Why COVID-Induced Work From Home is Open Season For Hackers

By Russ Levanway, President

Working from home has become a new norm for many of us, and it looks like it will be for some time. Just last week, Google announced that it won’t require employees to return to the office until next summer, a year from now. Other major companies like Twitter, Facebook, Coinbase, Shopify, and Square have told employees they can work from home indefinitely or, in some cases, permanently.

As wonderful as it is to be able to continue working in the midst of a global pandemic, the truth is, working from home has compromised many peoples’ security posture. Many of us have relaxed our commitment to keeping computers safe while working remotely, and for hackers, it’s become open season.

Think about it. Pre-COVID, when employees needed to share files with one another, they often did it in person or over secure on-site networks and company-owned computers. In other words, employers could mostly contain the flow of sensitive information. Now, with people working away from the office, they often use their personal computers and devices (which may or may not be secure), or over connections that also may or may not be secure. With coworkers emailing each other attachments of files instead of accessing them on a network share, a much higher level of risk is introduced. These security lapses are of course unintentional, but they can still result in major breaches.

Unfortunately, we’re seeing this across our client base. It can happen to the most well-intentioned person. Let’s say you open an email from what appears to be a legitimate source, like your bank. The email might ask you to set up a new account or reset your password, and it offers a link to get the process started. That link leads to a website that prompts you to reset your password. Everything may look authentic, but behind that innocent front is a credential harvesting system that uses your username and password — which you just supplied them — to remotely log in to your email.

And what do hackers do next? They wait, watching your email activity, and learning your habits. After maybe a couple of weeks, they’ll impersonate you to wire money from your bank account to an overseas account (a true story that I’ve seen transpire multiple times this year). They’ll use your real email account with your real signature to do it.

In other words, it looks real because it is real.

Before you know it, you’re missing $100K or much, much more. In the past, this could have been prevented by a quick walk down the hall or a paper trail approval in the finance department. However, now, these simple precautions were skipped because everyone was working from home.

This is a concrete example of an issue that’s incredibly prevalent right now. Yes, it’s scary, and it’s happening because communication is much more distributed, with everyone on their own “islands,” often using their own less-protected equipment.

Why doesn’t antivirus catch it?  This method doesn’t rely on an actual virus on your computer. Hackers are obtaining and using your legitimate credentials: your username and password.

Hackers are exploiting every advantage right now. But, there are ways to secure your working environment more effectively.

Here are three categories of things to focus on to fight back: what you can do, what your IT professional should do, and what you can do together.

1.) What can YOU do?

  • Practice a higher degree of vigilance.

This can mean several things, but the easiest is to distrust any emails unless you can verify the source.

  • Never, never follow a “reset password” link.

It’s almost certainly not legitimate. If you get an email from somewhere like, for example, Chase Bank, go to the standard Chase Bank website on your web browser and log in normally. From there, you can check your secure messages to see if the request is real. This is one of the single best things you can do to protect yourself.

  • Avoid sending or receiving email attachments, period.

There are much better and more appropriate tools for sending files, including services like ShareFile.

  • Make it a point to reset your passwords frequently, and never use the same password for different websites.

If you use the same password at work as you do on LinkedIn, Home Depot, Target, and Anthem Blue Cross, if a hacker breach steals your credentials from any one of those (as they did with LinkedIn, Home Depot, Target, and Anthem Blue Cross!!), they can now get into all of them — including your work email. And they will definitely try.

2.) What can your IT team do (with your approval)?

  • Set up two-factor authentication.

With two-factor authentication, when you attempt to log in to an account, you also have to prove yourself through a second credential. This could be through a text message, phone call, or some other method. With this in place, your account on a website is doubly secure. For instance, let’s say someone hacks in from Russia. They use your correct username and password, but the site requires two-factor authentication. A code is sent to your phone to complete the second step to log in. The hackers don’t have your phone, so they can’t hack into your account; that’s good protection.

Two-factor authentication is still slow to catch on, though. It’s sometimes seen as too complicated, too much of a hassle. But there are new systems and applications coming out that make the two-factor process easier. Work with your IT department to see if one of those would work for you or your company.

3.) What can you and your IT professional do together?

  • Secure your home computer and devices.

In a work-from-home environment, your personal computer is only as secure as you’ve made it to be. Any technological assets used for working at home really need to be company assets now, and should be treated and protected as such. That’s an internal company decision you would need to make.

Then, your IT team can install standard antivirus and monitoring software, at minimum, to bring your personal computer up to date with those on the company contract. This partnership can go a long way toward keeping every asset — whether personal or professional — protected and safe while you work from home.