When whole workforces transitioned from working in the office to working from home, straining the capacity of companies’ digital infrastructure in the process, many companies were unable to keep up with the security risks posed by working remotely. Working from home exposed businesses to new risk territories such as weak or missing home Wi-Fi passwords, lack of firewalls, unsecured networks, patchy use of VPNs, lack of secure data backups and insecure execution of business transactions. These are the stuff of nightmares for many IT security professionals.
Recognize potential scams
Cybercriminals have seized on these vulnerabilities, along with the financial uncertainty caused by the pandemic. Ransomware, malware attacks, phishing scams and COVID-19 related scams have shown no signs of declining since the start of the pandemic. These are some common scams affecting workers and businesses in this pandemic.
Cybercriminals are exploiting the rise in unemployment to file claims for unemployment benefits using the names and personal data of people who have not filed claims. This is a form of identity theft, and victims only learn about the fraud when they get a notice from their state unemployment benefits office about their supposed application for benefits.
SBA loan scams and fraud schemes
These scams target applicants to the SBA’s Economic Injury Disaster Loan Program, PPP program or SBA loans. Victims are contacted by someone claiming to be from the SBA. The cybercriminal posing as an officer may promise approval of an SBA loan if the victim provides upfront payment, or may offer a high-interest bridge loan in the interim.
These are scams because the SBA does not initiate contact about its SBA loans or disaster grants, and it limits the fees a broker can charge a borrower. Fraudsters may also send phishing emails or use fake websites bearing the SBA logo to collect personally identifiable information and gain access to your business bank account.
Scams targeting Social Security benefits
Another common scam involves cybercriminals posing as Social Security Administration (SSA) officers and warning victims that their Social Security numbers have been suspended. The cybercriminal then asks the victims to reveal their Social Security number so that it can be reactivated, or offers to issue the victim a new Social Security number for a fee. Alternatively, the cybercriminal posing as an SSA officer may inform the victim that his/her bank account is at risk due to illicit activity and offer to keep it safe for a fee.
These examples are just a ploy to collect money and personal data from the victim. The SSA will never initiate a call to ask for your Social Security number. And the SSA will certainly not ask you to pay for anything or threaten you (e.g. with arrest or suspension of your benefits or your Social Security number) if you do not comply.
This is a form of identity theft that involves the cybercriminal stealing the victim’s personal identifying information such as Social Security number to commit fraud on the victim’s existing accounts. Cybercriminals may apply for a business loan or credit cards using the victim’s identity.
Phone scams and vishing
Phone scams and voice phishing, or vishing, are a rising form of fraud that hackers use to bait people into revealing personal information or giving money. For instance, a caller might pretend to be from a tax collection agency and scare you into revealing your data.
When a phone call starts to feel out of place, simply stop and hang up. If you want to confirm whether the phone call was legitimate, call the organization directly. Note that your bank will never ask you for your personal information or password. If a phone call is coming from someone you do not personally know, let the call go directly to voicemail.
Use caution with virtual assistants
Virtual assistants such as Echo or Google Home are cloud-based programs that have become commonplace across many households in the U.S. While such devices have made life more convenient during a time when many people are working from home, these devices are often vulnerable to hackers looking to gain access to your private data.
One of the main weaknesses of virtual assistants is their reliance on voice authentication, which is more easily accessible to hackers than other biometric information. Cybercriminals can obtain a sample of your voice through spam calls, social media messenger apps, or any other platform that stores audio information.
Voice impersonation attacks should not be taken lightly at a time when more of the devices connected to a network rely on voice authentication technology. A voice impersonation attack that takes control of one device can allow the attacker to gain unauthorized access to multiple devices. To reduce exposure to data hacking through virtual assistants, remember to mute your device when you are not using it.
Manage passwords appropriately
One of the most common ways cybercriminals gain access to your personal data is by taking advantage of users’ poor password management. Weak passwords can be cracked in a matter of seconds, giving cybercriminals access to your social media accounts, bank accounts, emails and other confidential and personal data. Fortunately, good password practices are also fairly simple to follow:
- Use multi-factor authentication with all your email/cloud/web accounts
- Use a password manager (e.g. 1Password, LastPass) and do not reuse passwords
- Have unique login and passwords for your work, bank and investment accounts to prevent a single data breach from compromising those accounts
- Do not share your passwords or store them in easily accessible places
- Use long and complex passwords. Your password should be more than 12 characters. It should contain a combination of uppercase, lowercase, numbers, symbols and a string of unrelated words or numbers. Long and complex passwords make it harder for cybercriminals to guess or hack your password.
- Avoid using passwords that contain obvious information about you such as your birthday, anniversary, favorite sports team or the name of your high school or county you grew up in. Instead, use random words or a string of unrelated words for your password.
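The length, character-mix, personal-information and reuse rules in the list above can be checked mechanically. The following Python sketch is an added example, not part of the original article; the function names, the substitution table and the sample inputs are all assumptions made for illustration.

```python
import re
from datetime import date

# Common character substitutions, undone before looking for personal words
# (assumed table; extend as needed).
LEET = str.maketrans("013457@$!", "oieastasi")

def personal_tokens(words, dates):
    """Lowercase fragments that are guessable from facts about the user."""
    tokens = {w.lower() for w in words if len(w) >= 3}
    for d in dates:
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%y", "%m%d%Y", "%d%m%Y"):
            tokens.add(d.strftime(fmt))
    return tokens

def check_password(password, words=(), dates=(), others=()):
    """Return a list of findings; an empty list means the guidance is met."""
    findings = []
    if len(password) <= 12:
        findings.append("length: must be more than 12 characters")
    classes = {
        "uppercase": r"[A-Z]", "lowercase": r"[a-z]",
        "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            findings.append(f"missing: {name}")
    raw = password.lower()
    plain = raw.translate(LEET)  # "p@tr10ts" becomes "patriots"
    for tok in sorted(personal_tokens(words, dates)):
        if tok in raw or tok in plain:
            findings.append(f"personal: contains '{tok}'")
    if password in others:
        findings.append("reuse: already used for another account")
    return findings

if __name__ == "__main__":
    # Constructed sample: favorite team and birthday of a fictional user.
    team, born = ("Patriots",), (date(1988, 7, 4),)
    for pw in ("Summer2024", "P@tr10ts-Forever", "copper-Lantern-47-walrus"):
        print(pw, "->", check_password(pw, team, born) or "ok")
```

The reuse check assumes the caller already holds the user's other passwords, which is the position a password manager is in; a website should never collect them for this purpose.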
Be aware of what your browser is collecting
Your browser is your portal to the internet and another contributor to data build-up. You start leaving a trace of your browser fingerprint the moment you log on. Browsers can not only identify where you are in the world, but they also collect a ton of other data using trackers owned by third-party companies. Trackers can see all kinds of details about your browser, recognize that pattern as you and track your browsing habits.
You need access to the Internet, but by combining preventative measures with good choices online you can stay safe when browsing the web. No browser is private by default, because most store cookies as well as your browsing history, webform entries and other information. But Chrome, Chromium, Firefox and Safari all offer a special “Private” or “Incognito” browsing mode that automatically deletes your browsing history, cookies, temporary files and webform entries every time you close the browser.
Keep your browser updated to the latest version and minimize browser plugins or extensions. The more plugins you install, the more likely it is that cybercriminals can find a vulnerability. In fact, many browser-based attacks these days target the plugins.
Furthermore, when accessing websites, be sure that the website is encrypted before you provide your password or any personal information.
The best defense is a good offense
Cybercriminals are becoming increasingly sophisticated, making it harder for victims to spot red flags or tell real from fake. While email is still a common entry point, cybercriminals are using other channels such as text messaging, phone calls, and fake websites to scam users into revealing their data or sending money. A common example is when you receive a text message that appears to be from your bank asking you to verify information on your account. This is likely a scam because banks will not contact you to ask for your private information.
Another example is when you get calls, emails or text messages from a government agency stating that you received or need to repay benefits or monies you never applied for. This is likely a scam and you should verify this information with your state agency directly. Government agencies will not ask you to deposit or repay money via wire transfer, cash or gift cards.
Individuals need to be more vigilant and verify everything: verify requests in person or by phone, check to see if the website is encrypted, and don’t follow links from messages that look suspicious. Just as your online accounts require two-factor authentication, apply that mindset to your life and you will significantly reduce the risk of being a victim of identity theft, scams and fraud.