By Harrell Kerkhoff, Maintenance Sales News Editor
The global COVID-19 pandemic has brought a host of problems, issues and needed adjustments to the home and workplace. One problem has been a reported increase in ID theft, computer hacking and overall online thievery, according to Robert Siciliano, head of security awareness training at protectnowllc.com, and an experienced cyber security awareness expert.
“The ‘attack surface’ has dramatically expanded (during the COVID-19 pandemic),” Siciliano said. “Consider earlier in the year, most employees worked from a laptop or desktop in an office and in a controlled IT security environment. Today, many of those same employees — millions of them — are now working from a makeshift desk on their kitchen table, with little to no security, compared to what their corporate environment had provided.”
ID theft, hacking and overall security breaches were already major problems prior to 2020. They have simply intensified over time, and with no end in sight.
“Criminals are much more organized today. Hacking, identity theft and overall online fraud are now officially considered a ‘business,’ rather than a ‘boiler room’ operation. Many of those criminals have employees who report to work every day,” Siciliano said. “Some say by 2021, criminal hacking will be the third largest economy.”
There are ways, however, for companies and individuals to add “layers of protection” against ever-increasing sophisticated criminal activity.
“Security is all about adding layers of protection. The more layers you have, the more secure you are going to be,” Siciliano said. “In the simplest of terms, many computer users have a ‘free anti-virus’ program in place. That same program occasionally tries to upsell a ‘paid’ version that can include anti-spyware and anti-phishing programs, along with a firewall, a password manager and other ‘bells and whistles’ that are all collectively ‘layers’ of security.
“Then there is the act of updating an operating system, software and hardware to consider when looking to maintain robust security options. If a user is functioning at, say an old Windows 7 environment on an outdated laptop, he/she has next to zero layers of security.”
THE PASSWORD DILEMMA
One common problem in today’s high-tech world is that everything seems to require a password to gain entry. However, remembering passwords is difficult for many, and changing passwords on a regular basis is often simply not done. Many people use the same passwords for different accounts, and there are cases of people using very easy passwords to remember, such as “123456,” “ABCDEF” or, simply, “password.”
Gaining access to personal and other important data is made easier by the many deficiencies in how passwords are chosen and used.
“If you are using the same password across multiple accounts, thieves have a better chance of gaining access to those accounts. The key is to not use the same password,” Siciliano said. “Many people use first names as passwords, usually the names of spouses, kids, other relatives or pets. All of that can be deduced with a little research conducted by a good hacker.
“Passwords can include uppercase and lowercase numbers and letters — anywhere from 8 to 14 characters in length. It’s important to never use the same password twice. That means every single account should have a different password.”
To make that practice manageable, he added, users can deploy a “password manager” program.
“Unless a person is a ‘savant’ and can remember dozens to hundreds of passcodes, he/she should look into using a password manager,” Siciliano said. “(Such an application) will not only assist in creating hard-to-crack passwords for all accounts, but will also properly store, remember and enter them.”
He added that not using any password at all is the worst thing a person can do when operating an electronic device.
“Some people don’t use a password for their desktop or laptop. If those devices are stolen, what kind of access would a thief get?” he said. “I also hope everyone’s mobile phones are password-protected. If not, the person who finds or steals that device will have access to all the information not only found on that phone, but the information that the same device connects to, such as social media and bank accounts.”
Siciliano also discussed the importance of the identity theft protection firms available to consumers and companies. Such firms watch applications for credit in real time.
“If you are a client of one of those firms, and the firm’s representative sees an application of credit (in the client’s name), he/she is going to contact you to make sure you, or somebody with your company, has actually applied for the credit. If there is a problem, the firm will shut (the credit application or credit card) down,” Siciliano said.
Identity theft protection firms also watch to see if a client’s personal information appears on the “dark web.”
“They will let the client know if his/her information is up for sale or has been stolen. Their restoration agents will also work on your behalf to make the problem go away. That includes working with the IRS and law enforcement officials,” he said. “I believe in getting such theft protection. It’s basically an insurance policy that I don’t think we can live without today.
“It’s like anything else in life, you need to be educated and understand your options.”
WHAT IS SOCIAL ENGINEERING?
In the “good old days,” if someone wanted to take something of value from another individual, he/she usually had to either physically commit a burglary or confront the victim face-to-face, probably with gun or knife in hand. Today’s thieves don’t even have to get dressed for “work,” and their tricks of the trade often involve keyboards, computers and other electronic devices. Such thieves use various forms of “social engineering” to earn a living, at the expense of their unsuspecting victims.
Siciliano defined social engineering as “a collection of modern techniques used to manipulate people into performing actions or divulging confidential information.” While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and, in most cases, the attacker never comes face-to-face with the victim.
“If a con man gains your confidence, you are likely to provide that person with the money in your wallet or your bank account password. The thief may also send you a ‘phishing’ email, which is an email that looks like it’s coming from your bank or other credible source, but is actually designed to gain your confidence, deceive you and take something of value,” Siciliano said. “Once you click on a link from a bad email, it can lead to your personal information being sent to a spoofed website.”
Other types of social engineering take a more physical form, but can be just as lucrative for the criminal. These include people who pose as firefighters, police officers, etc., to gain access to a business. From there, they often find easy access to computers and sensitive information.
He added that human gullibility is common, and everyone falls victim at some point. That plays into the hands of those behind today’s social engineering exploits.
“Everyone can be suckered. It’s just a matter of the thief finding the right trigger, pressure point and/or vulnerability of his/her victim,” Siciliano said.
Often the trigger is fear or greed. For example, someone behind a scam calls a person and tells him/her to provide valuable information in order to win a prize or stay out of some type of trouble. It’s a scam, but many well-educated people fall victim to such schemes every single day.
“People will say, ‘I’m not that stupid.’ It’s not about being stupid. Some people are lonely, and loneliness sometimes trumps common sense,” he said. “There is also pressure that can negatively influence our decision making. That includes the pressure to get a job done on time or responding to a boss or colleague in a responsible way. Such pressure can lead us to make decisions that we might not normally make.”
Siciliano added that a good con man knows all about the principles of influence and the psychology of persuasion.
“You can read book after book on how to influence and persuade people, as well as how to negotiate to get what you want,” he said.
Social engineering comes in many forms, some more sinister than others. For example, there is the “lost thumb drive found in the parking lot” trick.
“You see a thumb drive on the ground and pick it up. There are 40 gigabytes on the drive, which is worth around $30. You put the drive in your briefcase and eventually plug it into your computer. That thumb drive was planted by a criminal, and soon launches a virus that affects your device and gives the bad guy complete control over your personal information,” Siciliano said.
He added the thumb drive can also be found in an unopened package, all in an effort to gain a person’s confidence.
“The person who picked up the thumb drive thinks it simply fell out of someone’s bag. Finders keepers, right?” Siciliano said.
That particular trick severely damaged Iran’s nuclear program, when a “lost” thumb drive carrying the highly destructive Stuxnet computer worm was used. According to Siciliano, the same tools that are being used as cyber weapons to fight wars are also being used by thieves to drain bank accounts.
Email scams, meanwhile, are one of the most common forms of social engineering. Today’s schemers go to great lengths to spoof company emails and use social engineering to assume the identity of a CEO, company attorney or trusted vendor. Con men research and find unsuspecting employees who manage money, and then use language specific to the company that they are targeting to request a fraudulent wire transfer, using dollar amounts that lend legitimacy.
There are various versions of such scams. Victims range from large corporations to small non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers and regularly perform wire transfer payments. Law enforcement officials have received complaints from victims in every U.S. state and numerous countries.
“By using the internet, sophisticated criminals can find a person’s job responsibility and take advantage of that person through email scams,” Siciliano said. “It can happen to any company. However, a business can take steps to prevent future losses.”
OTHER FORMS OF THIEVERY
There are many familiar — and not-so-familiar — ways for a thief to obtain something of value without using physical means. Siciliano outlined the following scams, along with helpful advice and tips:
■ Stealing incoming and outgoing mail: “Do you have a locked mailbox? If not, I would suggest getting one — for your home and business,” Siciliano said. “Both incoming and outgoing mail can include sensitive information.”
He also warned that a criminal can fill out a change-of-address form at a post office in a specific victim’s name.
“The mail can then be sent to the thief. The victim will eventually get a notification that his/her mail has been diverted, but it may be too late,” Siciliano said.
■ Dumpster diving: How low will a criminal go? There are people willing to sift through a person’s or company’s garbage to find important information, in hopes of stealing someone’s identity.
“I never throw sensitive information in the garbage. That includes prescription bottle labels, which can lead a criminal to a person’s medical information. Prescription bottle labels can be used to scam a person, a pharmacy and/or an insurance company,” Siciliano said. “I also shred all business cards that I no longer need. A criminal can take a business card from the garbage and figure out what the person, whose name is on the card, does for a living. He/she can then send that person an email posing as somebody else. The goal is to get personal information via fake correspondence.
“If a thief does that with 100 business cards, and is successful just one time, he/she may walk away with somebody’s valuable information and a lot of money.”
Siciliano added that he is a big proponent of shredding any unwanted document that features a name, physical and/or email address, phone number or account number.
■ There is safety in using a safe: All important papers and other valuables should be stored in a safe.
“Do you have paperwork stored in a file cabinet that somebody could easily look at or steal, and then use against you? Everybody should have and use a safe, even if it takes extra effort to keep putting things in, and taking things out, of that safe,” Siciliano said. “Security is not necessarily convenient, but it is necessary.”
■ Keep your wallet/pocketbook light: “Think about how much valuable information is in your wallet or pocketbook,” he said. “If you cannot tell me right now everything you have in your wallet/pocketbook, then you probably have too much in that wallet/pocketbook.”
■ Caller ID spoofing: This is when a criminal makes a fake caller ID show up on a victim’s phone. The victim sees the caller ID, assumes it is legitimate, such as a call from the local police department, and ends up getting scammed. Fake caller ID technology is available online for any criminal to purchase and use.
“People fall for that type of scam all of the time, providing personal information to unknown individuals,” Siciliano said.
He added that it is always a good idea to call the supposed caller back, such as the police department, to find out whether a call is, in fact, legitimate.
“Simply put, don’t trust caller ID, especially if the call indicates it’s coming from a government agency or a major corporation, such as a credit card company,” Siciliano said.
■ Stay out of the spam folder: “What is in your spam folder?” Siciliano asked. “You should have no idea, because emails sent to spam folders can get people in a lot of trouble.
“Those emails are sent to the spam folder for a reason. Internet service providers generally know what is spam, based on certain aspects of that email. They see the server which an email comes from, and determine whether or not it’s spam. Don’t ever click on a link from an email that has been sent to a spam folder.”
■ Know about spyware: That includes “scareware,” which pushes a fake anti-virus program, and “ransomware,” which tries to hold data for ransom.
“Scareware is designed to scare somebody to pay money to get rid of a virus that is not really present,” Siciliano said. “If a pop-up ad appears on your computer stating that you have a virus and need to download a program, I would recommend that you disconnect from the internet, run a scan and, in some situations, back up all data and completely reinstall your operating system. If you see that kind of pop-up, you probably are using an outdated operating system.
“Ransomware, meanwhile, holds data for ransom, including what is in your backup. Many such instances have occurred. Unfortunately, if you pay that ransom, you may get your data back, but you are also funding the bad guys.”
■ Beware of KeyCatchers: Those are small hardware devices that can be plugged into the back of a computer, generally a desktop, to capture information as it is typed.
“Let’s say one of your competitors knows a member of a cleaning crew who works in your office. That competitor can pay that crew member to plug in a KeyCatcher in the back of one of your computers to ‘catch’ valuable information. After a week or so, the same person who planted the device retrieves it and gives it back to the competitor,” Siciliano said. “I’ve seen many KeyCatchers in the backs of PCs used by teachers, probably from people trying to get test information.”
■ ATM skimming and independent ATMs: Using ATMs is a convenient way for a person to withdraw money from his/her bank account. Unfortunately, thieves have found ways to take advantage of that convenience.
Siciliano explained that skimming involves a criminal placing a device over the card slot of an ATM. He advises ATM users to cover the keypad with one hand as they enter their PIN.
“That way, if there is a camera nearby (placed by a criminal), it can’t pick up the code. And, pay close attention to your bank statements when using ATMs,” he said. “I also never use an independent ATM. You see them at gas stations, convenience stores, hotel lobbies, etc. Anybody can get into the cash dispensing business and find a way to use your valuable information for his/her gain.”
■ Proper disposal is a must for secondhand devices: “What do you do with your old laptops, desktops, mobile phones and printers? Do you donate them, recycle them, trade them in, sell them? The problem is, they often still have personal information that a thief can use to steal your identification,” Siciliano said. “I would never sell such devices on the secondhand market. It’s also important to remove hard drives from those devices, and either send them to an industrial shredder or destroy them yourself.”
■ Learn about, and use, a credit freeze: Siciliano recommends that people check their credit reports three times a year and use a credit freeze. He said this is a program that has been around since 2008, but remains relatively unknown.
“To get a credit freeze, a person submits specific information to the three main U.S. credit bureaus (Equifax, Experian, and TransUnion). The application process is easy and inexpensive,” Siciliano said. “Prior to your credit being frozen, you will receive a letter that shows a PIN number or password. When you want to lift your credit freeze, you simply go online and type in your provided information.”
He added that using a credit freeze, “Is probably the single best thing you can do to prevent new account fraud. It’s another layer of protection when guarding against identity theft.”
■ The importance of employee training: “I recommend that employees participate in ‘phishing simulation’ and security awareness training, both of which my company provides,” Siciliano said. “It’s training that can be conducted remotely and is inexpensive. The objective of the training is to make employees aware of what their responsibilities are, as it pertains to preventing major intrusions within a company’s network and significant dollars lost through fraud.”