Blog
Beware of TMI: Cyber Crooks Are Watching
Research conducted since the start of the COVID-19 pandemic shows an increase in cyber threats as cybercriminals try to take advantage of users working remotely. What most users may not realize is that they could be making it easier for threat actors to target them.
Here’s how: Every time a user posts a picture of his or her remote office setup on social media or participates in a videoconference, the user unwittingly may be revealing personal or company information that threat actors can exploit. In an opinion piece published by the Wall Street Journal , a cybersecurity expert warned about the dangers of over-sharing.
“People often don’t realize how much personal information they are revealing in photos—images of their houses and hobbies that provide clues about their usernames, passwords and other personal information. And hashtags like #WorkFromHome and #HomeOffice make it convenient for crooks to zero in on photos that contain those details,” wrote Jason R.C. Nurse, a cybersecurity at the University of Kent’s School of Computing in the U.K.
Nurse notes that so far, no cybercrimes have been documented as a result of sharing photos during the pandemic, but the potential is there. There is no doubt, however, that threat actors have upped their game, as evidenced by separate studies that (ISC)2 and ISACA have conducted.
In the ISACA study , 87% of respondents believe the rush to set up remote workstations to cope with the pandemic has increased data protection and privacy risks. The (ISC)2 poll , meanwhile, found that nearly a quarter of respondents (23%) have seen an increase in security incidents at their organizations since work-from-home policies were instituted, in some cases as many as double.
Too Much Information
In the Wall Street Journal article, Nurse says online crooks can scour photos to identify personal information that users don’t realize they are sharing. For instance, an Amazon package could contain a person’s name and address. Photos from a birthday party might reveal someone’s birthday and age.
A threat actor could pull that information together in a phishing email containing enough personal details to make the email believable and prompt the recipient to click a compromised link. The same type of information can be shared in web conferences, Nurse noted.
Cyber attackers can also glean information about hobbies and interests from social media posts, photos and videoconferences. Sports team memorabilia, books about a particular topic, and other objects can deliver the clues cybercriminals are looking to use to lend credence to their attempts to trap unsuspecting users.
Corporate Details
In addition to unwittingly revealing personal information, remote workers may also expose corporate details without realizing it. “My preliminary analysis of photos from the new wave of work-at-home postings has found that people unwittingly reveal images of sensitive internal corporate correspondence and webpages on their screens—a trove of information for criminals,” Nurse wrote.
Users can even reveal information about the technology they are using, such as laptop serial numbers and software applications. A criminal could use that to call a company’s helpdesk, pose as a user and obtain information that provides access to the person’s system.
Everything Nurse describes in his article is avoidable, so long as users are made aware of the risks. It’s an important reminder that cybersecurity isn’t just about technology; it also involves a strong human factor that every organization needs to address to protect itself and its users.