ou likely already know that cybercriminals want access to your data and that’s it’s bad news if they’re successful in getting it. What many don’t know is what hackers do once they have data in their hands. How, exactly, are cybercriminals generating profit? In the era of COVID-19, many hackers are exploiting vulnerabilities to steal data in new and insidious ways. They are impersonating healthcare organizations, employers and charities and promising stimulus check advances to gain access to people’s information in a time of great fear and uncertainty.
Read on to better understand cybersecurity as a whole and cybersecurity in the context of COVID-19—and learn some basic steps you can take to keep your information more secure.
What Data do Hackers Want?
In general, cybercriminals want to steal data that they can profit off of. Makes sense, right? Of course, it’s not that simple. There are various types of data that cybercriminals can steal and exploit for financial gain.1. personally identifiable information
- Personally Identifiable Information
Cybercriminals often steal a type of data called personally identifiable information, or PII. Personally identifiable information is any data that can identify a specific person. This includes information such as your name, social security number, taxpayer identification number, date of birth, email address and telephone number.
Different types of personally identifiable information can help hackers accomplish different goals. Names and addresses can help them apply for loans or transfer money, email addresses can be the key to accessing online accounts, and phone numbers are crucial to commit phone scams.
- Account Credentials
Account credentials—typically a username and password—are the information needed to access an online account. Using stolen credentials, cybercriminals can commit a type of attack called an account takeover, during which criminals use account credentials to gain unauthorized access to an account.
Card InformationFor obvious reasons, financial information like credit and debit card numbers are also high on the list of the type of information cybercriminals want. Access to card information means access to money, which can generate a hefty profit for cybercriminals and mean bad news for you.
2 Tips to Pick Better Passwords
Even though a username and password are the most common way to authenticate an account, passwords are highly prone to be stolen by cybercriminals. Here are two ways you can make it less likely a hacker will breach your password:
- Pick a stronger password
Is your password 123456? 123456789? If so, you’re not alone. According to NordPass, an online password manager, those were the two most commonly used passwords of 2020. The third was picture1 and the fourth… password. As easy as passwords like this are to remember, they’re even easier for hackers to decode.
In fact, hackers can decode many of these overused, simple passwords in less than a second. That said, it’s a good idea to update your password to something stronger if you’re still choosing convenience over protection.
- Stop using the same password for all your accounts
Just like picking a password like 123456 is easier to remember than a complex one, remembering one password instead of 10 is appealing to a lot of us. In fact, an online security survey conducted by Google and Harris Poll found that among 3,000 adults in the U.S., over half (52%) reuse the same password for multiple accounts. Another 13% reuse the same password for all their accounts. Unfortunately, using the same password for some or all of your online accounts makes it easier for hackers to commit certain types of cyberattacks. It’s time to switch it up.
What Do Hackers Do with Data?
Now that you know some of the main types of data that cybercriminals like to steal, it’s time to learn why. Here are a few of the ways that hackers use your data after they steal it:
- Unlock even better data
When hackers get your data, they’re sometimes looking for the key to unlock even better data. Knowing that many people use the same authentication credentials across numerous accounts, hackers can use one set of credentials to target other accounts or companies in credential stuffing attacks—this highlights the importance of not reusing your passwords across various accounts.
Credential stuffing occurs when hackers use stolen login credentials from one account to try to break into accounts on other services. Cybercriminals use sophisticated bots to “stuff” stolen credentials into hundreds of accounts across different websites and apps. This makes users who rely on the same email and password combination across accounts vulnerable to having multiple accounts breached at once.
The hacker can then commit different types of fraud by doing things like stealing stored card information, draining loyalty points from accounts and committing fraudulent transactions.
This can happen on a small scale or much larger. In a recent example of a large-scale attack, hackers listed 500,000 Zoom account credentials for sale on a dark web forum in April 2020 after the company fell victim to a credential stuffing attack.
- Commit identity theft
Plenty of online services require users to enter personal information like their name, address and card number. When cybercriminals steal this personal information, they can use it to unlock benefits by pretending to be the person whose data they stole.
According to Javelin Strategy & Research’s 2019 Identity Fraud Study, 14.4 million U.S. consumers (around 1 in 15 people) became victims of identity theft. This is just in one year—a global cybersecurity awareness survey conducted by the cybersecurity and compliance company Proofpoint, Inc., found that 1 in 3 U.S. consumers have experienced identity theft at some point.
Identity theft can lead to steep financial losses. In fact, The Department of Justice found that identity theft victims experience an average combined loss of $1,343. It can also severely impact credit scores, resulting in significant emotional distress.
- Go phishing
Just like actual fishing, cybercriminals phishing use bait, often in the form of fraudulent emails, texts or phone calls, posing to be a legitimate institution. They then attempt to convince people to provide PII, authentication information or banking or card details. If they’re successful, the phisher can use the information they gathered to commit crimes like identity theft.
Phishing messages often try to tell a story that convinces victims to open an attachment or click on a link. Messages regarding “suspicious activity”, claiming there is a problem with your payment or billing information on file, asking you to confirm personal information or claiming you’re eligible for a refund from the government are likely fake. In the era of COVID-19, many phishing scams have revolved around stimulus payments and unemployment claims.
Phishers like to impersonate companies that people recognize and trust. Vade Secure, a predictive email defense company, found that the top five most impersonated brands used for phishing attacks in 2020 were Microsoft, Facebook, PayPal, Chase and eBay. Microsoft alone had over 30,000 unique phishing URLs. Hackers can potentially use each of these URLs in hundreds or even thousands of phishing attempts.
- Commit ransomware attacks
Sometimes, cybercriminals want to hold your data for ransom. To do so, they use a form of malicious software called malware to encrypt their victims’ files. Encryption is a way of scrambling data into an unreadable format so that only authorized parties can understand the information. This locks victims out of their own devices.
After cybercriminals encrypt a device, they demand a ransom from their victim, sometimes demanding they send a payment in a set amount of time if they don’t want to lose access to their data forever. If you fall victim to ransomware, you could lose access to your documents, photos, financial information and other files stored on your device.
The worst part? Since untrustworthy cybercriminals are behind the attack, paying the ransom doesn’t necessarily mean they’ll restore your access if you fall victim to ransomware.
- Sell it to other cybercriminals
Sometimes hackers profit from stolen data by simply selling it to other criminals. The dark web is a huge marketplace for stolen personal information and data. From credit card information to social security numbers, birth dates, passports and medical records, cybercriminals have a slew of data to purchase on the dark web to use for their own nefarious reasons.
The Twitter Hack that Had Everyone Talking in 2020
One of the most high-profile hacks of the year occurred in July, when some of the platform’s most famous users, including Jeff Bezos, Elon Musk, Bill Gates, Barack Obama, Joe Biden and Kanye West, fell victim to what Twitter called a “coordinated social engineering attack.” Companies, including Apple and Uber, were also targets of this attack.
The hack led to tweets being sent out from their accounts claiming that they would double and return all Bitcoin sent to a certain Bitcoin address. Although Twitter identified the scam quickly, the cybercriminals still made around $121,000 from 400 payments they received in response to the hack.
The Bitcoin scam was later attributed to an attack targeting Twitter employees “with access to internal systems and tools.” Undoubtedly, the hack stands as proof that not even the nation’s most wealthy and influential are immune to the power of modern-day sophisticated cybercriminals.
Cybercriminals & COVID-19: How They’re Exploiting the Pandemic
Cybercriminals are eager to exploit people, and a global crisis is no exception. Since the COVID-19 pandemic sprung up in the early months of 2020, hackers have exploited the pandemic to stage a number of cyberattacks.
Phishing is a popular choice for hackers looking to exploit fears surrounding the pandemic. A survey conducted by OpenText, a Canadian enterprise information management software company, found that 20% of 7,000 office professionals from eight different countries reported receiving a phishing email related to COVID-19. Here’s who hackers are impersonating in the wake of COVID-19:
- Teleconferencing platforms
Companies like Zoom, Skype and Google Meet quickly became venues of choice for phishers eager to exploit the influx of newly remote employees relying on virtual meeting hubs during the workday.
Cybercriminals deck out their phishing emails with the company they’re imitating’s logo and make claims saying you need to activate or reactivate your account or that you missed a meeting but can follow a link for more information. However, the link is actually a scam that grants scammers access to the information they need to commit cybercrime.
- Healthcare organizations
In a world dependent on reliable and ongoing news about the pandemic, fraudsters have taken to pretending to be various health agencies to prey on their victims. In one of the most recent examples, fraudsters impersonated the United Kingdom’s National Health Service, emailing recipients that they are eligible to receive the COVID-19 vaccine and asking them to accept or decline the invitation to schedule their vaccine.
Phishers even target healthcare providers themselves with messages regarding COVID-19 updates, business contingency alerts, purchase orders and returned mail. Some of the messages directed toward healthcare workers impersonated the World Health Organization.
Executive phishing, which is also known as CEO fraud or Business Email Compromise, is a phishing type where cybercriminals impersonate executives to try to fool an employee into executing wire transfers or giving away personal information.
Often, CEO fraudulent messages come from fake email accounts under the names of the executives at your employer. If you aren’t careful and don’t see the full email address, however, you might only see the sender name—which happens to be the name of your boss. These emails can be pretty convincing, as cybercriminals tend to do their research before picking a target and impersonating an executive.
To prevent this from happening to you, watch out for emails that seem unusually urgent or time-sensitive. According to the FBI, phrases like “urgent invoice payment” and “urgent wire transfer” are go-to’s from phishers trying to find an in. Take this type of message with a grain of salt, as a strangely time-sensitive request, is a classic red flag for a scam.
Cybercriminals have long taken advantage of their victims’ good-hearted nature and intentions by tricking them into donating money to fake charities. After convincing you to donate, they take your money and run. With the devastating global economic and health impacts of COVID-19, there’s plenty of opportunities for this type of scam.
Scammers impersonating a legitimate charity may contact you online or through the phone pretending to be representatives of the charitable organization. Others will establish fake websites that look similar to those run by actual charities, hoping to entice compassionate people into giving donations.
- Stimulus check updates
With two stimulus check rounds approved and another one being discussed, this is another area phishers are targeting. In some cases, cybercriminals impersonating the IRS will ask you to click a link to request your payment or verify your personal information to make sure you receive it.
Others will claim that you can get your payment faster or are eligible for a cash advance for a small processing fee. But as enticing as a cash advance may sound, that simply isn’t how the stimulus payments work.
What Can You Do to Protect Your Data?
There are some things you just can’t change, such as whether an organization uses a username and password for authentication versus a more secure method like biometrics. But that doesn’t mean you’re completely helpless. Here a few simple steps you can take to protect yourself from cybercrime:
- Use strong (and unique) passwords
The best complex passwords are random and hard to hack. Aim to use a combination of at least 10 capital and lowercase letters, numbers and symbols that have no ties to your personal information. If you’re worried about forgetting your password or mixing up which one goes to which site, consider using a password management site or app.
- Enable multi-factor authentication
Multi-factor authentication is an authentication method that only grants access to a user once they verify their identities in two or more ways. For example, some websites will ask you to enter your password, then, if the password is correct, send a push notification to your cell phone requesting access to the account. Though it may seem like a pain, enabling multi-factor authentication is a good choice to make wherever you have the option to do so.
- Stay updated on major security breaches
According to Risk Based Security, 2020 surpassed any year in history for the total number of records exposed in the first half of the year alone. A lot of times, these breaches happen on sites that millions to billions of consumers regularly use. By keeping track of which sites are getting hit by cybercriminals, you can respond accordingly by changing your login credentials ASAP.
- Learn how to recognize different types of scams
While certain scams are easy to recognize, the ever-evolving nature of cybercriminals makes it possible for them to trick even the most tech-savvy of us. By knowing what red flags to recognize when it comes to phishers, identity thieves and other types of scammers, you’ll be less likely to fall for the increasingly believable attempts to steal your data.
You now have a better understanding of the type of information hackers want, why they want it and how the COVID-19 pandemic brought up new ways for cybercriminals to profit.
Luckily, there are a few simple steps you can take to protect your data and stay safe online—and now more than ever, they’re important steps to take. Ignoring strong account security and authentication in lieu of convenience may be tempting, but the consequences of lost data can be severe and lasting. It’s time for cybersecurity to be top-of-mind.