by Alain Filotto | Jan 20, 2026 | Uncategorized
For decades, passwords have been the primary way we protect our online accounts. Unfortunately, they’ve also become one of the weakest links in cybersecurity. Phishing emails, fake login pages, data breaches, reused passwords, and simple human error all make traditional passwords easy targets for criminals.
This is where passkeys come in.
What Is a Passkey?
A passkey is a modern, password-less way to sign in to websites and apps. Instead of typing a password, you authenticate using something you already have and trust — such as your fingerprint, face scan, or device PIN.
Passkeys are already supported by major platforms including Apple, Google, Microsoft, and many banks and online services.
Importantly, a passkey is not something you remember. It’s something that is securely stored on your device.
How Passkeys Work (Without the Technical Jargon)
When you create a passkey for a website:
- Your device generates a pair of cryptographic keys
- One key stays securely on your device
- The other key is stored by the website
When you log in:
- The website sends a challenge to your device
- Your device proves it has the correct private key
- You confirm the login using Face ID, Touch ID, or a PIN
At no point is a password typed, transmitted, or stored on the website.
Why Passkeys Are More Secure Than Passwords
Passkeys solve many of the problems that passwords create:
1. No Phishing
If you’re tricked into visiting a fake website, your passkey will not work. Passkeys are tied to the exact website domain, so even a perfect copy of a login page can’t steal your credentials.
2. Nothing to Reuse
People often reuse passwords across multiple sites. Passkeys are unique per site, so a breach of one service cannot be used to access another.
3. Nothing Stored That Hackers Can Steal
Websites do not store your secret login credential — only a public key. Even if the website is breached, there is no usable credential for attackers to take.
4. Easier for Users
Logging in with a fingerprint or face scan is faster and more convenient than remembering complex passwords.
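The challenge-and-response login from "How Passkeys Work" and the domain binding from point 1 can be seen in a few lines of Node.js. This is an added example, not code from the original post or from any passkey vendor. It is a simplified model rather than the real WebAuthn message format, and the class names, the user "alice" and the domains bank.example and bank-login.example are constructed for illustration.

```javascript
// Added example: simplified model of a passkey login, NOT the real WebAuthn format.
const nodeCrypto = require('crypto');

// The user's device: keeps one private key per website domain.
class Device {
  constructor() { this.privateKeys = new Map(); }

  // Creating a passkey: generate a key pair, keep the private half, return the public half.
  createPasskey(domain) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(domain, privateKey);
    return publicKey;
  }

  // Login: visitedDomain is what the browser reports, not what the page claims to be.
  answerChallenge(visitedDomain, challenge) {
    const privateKey = this.privateKeys.get(visitedDomain);
    if (!privateKey) return null; // no passkey for this domain, so nothing is signed
    const signedData = JSON.stringify({ domain: visitedDomain, challenge });
    const signature = nodeCrypto.sign('sha256', Buffer.from(signedData), privateKey);
    return { signedData, signature };
  }
}

// The website: stores only public keys and the challenge it is waiting on.
class Website {
  constructor(domain) {
    this.domain = domain;
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, response) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    const publicKey = this.publicKeys.get(user);
    if (!response || !expected || !publicKey) return false;
    const { domain, challenge } = JSON.parse(response.signedData);
    if (domain !== this.domain || challenge !== expected) return false;
    return nodeCrypto.verify('sha256', Buffer.from(response.signedData),
      publicKey, response.signature);
  }
}

// Three logins against the constructed site bank.example.
function runScenarios() {
  const device = new Device();
  const bank = new Website('bank.example');
  bank.register('alice', device.createPasskey('bank.example'));

  // 1. Genuine login on the real domain.
  const first = device.answerChallenge('bank.example', bank.newChallenge('alice'));
  const genuineAccepted = bank.verifyLogin('alice', first);

  // 2. A copy of the login page on another domain passes along a real challenge.
  const onFakeSite = device.answerChallenge('bank-login.example', bank.newChallenge('alice'));
  const fakeSiteAccepted = bank.verifyLogin('alice', onFakeSite);

  // 3. The response captured in login 1 is sent again against a fresh challenge.
  bank.newChallenge('alice');
  const replayAccepted = bank.verifyLogin('alice', first);

  return { genuineAccepted, deviceSignedForFakeSite: onFakeSite !== null,
    fakeSiteAccepted, replayAccepted };
}
```

The website side never holds anything but the public key, which is why a breach of its database yields no usable login credential.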
Are Passkeys Perfect?
Passkeys are a significant improvement, but they are not magic.
Some considerations include:
- Device dependency: If you lose your device, account recovery depends on the service’s backup and recovery process.
- Adoption is ongoing: Not all websites support passkeys yet.
- User understanding: People still need to understand how account recovery works and keep devices secure.
That said, passkeys eliminate entire categories of attacks that passwords simply cannot defend against.
Are Passkeys Really Better Than Passwords?
From a cybersecurity and digital evidence perspective, the answer is yes.
Passkeys:
- Cannot be guessed
- Cannot be phished
- Cannot be reused
- Are not stored in databases as secrets
Passwords fail regularly because they rely on human memory and behavior. Passkeys rely on strong cryptography and device-level security instead.
The Bottom Line
Passwords are not disappearing overnight, but their days are numbered.
Passkeys represent a major shift toward stronger, simpler, and safer authentication. As more services adopt them, users will see fewer phishing attacks, fewer account takeovers, and fewer breaches caused by stolen credentials.
If you have any questions or want to book a free consultation, contact me on LinkedIn. It is the best place to reach me.
https://www.linkedin.com/in/alain-filotto
by Alain Filotto | Jan 14, 2026 | Forensics
Images located in cache directories on computers and mobile devices are frequently misunderstood in legal proceedings. From a digital forensics perspective, the presence of images in cached locations is highly significant when assessing knowledge and control, yet those locations are often mischaracterized as evidence of deliberate possession.
What Is a Cache and Why Does It Exist?
A cache is a storage area used by operating systems and applications to temporarily save data—most commonly images—to reduce load times and improve user experience. The concept of caching predates modern high-speed internet.
Having used computers for over 30 years, I recall when internet connections relied on dial-up modems over telephone lines. At that time, downloading data was slow and expensive. Caching images locally allowed websites to load faster during repeat visits and reduced data usage by avoiding repeated downloads of the same content.
Although today’s internet connections are significantly faster and data plans far larger, caching remains a core function of modern operating systems and applications. Its technical purpose remains unchanged, even if its necessity is arguably less critical than it once was.
The Meaning of “Cache”: Designed to Be Hidden
The word cache originates from the French verb “cacher,” meaning “to hide.”
Outside of computing, a cache is commonly understood as a hidden pirate treasure—intentionally concealed and difficult to locate unless one knows exactly where to look.
This definition is directly relevant in a forensic context.
Cache locations on computers and mobile devices are not designed for user access. They are intentionally hidden from normal view, buried deep within system or application directories, and inaccessible to the average user without specialized knowledge or forensic tools.
In other words, the very purpose of a cache is concealment, not user awareness or interaction. Expecting a typical user to know what is stored in a cache is comparable to expecting someone to know the contents of a hidden treasure chest they were never told existed and were never meant to open.
Automatic Creation Without User Knowledge
By design, caching occurs automatically and without user awareness or input. The only action required by the user is to visit a web page or open an application.
A web page is essentially a long digital document that may contain dozens or hundreds of embedded images. A user cannot view the entire page unless they scroll through it from top to bottom. Despite this, all images associated with the page are typically downloaded and cached by the device, regardless of whether the user ever sees them.
In practice, most users view only the portion of a page that is immediately visible on the screen. This effect is compounded when users visit multiple pages or open multiple applications, often viewing only the first screen of content before moving on. Nevertheless, the operating system or application continues to download and store images in cache locations in the background.
While a user must turn on a device and open an app or browser, the caching process itself occurs without the user’s knowledge, intent, or control.
Cached Locations and Their Forensic Meaning
Directories such as:
- tmp folders
- “shared” folders
- application-specific “network cache” locations
all function in the same manner as traditional caches. Their role is technical efficiency, not user-driven storage.
When a page or website is visited, all associated content may be downloaded to the device, including images the user never viewed, searched for, or knew existed.
Based on testing conducted on my own device, I estimate that I had personally seen approximately 5% of the images found within cached locations. The remainder were images I encountered for the first time during forensic examination. I had no prior knowledge of their existence and exercised no control over their creation or storage.
Implications for Legal Analysis
From a forensic standpoint, the same reasoning applies to any accused person’s device. The mere presence of images in cached locations does not automatically establish:
- knowledge of the images,
- intent to acquire them, or
- control over their storage.
Cached data is a byproduct of automated software behavior. Without corroborating evidence—such as deliberate saving, organizing, repeated targeted access, or user-generated file paths—cached images alone provide limited probative value regarding intent or knowledge.
Conclusion
Cached images are created automatically by operating systems and applications for performance reasons, not as a result of deliberate user action. The term cache itself literally means to hide, and cache locations are intentionally concealed from users.
As a result, cached images should be interpreted with caution. In many cases, they reflect incidental and unavoidable background processes rather than knowing possession or control.
For legal professionals, understanding the hidden and automated nature of cached data is essential when evaluating digital evidence and forming defensible conclusions about knowledge and intent.
by Alain Filotto | Jan 7, 2026 | Uncategorized
Did you know that all services offered by ALPHAFOX Forensics Ltd. 🦊 are available in French? This includes analysis reports and expert reports for court proceedings. Benefit from my experience with the RCMP (GRC), where I worked on all types of investigations, including online child sexual exploitation, commercial crime, organized crime, and national security.
For three years, I was a sergeant at the Montréal detachment, in the Integrated Technological Crime Unit (GICT). We were responsible for supporting all federal-level investigations conducted in Quebec. This made me very comfortable working in French on highly technical investigations. The hardest thing I had to learn? The difference between a fichier (file) and a dossier (folder)! I admit I still mix them up sometimes! 😅
by Alain Filotto | Dec 17, 2025 | Uncategorized
If you’ve ever looked at your phone and seen a familiar name, a local number, or even a government agency appear on your call display, you probably felt safe answering. Scammers know this — and they exploit it.
This tactic is known as call display spoofing, and it’s one of the most common tricks used in phone scams today.
What Is Call Display Spoofing?
Call display spoofing simply means that the information shown on your phone screen is not telling the truth.
When someone calls you, your phone usually shows a phone number or name. Scammers can manipulate this information so it looks like the call is coming from someone else, such as:
- Your bank or credit card company
- A government agency
- A local business
- A police service
- Even your own phone number
In reality, the call is coming from somewhere completely different.
How Can They Fake the Call Display?
You don’t need to understand the technology to understand the risk.
Think of call display like the return address on a piece of mail. Most of the time it’s accurate — but there’s nothing stopping someone from writing a fake return address on an envelope.
Phone systems work in a similar way. When a call is made, the caller provides the information that appears on your screen. Many phone networks do not automatically verify that this information is real. Scammers take advantage of this gap.
As a result, your phone trusts what it’s told — and displays it.
Why Scammers Use Call Display Spoofing
Scammers know that trust is their biggest obstacle.
If you see an unfamiliar number, you might ignore it. But if the call display shows:
- Your bank’s name
- A government department
- A local number from your area
…you’re much more likely to answer.
Once you pick up, the scammer may:
- Claim there is a problem with your account
- Say you owe money or are entitled to a refund
- Create urgency by warning of legal trouble or account suspension
- Ask you to confirm personal or financial information
The fake call display helps lower your guard.
Why Local Numbers Are So Effective
Many people feel safer answering calls that appear to come from their own city or area code. Scammers exploit this by making the call display show a local number, even though the call may be coming from another country.
In some cases, the number shown actually belongs to an innocent person or business. This can lead to confusion when victims try calling the number back — only to reach someone who has no idea their number was used.
Important Things to Remember
- Call display cannot be trusted on its own
- A familiar name or number does not guarantee the caller is legitimate
- Scammers rely on urgency, fear, and authority
Legitimate organizations rarely demand immediate action over the phone, especially when it involves payments, passwords, or personal information.
How to Protect Yourself
Here are some simple steps anyone can take:
- Be skeptical of unexpected calls, even if the call display looks legitimate
- Do not share personal or financial information over the phone
- Hang up and contact the organization directly using a number from their official website or a statement
- Let unknown calls go to voicemail
If a call feels suspicious, trust your instincts.
Final Thoughts
Call display spoofing is effective because it plays on human trust — not technical weakness. Scammers don’t need to hack your phone; they just need you to believe what’s on the screen.
Understanding that call display can be faked is one of the simplest and most powerful ways to protect yourself and others.
Awareness is your best defence.
by Alain Filotto | Dec 10, 2025 | Uncategorized
Over the last several months, a surge of Business Email Compromise (BEC) attacks has been hitting organizations of all sizes. One of the most common variants looks harmless at first glance: an email claiming you have a new voicemail message, with a big “Play Now” or “Listen” button.
If you’ve received an email like this, you are not alone—and you need to be cautious. This is not a real voicemail. It is a phishing attack designed to steal your Microsoft 365 credentials and ultimately divert money to criminals.
Let’s break down exactly how this scam works and what happens after someone falls for it.
Step 1: The Fake Voicemail Email Arrives
The victim receives an email that appears professional and urgent:
- “You have a new voicemail message.”
- “Click here to listen.”
- “You missed a call.”
The email includes a button or link that looks legitimate. The branding often mimics Microsoft, Teams, Zoom, or a corporate phone system.
This is the bait.
Step 2: The “Play Now” Button Leads to a Fake Microsoft Login Page
When the user clicks the button, they are sent to a website that looks identical to the real Microsoft 365 login page.
Logos, fonts, and layout are copied perfectly.
But it’s not Microsoft.
This page is controlled by cybercriminals. When the victim enters their email and password, the credentials are instantly captured and sent directly to the attacker.
Most victims don’t even realize anything unusual happened, because the page often redirects to a real Microsoft page afterward—so it looks like maybe nothing loaded, or the voicemail simply wasn’t available.
The attacker, however, now has full access to the victim’s business inbox.
Step 3: Attackers Log Into the Victim’s Email Account
Once the credentials are stolen, the attacker logs in—often within minutes.
From there, they typically:
- Search for invoices, contracts, financial data, or ongoing business transactions
- Monitor email conversations silently
- Create mailbox rules to hide their activity (e.g., forwarding certain emails into the “Archive” or “RSS Feeds” folder)
- Study how the company communicates
BEC attacks are not quick smash-and-grab crimes. These criminals are patient, organized, and focused on financial gain.
Step 4: The Attacker Executes the Scam
After observing ongoing email threads—especially those involving payments, purchases, or invoices—the attacker steps in.
Here’s what they usually do:
- They impersonate a trusted business contact, such as:
  - A supplier
  - A partner
  - A law firm
  - A customer
  - Even an internal employee
- They send an email from the compromised account, making the message look completely legitimate.
- They change the banking information on an invoice, or claim that “our bank details have recently changed.”
- They direct the victim to send money to the attacker’s bank account instead of the real business.
Because the email comes from a legitimate business address—and the writing style, signature, and conversation history are all genuine—many organizations fall for it.
This is how companies lose tens or even hundreds of thousands of dollars in a single transfer.
Step 5: The Victim Realizes Too Late
In most cases, the fraud is discovered days or weeks later—usually when the real business reaches out asking about an unpaid invoice.
By then:
- The attacker has withdrawn or transferred the funds
- The bank cannot reverse the transaction
- The email inbox has often been wiped of evidence
- The organization is left to deal with financial loss, insurance claims, and forensic investigations
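Step 3 mentions mailbox rules that tuck mail into “Archive” or “RSS Feeds”. One way to review a list of mailbox rules for that pattern is sketched here as an added example, not code from the original post. The rule objects are constructed, and their field names, the keyword list and the domain acme.example are assumptions for illustration rather than a real export format.

```javascript
// Added example. Rule objects and field names are constructed for illustration.
const QUIET_FOLDERS = ['archive', 'rss feeds']; // the two folders named in the article
const PAYMENT_WORDS = ['invoice', 'payment', 'bank', 'wire', 'remittance']; // assumed list

// Review one rule and explain why it deserves a closer look.
function auditRule(rule, ownDomain) {
  const findings = [];

  const folder = (rule.moveToFolder || '').trim().toLowerCase();
  if (QUIET_FOLDERS.includes(folder)) {
    findings.push(`moves mail to rarely opened folder "${rule.moveToFolder}"`);
  }

  const external = (rule.forwardTo || [])
    .filter((addr) => !addr.toLowerCase().endsWith('@' + ownDomain));
  if (external.length > 0) {
    findings.push(`forwards mail outside ${ownDomain}: ${external.join(', ')}`);
  }

  // Conditions that single out payment conversations raise the severity.
  const conditions = [...(rule.subjectContains || []), ...(rule.bodyContains || [])]
    .map((w) => w.toLowerCase());
  const paymentHits = conditions.filter((w) => PAYMENT_WORDS.some((p) => w.includes(p)));

  let severity = 'none';
  if (findings.length > 0) {
    severity = paymentHits.length > 0 ? 'high' : 'review';
    if (paymentHits.length > 0) {
      findings.push(`matches payment terms: ${paymentHits.join(', ')}`);
    }
    if (rule.markAsRead) findings.push('marks matching mail as read');
  }
  return { mailbox: rule.mailbox, name: rule.name, severity, findings };
}

// Return only the rules that need a human to look at them.
function auditRules(rules, ownDomain) {
  return rules.map((r) => auditRule(r, ownDomain)).filter((r) => r.severity !== 'none');
}

// Constructed sample: one ordinary rule and two that hide or leak mail.
const SAMPLE_RULES = [
  { mailbox: 'ap@acme.example', name: 'Newsletters',
    fromContains: ['news@'], moveToFolder: 'Newsletters' },
  { mailbox: 'ap@acme.example', name: '.',
    subjectContains: ['Invoice', 'payment'], moveToFolder: 'RSS Feeds', markAsRead: true },
  { mailbox: 'cfo@acme.example', name: 'backup',
    forwardTo: ['copy@mailbox.example'] },
];

function sampleReport() {
  return auditRules(SAMPLE_RULES, 'acme.example');
}
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise on its own.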
How the Compromised Business Gets Tricked Into Sending Money to the Wrong Account
In many Business Email Compromise (BEC) attacks, the company whose email was hacked is not the one that loses the money. Instead, the attacker uses the compromised inbox to trick another business—usually a client, supplier, or partner—into paying a fake invoice.
But in this variant, the compromised business itself becomes the victim and ends up sending money to criminals. Here is how that happens:
Step-by-Step: How Attackers Trick the Compromised Business Into Paying the Wrong Account
1. The attacker gains access to the business’s email account
This usually happens through the fake voicemail phishing email, credential harvesting page, or another common phishing lure.
Once inside the inbox, the attacker studies:
- Vendor relationships
- Unpaid invoices
- Recurring payments
- Accounts payable workflows
- Finance staff roles
Their goal is to identify who the victim pays and how payments are normally approved.
2. The attacker impersonates one of the business’s suppliers or partners
Using information found in the compromised mailbox—such as real invoices, contracts, or past conversations—the attacker crafts a very convincing email pretending to be a legitimate vendor.
This impersonation often does not come from a hacked vendor account. Instead, it may come from:
- A look-alike domain (e.g., “@supplier-canada.com” instead of “@suppliercanada.com”)
- A spoofed email address
- A newly created account with a similar name
But the contents of the email are incredibly believable because the attacker uses real data stolen from the compromised inbox.
They may even reply to an existing email thread using “Reply-All,” making it look like normal business communication.
3. The fraudulent email requests a payment or claims new banking details
Typical messages include:
- “Please send payment for invoice #4573 to our new bank account.”
- “Our banking details have recently changed—please update the payment information.”
- “We need urgent confirmation of the transfer due today.”
Because the attacker has read genuine conversations, the tone, signature, invoice numbers, and amounts all appear legitimate.
4. The finance department of the compromised business believes the request is legitimate
Here’s why the scam works:
- The email matches real ongoing business transactions.
- The attacker includes accurate amounts and invoice numbers.
- The victim has a real relationship with the supposed vendor.
- The email may even appear within an existing thread.
- The attacker often uses pressure or urgency to prevent verification.
To the accounts payable team, nothing seems suspicious.
5. The compromised business sends the payment to the attacker’s bank account
This is the moment the money is lost.
Funds are transferred to:
- Offshore bank accounts
- Cryptocurrency exchange accounts
- Money mule accounts in the same country
- Prepaid business accounts
Once the transfer is completed, the attackers rapidly move or withdraw the money, making recovery extremely difficult.
6. The real vendor eventually asks about the unpaid invoice
This is when the victim realizes something is wrong.
When the legitimate supplier reaches out asking why a payment hasn’t been received, the business discovers:
- They sent the money to the wrong account
- The emails requesting the payment were fraudulent
- Their email account was previously compromised
- Mail rules may have hidden the attacker’s activity
At this point, the financial damage has already occurred.
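The look-alike domain in step 2 (“@supplier-canada.com” instead of “@suppliercanada.com”) is something an accounts payable workflow can check automatically before a payment request is acted on. The sketch below is an added example, not code from the original post. The vendor list, the addresses other than the article's own pair, and the distance threshold of 2 are assumptions for illustration.

```javascript
// Added example. Vendor list and test addresses are constructed sample data.
const KNOWN_VENDOR_DOMAINS = ['suppliercanada.com', 'northwind-legal.example'];

// Classic Levenshtein distance: number of single-character edits between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Reduce a domain to a "skeleton" so cosmetic tricks collapse to the same string:
// added or removed hyphens, and digits that resemble letters.
function skeleton(domain) {
  return domain.toLowerCase().replace(/-/g, '').replace(/0/g, 'o').replace(/1/g, 'l');
}

function senderDomain(address) {
  const at = address.lastIndexOf('@');
  return at < 0 ? null : address.slice(at + 1).trim().toLowerCase();
}

// known: exact match with a vendor on file.
// lookalike: not an exact match, but close enough to be mistaken for one.
// unknown: no resemblance; handle under the normal new-vendor process.
function classifySender(address, known = KNOWN_VENDOR_DOMAINS) {
  const domain = senderDomain(address);
  if (!domain) return { verdict: 'invalid' };
  if (known.includes(domain)) return { verdict: 'known', domain };
  for (const good of known) {
    if (skeleton(domain) === skeleton(good)) {
      return { verdict: 'lookalike', domain, resembles: good, reason: 'same skeleton' };
    }
    const distance = editDistance(domain, good);
    if (distance <= 2) {
      return { verdict: 'lookalike', domain, resembles: good, reason: `edit distance ${distance}` };
    }
  }
  return { verdict: 'unknown', domain };
}
```

A “lookalike” verdict on a message that asks for payment or new banking details is the cue to verify by phone using a number already on file.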
Why This Scam Works So Well
This tactic is highly effective because the attackers:
- Use real business information stolen from the inbox
- Impersonate a real vendor with an active invoice
- Insert themselves into real email conversations
- Create a sense of urgency, discouraging verification
- Abuse normal business workflows that rely on email trust
The victim business believes they are paying a legitimate invoice—because every piece of information in the email looks authentic.
How to Protect Yourself and Your Business
1. Be skeptical of unexpected “voicemail” emails
If you were not expecting a voicemail notification, do not click.
2. Always verify the URL before entering your credentials
Microsoft login pages always use:
https://login.microsoftonline.com
https://microsoft.com
3. Enable Multi-Factor Authentication (MFA)
Even stolen credentials are much less useful with MFA turned on.
4. Educate staff on BEC red flags
If your organization handles payments or invoices, everyone should be trained to recognize these scams.
5. Always verify banking changes with a phone call
Never rely on email alone when money is involved.
Final Thoughts
Business Email Compromise is one of the most financially damaging cybercrimes in the world today. The “new voicemail” phishing scam is just one of the many ways attackers trick users into giving up their credentials.
By understanding how these attacks work—and what happens after a user clicks the link—you can protect your organization from expensive and devastating losses.
If you’d like help assessing your organization’s email security or conducting training for your staff, feel free to reach out.