No Such Thing as 'Fair' Play for Hackers

Like more than half the country, my home state of Iowa is mourning the cancellation of our state fair due to continued concerns over the spread of COVID-19. For my family, the Iowa State Fair is an annual must-see. We are so disappointed in the loss of this experience, but of course, I support efforts to keep people healthy and agree with their decision.  

Keeping people healthy is the last thing on the minds of the opportunistic cybercriminals, crooks and scammers organizing to take advantage of the pandemic. The sophisticated leaders of these crime rings, some state-sponsored, have put the pedal to the metal over the last several months, expanding their enterprises to strike while the iron is hot. And, they do not play fair. 

Many people are distracted, out of their element and worried right now. This makes them particularly vulnerable to misinformation and misdeeds, which crooks are only too happy to spread. 

But, awareness of their tricks and traps gives you a fighting chance!

Read on to learn what today's fraudsters and hackers are up to... and please share. The more people who know, the fewer victims there'll be. 

Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Chris Parker's has been a reliable resource of mine for 20 years. Launched in 2000, the site is full of free tools that allow users to check the legitimacy of online communication. Because scammers often try to use complex technical information, such as IP addresses, to convince victims they have obtained control of the victim's devices or data, this is a really useful site. It also houses tools like an email tracer that details where a sender is located on the planet. I encourage you to check it out and also to listen to Chris's podcast, The Easy Prey.

The University of Chicago's Sand Lab has developed a technique for tweaking photos of people in a way that sabotages the learning abilities of AI-based facial-recognition systems. The solution is called Fawkes, and it works by cloaking photos so they actually mistrain facial recognition software. This is important progress, given that facial recognition trained from online images is a growing threat to people's individual security and privacy. And several big-name retailers, like Rite Aid, are beginning to roll out facial recognition broadly in their stores. The stated goal of using such software (to catch criminals) is often legitimate and understandable. But the widely demonstrated fact is that software like this is not only usually privacy-invasive; any flawed AI backing it up can lead to suspecting (perhaps even convicting) the wrong people for the actions of others. I'll be facilitating a panel discussion in a full-day NIST workshop on bias in artificial intelligence Aug. 18. (Registration is full, but a recording will be available after the event.)

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
The 'Insider Threat' Grows, Diversifies
From unethical to criminal, employee behaviors present huge risks
The insider threat continues to grow in size and scope. Here are two examples of risky workplace behaviors companies need to be aware of and create controls to prevent. 

Top-level eBay employees turn cyberstalkers

What began as cyberstalking by former eBay employees eventually moved offline. A Massachusetts couple who criticized eBay in the online newsletter they publish were systematically harassed by several employees and contractors of the Fortune 500 company. At one point, disturbing packages meant to scare them started showing up at the couple's home.

The accused employees include a senior director of safety and security and a former director of global resiliency. They, along with other employees and contractors, were charged with conspiracy to commit cyberstalking and tampering with witnesses.

Acting inappropriately as a group may have generated a feeling of strength in numbers. One employee alone might not have had the confidence to lash out to this degree.

Formal policies and procedures around whistleblowing can go a long way toward preventing employer resources from being used to facilitate this kind of harassment. No doubt others at eBay were aware of what was going on. Employees need to know whom to contact if they suspect something, especially if the person they suspect holds a senior-level position.

As individuals, we can protect ourselves, as well. Here are a few anti-cyberstalking tips to help fend off would-be attackers.

Raytheon engineer steals classified government blueprints

Eighteen months in jail is the sentence received by a former Raytheon engineer who regularly took top-secret documents home, sometimes in a plastic bag. 

Over nearly 20 years, this individual worked on many highly sensitive government projects, including military radar and missile defense systems. Some of the documents he took home were discovered on a laptop that belonged to a woman he was seeing. 

Interestingly, Raytheon found all of this out when they began investigating the engineer for suspected time card fraud. In doing so, they examined network history logs and saw he had downloaded documents to an external drive, which was against company policy. 

Luckily for Raytheon, this was not an individual good at covering his tracks. In fact, when he was arrested, he was searching "how to wipe data from a computer" at a public library. Had he been more sophisticated (or backed by a group with more nefarious intent and experience), the government contractor could have suffered irreparable harm. 

All companies should have policies and procedures in place for regularly checking access logs. Other tips to prevent unauthorized access include:
  • Providing regular training on information security and privacy policies and the associated sanctions for non-compliance.
  • Implementing strong access-control practices.
  • Preventing intellectual property, personal data and other sensitive data from being printed or downloaded from the network.
Conversation with a Criminal
Scammers count on the unbelievable turning believable 
A longtime friend and colleague, Ben Rothke, recently wrote about an email exchange he had with an iTunes gift card scammer. It's a fascinating read. 

While the gift card scam and ones like it have been around for many years, guards are down right now. Things that at one time would have seemed unbelievable (no March Madness, closed schools, face masks as fashion accessories) have suddenly become believable. And that's exactly what scammers are banking on.

How gift card scams work
Scammers hijack an email account and send a request to the entire contact list asking recipients to purchase iTunes gift cards for them. They claim to be out of town or sick and that they will send the money for the cards later. Because the email address is legit, victims believe the message is coming from a friend, family member or colleague. They are tempted to do the favor.
In his article, Ben outlines a few precautions that can protect you from gift card scams:
  • Ask a few questions.
  • Watch out for generic text.
  • Use hard-to-guess passwords and change them frequently.
  • Employ multi-factor authentication (MFA).

Easy way to send money (and steal it, too)     

The PayPal-owned peer-to-peer payment app, Venmo, is being used to scam people out of money. 

Many of the victims never even opened a Venmo account. Instead, fraudsters used their stolen credit card or bank account information and email accounts (all easily purchased on the dark web) to create the legitimate-looking, yet totally fraudulent, accounts.

Here's how the scammer uses your Venmo account

The scammer sends a victim an unexpected amount of money, sometimes as much as $1,000, with a message that says: "Sent to you by mistake, please return the money." 

Seems innocent enough, but the scammer has actually sent the money from a stolen credit card account. If you were to "return" the money, it would go straight to the scammer's Venmo account. From there, the scammer can quickly cash out and close the account, $1,000 richer. 

Here's the really terrible part: If an investigation is conducted, it will appear as though the money went into YOUR Venmo account. You could then be suspected of money laundering.

How to prevent becoming a victim of Venmo fraud

Venmo provides steps to take if a person discovers a Venmo account has been fraudulently created in their name or if they notice unauthorized charges on their actual account.

If you are a Venmo user, take a minute or two and check your bank and Venmo accounts to make sure you haven't been hit. Also make sure to use Venmo as intended. In its user agreement, Venmo states no one should use the application to buy anything from anybody they don't know or trust. It also states there is no protection for buyers and sellers using Venmo. Nice. 

You can get information on other Venmo scams, as well as more ways to protect yourself, by going here.
Fresh Phish: Real-Life Phishing Emails Sent to My Inbox
Subtle signs the sender isn't actually from Amazon

I've got an oldie-but-goodie email for you this month...

The below message made its way to a client's inbox recently. Upon opening it, his computer immediately froze. Fortunately, he was able to restore his system from a backup he'd made in the prior 24 hours. 

Not everyone will be so lucky.

Let's walk through the clues this is a phishing email one-by-one:

1) The sender appears to be "" But, look at the space between the end of the address and the period. Scammers use this irregularity to force a spoofed email address to display. 

2) Following the spoofed email address is the originating address (definitely not belonging to an Amazon server!) 

3) The generic claim that someone has tried to log in to the recipient's account does not include any specifics. Quick tip: Do an online search for a suspicious subject line, and if it's a common enough scam, you'll see people talking about it.

4) The message is sent to "undisclosed-recipients." If someone actually tried to access YOUR account, this would have been your email address, not what looks like a generic group email.

5) The good old PDF attachment... it's how so many types of malware are spread. See the weird, non-meaningful title of the attachment? That's a pretty good clue it's not a communication created by Amazon. 

Protect yourself (and the many people / businesses whose data you house) by putting any questionable email you receive through a quick analysis like the one we've done above. You'll be far ahead of sneaky scammers like this one.
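The same clue-by-clue analysis can be automated for messages that arrive in bulk. The following is an added example, not code from the newsletter: it parses a constructed sample message in the shape of the one above (every address, domain and filename in it is an invented placeholder) and reports the display-name padding, the spoofed sender, the mismatched originating domain, the "undisclosed-recipients" line, and the oddly named PDF attachment.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample in the shape of the message walked through above.
# Every address, domain and filename here is an invented placeholder.
SAMPLE = b"""From: "security@amazon.example " <mailer@cheap-host.example>
To: undisclosed-recipients:;
Subject: Someone tried to log in to your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We noticed a login attempt. Please review the attached document.
--b1
Content-Type: application/pdf; name="x7q9zk.pdf"
Content-Disposition: attachment; filename="x7q9zk.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def phishing_clues(raw: bytes) -> list:
    """Return (tag, detail) pairs for the header and attachment clues above."""
    msg = email.message_from_bytes(raw)
    clues = []
    from_hdr = msg.get("From", "")
    _, real_addr = parseaddr(from_hdr)          # the address the mail really came from
    # The quoted display name exactly as written, trailing space included
    m = re.match(r'\s*"([^"]*)"\s*<', from_hdr)
    shown = m.group(1) if m else ""
    if shown != shown.strip():
        clues.append(("padded-display-name", repr(shown)))
    if "@" in shown and shown.strip().lower() != real_addr.lower():
        clues.append(("spoofed-display-name", f"{shown.strip()} shown, sent from {real_addr}"))
        claimed = shown.strip().rsplit("@", 1)[1]
        real = real_addr.rsplit("@", 1)[-1]
        if claimed.lower() != real.lower():
            clues.append(("domain-mismatch", f"{claimed} vs {real}"))
    if "undisclosed-recipients" in msg.get("To", "").lower():
        clues.append(("undisclosed-recipients", msg.get("To")))
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "pdf":
            clues.append(("pdf-attachment", name))
        # A file name with no vowels and no separators reads as generated noise
        if stem and not re.search(r"[aeiou_\- ]", stem, re.I):
            clues.append(("meaningless-attachment-name", name))
    return clues

if __name__ == "__main__":
    for tag, detail in phishing_clues(SAMPLE):
        print(f"{tag:30} {detail}")
```

The vowel-free file name test is a deliberately simple heuristic; in practice it belongs alongside attachment sandboxing rather than in place of it.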

'Return to Work' Not Slowing 'Work from Home'
Wide-ranging reopening heightens need for remote work security

As the world continues to grapple with solutions to slow the outbreak of COVID-19, many businesses are opting to extend their remote work plans. Google, for instance, just announced it will keep employees working from home until at least June of 2021.
Now is the time to lean into the development of data security and privacy policies and procedures. Even with return-to-work plans in the early stages of deployment, it's possible new or repeat infections will send some or all employees right back to their home offices. Employers must be ready. 

To help, I have a few suggestions:
  • My team has put together a new resource at Privacy Security Brainiacs. Please check it out and let me know what you think. 
  • I am also giving an online webinar for ISACA on this topic: "Security & Privacy Compliance in Work from Home Situations." I hope you'll look into that, as well.
  • And, keep an eye out for my new book, scheduled to be out yet this year. "Security & Privacy When Working from Home & Travelling" will be published by CRC Press. 
Time May Be Up for TikTok App
Governments, corporations consider app a security threat  

Multiple reports of surveillance and personal data collection on the part of the Chinese-developed TikTok app have officials in the U.S. and the E.U. speaking out about the app's security. The incredibly popular app has been downloaded more than one billion times. 

The U.S. Department of Defense, U.S. Navy and U.S. Army have urged employees not to download or use the app. And in the E.U., a task force plans to investigate TikTok's activities after a lawmaker expressed concern over the app's security and privacy risks.

Corporations, too, are taking the potential threat seriously. Wells Fargo, for instance, banned the social media app from all company devices. 

So what exactly has legislators and business leaders so nervous? 

The app's Chinese origins certainly don't help; the country's government has been siphoning personal data from U.S. citizens for years.

What's more, ByteDance, the Chinese company that owns and operates TikTok, didn't request the required clearance to purchase the American app. That acquisition gave ByteDance access to millions of U.S. users and their data. Also, many believe that the requirements of China's National Intelligence Law could force ByteDance to cooperate with any intelligence operations the Chinese government may demand.

Also, smartphone security teams have, indeed, caught TikTok spying on their users. Apple learned the app had been accessing users' clipboards to see what content they'd been copying, either from online sites or personal communications. 

Just based on what we know about the number of downloads, many of you may have this app on your phone. Even if you don't, it's likely the young people in your life do (you know, the ones you speak to, call and text). Check your phone and ask your contacts if they have the app. You may wish to make changes in the way you communicate with them.

One last thing... if you're tempted to think "What would China want with my data?" consider the former White House cybersecurity coordinator's explanation: "For a nation-state, if you're trying to seed a large analytic engine, more data is always better."

Where to Find the Privacy Professor

On the air... 

I'm looking forward to being a guest of these following in August:


Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, iHeart Radio and similar apps and sites.

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety 
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings. If your organization wants to sponsor one show each month, I will cover topics  related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

Thank you for indulging me in a little virtual state fair appreciation session with this month's photos. It was good for the soul. 

Next up, finding a way to enjoy all those foods-on-a-stick I'll be missing out on this year. Those food vendors are going to be stationed around the Iowa State Fair Grounds for drive-by purchases on weekends throughout August. I'm not sure how my body will react, though, if I consume that much fried food without the 30,000 steps around the fairgrounds that typically accompany my culinary explorations!

Here's to finding fresh ways to live out our passions this summer... and to keeping ourselves safe from scammers, cybercrooks and other opportunistic criminals!

Have a happy, healthy and cybersafe August,

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. August 2020 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564