Consumer Electronics Daily was a Warren News publication.
Convenience Over Security

COVID-19 Fears Fueling Growing Number of Cybersecurity Scams, Says F-Secure

October 6, 2020 by Rebecca Day|Top News

Fear during the pandemic has led to a spike in online security concerns, said Olli Bliss, business development manager of cybersecurity firm F-Secure, on a Parks Associates webinar Thursday. An employee who receives an email with COVID-19-related information from what appears to be her employer is "going to open up that spreadsheet that’s in there,” he said. Local authorities are using texts to send information to citizens, too, he said, which leads to opportunities for phishing scams that mimic official announcements.

People lower their guard a little bit because they’re overwhelmed with fear … and they’re prone to click things,” Bliss said. Phishing scams are designed to get users’ credentials, which lead to other threats such as account takeovers, he said. Phishing scams over the past year have become more polished and increasingly difficult to pick up, he noted: “It used to be common to see typos ... but now, they’re sophisticated,” he said of a growing number of cybercriminals: “They know what they’re doing.”

Cybercriminals are taking advantage of anxiety over COVID-19, impersonating personnel from the Centers for Disease Control and Prevention, sending phishing emails for charitable donations and making bogus offers for home test kits and vaccinations, said Parks analyst Brad Russell. In the past year, about 5% of U.S. broadband households have experienced identity theft -- some 5.5 million households.

Identification theft tops the list of cybersecurity concerns among U.S. broadband households, said Russell. About half are very interested in a service that guards against it, though only one in five households currently subscribes to one vs. 37% that have virus and spyware-prevention software, he said.

ID theft includes theft of personal data such as Social Security and credit card numbers, along with the “assimilation of personal information” from across the internet, Russell noted. New account fraud is up over 13% in the past year, he said. The most common categories of fraud were imposter scams, debt collection and identity theft.

A frequent type of fraud is “formjacking,” caused by hacker attacks on commercial websites where consumers provide credit card information. Form-jacking was up 117% in 2018 when more than 57,000 websites were compromised; cybercriminals are stealing millions of dollars monthly by hijacking credit card data from online payment forms, said Russell.

Account takeover is one of the main drivers for online identity theft, said Bliss. He gave the example of a subscriber logging into her Netflix account and unable to access it because a cybercriminal has assumed it. Account takeover is designed “to spread like fire,” Bliss said, and targets “low-hanging fruit” owing to weak passwords. “If online criminals are able to get into your Netflix account, chances are they’re able to latch onto other accounts.”

Consumers have bits and pieces of their personal information stored on different online accounts, and that’s what’s used in full-blown identity theft, Bliss said. “Passwords play a massive role in feeding this overall threat,” he said. Consumers put a priority on convenience vs. security, he said, citing some websites’ option to let consumers sign in to an account using Facebook or Google credentials. “But what if your Facebook account is taken over?” he said: If online criminals take over the Facebook account of a person who has used the social media site as a validation tool, “you’re basically just handing over the keys to online criminals.”

Data breaches cause most account takeovers, Bliss said. A third of takeovers and ID theft cases originate from malware, something an end user doesn’t have control over, he said. Stolen data winds up on the dark web, where cybercriminals try to monetize their efforts. It takes six to nine months after a breach for data to be dumped on the dark web, he said. A service that protects against identity theft looks at the dark web layer, a reaction to something that has happened months before.

To protect against account takeover from happening in the first place, the expert noted, “we need to focus detection efforts on the bottom layer,” which F-Secure calls the underground web: “If we can try to prevent things from happening, we don’t have to try and have complex services to try and resolve cases that might not end up being resolved at all.” F-Secure uses a combination of “good password hygiene,” breach and exposure alerts and mitigation and restoration. It can push a notification to users by app to say their personal data was part of a breach and walk them through what should be done to protect against account takeover, Bliss said.

Active internet users with a lot of accounts have a “wide attack surface,” Bliss said, saying F-Secure’s goal is to minimize the attack surface. Customers know they shouldn’t recycle passwords, he said, but often stick with the familiar one they have been using for years. A password manager is a way to improve “password hygiene,” he said.

ISPs can use a service like F-Secure to differentiate their offerings, Bliss said: In addition to taking a “hands-on approach” to the customer experience, a cybersecurity solution helps boost average revenue per user. The end goal of add-on services, he said, “is to reduce churn.”