Most of us now use online platforms routinely – in some countries, almost exclusively – to engage with work colleagues, friends, family and loved ones.
One worrying trend is the posting online of photos of home-working setups, video calls, and virtual meetings.
This trend has coined its own series of hashtags including #WorkFromHome, #WorkingFromHome, #RemoteWork, #HomeOffice. Others allude to the app used, such as #Zoom and #MSTeams.
While the sharing of such photos may seem harmless and even a must-do at the time, the reality is that we are, once again, falling into the age-old trap of oversharing online and overlooking the risks.
We are forgetting to ask ourselves: what might a criminal or fraudster do with this information?
Fraudsters, scammers and other cybercriminals love when we share information openly online about our lives, personal or work-related.
These insights make their jobs of targeting us substantially easier, while the ongoing pandemic – a situation where people are overly anxious, stressed, away from support groups, and balancing work and family life in the same physical space – increases our vulnerability to these attacks.
Opening yourself to targeted scams
Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates.
As we have become more aware of scams, criminals have had to become more cunning.
One way they have sought to boost success rates is to personalise scams – think spearphishing-type attacks.
No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you.
These personal details are often gathered from your online presence and old data breaches – think of it as open-source intelligence (OSINT) gathering focused on you. Its purpose is to increase the believability of their tricks, and it works!
Now we are also leaking personal information through home-working photos and visuals – even that seemingly-harmless background shown during video calls.
Family members (in person or photo form) often feature in the background of video calls, along with your hobbies, favourite sports teams and television shows, and other personal insights.
Photos tagged with #WorkFromHome, #WorkingFromHome, #HomeOffice have also revealed:
- Birthday parties (celebrated on Zoom or Teams), thereby exposing birthdates.
- Home addresses, through photos revealing addresses on Amazon parcels or postal mail.
- Names of family members, children and pets.
The variety of information that may be exposed in such contexts is endless and is only limited by what will fit into your home office (be it a bedroom, living room, or actual office).
Each of these pieces of information stand to put you more at risk to scams if attained by the wrong individual
From research, we know, for instance, that passwords are often created based on favorite teams, music artists, hobbies, and children and pet names. Therefore, this information could easily be used in password guessing attacks.
Or, let’s say you are emailed an ‘e-gift card’ on your actual birthday by a long-lost friend looking to reconnect. Many people would be more likely than usual to open the gift card attachment because the date is correct, unaware that it is actually a piece of malware or ransomware, and that the fraudster knows your birthday because it was posted online months earlier.
You’re leaking corporate data
Businesses have struggled to keep pace with how quickly they have had to adopt digital technologies over the last year. And securing the remote workforce is still very much an ongoing uphill battle for many.
Along with the more typical secure remote working considerations such as VPNs and managed credentials, you also need to worry about oversharing – this time of corporate data.
Analysis of images of home-working environments has revealed work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers, and internal identification numbers of devices.
In many cases this information was in the background of video calls or photos of pets near/on keyboards, in the background of children being home-schooled, or within snaps of a nice home-made lunch. Any of these digital footprints could be used in a corporate hack.
For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email.
Or, they may get in touch with the employee, pretending to be from the IT department and with a request that the staff member update key software that only internal employees would (should!) be aware of.
In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks.
There have been similar issues with numerous data breaches in the past where unsecured corporate servers online have leaked data, including millions of business and customer records.
Four tips to stay secure
- Always be mindful of what’s in the background of your photos or video conference calls. This way, you are always in control over the information you expose – wherever it ends up!
- For video conference calls, consider using a virtual background. Most popular software clients allow these, and they work pretty well.
- Blurring backgrounds works too, and makes most objects indecipherable.
- Think twice about sharing photos of your #WorkFromHome, #WorkingFromHome, #RemoteWork, #HomeOffice setup. Advise your friends and family members to think twice, too.
Remember, the cybercrime economy hasn’t slowed down due to COVID-19… and you’re just as likely to be targeted as anyone else.
Learn more
For a deeper dive into topics covered in this article you may like to take a look at research papers that I’ve recently authored/co-authored:
- Exploring the Risks to Identity Security and Privacy in Cyberspace
- Cybercrime and You: How Criminals Attack and the Human Factors That They Seek to Exploit
- Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic
Gerald Mitchell
I don’t disagree with any of this, but I do think it might be a little overblown. Your hopes of keeping things like your birthday secret aren’t really going to rest on work photos when 100 people say “happy birthday” over Facebook every year for example.. it’s not safe to assume that any of the things you might expose this way were ever private. The targeting is only going to get more and more insidious over time whether you post pictures or not; at worst poor hygiene in this area will accelerate the pace at which it develops. If automated spam mailers aren’t already using big data techniques to scour through the massive amounts available from all these “ransomware” breaches, they will eventually. While it’s definitely a very small additional risk to have things in the background of photos, stopping that isn’t much of a defense. Slowing them from gathering the information might help weaken the attacks for a while, but the only actual defense is to make sure that information isn’t a key to more. (So, for example, if your dog’s name is all someone would need to reset your secure bank password, then fixing that “security” question vulnerability is probably more critical than making it harder to find out your dog’s name by hiding his tags when you take his picture.)
Paul Ducklin
I hear you, although I was comfortable with the article when I read it (and, to be clear, that was before it was published) because I don’t think it makes out that the threat here is super-critical, merely that it is an ever-present (ahem) background issue to be aware of.
To me, the biggest problem in giving away home life hints is not so much that the information leaked in a Zoom call might instantly prove to be the clue that reveals your password, but simply that what’s all around you in your life inevitably makes excellent “pretexting data” for future scammers and social engineers.
I suspect that a lot of people are still strongly influenced to accept someone as genuine on the grounds that “this person can’t be a hoaxer because they couldn’t possibly know all those bits of info about me otherwise.”
When it comes to macroeconomics, there’s a truism along the lines of, “Look after the pounds and the pence will take care of themselves.” There’s a variant of that used when someone is trying to convince you not to be sloppy about details, viz. “Look after the pence and the pounds will take care of themselves.”
Well, my own opinion is that in cybersecurity, things are a very different. “Look after the pounds. Look after the pence. And look after the shillings too, while you’re about it, because none of them will look after themselves.”
My £2/10/6.
David Heath
£2/10/6 Really? That’s $5.05 around here!
Related to birthdays… every site that has ever asked for mine (without a ‘legal’ reason to know) is told January 1st 1970. UNIX aficionados will know why!
Paul Ducklin
When Australia decimalised its currency in the 1960s there were apparently three competing schemes.
One was the system used five years later in the UK itself, i.e. map 1 Pound -> 1 Dollar. (The UK had little choice but to go 1 Pound -> 1 Pound because it wasn’t introducing a new currency but simply re-subdividing an existing one.)
The second plan was to copy what South Africa had successfully done five years before, i.e. map 1 Pound -> 2 Dollars. This was a popular option because 1 shilling -> 10c, 2/- -> 20c and so on up to 10 bob -> $1/.
The third proposal was the funkiest, i.e. 8 shillings and fourpence -> 1 Dollar.
The last option is nowhere near as weird as it first seems, being simply 1 old penny -> 1 new cent. With 12 old pence in a shilling (and with 8×12 + 4 = 100), all the old coins would have “lined up” neatly with the new money and could therefore have circulated usably in parallel for a while.
As your comment shows via its calculation, the middle option (split the pound in half) was the one ultimately used.
Tony Gore
I assume all unsolicited emails, phone calls and letters are scams until proven otherwise. An awful lot of scams get by because people think they must be important for Microsoft or some obscure bank to be contacting them. Some are very obvious – like a new one I saw today wh-ich h-ad be-en wri-tt-en li-ke this presumably because the scammer thought their standard scam text would be found by phrase matching software. However, I know full well that my bank would not write to me like that, so it takes my prize for being one of the most obvious scams yet (perhaps ties with emails starting “dearly beloved” – a phrase not in common use in my country for a century).
Paul Ducklin
My Esteemed Sir, I hope you will not object if I offer you my most enthusiastic contrafibularities.
Bryan
@Tony
“dearly beloved” – a phrase not in common use in my country for a century
Unless you’re listening to 30-year-old Prince songs.
:,)
R.Dale Barrow
Phone scams are the worst, especially the ones claiming to be from a company you do business with, or as mentioned, the company you work for. With call spoofing the call can seem quite legitimate.
ALL of them, get the “I don’t know you from a fence post down the street. I will call the company directly. Thank you for your call.” followed by an immediate hang up.
P.S. gets rid of telemarketers too.
David Heath
I regularly receive calls from “financial services” telemarketers INSISTING that I made an enquiry to them so that they can bypass anti-SPAM laws here in Australia.
I flat-out tell them, “You’re lying. And I would never in a million years deal with an organisation that lies to potential customers.”
Paul Ducklin
Some companies do the weirdest things in the name of customer care. Like those mailing lists that, when you ask to be removed and carefully tick the reason on their survey form that says “I no longer wish to receive your emails because they make me want to be sick” (or words to that effect…
…then they immediately send you a happy, upbeat, cheery email [a] telling you how much they respect your decision to take a break from their annoying messages, [b] reminding you how easily you can resubscribe if your ill-will towards them ever subsides at some far off future time, and then [c] asking you if, in fact, you would like to RESUBSCRIBE AGAIN RIGHT AWAY AND THEREBY NOT MISS A SINGLE MINUTE OF THE UNBRIDLED EMAIL FUN THAT YOU ARE SURELY AND SECRETLY PINING FOR ALREADY.
It’s like that thing where you tell a 6-year-old to stop banging that table with their spoon and they instantly obey. And then very carefully and neutrally do one last tap, at a moment that is perfectly timed to be simultaneously inadvertent and insolent; accidental and aggressive. What to do? :-)
David Heath
You should recall that you were probably the same at the same age… you should probably also recall that you were permitted to live!
Paul Ducklin
Which raises the question – was I talking as a parent or reminiscing as a child? Who can say? :-)
Bryan
No one can say unequivocally.
However everyone here reading (and we’re all friends here Duck), knows that Passionate Security Proseletytisers are lifelong Testers of the System. It’s in their DNA.
Tony Gore
I use an old green tablecloth that I drop down to cover the wall behind me and then use a virtual background so that (a) there is nothing I might inadvertently give away and (b) it helps look professional. I have had to a series of long meetings where people must be on their own in a room for security, and I have seen things in people’s bedrooms that I would rather not see. At least my approach saves me causing participants embarrassment.
Janice Booth
I got the best call the other day on my cell phone! I love how they are trying to make it look like local area codes. It came through Culpepper. VA, then said this is Customs and Boarder Protection. A package in your name has been seized with drugs and cash. To speak with us IMMEDIATELY press 1, LOLOLOL