• Credential theft is when fake webpages are created that look real for the sole purpose of stealing logins and passwords to access legitimate accounts.
  • The top targeted companies for phishing scams from credential theft include Paypal with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook 7,500 fake pages.
  • To prevent falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, double-check the email address of the sender, and change their password if they believe they used a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. Credential stuffing is a type of cyber attack where stolen credentials, like usernames and passwords, are used to gain access to other accounts that share the same credentials. There is another term not heard as much, but just as prevalent: credential theft.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about creating fake websites that look real for the sole purpose of stealing logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake website login pages that are used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must have credentials. Where do data thieves get the logins and passwords needed to fuel these attacks? The most obvious way is through data breaches everyone has seen over the years, where millions of credentials are stolen in a mass attack. However, there are less obvious ways, too. One of those less obvious ways is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage; fake login pages that look like they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages from more than 200 recognizable brands with a high volume of web traffic.  

These fake login pages are used in phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the login page is fake, leading unsuspecting victims to enter their real login and passwords into a fake webpage. That is all it takes for data thieves to have actual credentials from live accounts. They do not even have to buy or steal any data.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek and shut-down these and other kinds of fake webpages, websites, social media accounts and text messages that are used to collect personal information from their legitimate customers and prospects. However, research shows that credential theft is easy for a couple of reasons. The first is because malicious phishing emails that deliver fake login pages can easily bypass cybersecurity tools and spam filters just by making small changes in the email.

Inattentional Blindness

The second reason is because of inattentional blindness; when something looks so familiar or causes you to focus so intently that you don’t see the apparent errors hiding in plain sight. An example of inattentional blindness comes from a study where people were told to watch a video to count the number of people wearing white jerseys as they passed a ball. More than 50 percent of people taking the test missed the fact that one of the players was wearing a gorilla suit.

How Inattentional Blindness Applies to Identity Theft

Credential theft attacks translate into the inability to spot the tell-tale signs of a phishing scheme, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, navigate directly to the website or webpage you are trying to reach instead of using a link.

2. If the link arrives in an email, double-check the address of the sender. An email address can be masked to make it look legitimate in the sender line. However, if you click on the sender’s name to see the actual address, you may find the email from mybank.com is actually from bob@scams-r-us. Get into the habit of checking email addresses.

3. If you believe you used a fake login page, change your passwords and alert the security team at the company whose login page has been spoofed as soon as possible. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters. It will take an automated hacker tool 300 years to break that passphrase, as well as be easier to remember.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Read more of our latest breaches below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

Cense.Ai, Freepik and ArbiterSports Headline Recent Data Breaches

Right now, there is a particular kind of data exposure that is mystifying security experts around the world. Every week, the Identity Theft Resource Center (ITRC) takes a look at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, we are looking at an attacker who is erasing insecure cloud databases and leaving a single word as their calling card: meow. Yes, it is a “meow” attack.

Where It All Began

The story begins 20 years ago when threat actors were known as hackers. They were just as likely to be your neighbors’ kid than a criminal mastermind in a foreign country. For visual, you can think of the 1980’s movie War Games where Matthew Broderick breaks into a super-secret pentagon weapons system to challenge the computer to a game of thermonuclear war and tic-tac-toe.

Fast forward to today, and the average threat actor is part of a well-organized criminal enterprise where stealing and selling personal and company information is the bottom line. It is a multi-billion-dollar business that runs like a regular business – that is, if it weren’t illegal.

Unsecured Databases

Every week the ITRC talks about data breaches from the previous week and how they happen. In July, one week we focused on the top reasons data breaches occur, and pointed out that IBM’s latest research shows misconfigured cloud databases are tied for the number one reason personal information is compromised, even if it is not stolen.

Unsecured databases have been a growing cybersecurity problem since 2018, and some of the world’s biggest data compromises have been the result of poor cybersecurity practices. In 2019, a mystery web database containing four billion records linked to 1.2 billion people had no password protection and was accessible on any web browser.

Later in 2019, databases that included hundreds of millions of records were exposed at First American Financial Corp., email validation firm Verifications.io, and Capital One Bank.

What Is Happening Today

Now, in a throwback to the time before professional hackers, either someone or some group is trolling the internet using the same automated tools as professional data thieves. They are looking for cloud databases that do not have proper security. However, instead of stealing the information, the Grey Hat attacker is deleting the information it finds and is replacing it with the word meow.

As ITRC COO James Lee says in the podcast, “In other words, a modern-day Robinhood is treating the internet as their own personal Sherwood Forest and taking from the data-rich to protect the personal information of the masses.”

When the Attacks Were Discovered

The “meow” attacks were discovered in early July by cybersecurity researcher Bob Diachenko. Diachenko has since identified more than 4,000 “meow” attacks, including one where 3.1 million patient records were erased at a medical software company because the database housing the sensitive information did not have a password to secure the data.

What the ITRC Recommends

The ITRC disapproves of vigilante justice, even when protecting consumers from having their personal information misused. The ITRC condones and strongly encourages businesses to make sure they have properly configured their security tools before putting an internet-accessible cloud database into production. To use a pun, doing so may help “keep the cat in the bag,” where it belongs.

notifiedTM

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Read more of our latest news below

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

People are spending more time on their phones, tablets and computers now than ever, making the importance of cyber-hygiene tips as paramount as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

This is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

For anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.


Read more of our related articles below

The Unconventional 2020 Data Breach Trends Continue

School District Data Breaches Continue to be a Playground for Hackers

Is This an Amazon Brushing Scam?

Ransomware is something no one wants to end up with. It is a type of malicious software that is designed to deny access to data or a computer system until the hacker is paid. Ransomware is just one of many forms of malware, code that is developed by cyberattackers to cause damage to data and systems or gain unauthorized access. While there are many different types of ransomware, the operators behind the Maze ransomware attacks are some of the bad-actors at the core of many of these types of data compromises or phishing emails.

Maze is considered a sophisticated Windows ransomware type with the threat actors using it to ambush many organizations with demands of cryptocurrency payments in exchange for the stolen data. The impact of the Maze group and other similar ransomware exploits has led to a growing problem.

According to healthitsecurity.com, in May, the Maze operators published two plastic surgeons’ stolen data for sale on the dark web after a successful ransomware attack. A little over a month earlier Maze operators hit Chubb, a cybersecurity insurance provider for businesses that fall for data breaches. According to CRN, the Maze group just recently stole 100 GB of files from Xerox.

However, there are actions that consumers and businesses can take to reduce their chances of an attack:

  • Consumers should use reputable antivirus software and a firewall
  • People should consider using a virtual private network (VPN) when accessing public Wi-Fi or untrusted Wi-Fi
  • Consumers and businesses are both encouraged to make sure all systems and software are up-to-date and have the relevant patches
  • People should not provide any personal information in an email, phone call or text message they are not expecting
  • It is important that consumers do not click on any links from emails, text messages or instant messages they are not expecting; instead, they should go directly to the source

The Maze ransomware has impacted many; businesses and consumers should do what they can to protect themselves and their data.

Anyone who has questions or believes they are a victim of a Maze ransomware attack, or any sort of malware attack, can live-chat with an Identity Theft Resource Center expert advisor for tips.

They can also call toll-free at 888.400.5530. Finally, victims can download the free ID Theft Help App for instant access to advisors and resources.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

This post will be updated as more information becomes available

Contact tracing scams have begun to pick up steam with the evolving technology coming closer to becoming a reality. Some of those scams include hackers and fraudsters posing as contact tracers – both online and in person – trying to steal personally identifiable information (PII), personal health information (PHI) and other personal data.

The United States began the re-opening process after the COVID-19 pandemic closed many aspects of daily life. That is expected to include many precautions to keep people safe, including contact tracing – a method used to find the people who may have come into contact with someone infected with COVID-19. In fact, many people anticipate contact tracing will play a large part in keeping people informed of their risk of exposure until a vaccine is available.

Apple and Google are cooperating to ensure the different phone operating systems are compatible for contact tracing purposes. Apple and Google are also working with health departments across the country to figure out how to roll-out an effective contact tracing Bluetooth-based system that would allow public health departments to create their own contact tracing apps. Despite doubts from some health officials on how useful Apple and Google’s optional systems will be, the two tech companies have developed the digital contact tracing system, and have included it in their latest software updates. Contact tracing apps have already rolled out in other countries. According to MIT Technology Review, so far, there are 25 contact tracing efforts globally. However, none of those apps work in the U.S. Consumers should beware of any attempt to entice them or someone else to download and register for an app.

While app development efforts continue, scammers are tricking people into contact tracing scams using fake apps that steal their personal information. The Better Business Bureau of Connecticut warns people about text messages in their area that appear to be linked to COVID-19 contact tracing, alerting people that they were near someone who tested positive for coronavirus. Police in Washington state are alerting residents of contact tracing scams going around trying to steal sensitive information, including credit card information and Social Security numbers. The Champaign-Urbana Public Health District urges residents not to fall for contact tracing scams, adding that they will never alert people of a positive test via text.

In all of these scams, fraudsters are trying to steal people’s personal information, whether it is by trying to get them to click on unknown malicious links or simply asking for them to provide it. Hackers then have the ability to turn right around and sell the information, which could lead to identity theft. Even when legitimate apps are available, users should check to see if the data they share will be used for marketing purposes without their permission or sold for other purposes.

To avoid a contact tracing scam, people should stay informed on the latest contact tracing details, as well as the most up-to-date COVID-19 information from their state and local health departments. Local health departments will inform people of what a legitimate contact tracer will ask and any protocols they will follow. If anyone gets a text or notification they are not expecting that they were in contact with someone who tested positive for COVID-19, they should ignore it and call their local health department to confirm the validity of the message. They should not provide any information they are asked for, nor should they click any links, open any attachments or download any files.

If anyone believes they have fallen victim to a contact tracing scam or is a victim of identity theft, they can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. An advisor can help victims create an action plan on the steps they need to take that are customized to their needs.


You might also like…

Online Shopping Safety a Priority During Coronavirus Pandemic

Five State Unemployment Department Data Exposures Uncover System Flaws

COVID-19 Could Lead to Increase in Travel Loyalty Account Takeover

Unemployment identity theft, also known as unemployment fraud, continues to skyrocket across the United States during the COVID-19 pandemic; particularly hard-hit is Washington state. A possible Nigerian fraud ring could be to blame for many of the cases involved in the uptick. According to the New York Times, a group of international fraudsters from Nigeria are believed to be behind a sophisticated attack on the U.S. employment systems, an attack that has already led to millions of dollars being stolen. While the U.S. Secret Service is still working to identify everyone involved, Special Agent Roy Dotson believes the unemployment identity theft is being aided by mules (people who transfer illegally acquired money on behalf of or at the direction of another) being used for money laundering after making connections with fraudsters online.

According to a memo from the U.S. Secret Service in the New York Times article, investigators received information that suggested the scheme was coming from a Nigerian fraud ring, and that hundreds of millions of dollars could be lost. Washington state is believed to be the primary target for the unemployment identity theft and unemployment fraud attacks. However, there has also been evidence of similar attacks in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Maryland and Wyoming.

The Identity Theft Resource Center (ITRC) believes many fraudsters are trying to take advantage of more people, money and activity running through state employment offices due to the unusual lengths that government has gone to support Americans in light of the COVID-19 pandemic financial impacts. The ITRC has received reports from victims where workers have received notifications that their unemployment application was approved, even though they did not apply or are still working.

There are things consumers can do to prevent the likelihood of becoming a victim of identity theft as a result of an unemployment identity theft attack. If someone has an account with a government agency, they should upgrade to a passphrase and check to see if their information has been changed. If it has been changed, it should be reported to the state agency. It is also important for people affected to update all of their accounts to passphrases, to make sure their passphrases are not reused, or that a work passphrase is shared at home and vice versa. It is important to update passphrases and not use them across multiple accounts because identity thieves use stolen login information from data breaches to commit other crimes like unemployment benefits identity theft.

It is also a good idea for people to freeze their credit because it prevents new accounts and new obligations from being created that require a credit report. However, it will not stop the creation of an account with a state agency. To help protect personal information from being used in a cyberattack, it is a good idea for people to keep all of their software up-to-date, including their anti-virus software.

If someone believes they are a victim of unemployment identity theft or unemployment fraud, they are urged to live-chat with an ITRC expert advisor. Victims can also call toll-free at 888.400.5530 to leave a message for an advisor to return the call. Advisors will help guide victims and walk them through the process by creating an action plan that is tailored to their needs.


You might also like…

Five State Unemployment Department Data Exposures Uncover System Flaws

Key Ring Data Leak Exposes 14 Million Users Sensitive Information

Online Shopping Safety a Priority During COVID-19 Pandemic

Password security has been a hot topic for a long time. That is because passwords stand as the most commonly used tool to keep unauthorized individuals out of accounts and files. However, as technology changes and hackers adapt their methods to keep up, what was once considered best practices can change as well. That is why users need to keep up with the latest password advice. Today’s recommendations may evolve again in the near future, so staying up-to-date with the latest best practices is key to ensuring data is safe.

New password advice from top experts in cybersecurity updates how individuals should manage their password practices. For example, the “password” has fallen out of favor with some major corporations, like Microsoft, and law enforcement agencies, like the FBI. Instead, using the more descriptive and secure “passphrase” is recommended. Also, the once “golden rule” of changing passwords frequently—and requiring routine forced resets—has now been updated to reflect why this is not necessarily the best security habit.

First, a passphrase is a much longer security tool. Studies have found that a password’s “guessability” by hacking software decreases exponentially with every additional character. The six-to-eight characters guideline for passwords has been replaced with the recommendation of a nine-to-ten character passphrase. A passphrase, unlike a single word or acronym, is a short combination of words that mean something to the user. It can make the user more likely to create unique logins for every account they own instead of reusing a single password on multiple accounts. Common, strong passphrases could be things like the name of a favorite song, a movie quote or a favorite team cheer, such as “BoddaGettaBoddaGetta” or “HookEmHorns.”

Replacing a password/passphrase routinely has also been shown to have a downside. When users are forced to change a password/passphrase, they often simply alter just one character. For example, passwords such as “doghouse1” become “doghouse2,” which makes it easier to guess during attacks like credential stuffing.

Experts warn that passwords/passphrases should contain a combination of uppercase and lowercase letters, numbers and symbols. However, that password advice has also been re-examined. The likelihood of a user establishing and remembering a complex combination for every single account is not very high. However, creating a unique passphrase for every account is both more secure and a more likely practice.

Some of the password/passphrase advice has not changed. It is still important to create different passphrases for every account—meaning a separate phrase for every account—and to enable multi-factor authentication when possible. It is also important to avoid any passphrase similarities between work and personal accounts and not share login credentials with any unauthorized users.

As with all technology-related practices, the most important thing for users is being adaptable and able to evolve as the ecosystems change to address exploits. Microsoft, for example, has introduced three different methods for a no-password logon and has reported a lot of success. Keeping up with security findings and fitting them into daily use is a valuable way to protect valuable data and users’ identities.

If anyone has questions related to cybersecurity or password best practices, they can talk to one of our advisors via LiveChat by visiting our website, www.idtheftcenter.org.


You might also like…

COVID-19 COULD LEAD TO INCREASE IN TRAVEL LOYALTY ACCOUNT TAKEOVER

COVID-19 CATFISHING SCAMS MAKE A REBOUND AMID PANDEMIC

CAM4 DATA EXPOSURE LEAKS BILLIONS OF RECORDS FROM ADULT STREAMING WEBSITE

During the COVID-19 pandemic, people are not traveling much – if at all. As a result, people could be more susceptible to travel loyalty account takeover (accounts that may include large amounts of personally identifiable information like driver’s license and passport numbers). They could also be more vulnerable to attacks because of past breaches and exposures like MGM, Marriott, Choice Hotels and Carnival Cruise Line, to name a few. Many experts are predicting a long, slow recovery to reach a sense of normalcy, while others believe “normal” will never be quite the same. One of the most impacted areas where that is expected is the travel industry.

With a 95 percent drop in passenger travel and most air passengers flying only in emergency situations, it could be hard for some to envision a speedy recovery for the travel and hospitality industries. For that reason, there is another precaution that consumers need to take in this time of quarantine: monitoring their travel loyalty accounts.

COVID-19 could make it easier for fraudsters to steal consumers’ credit card information, passport information, names, dates of birth, along with any other information included in a travel loyalty account. It could also allow scammers to steal credits and travel funds. In fact, one source cited an estimated fourteen trillion flight and hotel miles already go unused each year. That means a lot of travelers are saving up their bonuses or banking credits for unused trips but not cashing them in at the moment, which could attract hackers to travel loyalty accounts as a means to get their hands on PII as well as cash equivalent benefits.

Travel loyalty account takeover has been a problem for a long time. However, with people putting a halt to their travel plans for the immediate future, identity theft advocates like the Identity Theft Resource Center worry that those unmonitored accounts could be vulnerable to an attack due to lack of use or oversight. Account-holders need to protect themselves, and their accounts, in a variety of ways.

Fortunately, the steps that can help people protect their travel loyalty accounts are identical to the actions that users can take to secure any account type. First, people should monitor their account routinely for any signs of suspicious activity and report the activity immediately. Next, people need to be very cautious about clicking any links in emails, even ones that appear to pertain to travel loyalty credits or funds. Finally, people should secure their account with a strong, unique passphrase—one that is not easily guessed by hacking software and that is not reused on other accounts. It is also advised to change the account passphrase from time to time to prevent credential stuffing.

Anyone who believes they have fallen victim to travel loyalty account takeover is encouraged to live-chat with an expert advisor from the Identity Theft Resource Center. Victims can also call toll-free at 888.400.5530.


You might also be interested in…

COVID-19 Catfishing Scams Make a Rebound Amid Pandemic

CashApp Scams See a Rise Due to COVID-19

A Shift in 2020 Identity Theft Trends as a Result of COVID-19

Each year, the Identity Theft Resource Center (ITRC) reflects on the previous year’s exploits and anticipates trends for the next. When we first published our thoughts on 2020 back in December, it was stated that we anticipated the identity theft trends for 2020 would include 2020 being the year for privacy. While privacy remains an important topic, the recent changes in the landscape with other cyber issues have changed the conversation.

Data Breaches in Overdrive

Data breaches have continued to occur and the ITRC believes hackers and scammers will shift things into overdrive due to the amount of money that is about to flow through the economy, creating a redistribution of assets.

The coronavirus has forced most companies and their employees to work remotely. While that used to be a luxury, it is the new normal for many who previously haven’t had the experience. That has created a whole new challenge for companies, platforms, service providers and each individual employee.

In this post-COVID-19 shift, the ITRC anticipates breaches will continue to occur at an increased rate, both the number of breaches and the number of records exposed in a single incident. Given that there are a lot of new users that are creating an increase in user-data being housed in databases, it’s easy to see why this will be a potential outcome as a result of shifting workforces.

Increase in User Vulnerabilities Exposed

Security deficiencies are exposed daily, and more rapidly, because of the sheer volume of use of platforms. No one anticipated all of the vulnerabilities that would have to be fixed due to the increase in use. The ITRC has seen a massive shift in those priorities.

Now, issues that might have been well down the road to update need immediate attention because of how organizations have had to shift their use of products and services. Also, those providing those products and services must address the issues now to maintain the integrity of their users’ data.

There are other vulnerabilities with the new remote workforce that will be exploited as they become apparent over the course of the coming weeks and months.

Cybersecurity Issues Exacerbated by Remote Work

The previous 2020 identity theft trends that the ITRC predicted, in all likelihood, will happen. What is now new are the challenges that shifting to remote work as the primary method of working due to COVID-19 entail. All of the problems like ransomware, phishing attacks and patching are still going to be issues. However, they will be exacerbated by this shift in business being done by remote individuals. People who are not accustomed to working from home will be easy prey for hackers and scammers to exploit because of their lack of familiarity with platforms and processes.

Adding to that, companies that moved to stand up a remote workforce quickly may not have the proper policies, processes and employee training in place to guide their workers.

ITRC Is Here For You

Predictions like the 2020 identity theft trends are only educated guesses, based on previous events and information. Businesses, policymakers and the public will have to wait and see how the 2020 trends for identity theft, cybercrime and data privacy play out. Regardless of what happens the rest of 2020, the ITRC will be available, working to teach each person how to fight back against the techniques scammers will use to commit identity theft and support victims through the process of regaining their identities.

For a complete look at the ITRC’s 2019 Data Breach Report, click here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

You might also be interested in…

With so many people working and socializing from home, more than just businesses – employees, families and friends – are trying to find a place to gather (hold virtual meetings, religious services, game nights, birthday parties and happy hours). Zoom has become “that meeting place” for most. According to the Chief Executive of Zoom, in December the video platform had approximately 10 million users, to currently over 200 million users.

While Zoom has become popular rather quickly, some of its security vulnerabilities have taken the spotlight too. Some of the recent Zoom privacy issues have included user data being sent to Facebook and a flaw leaving Mac users vulnerable to their microphones and webcams being accessed. Another Zoom privacy issue has included a lack of password protection. That has led to some meetings being “Zoom-bombed,” like an AA meeting where trolls harassed those participating in the recovery process.

Zoom executives have come out and said they are working to address the Zoom security problems, including enabling passwords by default in all future meetings, clarifying its encryption practices, releasing fixes for Mac-related issues and more.

In the meantime, there are few things users can do to make sure their Zoom meetings are secure.

Protecting Meetings

Zoom now offers its users multiple ways to protect their meetings. Users can secure a meeting with end-to-end encryption, create waiting rooms for attendees, require a host to be present before the meeting begins, lock a meeting and more. These features can be found in the host settings. These Zoom privacy measures can also help reduce the risk of someone getting into a meeting that does not belong and “Zoom-bombing” the meeting.

Protecting Data

According to Zoom’s website, recordings can be stored locally on the host’s device with the local recording option or on the Zoom Cloud with the Cloud Recording option that is available for customers who are paying for Zoom’s services. The meeting host can manage their recording through a secured interface and the recording can either be shared, downloaded or deleted. Zoom phone voicemail recordings are also processed and stored in the Zoom Cloud and can be managed through Zoom Client. Meeting hosts can manage the Zoom data settings in the settings tab.

Protecting Privacy

Zoom currently stores user email addresses, passwords, names, company names, phone numbers and profile pictures. Company names, phone numbers and adding a profile picture are optional for users. If a user is concerned about their Zoom security, they can elect to only provide their name, email address and password. Users will not be asked to provide any personally identifiable information and should report any message asking them to do so directly to Zoom because it could be a scam.

Oversharing

While Zoom has taken responsibility for its security issues, it is important users do their part. Oversharing their meeting information on social media can lead to some scary consequences, making it easier for others to join what was intended to be a private Zoom meeting. It could also lead to information in someone’s profile settings being stolen. To prevent oversharing, users should not post meeting information on any of their social media platforms. Instead, send the invitation directly to the person they would like to invite. Also, consider revisiting what level social media privacy and security settings are set – otherwise, users may be sharing more information than they intended with people they shouldn’t.

Avoiding Zoom Scams

Security issues are not the only problem Zoom is running into. A Zoom phishing attack is making the rounds threatening employees that their contracts will be terminated, and then asking recipients to input their login credentials in a fake Zoom login page.

There are also Zoom phishing scams saying people received a video conference invitation, like the one the Identity Theft Resource Center received that is pictured below. The email looks real because it is sent with “High Priority” as indicated by the red exclamation point. It is generically from “Zoom” and there is no name of the sender.

However, if you hover over the email address with your mouse, it shows a full address that is gibberish.

Do not click on links you are not expecting. Rather, go directly to your Zoom account to manage any invitations.

At the bottom, there is also no contact information or business logo verifying it is the company.

Image provided by Identity Theft Resource Center

In a statement to NBC 7 San Diego, a Zoom representative said that there are three web addresses that may appear in a legitimate invitation.

  • Zoom.us
  • Zoom.com
  • Zoom.com.cn

The rest of the statement said:
Users across all services and technology platforms should be cautious with e-mails or links received from unknown senders, and they should take care to only click on authentic links to known and trusted service providers. Zoom users should be aware that links to our platform will only ever have a zoom.uszoom.com or zoom.com.cn domain name. Prior to clicking on a link, users should carefully review the URL, being mindful of lookalike domain names and spelling errors.

If anyone ever comes across a Zoom email they are not expecting, they should ignore it and go to their work manager to verify whether or not it is real.

The current times are unprecedented and people are doing what they can to stay connected. Zoom and other video conferencing platforms will continue to play a large role during these times – and beyond. However, being aware of some of the Zoom privacy pitfalls, and can be done to keep themselves and their information safe while they are on their next virtual meeting, game night or happy hour should be the first priority.

The current times are unprecedented and people are doing what they can to stay connected. Zoom and other video conferencing platforms will continue to play a large role during these times – and beyond. However, being aware of some of the Zoom privacy pitfalls, and can be done to keep themselves and their information safe while they are on their next virtual meeting, game night or happy hour should be the first priority.

If people have questions regarding their privacy settings, they are encouraged to contact the Identity Theft Resource Center through the website to live chat with an expert advisor toll-free.

For those that cannot access the website, call the toll-free hotline (888.400.5530) and leave a message for an advisor. While the advisors are working remotely, there may be a delay in responding but someone will assist you as quickly as possible.


You might also be interested in…