We Are All Aware of Hackers During COVID-19 – Now How Do We Prevent Them?

Hackers are everywhere. They look just like you and me; you might see them in a grocery store, online at the pharmacy, or sitting at the table next to you at a restaurant, but you would have no idea of the capabilities they possess. By definition, a hacker is a person who illegally gains access to and sometimes tampers with information in a computer system. This means they have the talent to install viruses and malware that can allow them access to your personal information and the unauthorized use of your computer.

With technology being an important part of our lifestyles, you may have already known that. But what you may not realize is the magnitude of the power they possess over a network with more accounts than citizens in the United States or the trickery and influence they can have over your mind. 

Not sure if I can believe you without examples…

I see Facebook posts and small business articles every day about the distress of realizing there is a virus in a system followed by a plea for a computer whiz to remove it. Would you believe me if I told you that you could be that computer whiz? First let me give you some more specific examples.

Just over a month ago, on June 19, 2020, hundreds of thousands of personal police files and sensitive investigation information were leaked online stemming from a breach in Houston, Texas. These so called “BlueLeaks” contained not only police reports but international bank account numbers (IBANs) and other financial information from over 200 police departments spanning over ten years.

Now, you may be thinking, some of these files belong to the national government – shouldn’t they be better protected? Yes, of course, but no security system is perfect no matter their size or importance. The BlueLeaks data breach is at risk of exposing private investigations and endangering lives. Serious stuff.

Security breaches don’t just happen on the business level – they can happen to anyone. A malware gang identified as RATicate found its way onto many personal devices through the installation of NSIS, a Microsoft Windows-backed authoring tool.

RATicate gave the cyber criminals behind the operation access to the files, screen and webcam activity of its victims and the ability to download additional malware. We’ve all had suspicions of the NSA snooping, but now there may be others…

Another recent example that might blow your mind is an attack on Twitter. Yes, the social media platform used by many political figures and celebrities. On July 15, 2020 Twitter’s internal systems were attacked by a socially engineered phishing operation allowing hackers to obtain access to millions of accounts.

User accounts by Barack Obama, Apple, Wiz Khalifa and too many more posted tweets about doubling funds sent to them by fans through Bitcoin; the operation made the hackers $110,000 in only a few hours. Although Twitter released a statement about taking “significant steps to limit access to internal systems,” if this doesn’t convince you how easily hackers can gain access to your information, I don’t know what can.

Examples of the tweets posted by hackers on celebrity accounts.
(Screenshots via BBC)

Enough scaring me, what can I do to prevent all of this?

One of the best ways to ensure that YOU are the one logging into your account is to use multi-factor authentication. All this means is that there are two out of the three following that you use to gain access to your accounts: something you have, something you are, and/or something you know.  So if you know your username and password, you need a second something to authenticate, think, you may have a downloaded application on your phone or you prove who you are with a biometric scanner, like face ID or fingerprint reader.

There are a handful of applications you can download; personally, I use 3 of them. My university requires a two-factor authentication to sign into our school accounts using the mobile app, Duo. At UOTech.co, we use the mobile app, Okta Verify. We also ensure that our clients’ account information is safe, so we help them use the mobile app, Microsoft Authenticator. All of these perform the same function – it’s all about the software you’re using and preference.

How the multi-factor authentication works is, after typing in your log-in credentials and clicking “Sign-In,” a notification will be sent to the mobile application on your device asking if you were the one attempting to sign-in. This prevents hackers who have your log-in credentials from accessing your account without your knowledge or permission.

Another simple, yet not well-utilized tip is ensuring you have a strong password. Now I’m sure you, just like millions of others, when signing up for a website that requires a stronger password than your go-to, probably add a 1 or an exclamation mark to the end of your password. While that is easy enough to remember, it doesn’t necessarily count as a strong password.

An easy way to check if your password has been exposed in data breaches is by using the website https://haveibeenpwned.com/Passwords. Not only will it notify you if you should or should not use your current password, but it can help you to generate a secure, unique password to protect your account.

What about your email? This is one of the more common ways that hackers can obtain access to your device and information. Rule number one: never send confidential information over unencrypted email. Most of the time when passwords, credit card numbers, or other personal information is requested over email, the email is a scam. Sending money over an email to help provide clean water in developing nations sounds like a nice gesture, but if you’re going to donate, maybe consider doing so through a more trusted site.

Email rule number two: verify that the sender is who they say they are (and always independently confirm that an unexpected email requesting the confidential information above is authentic). Always check the spelling in the email and in the message; if something seems out of the ordinary then investigate it as it is very likely a scam. Follow up with a phone call or video chat if the sender is asking for information. Confirm their identity and why they need access – do not just reply to the email. Alongside that, do not give anyone unsolicited access to your computer, even if they state they are from an IT company. Verify their identity and contact them in person.

On your end, adding a profile picture to your email account may help recipients quickly identify that you are the legitimate sender, and if a scammer attempts to impersonate you, the recipients have a better chance of recognizing that it is a scam.

And email rule number three: never download attachments or open links from an email with an unknown or suspicious-looking sender. This is how hackers can download malicious software to your device and verify your account credentials.  

Spam email imitating Microsoft security.

Notice the unusual location, email address, and missing profile icon.
(Screenshot via Microsoft Answers)(Screenshots via BBC)

Another important tool I would suggest is having proper malware protection software on your computer. First off, always be aware of where you are downloading software from and be sure it is from a trusted source. Software developers will work with device and operating system manufacturers to make sure the software is “signed” or approved by your device’s parent company for authenticity, doing the legwork of proving legitimacy and reliability.

Second, always stay up to date with software, because as soon as there are loopholes your device will be vulnerable. An unpatched device is one type of vulnerability and can make you a target. Similarly, be sure to stay on top of system updates, software bug fixes, and security patches. Managed IT service providers can help you ensure that your data is secure, systems are up to date, and all your technology is running smoothly.

Some security software that I would recommend downloading are Sophos or Esset. These antivirus and security software not only provide protection against ransomware and trojan horse attacks, but, because they are heuristically-based, they don’t just scan files and ignore them – they continuously watch the files and detect patterns based on global attacks and the behavior of the files and programs running on your computer.

My last few bits of advice are simple yet powerful. First, always lock your computer when you are not using it. Even if you are home, hackers can still obtain access to your files. If you have an IT company, you can have them set an auto lock timer on all company computers.

Lastly, and probably most importantly, back up your data! Create a cloud backup of all your data, vary your backups, have backups on and off site, and have a physical and local backup of your data, as well. I know it may sound like a lot and you may be thinking, do I really need to back up in all these places? The safest answer is yes. If something happens to an external hard drive or if you have a power surge, having backups in multiple places will ensure access to your data in a timely and safe fashion. Not to mention if a virus or hacker obtained access to one of your backups, you still have your data in other places, and it would be very difficult for them to harm or destroy every place your data is located.

Technology is a lot like the ocean – there is a lot yet to be discovered, and the deeper we dive, the more there is to look out for. Having extra protection such as multi-factor authentication, antivirus software, and stronger passwords is like adding an extra oxygen tank: it makes you safer, but you still need to keep an eye out for danger.