October Cyber Security Awareness Month | Citizens Bank

Deepfake awareness

The New Face of Fraud

Have you ever wondered how easy it would be for someone to impersonate you online? With just a single photo and a few seconds of audio, someone can create a convincing digital version of you that's nearly impossible to tell from the real thing. And cybercriminals are already using this technology to target people just like you.

Deepfakes are getting harder to spot

Today, about 7 out of 10 deepfakes look real enough to fool the average person. That means a video call, a voicemail, or even a short clip online mightnot be what it seems. Imagine your boss asking you for a wire transfer on Teams, or a loved one calling you from the hospital in urgent need of money. These situations feel real, but they may actually be a scammer using deepfake technology. That’s why it’s so important to slow down, double-check, and verify before taking action.

One photo can become your “digital double”

It doesn’t take advanced tools or weeks of work — just one clear photo of you online can be enough to build a realistic talking version of your face. In under an hour, someone could make a deepfake of you giving instructions, resigning from a job, or saying things you’d never say. The photos we casually share on LinkedIn, Instagram, or other platforms can give attackers the keys to impersonate us.

Just 3 seconds of your voice is enough: Your voicemail greeting, a short social media clip, or even a few words captured in the background of a video can be cloned into a voice that sounds exactly like you. From there, a scammer could make “you” authorize a payment, confess to something you didn’t do, or damage your reputation. Every public word you’ve spoken online can be turned into material for fraud.

How to Protect Yourself: Deepfakes aren’t science fiction anymore — they’re here. The good news is that awareness is the first step in protecting yourself. Whenever something feels rushed, emotional, or urgent, pause and verify. A real request will wait; a fake one counts on you moving too fast.

Pause before reacting: Deepfake scams rely on panic and urgency. If something feels rushed or emotional, stop and give yourself a few minutes to think before responding.

Request a live interaction: Ask the person to do something spontaneous in real-time, like wave their hand, say a random word you choose, or turn their head to show their profile. Deepfakes struggle with unexpected requests.

Verify through another channel: If you get a strange request on Zoom, WhatsApp, or email, confirm it through a different method — like a direct phone call, text, or in-person check. Real people won’t mind the extra step.

As deepfake technology evolves, so must our awareness. Stay curious, stay cautious, and keep learning.

OSINT & Executive Security

OSINT is Open-Source Intelligence, which is the practice of collecting and analyzing information from publicly available sources to produce actionable intelligence. These sources can include websites, social media, news articles, public records, and satellite images.

Think you're sharing smart on social media?

Think again. There's a difference between connecting with your network and oversharing details that put you—and your organization—at risk. From posts that reveal travel plans to profile updates that map organizational relationships, the line between professional visibility and security vulnerability is thinner than you think.

Threat actors use publicly available information to target everyone from entry-level employees to C-suite executives. The more senior your role, the more valuable your information becomes—but everyone's digital footprint creates risk.

Let's explore how to maintain your professional presence without sharing too much, the risks of oversharing, and the smart habits that keep you connected and protected.

Smart professional presence means connecting without compromising security. Here's where sharing crosses the line into oversharing:

Personal details in posts - Sharing professional milestones is great, but including security question answers (first pet's name, childhood street) in your posts creates account vulnerabilities.
Real-time location sharing - Posting from conferences or vacation is engaging, but broadcasting you're away from home in real-time creates physical security risks. For executives and key personnel, it also signals when you're outside normal security controls.
Work-related information - Celebrating career achievements is natural, but sharing internal organizational details, reporting structures, or project information can expose your company to targeted attacks. Senior leaders are especially attractive targets for corporate espionage.
Unfiltered personal history - Nostalgic posts are engaging, but oversharing family details, background information, and personal connections gives attackers social engineering ammunition to impersonate colleagues or create convincing pretexts.

The goal isn't to stop sharing—it's to share thoughtfully. Smart sharing lets you stay connected and build your professional brand while staying secure.

How Oversharing Makes Attacks Easier

Your posts provide the puzzle pieces attackers need to target you more effectively. This matters for everyone, but the stakes increase dramatically for those in leadership roles who can approve transactions, access sensitive data, or represent the organization publicly.

Mining old posts for personal details - That throwback Thursday post about your first dog becomes ammunition for password reset attacks. Smart sharers can celebrate memories while being mindful of what details they include.
Mapping your professional network - Work-related posts help attackers understand company relationships for targeted business scams. For executives and managers, revealing organizational structure makes Business Email Compromise attacks more convincing. Smart sharers can celebrate career moments without revealing internal company structure.
Learning your patterns and routines - Check-ins and location patterns help criminals plan their timing. For high-value targets like executives, this creates windows for both physical security threats and digital attacks when you're traveling. Smart sharers can document experiences without creating predictable schedules.

Building social engineering profiles - Family photos, personal interests, and professional connections become the foundation for convincing scams. Executives are particularly vulnerable to whaling attacks that leverage this information. Smart sharers stay authentic while keeping key personal details private.

Human Risk in an ai world

Cyber security doesn’t stop when you leave your desk. From charging your phone at the airport to shopping online at home, everyday activities can open the door to cyber risks if you’re not careful. With this topic, we’ll explore the hidden threats in daily life and the simple habits that keep your information safe—wherever you are.

Threats You Might Not Recognize:

'Juice Jacking' at public charging stations

Hackers can tamper with public USB charging ports in airports, hotels, and cafes—using them to secretly install malware or steal your data.

Best practice: Skip USB ports entirely. Use AC wall outlets with your own charger and cable, bring a portable battery, or use a USB data blocker that prevents data transfer while allowing charging.

Fake Wi-Fi hotspots trick travelers

Cybercriminals often set up lookalike Wi-Fi networks in hotels, airports, and coffee shops to steal logins or spy on your activity. Even legitimate public networks can expose your data if they’re not properly secured.

Best practice: Avoid logging in to sensitive accounts or entering payment details on public Wi-Fi. If you must connect, use a VPN or stick to generalbrowsing only. Whenever possible, default to your cellular connection for safer access.

Smart devices leaking data

Internet-connected gadgets like smart TVs, doorbell cameras, and voice assistants can expose sensitive information if left unsecured. Many ship with weak default passwords like "admin" or "password123" that attackers can easily guess.

Best practice: Change all default passwords to strong, unique ones, and keep device software up to date. Review what data your devices can access and turn off unnecessary features that might compromise privacy.

Low-Lift, High-Impact Security

Not every defense requires advanced tools or hours of training. Some of the most powerful cybersecurity habits are the simplest—and they take just seconds to apply:

Turn on MFA (Multi-Factor Authentication) - Even if your password is stolen, MFA blocks most unauthorized logins. Use Strong, Unique Passwords, Don’t recycle the same password across accounts. A password manager can do the heavy lifting for you.
Lock Your Devices - Phones and laptops hold work and personal data. Set them to auto-lock after a short period of inactivity—and never leave them unsecured in a public place.
Power Up Safely - Use your own charging brick and cable instead of public USB ports.
Connection with Caution - Avoid public Wi-Fi for sensitive tasks. Use a hotspot or VPN when possible.
Shop Smart - Stick to trusted retailers, double-check URLs, and look for “https” before entering payment info—and only buy smart devices if you're sure they're secure.

These “low-lift” habits take almost no effort, but together they create a strong security baseline that frustrates attackers and protects you everywhere.

Cyber security isn’t just a workplace rule—it’s a life skill. Every device, every network, every purchase is a chance to practice safe habits. Security goes wherever you go.