report as a part of the annual Kaspersky Security Bulletin. That’s why it’s crucial for kids and their parents to understand the fundamentals of cybersecurity. For instance, it’s important to pay attention to the permissions that an app requests when installing it: a simple calculator, for instance, shouldn’t need access to your location or contact list.

How to keep kids safe?

As we can see, many of the trends that are playing out in society today are also affecting children, making them potential targets for attackers. This includes both the development and popularity of AI and smart homes, as well as the expansion of the world of gaming and the fintech industry. Our experts are convinced that protecting children from cybersecurity threats in 2024 requires proactive measures from parents:

• By staying informed about the latest threats and actively monitoring their children’s online activities, parents can create a safer online environment for their kids.
• It’s crucial for parents to have open communication with their children about the potential risks they may encounter online and to enforce strict guidelines to ensure their safety.
• With the right tools such as Kaspersky Safe Kids, parents can effectively safeguard their children against cyberthreats in the digital age.
• To help parents introduce their children to cybersecurity amid the evolving threat landscape, our experts have developed the above-mentioned Kaspersky Cybersecurity Alphabet, with key concepts from the cybersecurity industry. In this book, your child can get to know about new technologies, learn the main cyber hygiene rules, find out how to avoid online threats, and recognize fraudsters’ tricks. After reading this book together, you’ll be sure that your offspring knows how to distinguish a phishing website, how VPN and QR-codes work, and even what encryption and honeypots are and what role they play in modern cybersecurity. You can download the pdf version of the book and also the Kaspersky Cybersecurity Alphabet poster for free.

1. Delete unnecessary files

Let’s start with the basics: deleting files you no longer need. This stage might seem easy, but it can actually take a while — simply because we all have an awful lot of files. So, it’s important not to get overwhelmed by the task. Try breaking it down into small steps, for example, deleting 10, 20 or 50 files each day — or even several times a day.

The main places to look for junk files are:

• The desktop. An obvious candidate for where to begin your digital cleanup. Once you’ve cleared your desktop of ancient shortcuts and files, you’ll not only have more storage space, but should also gain a sense of order, which may boost your productivity, lift your spirits, and help you tackle the next steps of your digital cleanup!
• The “Old Desktop” folder. Most likely, you have such a folder somewhere on your computer’s SSD (or something similar, like “Old Disk Drive” or “Old Computer Files”). And inside it, there’s often another “Old Desktop”, and within that, another, and so on. It may seem daunting, but time has come to finally deal with this abyss of nested directories.

Get rid of the Old Desktop nested folders

• The downloads folder. Ancient documents, installation files from long-deleted programs, saved images dating back a decade, and other digital relics — chances are you no longer need them and can simply delete them all. And, don’t forget to clean the downloads folder not only on your computer but also on your smartphone (and on your tablet if you have one).
• Your smartphone’s photo gallery. If you delete all duplicate photos, screenshots taken for unclear reasons, and videos your pocket decided to take all on its own, you might find you can postpone buying a new smartphone with more memory for another year or two. Special apps come to the rescue here, seeking either exact duplicates or similar files — for example, a series of identical shots, of which you only need to keep one or two. Look for them in app stores using the keyword “duplicate”.
• Your cloud storage. This similar to the Old Desktop folder, but in the cloud. Sure, you can pay for extra disk space and accumulate files for a few more years. But might it be better to just get rid of them?
• Large files and duplicates on your computer. If you need to quickly free up space on your hard drive/SSD, the easiest way is to either delete a few large-sized files or get rid of identical files, thoughtfully scattered across different folders. To automatically search for large files, you can use the Large Files feature on the Performance tab of the Kaspersky app. By specifying the minimum size and search area — the entire computer or selected folders — in a few minutes you’ll receive a complete list of files whose size exceeds the limit. Then, you can choose to delete them either in bulk or individually.

Also on the Performance tab, you can find and remove duplicate files. Used together, these features (available in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions) might save you from having to buy a new hard drive or SSD.

Once you’ve finished removing unnecessary files, don’t forget to empty the Recycle Bin — or the “Deleted photos” folder, if it’s your smartphone’s photo gallery.

2. Clean up your email and messengers

The next important stage in your digital cleanup is to sort out your email and messaging apps. This will reduce the amount of space your correspondence takes up and, most importantly, improve your experience of using your email and messengers. What to do first?

• Get rid of unread messages. Those scary numbers in red circles hovering above your messenger app icons can really get on your nerves and prevent you from dealing with new incoming messages on time. This could cause you to overlook something important, get your priorities wrong, miss a deadline or meeting, and so on. Like cleaning up files, sorting through unread emails and messages can take some time. That’s why a steady, systematic approach works best here: try to break the process up into small steps. And aim to always have fewer unread items at the end of each day — sooner or later, you’ll hit zero.

Looks familiar? Help yourself: try to gradually sort out all your unreads

• Unsubscribe from unnecessary email newsletters and messenger channels. This step can help you with the previous task, too. Weeding out unneeded information feeds will reduce the number of new unread items, so you can reach that golden zero even faster. You need to be decisive here: instead of simply ignoring another uninteresting message or email, unsubscribe immediately.
• Delete old messenger chats. Correspondence with a realtor about the apartment you moved out of three years ago, communication with couriers, and other similar priceless messages will some day form the basis of your memoirs. Just kidding, of course: delete all of it without hesitation.
• Delete emails with large attachments. Is your email provider sending you annoying messages telling you you’re about to run out of storage space? The easiest way to quickly clean up your inbox is to delete old emails with large attachments. Most providers and email programs allow you to find them without much difficulty. It’s easiest with Gmail — to find all emails bigger than 10 megabytes, just enter “size:10000000” in the search bar.

The easiest way to quickly clean up your inbox: find and delete all large emails

• Clear out the spam folder. Individual spam emails typically don’t take up much space. But if you haven’t checked your spam folder in a while, you might have accumulated a ton of messages. Deleting them will push you away from your mailbox limit even further.

3. Close old tabs

Now it’s time to deal with the program we all use the most: your browser. Old tabs left open for months, if not years, not only eat through your device’s memory, but also make it difficult to find the relevant information you actually need. Moreover, an abundance of tabs can pose a serious obstacle to updating the browser — which, by the way, is one of the most important digital hygiene procedures there is.

So try to get rid of unnecessary tabs in all the browsers you use — including on your smartphone. There are two approaches here: either act quickly and decisively, ruthlessly closing all tabs without concern for what they contain; or do it gradually and cautiously, closing tabs in batches of 10–20 at a time and checking along the way if there’s anything important among them. You can add the ones you actually need to bookmarks or tab groups.

Close all unnecessary tabs in your browser — it’ll be easier to find important ones

And while we’re still on about the browser, also clear its cache. If you haven’t done this before, you’ll be surprised at how much space it takes up. Also, it’s a good idea to review all the extensions installed in your browser: if you’re not using something, now’s the perfect time to remove it.

4. Cancel unnecessary subscriptions

Almost every online service nowadays offers some type of paid subscription — if not several. And these subscriptions can start to pile up beyond all reasonable limits. How much does it all cost? Who knows?! Seriously, people often have no idea about how much they pay for all their digital subscriptions, typically underestimating the total expenses several times compared to reality.

So not only does canceling unnecessary subscriptions bring immediate financial benefit — but this benefit is probably greater than you imagine. On the other hand, the task isn’t that simple: you need to remember all your subscriptions, gather and organize information about them, sort out what’s what — and only then will you understand what you should unsubscribe from. There also might be family subscriptions, with duplicates on the various devices of your family members.

The good news is that there’s a special app for managing subscriptions: SubsCrab. It can organize information about all your subscriptions, calculate monthly expenses, show you a handy schedule and warn you about payment days in advance, tell you what needs to be done to cancel a particular subscription, and even propose alternative subscription options or promo codes and discounts for renewals.

The SubsСrab app will help sort out paid subscriptions and cancel unnecessary ones

5. Remove unused applications

You probably have apps on your smartphone that you haven’t used in over a year. Or maybe even ones you’ve never opened at all. Not only do they take up your device’s memory, but they can also slowly consume internet traffic and battery power and, most importantly, they clog up your interface and may continue to collect data about your smartphone — and you.

It’s time to finally get rid of them! If you delete at least one unused app a day, within a month or so they’ll all be gone, and order will be restored on your smartphone’s home screen.

However, there is a way to immediately detect all unnecessary apps — both on Windows computers and Android smartphones — with the help of the Unused Apps feature included in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions. It will show you the apps you rarely use and allow you to delete them all in one fell swoop.

There are some protected Android apps which are impossible to uninstall, even if you don’t need them at all — all due to the whim of the smartphone manufacturer. These may include a proprietary browser or an unused social network client. However, there are special methods to uninstall such apps, which we’ve covered in detail in this comprehensive guide.

6. Turn off unnecessary notifications

One of the main obstacles to digital peace of mind can be the endless stream of notifications flowing from almost every app these days — whether it’s a fitness tracker or a calculator. But, fortunately, we’re not at the mercy of our phones in this case. So go through the list of apps that are allowed to send notifications and thin it out.

Notification settings and Focus mode in Android

There are two possible solutions here. The first one is radical: disable notifications for all apps except the most essential ones — banking apps, work tools, and messengers. The second is moderate: identify apps that blatantly abuse notifications — firing them out for no good reason — and disable these pests.

It’s also helpful to disable notifications in messengers for less important contacts, channels, and chats. Also, take a closer look at the focus mode settings. They’re available in all modern operating systems — such as Android, iOS/iPadOS, Windows and macOS — and allow you to limit the number of notifications and other digital noise for a set period.

Notification settings and Focus mode in iOS

Also, don’t forget that these days it’s not just apps sending notifications; many websites use browser-integrated notification systems for this purpose, too. So make sure to disable all unnecessary notifications there as well. By the way, we have a separate guide on how to stop browsers from bothering you with trivial stuff.

7. Delete unused accounts

Accounts with online services — even the less important ones — always pose a potential risk. If an account gets hacked, it could be used for fraud, laundering stolen goods, attacks on other users, and more — and all in your name. And if a bank card is linked to such an account, there could be damaging consequences.

It’s therefore best not to leave your accounts to fate: if you no longer need a particular account, it’s wise to delete it. This part of the cleanup might be especially challenging: first, you’ll need to recall which accounts you’ve created, then remember your login credentials, and only then can you delete them. But it’s really worth doing!

To avoid getting overwhelmed, try deleting at least one unnecessary account per week. And while we’re at it, I recommend adding all your accounts to a password manager. That way, they’ll all be in one place, their passwords will be securely stored, and you’ll be able to log in with just a few clicks — so the next time you’re cleaning up, it won’t be such a hassle.

Plus, if any of the services you use is compromised, you’ll receive a notification from the password manager and can promptly take action — either by changing the password or by deleting the account.

8. Change unsafe passwords

If you enter your account details into Kaspersky Password Manager, the application shows you any passwords that might be unsafe, either due to data breaches, or because you use these passwords across multiple accounts at once.

Kaspersky Password Manager tells you which passwords are unsafe and need to be changed

The danger of the first scenario — when a password has already been compromised — goes without saying: if malicious actors know your password, the security of the corresponding account is directly threatened.

As for using the same password for different platforms, the risk here is that if one of these services is breached and attackers find out the password, they’ll certainly try to use it to access other accounts — a technique known as credential stuffing. Thus, using the same password everywhere puts you at risk of having multiple accounts hijacked at once — most unpleasant.

Unsafe passwords need to be changed, and the sooner the better. Passwords that have already been compromised should be replaced immediately. When changing passwords that you’re using in multiple places, you can afford to take the process step-by-step, editing a couple of accounts at a time.

By the way, Kaspersky Password Manager helps you create truly secure and unique character combinations using a random password generator (so you don’t have to come up with new complex passwords yourself), and stores them safely in encrypted form — synchronizing passwords across all your devices. The only password you’ll need to remember in this case is the main password for Kaspersky Password Manager: it encrypts the entire password database and isn’t stored anywhere except in your head.

And to streamline all these digital cleanup processes, we recommend using Kaspersky Premium, which includes comprehensive protection, productivity enhancement tools, a password manager, and many other features necessary for effective digital housekeeping across all your family’s devices.

Protect your finances

E-commerce and financial technologies continue to expand globally, and successful technologies are being adopted in new regions. Instant electronic payments between individuals have become much more widespread. And, of course, criminals are devising new ways to swindle you out of your money. This involves not only fraud using instant money-transfer systems, but also advanced techniques for stealing payment data on e-commerce sites and online stores. The latest generations of web skimmers installed by hackers on legitimate online shopping sites are almost impossible to perceive, and victims only learn that their data has been stolen when an unauthorized charge appears on their card.

What to do?

• Link your bank cards to Apple Pay, Google Pay, or other similar payment systems available in your country. This is not only convenient, but also reduces the likelihood of data theft when making purchases in stores.
• Use such systems to make payments on websites whenever possible. There’s no need to enter your bank card details afresh on every new website.
• Protect your smartphones and computers with a comprehensive security system like Kaspersky Premium. This will help protect your money, for example, from a nasty new attack in which the recipient’s details are replaced at the moment of making an instant money transfer in a banking app.
• Use virtual or one-time cards for online payments if your bank supports this option. If a virtual card can be quickly reissued in the app, change it regularly — for example, once a month. Or use special services to ‘mask’ cards, generating one-time payment details for each payment session. There are many of these for different countries and payment systems.

Don’t believe everything you see

Generative artificial intelligence has dominated the news throughout 2023 and has already significantly affected the job market. Unfortunately, it’s also been used for malicious purposes. Now, just about anyone can create fake texts, photos, and videos in a matter of minutes — a labor that previously required a lot of time and skill. This has already had a noticeable impact on at least two areas of cybersecurity.

First, the appearance of fake images, audio, and video on news channels and social media. In 2023, generated images were used for propaganda purposes during geopolitical conflicts in post-Soviet countries and the Middle East. They were also used successfully by fraudsters for various instances of fake fundraising. Moreover, towards the end of the year, our experts discovered massive “investment” campaigns in which the use of deepfakes reached a whole new level: now we’re seeing news reports and articles on popular channels about famous businessmen and heads of state encouraging users to invest in certain projects — all fake, of course.

Second, AI has made it much easier to generate phishing emails, social media posts, and fraudulent websites. For many years, such scams could be identified by sloppy language and numerous typos, because the scammers didn’t have the time to write and proofread them properly. But now, with WormGPT and other language models optimized for hackers, attackers can create far more convincing and varied bait on an industrial scale. What’s more, experts fear that scammers will start using these same multilingual AI models to create convincing phishing material in languages and regions that have rarely been targeted for such purposes before.

What to do?

• Be highly critical of any emotionally provocative content you encounter on social media — especially from people you don’t know personally. Make it a habit to always verify the facts on reputable news channels and expert websites.
• Don’t transfer money to any kind of charity fundraiser or campaign without conducting a thorough background check of the recipient first. Remember, generating heart-breaking stories and images is literally as easy as pushing a button these days.
• Install phishing and scam protection on all your devices, and enable all options that check links, websites, emails, and attachments. This will reduce the risk of clicking on phishing links or visiting fraudulent websites.
• Activate banner ad protection — both Kaspersky Plus and Kaspersky Premium have this feature, as do a number of browsers. Malicious advertising is another trend for 2023-2024.

Some experts anticipate the emergence of AI-generated content analysis and labeling systems in 2024. However, don’t expect them to be implemented quickly or universally, or be completely reliable. Even if such solutions do emerge, always double-check any information with trusted sources.

Don’t believe everything you hear

High-quality AI-based voice deepfakes are already being actively used in fraudulent schemes. Someone claiming to be your “boss”, “family member”, “colleague”, or some other person with a familiar voice might call asking for urgent help — or to help someone else who’ll soon reach out to you. Such schemes mainly aim to trick victims into voluntarily sending money to criminals. More complex scenarios are also possible — for example, targeting company employees to obtain passwords for accessing the corporate network.

What to do?

• Verify any unexpected or alarming calls without panic. If someone you supposedly know well calls, ask a question only that person can answer. If a colleague calls but their request seems odd — for example, asking you to send or spell a password, send a payment, or do something else unusual — reach out to other colleagues or superiors to double-check things.
• Use caller identifier apps to block spam and scam calls. Some of these apps work not only with regular phone calls but also with calls through messengers like WhatsApp.

Buy only safe internet-of-things (IoT) smart devices

Poorly protected IoT devices create a whole range of problems for their owners: robot vacuum cleaners spy on their owners, smart pet feeders can give your pet an unplanned feast or a severe hunger strike, set-top boxes steal accounts and create rogue proxies on your home network, and baby monitors and home security cameras turn your home into a reality TV show without your knowledge.

What could improve in 2024? The emergence of regulatory requirements for IoT device manufacturers. For example, the UK will ban the sale of devices with default logins and passwords like “admin/admin”, and require manufacturers to disclose in advance how long a particular device will receive firmware updates. In the U.S., a security labeling system is being developed that will make it possible to understand what to expect from a “smart” device in terms of security even before purchase.

What to do?

• Find out if there are similar initiatives in your country and make the most of them by purchasing only secure IoT devices with a long period of declared support. It’s likely that once manufacturers are obliged to ensure the security of smart devices locally, they’ll make corresponding changes to products for the global market. Then you’ll be able to choose a suitable product by checking, for example, the American “security label”, and buy it — even if you’re not in the U.S.
• Carefully configure all smart devices using our detailed advice on creating a smart home and setting up its security.

Take care of your loved ones

Scams involving fake texts, images, and voices messages can be highly effective when used on elderly people, children, or those less interested in technology. Think about your family, friends, and colleagues — if any of them may end up a victim of any the schemes described above, take the time to tell them about them or provide a link to our blog.

What to do?

• Don’t just give blanket information from our articles; look beyond our blog to find suitable cybersecurity lessons for your loved ones based on their age and temperament.
• Make sure that all your family’s computers and phones are fully protected. With Kaspersky Premium, you can protect as many devices as needed, on any popular platform — Windows, macOS, Android, or iOS.

Before we say goodbye and wish you a happy and peaceful 2024, one final little whisper — last year’s New Year’s resolutions are still very relevant: the transition to password-less systems is progressing at a swift pace, so going password-free in the New Year might be a good idea, while basic cyber hygiene has become all the more crucial. Oops; nearly forgot: wishing you a happy and peaceful 2024!…