The 2020 worldwide pandemic will go down in the history books much like the 1918 Spanish Flu. One big difference between then and now: the technology that has enabled millions of us to remain moderately productive “at work” from the comfort of our homes. Welcome to the “new normal” of telework. Being comfy at work in yoga pants – saving time by not having to dress for “the office” as we once knew it. Shorter commutes, with coffee refills only steps away in the “breakroom” – our kitchens. Staying connected to our co-workers, clients and work associates in Brady Bunch style, creating a little mystique with virtual backgrounds on Zoom, Microsoft Teams or WebEx video conferencing platforms.
As relaxed as we may be in the new normal of teleworking, it’s not a time to relax when it comes to being vigilant in securing the confidences of our employers, employees, clients or customers. Teleworking brings new technology challenges: learning new software and conferencing programs, managing confidential paper documents, and protecting electronic data. And since our homes are now an extension of our offices, these challenges may create additional exposure for employers. As office workers and healthcare providers switched to telework and telehealth under state stay-at-home orders, malicious cyber actors were ramping up to take advantage of the security gaps that would inevitably accompany such a sudden transition. Wyatt data privacy counsel offer practical tips to protect employer and client data, as well as personal information, in the new normal of telework.
Cyber hackers and criminals are taking advantage of this situation in a number of ways. Here are some practical tips to protect the employer’s data, as well as your own personal information while teleworking.
Video Conferencing Security Tips
People have embraced video conferencing for work meetings as an opportunity to see faces while social distancing. Recently, Zoom, the video conference platform, shared some stats indicating that its platform had 10 million users a day in December 2019 and skyrocketed to 200 million users a day in March 2020 when the COVID-19 social distancing and state stay-at-home orders were issued. The quick shift to the use of video conferencing platforms has created an opportunity for a cybercriminal to capitalize on the gaps in security that come with so many employers and healthcare providers who had to adopt video conferencing and telehealth almost overnight. Be on the lookout for some of the following malicious cyber activities:
Fake Video Conferencing Websites Aimed at Stealing an Account Holder’s Identity. Cybercriminals set up fake websites to look like one of the popular video conferencing platforms and hope that unwary video-conference account holders will enter their login credentials into the fake webpage. This enables the cybercriminal to steal the account holder’s login credentials to their video conferencing account. The cybercriminal can then use the log-in credentials to log onto the real account and send video conference invitations that will appear to be from a trusted source. The fake video conferencing invitations can be used by the cyber thief to phish for personal or confidential customer information, to download a malware attack, or even to steal money.
Emails and Texts Aimed at Stealing Login Credentials. Cybercriminals send a fake email or text message that may say something like, “Click here to join your meeting.” The recipient clicks a link that directs him or her to a fake video conferencing webpage where he/she is asked to enter his/her login credentials in order to join the call or conference. The cybercriminal then uses those credentials to log onto the actual video conference. This could be particularly problematic if the video conference is a telehealth or a call with a financial institution or broker. And financial account information, investment strategies, a patient’s health plan number, or payment information exchanged during the video communication could be stolen by the cybercriminal. Accordingly, it is advisable to avoid the exchange of any non-public, confidential personal information during one of these calls.
Gaining Access to Webcams. Questions about whether the companies hosting video-teleconferencing platforms are doing enough to secure meetings and protect their privacy have also recently come to light. The New York Attorney General, for example, asked Zoom whether the company “is taking appropriate steps to ensure users’ privacy and security” to address vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.” Security issues are not limited to any one video conferencing platform, since several protections still depend on whether the meeting host has turned particular security features on or off.
Zoom-Bombing. Further, the FBI issued a warning against “zoom-bombing,” where hackers or trolls hijack a public video call, shouting profanities or sharing vulgar images. The FBI urged victims of “zoom-bombing” to report any incidents. Although this moniker arose from the overwhelming popularity of the Zoom platform, the practice could occur with other platforms as well.
The FBI has provided the following tips for using video conferencing to mitigate hijacking threats:
- Take steps to avoid making your meetings public. Look for these options to make your meeting private: the option to set and require a meeting password, or to use a waiting room feature that allows you to confirm the identity of meeting guests and control their admittance. Requiring a password for your video conference ensures that people cannot log in to your audio-video meeting without knowing the password. Just as you should be doing for your financial and other sensitive online accounts, use a strong password. Your dog’s name or other information that can be readily obtained about you and your family from social media should not be used as your password.
- Be alert to spoof texts and email invitations. Cybercriminals are taking advantage of the uptick in audio-video telecommunications by sending texts or emails pretending to be an invitation from an associate, friend or family member. Warn your invited attendees to confirm the source of any invitation to join a meeting before clicking on a link to what might appear to be your meeting but is actually an invitation from a cyber-thief attempting to steal the participant’s logon and password credentials for the online meeting.
- Privately share the meeting link. Do not publicly share a link to a teleconference in an unrestricted social media post. Share it only in an email or text message directly with the individuals you are inviting to your video conference.
- Manage screen-sharing options. In most audio-video platforms, you have the option to change screen-sharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications.
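The spoofed invitations described above, and the “verify the web address” advice given later under Computer and Mobile Device Security Tips, come down to one question: does the link really point at the platform it claims to? The following Python check is an added example, not code from the article or from any conferencing vendor. The allowlist of platform domains is an assumption you would replace with the platforms your employer actually uses, and every sample link is constructed; the look-alike hosts are invented for illustration.

```python
"""Added example: vet video-conference invitation links before clicking.

The trusted-domain allowlist and all sample links below are constructed for
this illustration; the look-alike hosts are invented, not real sites.
"""
import ipaddress
from urllib.parse import urlsplit

# Registrable domains approved for meetings (constructed allowlist; extend it
# with whatever platforms your employer actually uses).
TRUSTED_MEETING_DOMAINS = ("zoom.us", "teams.microsoft.com", "webex.com")


def check_meeting_link(url, trusted=TRUSTED_MEETING_DOMAINS):
    """Return (True, "ok") for an HTTPS link whose host is a trusted domain or a
    subdomain of one, otherwise (False, reason). Each test below targets one
    trick that makes a fake page look like the real platform."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    # "https://zoom.us@evil.example/..." shows zoom.us first but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded before the host (user@host trick)"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of a domain name"
    except ValueError:
        pass  # not an IP literal, which is what we want
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"non-standard port {port}"
    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) host; possible look-alike"
    # Exact match or a dotted suffix: "zoom.us.meeting-join.example" and
    # "evilzoom.us" both fail, while "us02web.zoom.us" passes.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "ok"
    return False, f"host {host!r} is not a trusted meeting domain"


def triage_invitations(links):
    """Map each link to its verdict so a helpdesk can review a batch at once."""
    return {link: check_meeting_link(link) for link in links}


# Constructed sample invitations mixing genuine-looking and suspicious links.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/1234567890?pwd=abc",
    "https://teams.microsoft.com/l/meetup-join/abc",
    "https://zoom.us.meeting-join.example/j/123",
    "https://evilzoom.us/j/1",
    "https://zoom.us@evil.example/j/1",
    "http://zoom.us/j/123",
    "https://zoom.us:8443/j/1",
    "https://192.0.2.10/j/1",
]

if __name__ == "__main__":
    for link, (ok, reason) in triage_invitations(SAMPLE_LINKS).items():
        print("TRUSTED" if ok else "SUSPECT", link, "-", reason)
```

The suffix test is the part people most often get wrong: matching on “contains zoom.us” or “starts with zoom.us” accepts `zoom.us.meeting-join.example`, while requiring either an exact match or a leading dot before the trusted domain does not. Run on the sample list, only the first two links are reported as trusted.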
For additional tips specifically related to using teleconferencing platforms for telehealth, please refer to our article Audio-Video Conferencing Tips for Healthcare Providers.
Masking Your Caller ID Tip
Individuals who are working from home may be concerned when using their own cell phone for work that their personal number will be visible to strangers. They may opt to mask their cell phone number (to protect their privacy) by entering *67 before making the call. This only works for calls—not texts—and some people might refuse to answer a masked call since they do not know who is calling. Further, some prepaid or government-issued cell phones will not answer masked calls.
Another option is to see if your employer has a unified communications system, such as Cisco’s Jabber, that would permit employees to use their personal cell phone or computer to make calls that look like they originate in the office and hide your personal number.
Securing Wireless Network Tips
There has been an uptick in ransomware and other tricks cyber hackers are using to take advantage of home networks, which may be less secure than networks in the office. Employees should consider taking action to address these additional vulnerabilities. The FTC has issued guidance on how to secure a wireless network, and here are some key takeaways:
Secure Your Router. The router directs traffic between the internet and your local network, so it’s your first line of defense from attacks over the internet. You can secure your router by taking the following steps:
- Change the name of your router from the default.
- Change your router’s pre-set password(s).
- Turn off any “Remote Management” features so hackers cannot use them to get into your home network.
- Once you’ve set up your router, log out as administrator, to lessen the risk that someone can piggyback on your session to gain control of your device.
- Keep your router software up-to-date.
Encrypt Information Sent Over a Wireless Network. Encryption scrambles information sent over a network so outsiders cannot read it. Wireless routers often come with the encryption feature turned off, and it should be turned on. Wi-Fi Protected Access (WPA) 3 is the strongest, and WPA2 is preferred to outdated WPA or Wired Equivalent Privacy (WEP) encryption. Try updating your router software, then check again to see whether WPA2 or WPA3 is available. Consider replacing an older router that offers only WPA or WEP encryption, which likely won’t protect you from some common hacking programs.
Limit Access to Your Network. Allow only specific devices to access your home wireless network. Every device that is able to communicate with a network is assigned a unique Media Access Control (MAC) address. Wireless routers usually have a mechanism to allow only devices with particular MAC addresses to access the network. Some hackers have mimicked MAC addresses, so don’t rely on this step alone.
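The router checklist above (rename the default SSID, change the preset password, disable remote management, keep firmware current, turn on WPA2 or WPA3, and treat MAC filtering as a supplement rather than a substitute) can be turned into a repeatable audit. The script below is an added example, not from the article or the FTC; it assumes the router’s settings have already been exported into a plain dictionary, and the vendor-name pattern, the weak-password list and both sample configurations are constructed for illustration.

```python
"""Added example: audit exported home-router settings against the checklist.

The settings dictionaries, the default-SSID pattern and the weak-password list
are constructed for this illustration; adapt them to your router's export.
"""
import re

# Constructed heuristic: factory SSIDs are usually a vendor name plus a few
# hex digits, e.g. "NETGEAR42" or "TP-LINK_A1B2".
DEFAULT_SSID_PATTERN = re.compile(
    r"^(netgear|linksys|tp-?link|d-?link|asus)[-_ ]?[0-9a-z]{0,8}$", re.I
)
# Constructed list of well-known default or trivial passwords.
WEAK_PASSWORDS = {"admin", "password", "1234", "12345", "123456", "12345678"}
# Lower rank is stronger; anything at WPA or worse is treated as outdated.
ENCRYPTION_RANK = {"WPA3": 0, "WPA2": 1, "WPA": 2, "WEP": 3, "NONE": 4}
SEVERITY_ORDER = ("info", "medium", "high")


def _password_finding(label, password):
    """Return a (severity, message) for a weak password, or None if it passes."""
    if password.lower() in WEAK_PASSWORDS:
        return "high", f"{label} is a well-known default or trivial value; change it"
    if len(password) < 12:
        return "high", f"{label} is shorter than 12 characters; use a longer passphrase"
    return None


def audit_router(cfg):
    """Return a list of (severity, message) findings for one exported config."""
    findings = []
    ssid = cfg.get("ssid", "")
    if not ssid or DEFAULT_SSID_PATTERN.match(ssid):
        findings.append(("medium", f"SSID {ssid!r} looks like a factory default; rename it"))
    admin = _password_finding("admin password", cfg.get("admin_password", ""))
    if admin:
        findings.append(admin)
    if cfg.get("remote_management", False):
        findings.append(("high", "remote management is enabled; turn it off"))
    enc = str(cfg.get("encryption", "NONE")).upper()
    rank = ENCRYPTION_RANK.get(enc, ENCRYPTION_RANK["NONE"])
    if rank >= ENCRYPTION_RANK["WPA"]:
        findings.append(("high", f"encryption {enc} is outdated or absent; use WPA2 or WPA3"))
    elif enc == "WPA2":
        findings.append(("info", "WPA2 is acceptable; switch to WPA3 if the router offers it"))
    if rank < ENCRYPTION_RANK["NONE"]:  # a Wi-Fi password only matters when encryption is on
        wifi = _password_finding("Wi-Fi password", cfg.get("wifi_password", ""))
        if wifi:
            findings.append(wifi)
    if cfg.get("mac_filter", False) and rank >= ENCRYPTION_RANK["WPA"]:
        findings.append(("info", "MAC filtering is on but cannot replace encryption; addresses can be mimicked"))
    if not cfg.get("auto_update", False):
        findings.append(("medium", "automatic firmware updates are off; update the router software"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the audit is clean."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


# Constructed sample: a router still on factory settings.
SAMPLE_DEFAULT_CONFIG = {
    "ssid": "NETGEAR42", "admin_password": "password", "remote_management": True,
    "encryption": "WEP", "wifi_password": "12345", "mac_filter": True, "auto_update": False,
}
# Constructed sample: the same router after the checklist has been applied.
SAMPLE_HARDENED_CONFIG = {
    "ssid": "quiet-harbor", "admin_password": "correct horse battery staple 2020!",
    "remote_management": False, "encryption": "WPA2",
    "wifi_password": "long-random-wifi-passphrase-xyz", "mac_filter": False, "auto_update": True,
}

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"== {name}: worst severity {worst_severity(audit_router(cfg))}")
        for sev, msg in audit_router(cfg):
            print(f"  [{sev}] {msg}")
```

The factory-settings sample produces seven findings with a worst severity of high; the hardened sample produces a single informational note that WPA3 would be preferable to WPA2. The MAC-filter line mirrors the caveat above: it is only reported when filtering is being used in place of, rather than in addition to, current encryption.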
Computer and Mobile Device Security Tips
It is also important to stay vigilant and protect PCs, laptops, tablets and mobile devices. Here are some tips to do so, many of which come from FTC, DOJ, and FBI guidance:
- Strong passwords. Create strong passwords for your computer, mobile phone, and any other device that connects to your home network.
- Update software. Keep your software—including your operating system, the web browsers you use to connect to the Internet, and your apps—up-to-date to protect against the latest threats. Install software patches so attackers cannot take advantage of known problems or vulnerabilities. It is especially important to make sure the anti-malware and anti-virus software on your computer is operating and up-to-date.
- Limit personal information on social media. Restrict the amount of personal information you share on social media as it may reveal answers to password retrieval security questions. High school graduation photos, photos of your first car, and other topics are trending—and fun—but also are answers to common password retrieval security questions. Fraudsters leverage this personal information to reset account passwords and gain access to user data and accounts.
- Pay attention to the email sender’s address. Do not open emails from unknown individuals and be alert to emails that spoof someone you know. With people working from home, you may receive emails that “appear” to come from people you know but are not sent from their work email address. This practice is known as “spoofing” and is often designed to “phish” for private information–a combination of spoofing-phishing. With teleworking, individuals tend to read emails on smartphones and other mobile devices where the sender’s email address is not readily apparent. Capitalizing on this fact, combined with the fact that many employees will need another employee’s cell phone number to have a work call, cyber attackers often send spoofing-phishing emails with a very brief message, such as “Available? Cell phone number?” Create a new email to the person using the email address you have for them or, if possible, call the purported sender to verify they sent you the email.
- Use extra caution with email attachments. Be wary of unsolicited attachments, even from people you know. Opening one of these attachments, or clicking a link inside it, could download a virus onto your computer or device. Cyber actors can “spoof” the return address, making it look like the message came from a trusted associate. If an email or email attachment seems suspicious, don’t open it, even if your antivirus software indicates the message is clean. Attackers are constantly releasing new viruses, and the antivirus software might not have the signature yet.
- Save and scan any attachments before opening them.
- Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and disable it.
- Consider creating separate accounts on your computer. Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need “administrator” privileges to infect a computer.
- Look out for pandemic emails from unknown or suspicious email addresses. Cyber criminals are blanketing the U.S. with emails that claim to be from the Centers for Disease Control and Prevention (CDC) or other organizations claiming to offer information on the Coronavirus. Similarly, watch out for phishing emails claiming to be from the IRS and asking you to verify your personal information in order to receive an economic stimulus check from the government. Do not click links or open attachments you do not recognize.
- Verify the web address of legitimate websites and manually type them into your browser. Cybercriminals have set up fake COVID-19 websites that quietly download malware to victim devices.
- Be cautious with financial transactions over the web. If your business has the ability to send wire transfers, checks, and automated clearing house (ACH) transfers, then be cautious of emails purporting to be from a company you normally conduct business with. For example, during this pandemic, fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19. Is the email requesting that money be sent to a new account or that standard payment practices be altered?
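The spoofing-phishing pattern described in the “Pay attention to the email sender’s address” tip (a colleague’s display name on an outside address, a mismatched Reply-To, and a terse “Available? Cell phone number?” opener) can be checked mechanically before anyone answers. The script below is an added example, not from the article; it uses only Python’s standard `email` package. The staff directory and both sample messages are constructed, and the corporate domain `corp.example` is a placeholder.

```python
"""Added example: flag spoofed-sender patterns in a raw incoming email.

The staff directory and every sample message are constructed for this
illustration; "corp.example" stands in for the employer's real domain.
"""
import email
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> the colleague's work address.
STAFF_DIRECTORY = {"jane smith": "jane.smith@corp.example"}


def _domain(address):
    """Part of an address after the last '@', lower-cased."""
    return address.lower().rpartition("@")[2]


def analyse_sender(raw_message, directory=STAFF_DIRECTORY):
    """Return tagged findings for one RFC 822 message; [] means nothing looked spoofed."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    display, addr = display.strip().lower(), addr.strip().lower()
    if not addr:
        return ["no-from-address: message has no parseable From address"]
    findings = []

    # Mobile clients often show only the display name, so a known colleague's
    # name on an unfamiliar address is the classic spoof.
    known = directory.get(display)
    if known and known.lower() != addr:
        findings.append(
            f"display-name-mismatch: {display!r} is {known} in the directory, "
            f"but this message came from {addr}"
        )
    # A display name that is itself an address hides the real sender.
    if "@" in display and display != addr:
        findings.append(f"address-in-display-name: shows {display} but actually from {addr}")
    # Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"reply-to-mismatch: replies go to {_domain(reply_to)}, not {_domain(addr)}")
    # The terse phone-number opener mentioned in the article.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if len(text.split()) <= 12 and any(w in text for w in ("phone", "cell", "available")):
        findings.append("short-phone-request: brief message asking for availability or a phone number")
    return findings


# Constructed sample: a spoofed message with all three tell-tales.
SAMPLE_SPOOF = (
    'From: "Jane Smith" <jane.smith@example-mail.net>\n'
    "Reply-To: jane.smith.office@another-mail.example\n"
    "To: bob@corp.example\n"
    "Subject: Available?\n"
    "\n"
    "Cell phone number? Need to talk quickly.\n"
)
# Constructed sample: a normal message from the real colleague.
SAMPLE_LEGIT = (
    "From: Jane Smith <jane.smith@corp.example>\n"
    "To: bob@corp.example\n"
    "Subject: Agenda for Thursday's project review\n"
    "\n"
    "Hi Bob, attached is the agenda we discussed. Let me know if anything is "
    "missing before Thursday.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(f"== {label}:", analyse_sender(raw) or ["no findings"])
```

Each finding carries a stable tag so a mail filter can route on it; the spoofed sample yields three findings and the legitimate one none. None of these checks replaces the article’s advice to confirm by a fresh email or a phone call, but they tell you which messages are worth that effort.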
Protect Paper Documents
Even in this digital age, there may still be paperwork to deal with. When working from home it is important to securely transport, store, and destroy sensitive papers. These can be a treasure trove for burglars who may capitalize on the transition to telework to break in and grab work papers they hope contain personal identification information about customers or employees:
- Confidential papers should be kept securely in a locked file cabinet or room.
- Access to those papers should be restricted on a need-to-know basis.
- Dispose of sensitive data securely. Don’t just throw it in the trash or recycling bin. Always shred documents with sensitive information before throwing them away.
For additional articles regarding data privacy and security, visit the Wyatt HITECH Law blog at https://wyatthitechlaw.com/.
For guidance on responding to a cybersecurity incident within the first 24-48 hours afterward, see our Six Tips, which can also be found on the blog’s Data Incident Response Team tab. For information about Wyatt’s Data Privacy & Security Incident Response Team, see the tab on this blog to the Data Incident Response Team and our Data Privacy & Incident Response Team brochure.