By Mark Cox
Covid-19 forced Americans to take their lives online, and it has been a bonanza for hackers and scammers.
Consider that corporate credentials with plain-text passwords exposed on the dark web increased by 429% between March and October, according to a report by security company Arctic Wolf. Meanwhile, in September alone, almost 10 million U.S. health care records were compromised. All told, cybercrime cost the world economy $1 trillion in 2020, an all-time high and a nearly 50% increase over 2018, according to a December report by security firm McAfee.
But here’s perhaps the most shocking statistic: Ninety-five percent of all cybersecurity breaches are caused by human error, according to Metropolitan State University of Denver cybersecurity experts.
Criminals’ preferred method of attack is social engineering – basically, tricking computer and smartphone users into divulging valuable information. That’s because hacking into a computer network can be hard work; it’s often much easier to just bamboozle people into sharing their login credentials or bank details.
“The basic truth is that we all need to become better educated in the tradecraft of social engineering,” said Richard Mac Namee, director of the new Cyber Range at MSU Denver, an interactive, simulated environment that will serve as a cybersecurity training ground for students and industry professionals.
Covid created an unprecedented craving for information, which can be easily exploited, he said.
“People are letting their normal guards down when offered any data or guidance they think will help them through this journey,” Mac Namee said. “But all too often, it’s bogus and harmful.”
Turns out that scamming the work-from-home crowd is like shooting fish in a barrel.
“Normally, office workers use a desktop computer on a secure network behind a firewall, managed and protected by IT professionals,” said Steve Beaty, computer-science professor at MSU Denver. “But if you’re accessing work systems while sharing home Wi-Fi with your spouse and kids, all security bets are off.”
Not to mention the fact that many remote workers are accessing organizational systems through their personal computers, he added. Worryingly, experts have warned that remote workers will increasingly be a target for cybercriminals in 2021.
Scammers are even making phone calls posing as information-technology support workers – because obviously, nobody can just walk down the hall anymore to check that the call is legit, Beaty said.
“They can smell the blood in the water,” he said. “Now that cybercriminals have seen how easy it is, these kinds of attacks are bound to become more common.”
Make sure you're not an easy target for cybercriminals by following these 7 tips from Mac Namee and Beaty.
Despite being so well-known, phishing emails remain an easy, successful way for scammers to cash in. (You know the basic drill by now: An email from an apparently trustworthy source, such as a bank, persuades you to click through to a fake website where, by logging in, you hand over all your details to a grateful thief.) Just remember that legitimate organizations do not send such emails. If it seems “phishy,” don’t click the link. You can also learn more about protecting yourself with anti-phishing websites.
It can feel embarrassing to realize you’ve been scammed – but staying quiet is never a good plan or any kind of solution. Sadly, these problems will not go away by themselves. Besides, this is a routine affair for any IT department, and they certainly won’t blame you. What’s more, if you report the issue promptly, they’ll be on the front end of tackling the problem and in a better position to proactively help others.
Word to the wise: Using a single password for all your accounts (probably something like your spouse’s name and year of birth) is not a long-term security solution. Ultimately, “Debbie1984” will let you down. The only truly safe answer is to have a unique password for each secure website you visit. Of course, it’d be virtually impossible to remember them all, so use a password safe to store them. (KeePass is a good option, used by many security professionals.) Obviously, the upside of having a unique password per website is that, even if one of them is compromised, it will affect only that single site.
Another option is to just hitch a ride on your Google, Apple or Facebook accounts and use them to access secure websites. The big advantage here is that you don’t need to give the site a username or password of your own at all, so you’ll be safe even if the site is compromised. (Basically, it’s like being allowed into the VIP area of a club because your big, famous friend is vouching for you.) This option amounts to putting all your eggs into one big, trustworthy basket. The only potential downside is that if (or more likely, when) one of these big companies finally does get hacked, your secure details will go down with that ship. But even with such an eventuality, you’ll have to change just one password and all your other sites will be secure again.
Multifactor authentication (MFA), sometimes known as two-factor authentication, can significantly reduce your chances of being scammed. Put simply, MFA dictates that you must always provide two distinct verifications to access a secure account. That’s why, for example, if you’re transferring money on a banking website, you’ll likely get a numeric code sent to your phone that you’ll need to use to confirm the transaction. The idea is that, even if hackers have stolen your username and password, they’ll still be powerless to do mischief because that second verification code is sitting on your phone, safe in your hands. Multifactor authentication is not foolproof by any means, but it’s way better than using just a single password.
Sure, it’s a bore to continually update all your devices. But virtual mischief-makers find new bugs all the time, many of which are exploitable, and the less up-to-date your device, the more susceptible it is to them. You should be especially diligent with high-use devices such as smartphones, laptops and iPads, which many of us use to manage our finances. But also remember that there are now millions of notoriously insecure and immensely hackable internet-of-things devices – cameras, speakers, doorbells, kitchen appliances and even toys – dotted around American homes. Want to sleep easy? Make sure the security settings on all of your smart devices are up to date.
You hear the sad tales sometimes: The stolen laptop with half a novel on it or the computer caught in a basement flood with thousands of treasured photographs lost. But there’s no good reason for those things to happen anymore, as backing up to the cloud is so cheap and easy (and even automatic). Using a backup service (such as Backblaze) will cost you pennies per day. And it means that no matter what happens – accidental deletion, stolen computer, dog chewing the hard drive – you’ll always be able to retrieve your stuff.
©Copyright 2019 by Metropolitan State University of Denver. All rights reserved.
MSU Denver Office of Marketing and Communications