When something big happens globally, that thing can change how humans see their lives and do their activities.
The 'COVID-19' coronavirus is no exception. Since declared a pandemic, unprecedented numbers of people started working from home.
With more offices closing their doors to limit the spread of the deadly virus, more homes become offices and workspaces.
And in the rush to fix the plummeting economy due to lockdowns, many companies and organizations were rushing on things to keep their gears and lubes running. And that happened to be a fail, at least in the cybersecurity criteria, simply because many people have never experienced this kind of crisis before.
While working-from-home (WFH) policies make working more casual and flexible, the boundaries between private life between work are breaking apart.
And not just that, as with businesses being done over home internet, through regular Internet Service Providers (ISPs), with unmanaged routers and printers, people are exposing themselves to a multitude of privacy and cybersecurity risks, with some that has never been seen in the past.
For starters, hackers know that in order to create a distance between one person to another, businesses and organization require communication to be done digitally.
And when the data is passed through the internet, the public space that is connected by servers and cables, hackers are quick in placing themselves in the game, trying to eavesdrop or even attack computers they see vulnerable.
They desire to scam and prey on people's desire to work, get news, by basic supplies and avoid the virus, as well as people's hope to recover quickly if they get sick.
Many old attacks were brought back because of the WFH policies. And not just that, as hackers are also introducing new threats.
One of the new forms of attack methods that happened following the pandemic, is weaponizing information gathered from victims' home.
This can be done by extracting information from seemingly harmless photos and videos, to create age-old traps to catch potential victims and find their weaknesses.
This has been done for countless of times in the past.
People share almost anything on the web and social media networks, exposing them to numerous risks of privacy and security. But with WFH policies, things went up a notch.
With more people use social media networks, and are working from home, the worrying trend is that, they are sharing their activities to the public, more than ever before.
From making video conference recordings available for replay for the public to see, posting online photos of home-working setups, posting their routine schedules, using series of hashtags #WorkFromHome, #WorkingFromHome, #RemoteWork, #HomeOffice and related hashtags in different languages, including the allude apps being used, like using the hashtag #Zoom and so forth.
Fraudsters, scammers and other cybercriminals just love when people share information openly online about their lives, personal or work-related.
These insights ease the work of those malicious actors.
In the pandemic where people stay at home and are overly anxious, stressed, away from supports groups and their loved ones, balancing work and personal life is already a choir.
Knowing that oversharing is often the side-effect of the lack of real-world human-to-human interactions and communications, hackers are preying on those vulnerable and unsuspecting people.
How Hackers Personalize Scams Using WFH Data
With social - physical distancing and WFH policies, many use online platforms routinely to communicate with colleagues, friends, family members and loved ones.
This should be harmless, until the data is shared to the internet, and fallen to the wrong hands, seen by cunning malicious actors.
While there are tons of ways hackers can extract information from targets, including by planting malware and so forth, but the one thing that the pandemic is introducing that has never been seen before in the past, is an open door to the inside of the victims' home.
In the past, scams that are a preferred form of attack for many criminals, require personalized data in order to increase the success rate.
For example, scammers have used victims' real names and addresses, the names of their relatives and so forth, as baits to their scams.
With the pandemic, where people are literally opening their front doors to the public, allow hackers to gather an increasing number of information to empower their scam attacks.
Through WFH activities being shared online, scammers can get a glimpse of potential victims, by seeing the background of video calls.
With web cameras becoming better and better, the amount of data that can be extracted can be alarming.
In one example, birthday parties expose birthdates, names and the number of people inside the household, pets, potential home addresses, and more.
Another example, is when working through a video-conference call inside the living room. This can also expose more variety of data, like hobbies and interest, the house layout, children being home-schooled, and so forth.
In many cases, this information can be presented and readily available in the background of video calls. From the sound of the TV show being aired, the home-made lunch, the picture hanging on the wall, the time of the day, the golf bag in the corner of the room, desk ornaments, and more.
From there scammers can also judge the financial status of the targets, their well-being, guessing their hobbies and favorites, and gather lots of other personal insights.
The variety of information that may be exposed in such contexts is endless and is only limited by what will fit into the web camera and recorded through the microphone.
The more the pieces of information that can be extracted, will put the person in an increased risk of scams if attained by the wrong individual.
And if the malicious actors targeting the person can plant a malware to the target, they can extract even more information, including work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers, and internal identification numbers of devices.
Put everything together, the result is a recipe for disaster and a huge privacy breach.
At the end, hackers that have more insight into their victims, add the chances for them to create increasingly powerful and targeted scam attacks, and even the possibility to crack passwords, knowing that passwords are often created based on favorite teams, music artists, hobbies, and children and pet names.
With malicious actors having more information about their potential targets, traditional security measures may not be sufficient in protecting WFH activities without adaptation.
What this means, businesses and organizations need to rethink their mindsets and approach to improvised security.
The most important element of effective security in a time of change is to realize that while people can do anything with computers and the internet, they can’t do everything with them.
Always remember that any personalized information can be weaponized.
Nothing should be taken for granted when it comes to the privacy of people in the world of the digital internet.
Companies and organizations must set policies that are important to preserve privacy. Should employees have cameras on or off for meetings? Should they wear earphones? Should they take notes on paper or digital applications? Should they use VPN for certain things? In what room of the house should they be while conferencing" What communications applications are acceptable? What happens when others intrude, see notes or overhear discussions?
People should always be mindful of what’s in the background of their photos or video conference calls. People may consider using a virtual background, if applicable. People should also use social media networks more carefully, and think twice about using popular hashtags that depict work-from-home activities.
Remote workforce will always be an uphill battle for many, simply because it involves digitizing real-life and automating the manual.
The job of security is not to eliminate all available risks, because all threats are not equally dangerous, and won’t all be exploited at once. Employers and employees must discuss risk early and often, and revisit triage on a regular basis. The risks people face during WFH will change as hackers improvise and cybersecurity enhances.
It should be noted though, that security on the internet is never "finished" because the opponent is never finished; cybercriminals are endlessly innovative and adaptive.
In the cat-and-mouse game, the best bet to be safe, is to have precautions, and keep ears closely to the ground.