While humanity suffers under a microbial pandemic, it’s easy to forget there’s a digital plague raging on that requires equal vigilance.  Just as we have seen the need to practise physical protections in the face of COVID-19, let’s ramp up our digital defenses: with more people working from home than ever, we’re already seeing a raft of malicious behaviour adapting to the new landscape of distributed workforces, heightened job uncertainty and unprecedented financial stresses.

This is part one of a four part series to help you protect yourself from malicious online threats during the lockdown.

Part 1: Scams – The Oldest Trick in the Book

It’s abhorrent, but entirely predictable: not even a week into pandemic lockdown and we started seeing online lowlifes taking advantage of widespread fear and suffering, only to inflict more on their victims.  The irony is not lost on me: A real, live virus is causing a new wave of digital malware from opportunistic thieves.  However let’s start by looking at common scams and what to be wary of.

Everyday Scams and Shams

On my first day of official COVID-19 lockdown I got a phone call from a New Zealand mobile number. A kind lady with a foreign accent wondered if I was interested in stock trading to earn money while at home. As a hobbyist scam-baiter I was keenly interested!  The delay on the call, combined with the foreign accent quickly tipped me off that this wasn’t someone local, and the unsolicited stock trading proposition meant it certainly wasn’t legitimate.

I led her on for a while and discovered the scam was backed by an official-sounding name, official-looking website, and offered a tantalizing prospect: Earning money easily using automated software from one of their approved stock broker partners, for a small sum of between $250 – $1000 (depending on how many “features” I wanted), and all with a 14-day money back guarantee!

“That’s a lot of money!” I teased.

“Oh, you can’t afford that? Well, today only I can offer you a special discount!”  How kind of them to discount how much money they’re trying to scam out of me…

Tips:

  • Never give out bank numbers, credit card numbers, passwords, personal details or any other sensitive information to anyone who has called you unsolicited. In the limited cases you might need to provide this information to someone for legitimate purposes, offer to call them back using their official number (from a source you can trust, such as their website).
  • Likewise, be very wary of any link or attachment in any unsolicited email.  If you need to log into your bank, email, Facebook, etc. then manually type the address into your browser.
  • Nobody with legitimate business should ever ask you for passwords or PIN numbers as verification.
  • Do your research before engaging with anyone new.
  • Scammers often like to create a sense of urgency – this clouds our something’s-not-right-ometer. Don’t be pressured into acting without verifying first.
  • If it sounds too good to be true, it probably is. Don’t get sucked in by greed or urgency.
  • Check out the government’s scam information page, MBIE’s Consumer Protection site, Consumer NZ’s scams page, NZ Police scams page or Spark’s scams page for the latest scam trends.

Never Trust, Always Verify!

Let me share another call I received, allegedly from my bank. The caller addressed me by name, but then proceeded to ask me security questions, “to verify your identity” she said.

“Huh?” I thought, “She has the ‘verify’ thing all backwards!”

“Hold on”, I told her, “How do I know you’re actually from my bank? You could be any old scammer asking for answers to my security questions!”, I said.

I asked if there was a way that I could contact her via an official number on their website.  She didn’t want to give out her extension, but eventually agreed that I could call customer services using the official number from their website and someone could help me resolve the issue.

It turned out that she was actually from the bank, calling on legitimate business, but she seemed blindsided when I questioned her identity. Crucially, she didn’t ensure from the outset that I could trust her.  She could have said something like “See the number on the back of your bank card?  Call that number, press 6 for staff directory, I’m on extension 1234”. It would have taken 30 seconds.

Let this be your new security mantra: Never trust, always verify!

Think about trust as a series of layers. If one layer is breached, the remaining layers can’t be trusted. In the case above I couldn’t trust an unsolicited call, hence nothing she said to me could be independently “trusted”.

On the other hand, I can probably trust that my bank card was printed with the correct contact number, not modified in transit before it got to me, I can trust that the number on the card hasn’t been hijacked, and I can probably trust that anyone I speak to on that number actually works for the bank and won’t try and deceive me. As you interact with others personally and professionally from home, be more aware of the layers of trust you rely on.

Tips:

  • Don’t trust “From” addresses on emails, or Caller IDs – these can be spoofed.
  • “Official-looking” or “Official-sounding” may have been good enough in the past, but it is not a criteria for trustworthiness. Scammers are getting more sophisticated than ever.
  • Be aware that advances in technology mean that layers you could trust in the past may no longer be trustworthy in the future: As an example, you might recognise and trust your boss if he called on the phone or via video chat today, but recent advances in the field of machine learning have successfully faked both voices and live video to a remarkably realistic extent.  Don’t trust, always verify!
  • How should you verify identity? If you’re unsure, or feel you need to act on untrusted information, verify it by another channel: eg. if it’s an email from your boss asking you to transfer a large sum of money, give him a call or text to check it is legitimate.
  • Review the topic of trust with your staff, especially while there are fewer face-to-face interactions: are you providing each other and your customers with adequate layers of trust? If you have outbound call centres, do you provide ways that customers can verify trust in them?
  • Consider signing all email communications, perhaps even with a hardware security token if email-based trust is important to your business: this means that, unlike regular email, a recipient can verify that the sender is actually who they say they are, and that the message hasn’t been modified in transit. NOTE: Signing does not mean that the email is encrypted from prying eyes. Email should be considered an insecure form of communication.

Conclusion

Being computer literate or even highly technical is not enough to protect you from malicious actors any more. Everyone from front line staff to IT departments and executives need to level-up their security savvy and keep abreast of these fast-moving threats.  In the rest of the series, I’ll cover various forms of phishing, social engineering, data leaks, and give you the lowdown on good password habits. Stay tuned for Part 2!

Paul Hutchison