Part 1: updated 4/14/20
Part 2: updated 4/20/20
Part 3: updated 5/11/20
Starting in March 2020, cities and states across the US began implementing ‘stay-at-home/shelter-in-place’ recommendations for any non-essential workforce to help prevent the spread of COVID-19, and the average worker has started working at home instead of in the office.
In this 3-part series, we’re going to highlight some of the most common threats people should be aware of when working at home, and best practices to mitigate them:
- Potential threats to personal privacy
- Emerging threats to business security
- Phone/email-scams and solicitations to be aware of
The work-from-home population has at least doubled in the past few weeks (Gallup). Precise numbers of those working from home are unknown, but all indicators suggest that what used to be an occasional practice for 20-30% of the US workforce has become almost full-time for the majority.
This is an entirely unprecedented situation, especially given the open-ended timeframes for this new state of affairs. Many businesses are reconfiguring operations to try and minimize in-person attendance, increasing employee remote-capabilities via expanded access to corporate networks, and replacing face-to-face meetings with online video conferencing.
This explosion in remote work has come with some obvious associated security and privacy risks for business information. Tens of millions of people are now treating public networks and cloud-based applications as primary business infrastructure. Enormous amounts of data and communications that would normally be protected within private corporate networks are now traveling through low-security home and public Wi-Fi. And many people are now using software tools for business productivity which have far fewer of the security features or data protections they may have previously taken for granted.
Many of these same threats to business information security also create new potential privacy risks for individual workers: the risk of exposing private information to employers or coworkers, or of creating opportunities for exploitation by malicious 3rd parties.
While some of the latter are versions of already-common forms of threat – such as COVID-specific robocall scams, or email phishing schemes pretending to represent Public Health Agencies – some are novel attempts to exploit specific IT platforms people are utilizing while working from home, such as Zoom, or commonly used VPN/Gateway services.
Corporate Surveillance Continues – Even as a Telecommuter
Working from home, especially if using company-provided equipment, can often involve being subject to even greater personal behavior tracking than while sitting at a desk in an office.
If using a company-supplied laptop, it is very likely that everything done on the computer is being remotely logged in as much (if not more) detail than when in the office.
This fact is not especially new; but it still may be surprising news to a new telecommuter who hasn’t had years of experience working remotely.
Similarly: even if using your own personal computer, common platforms for worker collaboration – like Slack, Zoom, or Google Hangouts – provide administrators access to all personal messaging that users do.
No interactions with co-workers using cloud-based platforms are ever more secure or private than they would be using internal corporate email or messaging platforms.
Further: conferencing apps like Zoom provide employers with behavior tracking of users who are supposed to be attending meetings. Opening a conference in the background and then browsing away to engage in other activities during the meeting will be flagged to employers.
And it is also more likely that employers, worried about the rapid decline in company productivity, and worsening economic conditions, will be looking at these kinds of behavior-tracking data to determine which employees are contributing most during working-hours.
Platforms like Zoom expose telecommuters’ PII to third parties, not just co-workers
While most people will be cognizant that information they share while video conferencing will be accessible by their employer or co-workers, it is not always self-evident how cloud-hosted platforms might make personal data available to 3rd parties. Just last week it was revealed that Zoom was automatically aggregating and sharing user emails that share similar domain names via its ‘company directory’ feature. This inadvertently exposed thousands of names, photos, and personal email addresses to anyone who happened to be using similar domain services. While this may not be a concern for those solely using corporate email accounts, for those using lesser-known email domain hosts, it created a massive privacy breach.
The best practice to avoid this kind of risk is to make sure not to commingle personal email accounts when using any cloud-based platform for business purposes.
Control your background information
For the average telecommuter that is doing video conferencing from home for the first time, it may also be tricky to firewall home-life from what gets shared during conference calls. Many may recall the viral BBC interview where an interviewee was interrupted by his children.
New users of Zoom or other video conferencing tools should prepare for future calls ahead of time by setting up a virtual background. This way, the environment you are working in doesn’t become a source of privacy breach.
Key Privacy Tips that all telecommuters should keep in mind when working at home:
1. Don’t use employer-provided equipment for anything you wouldn’t be doing at the office itself.
2. Be aware that ‘private browser windows’ aren’t at all private; browsing history may not be retained by the app, but it will always remain tracked at the operating system level, and can be accessed by administrators. See #1!
3. All collaboration platforms, whether corporate-hosted or cloud-based, log all person-to-person private messaging data and make that information available to administrators, and – potentially – 3rd parties who might gain access to credentials. Don’t share any personal information via shared platform messaging if it is just as easy to send an email or text to someone.
4. Don’t commingle personal files on work computers, or use company-provided web storage for personal reasons; that data will be archived elsewhere indefinitely and is exposed to compromise.
5. If you can avoid it, never resort to public Wi-Fi for work purposes. If using your own home Wi-Fi network, make sure it has WPA or WEP security features enabled.
6. Don’t share personal information on collaborative work platforms. This includes your phone number or private email or any details you’d prefer 3rd parties not have access to.
7. Mute your phone and/or microphone unless actually speaking in any public conference; any information that may be shared in the background may become public knowledge.
While personal privacy risks are often the focus of our users, we also think it is important to consider that heightened business-security risks can create significant personal liability, especially now that most of us are working at home.
No one wants to be the person who accidentally shared corporate VPN login-credentials, or whose conference call gets hijacked because you sent invites to the wrong email-address.
Enterprise-level businesses have had decades of experience with remote employee-access, and usually have very robust VPN/Gateway services, as well as encrypted email platforms that ensure information between worker and home-office remains secure.
However, this is less often the case with smaller companies that rely on cloud-based collaboration platforms like G-Suite or Slack, or a mixture of cloud-based and client-based applications. The risks of data exposure/loss, or of providing inadvertent access to malicious actors, become far higher, especially when large numbers of people with little experience with these tools begin using them for the first time.
There are also millions of people now working at home who may be relying solely on public email platforms rather than company-hosted Office 365-suites, and cloud-based document-sharing rather than a company intranet. While most companies will make do with whatever is necessary to keep businesses running, consequences for any eventual breaches of privacy and security will first fall on individual users.
Secure Communications Tips for Working at Home
- As with our general-privacy tip to “don’t commingle personal information on work platforms”: don’t mix work communications between your company-provided email and a personal one.
Some people may find it time-consuming to log-on to a secure company computer every time they need to send an email, and choose to send business info via a Yahoo or Gmail account. It is better to resist this temptation unless you’ve been given explicit instruction to do so.
- Make sure you have all your most frequent and important contacts verified in your email address book; there has been a boom in the spoofing of company names and email addresses, where hackers send messages from what appears to be a co-worker’s account, carrying links or documents which can infect work computers. This is especially important when switching from business email to a personal account, which may not have the same address-book details for co-workers.
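The address-book check above can be automated on the receiving side. The following is an added example, not code from the original post: it compares a message’s From: header against a small address book and reports the two patterns the tip describes, a known contact’s display name paired with a different address, and a sender domain that is a look-alike of the company’s real one. The address book, the trusted domain list and the sample headers are constructed for illustration.

```python
"""Flag From: headers that impersonate a known contact.

Added example, not code from the original post: compares a message's
From: header with a small address book and reports display-name spoofing
and look-alike sender domains. The address book, trusted domains and
sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed address book: verified display name -> verified address.
ADDRESS_BOOK = {
    "Alice Example": "alice@example-corp.com",
    "Bob Example": "bob@example-corp.com",
}
# Constructed set of domains the company actually sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return warnings for a From: header; an empty list means it is
    consistent with the address book. A stranger on an unknown domain is
    not flagged here: that is an ordinary unknown sender, not impersonation."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    warnings = []

    # 1. The display name belongs to a known contact, but the address differs.
    known = ADDRESS_BOOK.get(name.strip())
    if known and known.lower() != addr:
        warnings.append(
            f"display name '{name}' is in the address book but the address "
            f"{addr} does not match the verified {known}"
        )

    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # 2. Typosquat: one or two characters away from a trusted domain.
            d = levenshtein(domain, trusted)
            if d <= 2:
                warnings.append(
                    f"domain {domain} is {d} edit(s) from trusted domain {trusted}"
                )
            # 3. The trusted name used as a prefix of a longer, unrelated host.
            if domain.startswith(trusted + "."):
                warnings.append(
                    f"domain {domain} only begins with {trusted}; the real "
                    f"registrable domain is different"
                )
    return warnings


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in (
        "Alice Example <alice@example-corp.com>",
        "Alice Example <alice.example@gmail.com>",
        "Bob Example <bob@examp1e-corp.com>",
        "IT Helpdesk <helpdesk@example-corp.com.evil.test>",
    ):
        print(hdr, "->", check_sender(hdr) or "ok")
```

The first check is the one that matters most for the scenario in the tip: a mail client shows the display name prominently, so a message that carries a colleague’s name but a different address is exactly what an address-book comparison catches. The edit-distance and prefix checks cover the case where the attacker registers a domain that reads like the company’s at a glance.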
Secure File-Sharing Tips When Working at Home
- Keep business documents off phones. While the power of modern smartphones can sometimes make them temporarily effective as an ad-hoc office-computer, devices get lost, or can be compromised easily. Files stored on mobile devices become accessible to a wide range of 3rd party background apps and services, including data backup services that copy all your files and store them remotely.
- If sharing company files on a cloud-based platform, zip, encrypt, and password-protect those files, and send the passwords in secure emails, separate from the links you send to the documents. Additionally: delete files from these platforms after your co-workers/clients have confirmed receipt.
- Be wary of thumb drives: they’re a popular tool to distribute malware, and old thumb drives can sometimes carry malicious code which leapfrogs from one computer to another whenever used. If you do need to use them, format the drive entirely before use, and erase any proprietary company files from drives as soon as you no longer need them.
Video Conferencing Privacy and Security Tips for Working at Home
One example of the heightened risk environment has been an increase in hackers targeting conferencing platforms like Zoom. Forms of malicious exploitation have included ‘spoofing sign-on forms’ so that unwitting employees share corporate credentials; mailing malware-ridden Zoom links to company domain names at random; and logging into ongoing conferences when users share links or credentials on insecure platforms, then surveilling corporate communications in the hope of gaining proprietary information.
The potential privacy and security holes in the Zoom platform have multiplied by the week; only a few days ago it was revealed that the service was automatically aggregating and sharing user emails that share similar domain names via its ‘company directory’ feature. This inadvertently exposed thousands of names, photos, and email addresses to each other without knowledge or consent. These and other emerging concerns recently prompted the New York City Schools commissioner to order a halt in use of the platform.
Some tips to ensure new Zoom users minimize these forms of risk:
- Make sure you can verify who is sending you conference links; be wary of conference invites sent via text, instant messaging platforms, or emails from unknown @zoom addresses.
- The same goes for sending conference invites. Use the ‘Invite by mail’ feature provided by the platform, rather than instant messaging or ‘invite by contacts’. Copying conference links and sending them in secure emails to attendees is considered best practice.
- Make sure those working at home and hosting conferences know how to adjust privacy and security settings to ensure conferences remain private. The most commonly used privacy and security settings include:
  - ensuring ‘only authenticated users can join’;
  - requiring a password for all conference attendees;
  - disabling auto-saving of chats;
  - disabling ‘Join before host’;
  - making sure only hosts can screen-share;
  - sharing with attendees instructions on how to use virtual backgrounds.
- Additionally, consider using Waiting Rooms to ensure that the identity of every conference attendee is verified before allowing them access.
With the population-wide shift to working at home, there has also been recent and rapid growth in Coronavirus-specific fraud threats.
The formats of these threats – robocalls, email spamming/phishing, malicious apps and advertisements – are not new, and impersonation of government agencies (e.g. Social Security, Medicare, FBI, etc.) is a tactic common to these forms of fraud. What makes these newest incarnations more dangerous is the increased vulnerability of the population created by the COVID-19 pandemic.
Any emergency situation vastly increases the likelihood that people will respond credulously to those claiming to represent government or medical authorities and offering specific forms of immediate relief.
Even more dangerous: people are far more likely to share vital personal information – including bank details or credit card information – during a period when state and federal governments are engaged in massive economic stimulus efforts.
What the most prevalent forms of COVID-related fraud share in common is a) representing themselves as outreach from either federal or international NGO officials, and b) offering unsolicited financial or medical benefits.
Notable recent examples include:
- Fake emails from the World Health Organization’s (WHO) WHO.int domain.
  - One example attempted to solicit donations for a COVID-19 ‘Solidarity Response Fund’. The fund itself is real; however, the messages were not, and directed people to donate bitcoin to an obscure 3rd party. Another WHO impersonator sent out an e-book attachment purporting to contain information on how to protect children from infection, but which instead contained malware.
- Similar impersonations of the Centers for Disease Control (CDC) and Health and Human Services (HHS) agencies.
  - These offered to update people about the growth of COVID cases in their area, but aimed to get people to share email credentials and other personal identifying information with scammers.
- A variety of stimulus check-related scams, including:
  - Fake checks sent in the mail, followed by calls attempting to ‘confirm’ people’s financial account info, or to take a one-time payment for ‘expedited direct deposit’.
  - Emails purporting to be from the IRS asking people to provide information in order to receive their emergency stimulus relief.
  - Robocalls claiming to be from the Social Security Administration or the IRS, requesting that people update their financial account info in order to ensure rapid payment of emergency stimulus relief.
- Text messages offering to sell fake at-home testing kits or personal protective equipment, or suggesting that targets have recently been in contact with an infected person.
- Calls targeting Medicare beneficiaries, attempting to get people to provide Medicare account numbers in order to receive either ‘emergency testing’ or preventative treatments or supplies.
The reality people often tend to overlook is that communications from large public agencies are not done at the individual level. Neither Medicare nor the World Health Organization is sending bulk emails out to a general audience, much less identifying specific individuals. Public benefits are inherently scarce; federal agencies don’t need to push benefits on a leery public.
A second risk element sometimes overlooked is that not all fraud methods are trying to solicit immediate payment. Increasingly, the most successful methods of victimizing consumers aren’t to get them to make direct payments, but simply to feed scammers useful personal identifying information that can be exploited later. Often things as simple as confirmation of name, address, phone number, who your phone carrier is, who your relatives are, what your most recent purchases were, or naming institutions that you bank with or have credit accounts at, can be used to compromise a target.
Best practices for avoiding being caught by some of these forms of fraud are the same as usual, but are helpful to remember:
- Federal Agencies do not transact with citizens by phone or email; they will never ask people to provide information except in person or via mail
- Similarly, international orgs like WHO do not do any direct, unsolicited outreach to US citizens
- Don’t fill out forms submitted by email, or on websites which have an unusual address format or domain name, or which lack a clear indicator of security (e.g. the URL begins with https: and the browser shows a ‘lock’ icon)
- Never open attachments in emails from unfamiliar third-party sources
- Confirm any links in emails by hovering over the link and confirming the URL directs you to the site of the organization it claims to represent
- Beware links sent in text messages; while some organizations – like your phone carrier – may still sometimes do this with customers for marketing purposes, SMS messages are incredibly easy to spoof, and lack any of the safety and security measures that are built into modern web browsers.
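The two link-related tips above (avoid sites with unusual address formats or without https, and confirm by hovering that a link really goes where it claims) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it pulls every link out of an HTML message body and reports destinations that a careful reader would reject on hover, namely a non-https scheme, a username before ‘@’ that disguises the real host, a raw IP address in place of a domain, a host that is not under the organization’s real domain, and link text that shows one domain while the destination is another. The organization domain, the sample message and the addresses in it are constructed for illustration (198.51.100.0/24 is a documentation range); the https check stands in for the browser’s lock icon, which cannot be inspected before the page is loaded.

```python
"""Automate the 'hover over the link' check for an HTML e-mail.

Added example, not code from the original post: extracts every link from a
message body and reports destinations that do not match what the link
claims. The organization domain, sample HTML and addresses below are
constructed for illustration (198.51.100.0/24 is a documentation range).
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible anchor text that itself looks like a URL or a bare domain name.
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host: str, org_domain: str) -> bool:
    """True only for org_domain itself or a subdomain of it.
    'example-corp.com.evil.test' merely starts with the name and fails."""
    return host == org_domain or host.endswith("." + org_domain)


def check_link(href: str, text: str, org_domain: str) -> list:
    """Return the problems a careful reader would spot on hover; [] is clean."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme.lower() != "https":
        problems.append(f"not https: {href}")
    if parts.username is not None:
        # https://trusted.com@evil.test/ : the browser goes to evil.test
        problems.append(f"text before '@' hides the real host {host}: {href}")
    try:
        ipaddress.ip_address(host)
        problems.append(f"raw IP address instead of a domain name: {href}")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if host and not host_belongs_to(host, org_domain):
        problems.append(f"host {host} is not under {org_domain}: {href}")
    if LOOKS_LIKE_URL.fullmatch(text):
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown.lower() != host:
            problems.append(f"link text shows {shown} but points at {host}")
    return problems


def check_email_links(html: str, org_domain: str) -> dict:
    """Map each href in the HTML body to its list of problems."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, org_domain) for href, text in collector.links}


# Constructed sample message body.
SAMPLE_EMAIL = """
<p>Please <a href="https://portal.example-corp.com/login">sign in</a> to confirm.</p>
<p>Or visit <a href="http://example-corp.com.evil.test/login">example-corp.com</a></p>
<p><a href="https://example-corp.com@198.51.100.7/reset">Reset password</a></p>
"""

if __name__ == "__main__":
    for href, problems in check_email_links(SAMPLE_EMAIL, "example-corp.com").items():
        print(href, "->", problems or "ok")
```

Note that host_belongs_to compares from the right-hand end of the host name: the registrable domain is what the browser will actually connect to, so a host that merely begins with the organization’s name is treated as foreign. The same rule is what a reader should apply mentally when hovering.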