Cybercrime is flourishing during the pandemic, including for work-at-home employees. Be extra careful with credit card and other financial information – yours and your employer’s.
The pandemic has been a boon for cyber criminals, created partly by the transition from working in offices to working from home. Remember to be extra careful with credit card accounts and other financial information – both yours and that of the company you work for.
This year alone, there were 1,111 cyberattacks, compromising the personal data of more than 185 million people, according to a recent report from the Identity Theft Resource Center. That’s 233 more cyber attacks than in all of 2020.
Top on the cyber criminals’ to-do lists this quarter: phishing attacks and ransomware demands.
Many telecommuting Americans don’t have the luxury of leaving cyber threats at the office anymore. As we’ve transitioned to working from home or hybridized office schedules, cyber crooks know what pressure points to target, and where we’re vulnerable, says James E. Lee, chief operating officer for the Identity Theft Resource Center.
“The criminals who do this are not dumb,” says Lee. “They have great insight into human behavior. And they use our own behaviors against us.”
One common gambit: Posing as an employee or client, the criminal “creates a state of emergency” and requests assistance, says Jim Van Dyke, senior vice president of innovation for Sontiq and inventor of BreachIQ. That assistance happens to involve clicking on a link, opening a corrupt file or email, or sharing information.
The ploy “appeals to the desire of people to help or not to get in trouble,” says Van Dyke. “It’s amazing how well it works.”
One criminal fooled a work-at-home employee into handing over financial information by posing as another employee from a different department, recalls Van Dyke. If the employees had been working in the same building, the ruse might not have worked. But add in distance working, employees who are – quite literally – virtual strangers and an artificial sense of urgency (a grifter’s best friend), and the worker handed over the files as requested, he recounts.
When it comes to security, the migration to working at home “has clearly changed everything,” says Al Pascual, senior vice president of data breach solutions at Sontiq. “We’re learning as we go.”
Not all the news is bad. While cyber attacks are more common, fewer individuals are having their data stolen.
In pre-pandemic 2019, there were 928 cyber attacks – 183 fewer than 2021, according to the IDTRC. But 844 million consumers had data stolen, as opposed to 185 million consumers this year.
“Part of the general trend that we’ve seen: Cyberattacks are up and data breaches are up,” says the IDTRC’s Lee, but “the number of individuals impacted is down.”
See related: How to protect yourself from credit card fraud
Financial data brings special challenges
At the start of the pandemic, when everyone was working from home – and many people didn’t know if they could pay their bills – customer service lines to card issuers, banks, and lenders “were flooded with calls,” says Danielle Fagre Arlowe, senior vice president at American Financial Services Association. To meet the demand, employees had to be able to access sensitive customer data from home, safely and securely.
Financial institutions managed this by “really upping their virtual private network (VPN) game,” Arlowe says, and investing a lot of money “to make sure the customer experience was the same.”
From card issuers to loan servicers, institutions armed work-at-home employees with devices that connected to secure VPNs, says Arlowe. “Both incoming and outgoing calls go through the computer,” she says. “I could be sitting at my customer service desk or at home, and the only difference for the consumer is if my dog barks.”
How it often works: Customer records can be viewed, but the system is essentially closed, Arlowe says. Records remain in the company database and can be updated, but they can’t be copied, stored elsewhere, downloaded or printed.
“Witnessing what financial institutions did – it was something to behold,” says Arlowe. “They completely pivoted their business models.”
It looks like the trend may be here to stay. When PwC (formerly Pricewaterhouse Coopers), surveyed 50 financial service executives, it learned working from home is not only popular with employees, but good for financial institutions, too.
U.S. business in general seems to be moving in that direction. In a separate 2021 study, PwC surveyed 133 executives across various industries about the work-from-home shift. More than 70% were planning to increase investment in secure virtual connectivity.
Work-from-home tech challenges
Part of the challenge with securing information when employees work from home is logistics.
There’s no question that with more employees working remotely “you have a loss of control,” says Van Dyke. You never want employees using personal devices with their work computers, for example. If you work remotely, he says, “never put USB drives into, or charge your phone with, your work computer – especially if you deal with sensitive data like credit card numbers, account numbers or Social Security numbers.”
Where companies used to be able to see what employees were doing with office devices, he says, “now, with work-from-home, you’ve taken that away.”
Lee agrees. “If you’re the person responsible for securing the laptops and the desktops, it’s a lot easier when all the laptops and desktops are in one place,” he says.
But many security experts concur that, after some initial hiccups, employees and companies have adapted well.
Companies are employing several different strategies, including providing virtual private networks (VPNs), giving employees dedicated routers and using a variety of other tools to make remote working more secure. Some also offer home office subsidies or cover the cost of upgrades, like high-speed internet or additional equipment and software aimed at protecting data.
That’s definitely the way to go, says Pascual. “As an employer, I don’t know how much we can rightfully ask folks to do,” he says. “The onus is really on the business, the organization, to keep the company’s data safe. It shouldn’t be on the employee.”
Now, almost two years into the pandemic, work-at-home employees are seeing “the same kind of issues you’d have in the office,” says Lee. The only difference: For companies, it’s “more difficult to monitor behavior and compliance.”
It’s also difficult to pin down exact causes of various breaches, even if security professionals have their suspicions. Smaller breaches can go unreported. And companies don’t always publicly divulge all details of how cyber criminals gamed a system.
How can a work-at-home employee avoid scams?
One big step in preventing problems is recognizing you could be a target. “If you’re working from home be on the lookout for more scams,” says Van Dyke.
It may be a phishing attack that starts with a legit-looking work email. Or a purported client or co-worker with an urgent request.
“People are taking advantage of individuals working from home,” Van Dyke says. “They’re doing reconnaissance, using LinkedIn or other sites to see who’s working from home and what their responsibilities are. If [employees] work with individual data, they should be particularly careful.”
10 things you can do to protect sensitive data when you work from home
- Never connect work and personal devices. No, you can’t charge your phone through your work laptop. Ditto connecting cameras or gaming systems.
- Use a secure VPN whenever you can, especially if your office provides it. These services can protect sensitive data from prying eyes.
- Don’t recycle or reuse passwords. As much of a pain as it is (and it is), devise a different password every time it’s required. And change them regularly.
- Go beyond passwords. Where possible, opt for two-factor authentication, says Lee. Even better: Use authentication apps. That way, if someone clones your phone, your accounts are still secure.
- Keep friends and family members off work devices. No “going on for a minute” to check email or post to social media. And set work devices so they auto-lock after a short period of inactivity – and require a password to unlock.
- Don’t share passwords. Tougher when everyone you know and love is using the same work/living space. Still using the factory-set passwords on equipment and devices? Change them.
- Make sure your equipment is up to date. “If you’re using an old router that’s never been updated, now is a good time to ditch that and put in a new one,” says Joseph Krull, strategic advisor for cybersecurity for the Aite-Novarica Group.
- Never view more data than you need. Many larger companies don’t put all of a consumer’s data in one file – which limits risk for employees and consumers, says Van Dyke. His tip: Open only what you need, then close and hard-delete files as soon as you’re finished.
- Always double-check email addresses before you hit send. In one all-too-relatable anecdote, Krull recalls a bank employee who accidentally sent marketing and pricing information to the competition when an email program auto-completed the wrong recipient.
- Be careful with smart speakers. “Those record even when they’re not on,” says Lee. “You can’t necessarily turn them off because that’s how they’re hardwired.” His tip: Give voice-activated devices a unique password and adjust settings so recordings aren’t kept or “sent back to the mothership.”
It all comes back to being aware of the challenges, staying on top of the technology and asking for help – or a second opinion – when you need it. If something smells fishy, or if someone’s demanding something in a hurry, don’t be afraid to contact them or a boss on a different channel to verify there’s a genuine emergency.
“Cybercriminals are going to use every trick in the book to get [you] to do something stupid,” says Krull. “Keep their head on a swivel – like they say in the military. And [don’t] feel stupid reporting something.”
Credit card and other sensitive information – yours and possibly your company’s – are increasingly vulnerable to systems and equipment that you (not your employer) set up and monitor. Put security measures in place now, because remote work is likely here to stay. “I foresee that we’ll be in the work-from-home or hybrid environment for years to come,” Krull says.