Digital protection in the early days of the home computer was pretty straightforward when the only device needing protection was the family computer: a Gateway 2000 running Windows 95.
The computer typically was located in the living room, kitchen, or home office — nobody had two computers — and the adults would use it to build spreadsheets and file tax returns via early iterations of Microsoft Excel and Turbo Tax. Meanwhile, the up-and-coming millennial generation used the Microsoft Encarta ’95 encyclopedia software for school essays and, on Saturdays, rapturously played Where in the World is Carmen San Diego and Myst.
To protect these activities and the machine on which they were held, the most computer-savvy member of the household would download a McAfee or Norton Antivirus security program and scan for hidden threats. That was all that was needed to protect the digital lives of an entire family.
Yet just as our devices and the programs on them have evolved over the last 25 years, so too have the malicious codes that attempt to infiltrate them and pilfer our personal information. Today, a shocking 93 percent of malware and 95 percent of potentially unwanted applications (PUAs) have the ability to evade antivirus scanners, according to a 2019 threat report by Webroot.
And for scammers, there has never been a better time to steal identities or scam vulnerable people than during times of crisis.
The COVID-19 pandemic, coupled with its resulting economic fallout, and the civil unrest of the Black Lives Matter movement have left many feeling isolated and downtrodden, which creates a rife opportunity for opportunistic scammers who target vulnerable individuals during tumultuous times. In fact, the Federal Trade Commission saw such an uptick in the amount of fraud claims it was receiving as a result of the pandemic that it developed a COVID-specific data-tracking system via its Consumer Sentinel Network.
The data — updated in real time and climbing quickly — reveal nearly 115,500 reports of fraud, identity theft, and more have been filed this year, resulting in a fraud loss of $75 million in the United States at the time of this writing. Washington’s share accounts for $2.04 million of the current deficit as a result of almost 3,000 reports since 2020 began.
It was due to this increase in threats that Cybercrime Support Network — a Michigan-based nonprofit established to be a voice for the 1 in 4 Americans each year who experience cybercrime — recently teamed up with Google to debut scamspotter.org to help individuals evade scams through awareness.
“Our (user safety) team really focuses on high-risk content on our platforms,” explained Aura Navarra, a user safety expert at Google’s Kirkland campus who worked with Cybercrime Support Network on the Scam Spotter project. “We’re not an enforcement team, but we tend to work with nonprofits and other good organizations to help amplify good content where there might otherwise be risky and problematic content.”
This risky content includes romance scams, Social Security number and identity thefts, online shopping scams, government and military scams, and cyberstalking, which Cybercrime Support Network’s chief marketing officer, Rachel Dooley, said are the most-searched-for cybersecurity threats in the Seattle-Bellevue-Tacoma area this year.
“Scammers take advantage of these times because they know people are distracted, and sometimes, they’ll put a lot of urgency behind it,” Dooley said of the impacts felt by COVID-19. “We see a lot of charity scams pop up; people are targeted to give out credit card information, personal information, and (targeted for) phishing scams.”
Dooley said romance scams in particular prey upon an individual’s need to seek companionship amid physical and social distancing.
“It’s really about that emotional connection and the long game of getting to know someone,” Dooley said. “People start to open up online; they’re comfortable — it’s investment; you’re invested emotionally in someone online, and you feel that this relationship is real and blossoming — (and then), they’ll start asking for more and more information.”
Even more insidious are the scams that aim to steal an individual’s Social Security number and other personal identification information for the purpose of a fraudulent unemployment claim during a time when unemployment is seeing an historic high. In Washington, the unemployment rate skyrocketed to more than 16 percent in April, according to the U.S. Department of Labor and Statistics.
“It’s definitely a COVID scam,” Dooley said. “It’s really important for the individual, if you find out that (a fraudulent claim has been filed in your name) you tell your company right away. And vice versa for the business owner to make sure you inform your employee right away if there has been an identity theft.”
The Scam Spotter site, Dooley said, was designed to help users identify most scams and shut them down by using “three golden rules.”
These rules include slowing things down, spot checking, and “Stop! Don’t send,” with a clear description of each step along with an example of what a scammer might say.
“If someone starts asking you for money or information, just slow it down,” Dooley posited with a fictional, yet entirely plausible scam. “Ask: Is it right? And just stop; don’t send any money whether it be gift cards, wire transfers, or even your personal information. Keep it private until you can verify the source and that they are legitimate.”
Visitors to the Scam Spotters site also can test their scam-spotting smarts through an online quiz and share the results with friends and family via social media to keep the conversation of cybersecurity going.
“This is happening every day, and these types of scams are happening more and more,” Dooley said. “This is a really important issue; it is affecting millions of people’s day-to-day lives, and it can also put people in a financial crisis. Maybe $1,000 doesn’t seem like much to one of us, but it could potentially be the difference between paying rent for someone next week.”
‘Threat Level Midnight’
OK — so your digital network might not be under attack from Michael Scott’s fictional Golden Face archetype made famous by The Office, but if your system, devices, or users are unprotected, you just might need to raise the “threat level.” Rather than calling in Scott’s doppelganger, Michael Scarn, consider these cybersecurity services to secure your network.
- Cybadev: This enterprise-grade cybersecurity firm not only keeps devices and users safe through the use of AI-powered antivirus monitoring and protection, but it also offers monthly training to clients’ employees to increase awareness and reduce human error.
- Microsoft Threat Protection: The team at Redmond-based Microsoft uses a coordinated defense to rival that of a Super Bowl lineup using AI, automation, and integration to ensure users are safe, cloud apps retain integrity, and data stays locked up tight.
- Rubica: Answering the conundrum of staying safe in a mobile, bring-your-own-device environment, Rubica’s cybersecurity suite includes an encrypted VPN, live threat monitoring, and protection against malware and phishing that runs across all devices for one monthly subscription.
Protecting Your Business
Businesses and their employees also are vulnerable. Frances Dewing, CEO of Kirkland-based cybersecurity firm Rubica, likens cybercriminals’ use of global trends like the COVID-19 pandemic to the “marketing arm” of cybercriminal organizations.
“Whatever is going on in the world that we’re all urgently seeking information on or are interested in, they are going to use to hook us,” Dewing said. She noted that in the first few months of the stay-home order, she observed criminals impersonating health organizations and local governments, with alerts about COVID, stimulus checks, and PPP loans. Additionally, many scams included fake Zoom and Amazon links as well as fraudulent apps containing malware and designed to look like the real thing.
One of the biggest problems, Dewing said, was the immediate, almost-overnight implementation of remote work. As companies and workers were setting up programs and procedures to necessitate work-from-home capability for an indeterminate amount of time, security took a backseat.
“Cybercriminals know we are all at home using our Comcast routers with our basic Wi-Fi setup and password,” Dewing said. “We’re multitasking a lot, especially those of us that have kids or other people in the home. You’re ordering your food delivery, downloading your kids’ homework assignments, downloading your email, and using tools like Zoom (on your work computer). So, there is just this confluence of you are your own IT department; you’re on your own, frankly, and nobody is overseeing and making sure that you’re doing everything by the book. All of this is just a rife opportunity for cybercriminals, and they are taking advantage of it.”
Take for example, Dewing said, an employee using his personal phone for work calls — a near-necessity while working from home. And 85 percent of employees perform actions — like placing a family Amazon order or posting a status update to Facebook — on work devices, going against the policies of many companies.
“There’s not really a distinction anymore; our personal and professional lives are intertwined,” Dewing said. “We need to build security with that in mind.”
Unlike that family PC running Windows 95 that needed only antivirus software, contemporary users have to come at cybersecurity from three angles: devices, connection to the internet, and accounts.
Think of this in terms of home security. To protect one of these things but not the others would leave a user open to attacks, much like a barred front door serves little purpose if ground-level windows are open and the back door is ajar. If users have a secure device and excellent passwords, an unprotected network still can leave them vulnerable.
Dewing recommends a “reputable, solid, well-respected VPN” — not unlike those included in Rubica’s monthly subscription — that can create a “separate secure tunnel between you and whatever you are accessing online.”
“We think of your device as your vehicle onto the internet, and with all the things you are doing online, you have that digital bodyguard basically around you,” Dewing said of Rubica’s VPN.
Finally, Dewing said companies also should be thinking about deploying network layer threat detection, a standard for enterprise cybersecurity. Instead of looking for something malicious, look for behavioral indicators that suggest suspicious activity.
“If your device gets infected with malware, ultimately that malware is there to do something, to collect your data and send it out,” she said. “We’re watching for those in-and-out communications; that is where you can detect threats.”
At the end of the day, individuals and businesses can experience monetary and even psychological distress in the face of such a breach.
Dewing sometimes tells the cautionary tale of one phone call she received in the early days of Rubica’s founding, when a high-net-worth individual phoned after having money drained from his bank account. “He was literally yelling to his wife to unplug the toaster; he was afraid of everything electronic,” Dewing said with a laugh, before turning serious again.
“How can you fight something you didn’t even know was there?” she asked. “Don’t wait until it happens to you.”