“In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cybercriminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree.”
So that seems like a bit much, but it’s true!
With the spread of COVID-19, associations and businesses like yours have had to make changes. Some of you work from home, while others work a little farther apart than usual in order to follow social-distancing measures. Plus, flights, conferences and events have all been postponed or made digital.
So what’s keeping us together while we’re spread so far apart? Why, the internet of course.
Whatever the degree of distance is at your organization, at the very least your handshake should be going digital and that water-cooler talk should take place on your company messenger app.
Sorry, Brad – that means your 25-minute recap of last night’s Big Brother is going to need some serious editing.
And like the advent of the railroad meant a sudden spike in train robbery back in 1866, so does the work-from-home era make easy pickings for cybercriminals – only these bandits are a little harder to spot without six-shooters and spurs.
In fact, the FBI’s 2020 Internet Crime Report revealed over 790,000 internet crime complaints last year, totaling $4.1 billion in losses in the United States alone.
You know how you never want to keep too much cash in your wallet if you’re walking around a sketchy neighborhood where you’ve never been before?
Well, the unfortunate reality is, if you’re reading this then you’re in a sketchy neighborhood and your wallet contains your house, your car and your life savings, plus there are 790,000 professional muggers waiting for you around the next corner.
And not just you. 74% of American organizations self-identified as victims of a successful phishing attack in 2020, reports Proofpoint. Whether it’s through email, phishing, hacking, malware, fracking (did we catch you with that last one?), if you have a bank account and an internet connection, you’re at risk.
In Proofpoint’s report, they measured the number of users who fell for simulated attacks and how often they’d report them to their organization, varied by industry. They found engineering, telecommunications and mining to be the industries that performed the poorest, with 16% of engineering users failing to identify a phishing scam in action.
Although, those industries were also the most likely to report encountering a scam, so bonus points for failing diligently.
Higher-performing industries weren’t all that much better off, with the overall average failure rate being 11%. That means there’s a good chance that one out of every 10 people in your organization is vulnerable to a phishing scam.
Proofpoint’s report goes on to detail that not only are you at more risk than ever through sheer volume of attacks, but with only 52% of Americans able to define phishing and only 54% who know what malware is, it seems that some of us haven’t exactly been keeping up to date with our internet literacy.
That’s so not #fire, right gang?
Generally, there are four major tactics employed by these dastardly cyberpunks. The Associated Press provides the following helpful definitions in their stylebook that everyone should know and watch out for:
Now you might be thinking, “But I’ve got my ironclad antivirus software installed, my password is a random sequence of 50 characters in upper and lower-case letters and I sleep with my hard drive under my pillow! Am I still vulnerable?”
Yes, unfortunately. When it comes to cybersecurity, the easiest thing for a computer-savvy individual with nefarious intentions to program and exploit, is you.
Let us explain.
You would never give anyone your password, right?
But you might be scrolling through Facebook one day and see a notification that your cousin just shared their result from an online “read my aura” quiz.
You decide, screw it, you’ve been feeling ethereal lately and you just want to confirm. So you take the quiz and it asks you little things about yourself. You punch in your favorite type of dog, your favorite leisure activity, your favorite sports team, your childhood vacation spot and your kid’s hair color.
Turns out you’re a pale aurora, which of course you are, good job.
A few months later you scroll through your newsfeed and happen upon another quiz, only this time it promises to reveal to you which Hogwarts house you’d belong to were you ever to find yourself suddenly thrust into the Wizarding World and needing an informed decision.
This time you plug in your favorite hockey player, the camp you attended as a kid and your firstborn’s first name.
A few months later you get an email from your bank saying the line of credit you didn’t know you opened on your company card is past due.
You’ve been hacked.
But how? When? Could it have been the quizzes and if so, how do you know which one to blame?
Blame both of them. The first quiz was a net designed to snare a few million people at a time, offering a fun reward for the basics of your personal information. Once the designer had a list of a million respondents, they narrowed down which of you had impactful childhood vacations, which of you are obsessed with sports (wow, so many) and which of you have children.
After a clever bit of phishing, the second quiz was like shooting phish in a barrel. They already knew you had a child and you’re willing to give up a bit of information for a fun game. So they targeted you with an in-stream quiz using specific questions that dig a little deeper through your first answers. They get your kid’s name which, in combination with the jersey number of your favorite hockey player, just so happens to be the password you use for your banking.
Now they have all your accounts without ever writing a line of code.
You’ve just been socially engineered.
If your personal information is the currency cybercriminals jockey for, social engineering is the work they do to get it.
So now you’ve heard of phishing, ransomware, spyware, but the most important thing to know is that the days of viruses using brute force to smash their way through your firewall are dead and gone.
57% of people worldwide said their organization was a victim of a phishing attack, according to a survey published in Proofpoint’s report.
These phishing attacks slip into your email inbox or social media and ask for personal trivia, or tell you your Amazon or Facebook account has been compromised and you need to enter your username and password to recover it.
The good ones are well-written, timely and themed. It’s Valentine’s Day, enter our contest to win a free dinner date! Christmas is coming, enter our contest to win a free vacation for everyone at your association!
With new info coming out every day and fresh panic on the back of everyone’s mind, COVID-19 has presented an entirely new set of scams for criminals to employ.
An easy spoof for a hacker to work off is anything that elicits your health-based concerns. It would take only a few minutes to buy a domain similar to a federal or medical institution and make a fake government email address and a fake form to email to you. Then they tell you your COVID-19 test results are in, or that you’re eligible to take your vaccine if you just enter your full name, address and Social Security number, knowing that when you do, they’ll have free rein over your identity.
Look around your desk right now. Do you see any sticky notes? Little pieces of paper with a single phrase on it? Chances are, if you leave your password on a note at your desk at home, then you left it at work too.
That means a criminal can call up your association members' businesses and talk to one of the few people still left working inside -- it’s Pam, from Human Resources. They tell Pam they’re sorry, they’ve forgotten their password but they’ve conveniently left a little note at their computer, their name’s Michael, would she mind terribly going and checking your desk for it?
Now Pam from HR is the only one left in the building, and she’s just trying to be helpful and keep things running smoothly. She even checks the employee list and sees the name "Michael." Next thing you know, your imposter is sitting on some beach in Hawaii sipping mai tais on your dime.
A hacker will take a trip to Staples or Best Buy and pick up a hundred USB sticks. They put two files on the USB: a funny cat video, and a piece of ransomware designed to lock your computer unless you call a number and get a code from the hacker -- after paying them a ransom.
They take these USB sticks and drive around town, dropping them outside of businesses, apartment buildings or, if they’re lucky, they’ll find an association convention or event to scatter them around.
Out of the few thousand people that spot the mysterious USB, one of them is bound to get curious, pick it up and take it to their computer. When they plug it in, they watch the funny cat video and then move on to the executable file containing the ransomware.
These basic human instincts of curiosity, kindness and compassion are more powerful than any virus. They’re the ammunition cybercriminals use to socially engineer their way into your platform, emails and accounts.
The easiest and most impactful way is to simply educate yourself, the people around you and remain vigilant. Our experts say that these criminals aren’t after you or the general public, they try to target the least computer-literate populations.
So if you’re reading this, you’re already one step ahead.
Know where acceptable or trustworthy emails, posts and messages are coming from. If it looks a little suspicious, or you’re not sure, just check the sender address. If you’re in email, that means clicking the “From:” at the top of the email and making sure you recognize the sender.
Be mindful of emails from accounts that read similarly to trustworthy accounts. Hackers will set up a fake domain similar to popular sites designed to trick you with email addresses like “email@example.com” or “firstname.lastname@example.org” (these are fake, please don't email these).
If you do receive any emails asking for your username or password, regardless of the sender, a great way to be sure of their authenticity is to independently type in the website on your search bar. So if it looks like Amazon, or an association partner is emailing you, simply enter in their web address on your search bar and log into their website on your own. If the email was real, you should get a prompt to complete the task they emailed you about and you know it’s safe.
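The sender check described above can also be automated for a mailbox or mail gateway. The following is an added example, not code from the original post: it pulls the real domain out of a From: header (ignoring the display name), accepts exact matches and genuine subdomains of a constructed allow-list, and flags look-alikes built from typos, digit-for-letter swaps or a trusted name embedded in a longer domain. The allow-list and the confusable-character table are assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of domains this organization recognizes (example values).
TRUSTED_DOMAINS = {"example.com", "example.org", "amazon.com"}

# Substitutions seen in look-alike domains: digits for letters, "rn" for "m",
# "vv" for "w". Folding them lets "arnazon" compare equal to "amazon".
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header; the display name is
    ignored, so 'Amazon <x@evil.example>' yields 'evil.example'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def fold(domain: str) -> str:
    """Replace confusable characters with the letters they imitate."""
    for look_alike, real in CONFUSABLES.items():
        domain = domain.replace(look_alike, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"  # exact match or a genuine subdomain such as mail.amazon.com
    folded = fold(domain)
    for t in TRUSTED_DOMAINS:
        # "amazon.com.evil.example" or "amazon.com-login.example" embed the real name
        if t in domain:
            return "lookalike"
        # "arnazon.com", "examp1e.com", "amazon.co": confusables or a short typo
        if edit_distance(folded, t) <= 2:
            return "lookalike"
    return "unknown"
```

A result of "lookalike" is the cue to do what the text recommends: ignore the email's links and type the real site's address yourself.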
Some hackers rely on the fact that it’s harder to identify suspicious accounts or pages on a mobile site, because many legitimate companies still haven’t optimized their software or web page for mobile.
That means they have a better chance of making you think that their attack is a legitimate website because it’s just harder to tell what’s an attack, and what’s a real site that just doesn’t look as good on your phone.
Plus, it’s much easier to investigate the sender address of emails, email attachments or the form you’re being asked to fill out on your desktop because of the naturally larger screen size.
Haveibeenpwned.com is a great tool to determine if you’ve been made a victim of a data breach. Visit the website and enter as many of your email addresses as you like, and the tool will tell you if that address has been compromised in any known instances of hackers stealing and selling emails.
If you have been “pwned,” it’s a good idea to reset your password, and it’s always a good idea to send this to your coworkers and association members to let them see if they’ve been hacked and need to take action.
Another great tool is apollo.io. It’s a sales platform used by email marketers, but it also allows hackers a completely legal look into your association or company’s email address bank. So if they access just one account on your association server, they can enter that email into apollo.io and apollo.io will offer them up a list of every known email associated with that server. What you can do is enter your email into apollo.io and get the same list, so you can see the accounts that might need to change their passwords more frequently than others.
Finally, make sure you have a solid web team in control of your web content and video platform. If you want to learn more about how we keep your content and accounts safe, please click here to register to learn more about our online platform.
Froke, Paula, Anna Jo Bratton, Jeff McMillan, Pia Sarkar, Jerry Schwartz, and Raghuram Vadarevu. The Associated Press Stylebook 2020-2022 and Briefing on Media Law. New York: The Associated Press, 2020.