Work from Home Brings Out the Worst in Hackers

We've long known that cyber criminals are opportunists. But the past few months have proven these crafty crooks are at the top of their game during a crisis.

In no circumstance is that more evident than in the burgeoning work-from-home trend. The lax data security and privacy controls present in most home offices have opened the virtual floodgates for all kinds of data attacks and explicit hacks against organizations and the people they serve.

Read on to learn how you and your colleagues can fight back against the cyber opportunists, as well as some other simple tips for protecting your own personal data during these chaotic times. And, stay tuned for my 20th published book, "Security & Privacy when Working from Home & Travelling," expected to be published by CRC Press in a few months.

Special Note: I'm up for the 2020 Cybersecurity Woman of the Year! Most thrilling of all, I'm nominated in the Law Profession category. This is more proof that the connections between the law, cybersecurity and privacy are growing stronger by the day. Please consider voting for me before July 15!

Supporting more women in this field is a meaningful endeavor. As Steve Morgan recently pointed out, more women than men earn postgraduate degrees, yet just 14 percent of Fortune 500 CISOs are female. Why do you believe that is? Share your ideas by sending an email. I may write on this topic soon and would love to include insights from Tips readers.

Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Perfect for privacy-conscious work-from-homers, That One Privacy Site hosts the VPN Comparison. The resource ranks various qualities of different VPNs (virtual private networks), from logging and activism to security and price, with a simple three-color scale. Yellow signals something of a concern, while red spotlights a major concern and green stands for "generally good." This is a much-needed tool for this day and age, when anyone going online from a home Wi-Fi network should be using a VPN.

Text security app Signal is making it easier to send sensitive information via text. A privacy-protecting encryption tool, it's a much safer alternative to simple texting. A great number of business users have turned to texting as a means of fast communication while distanced from coworkers. What they forget or fail to consider is that texts are highly susceptible to interception; they are also stored on servers and, therefore, vulnerable to law enforcement, lawyer and government agency review. Not the greatest way to send confidential information!

MIT Technology Review is maintaining what it calls a COVID Tracking Tracer. The online resource documents and compares the various apps launched to detect users' individual COVID-19 exposure risks. This is especially important as privacy-invading solutions, such as digital immunity passports stored on phones, begin to circulate as real possibilities. Among the features analyzed by the Tracer are details on what the tracing efforts are, how they work and what policies and processes have been put in place around them. Kudos to the publication for helping insert transparency in an otherwise murky and fast-evolving space. 

Amazon, IBM and Microsoft (and possibly others) have pulled their facial recognition tools from the market, particularly from law enforcement use, until such tech is regulated in ways that protect privacy. The companies have also committed to addressing the many bias problems that exist within the tech. These flaws create huge privacy harms, like incorrectly identifying someone as a criminal or suspect based on inherently biased algorithms.

Senator Tom Davis of South Carolina earned a Beacon mention this month for drafting legislation to ensure best-practice privacy protocols are followed in the state's contact tracing program. As the Senator rightly points out, "failure to legally establish these protocols will result in many South Carolinians refusing to participate in contact tracing."

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
Russian Hacker Group Targets U.S. Workers at Home
Ransomware is Evil Corp's attack of choice
The BBC is reporting that Russian hacker group Evil Corp has attempted to break into at least 31 organizations using ransomware sent to remote employees. Authorities are also concerned U.S. voting systems are on their list of targets. The group's leaders have been indicted for hacking schools and religious organizations in the past, as well. So it seems no industry segment is off limits for these two, who, by the way, are still at large.

Here are a few tips to keep your organization and its employees safe from Evil Corp and the many other organized hacker groups around the world:
  • Establish or update information security and privacy policies and procedures that cover ransomware. Create motivating strategies to encourage employees to read them. 
  • Train employees on spotting signs of ransomware, as well as appropriate responses and reporting of suspected incidents. 
  • Create a "no click" culture in which all employees avoid clicking on links from unknown individuals. 
  • Encourage employees to check links embedded in emails and texts on at least two different malicious link testing sites before clicking. Some options:
  • Remind all workers and third-party contractors that your organization's information and cyber security and privacy officers are available for any questions they have on cyber safe behaviors at work. 
Ex-Navy captain's private conversation live streamed on Facebook
For those who work from home, this is an especially important issue to think about...

Especially in this day and age, private conversations can't be assumed to be private at all. One couple in the U.S. learned that lesson the hard way recently when a chat they were having at home was inadvertently live streamed on Facebook. Worse, the conversation included disparaging remarks about African Americans, Asian Americans and women.

It wasn't until retired Captain Scott Bethmann picked up his phone and saw outraged comments that the couple realized what happened. Naturally embarrassed, Bethmann resigned shortly thereafter as alumni trustee. He also issued an apology statement, but of course, the damage had already been done.

Facebook users have long complained that it feels like the social media giant is spying on them. Things like ads eerily reminiscent of a recent conversation make people understandably apprehensive about the app. Seeing an ad for something you were just talking about is one thing, but having an entire private conversation shared on social media is another. It has the potential to hurt others, damage your reputation and even end your career.

To protect your private or sensitive business conversations from finding their way onto social media, take the necessary precautions to disable the Facebook microphone setting on your mobile device.

For iPhone and iPad users: Go to Privacy >> Microphone >> Facebook >> Slide the button from right to left to turn it off

For Android users: Launch the Settings app >> Tap Apps in the Device section >> Facebook >> Permissions >> Microphone >> Slide the button from right to left

Take these steps and you should be protected from Facebook accessing your microphone without your knowledge. At least for now... Facebook is notorious for changing its security and privacy settings, so check in on yours every few months.

And, word to the wise, be mindful of what you say, regardless of whether you think anyone (or anything) is listening in. A growing number of IoT devices with onboard mics is making it increasingly difficult for people to speak privately anywhere they are.

GDPR solves family dispute over private photos... or does it?

When EU regulators put the General Data Protection Regulation (GDPR) into place two years ago, they may not have considered all the long-tail implications of their law. Or maybe they did...

In May, a woman in the Netherlands was ordered by a court to delete photos of her grandchildren from her social media accounts. The children's mother had asked her to remove them, and when she didn't, the children's mother got the police involved. The issue made it all the way to the courtroom, where a judge ordered the grandmother to take the photos down or be fined 50 euros a day until they were erased.

Because the GDPR framework gives people the "right to be forgotten" or the right to have all data a company stores on them removed, the judge saw fit to force the grandmother to comply with the mother's request. 

This case demonstrates how easily laws passed with certain intentions can be applied for unanticipated reasons, like a family spat. Because the GDPR is still so new, I imagine we'll see plenty of other wild, and precedent-setting, cases over the next few years. 

In other GDPR news...

Although the Austrian ministry has published private citizens' personal information online since 2009, that practice largely went unnoticed until recently. The Chamber of Commerce suggested entrepreneurs look at the register as a way to find certain data they needed to register for economic aid related to COVID-19. All of a sudden, Austrians, including President Alexander Van der Bellen, discovered their data was open to and searchable by the public.

As a result, several parties are currently considering taking legal action against the ministry based on the GDPR, and experts believe they could be successful.
Just How Anonymous is that 'Anonymous' Survey?
Some 'private' surveys actually can be tied to the taker

Have you ever participated in an "anonymous" survey only to feel like the sender had a lot more information about your responses than they let on?

Or maybe you've been on the other end. Have you sent a survey and reassured participants all responses would be completely anonymous? 

I recently received such a request, stating the survey was "completely anonymous," but I didn't have time to take the survey. A few days later, I opened an email that said, "I see you didn't take the survey. Please click here to do that." Suddenly, I didn't believe that survey was as private as it claimed.

If a unique code was attached to my email address (a code that triggered a follow-up to those people who didn't participate), the survey wasn't truly anonymous. It may have used some level of pseudonymity. However, the link provided did not have such a code. So, there was some other type of tracker being used.

And, as I learned after taking the survey, some of the questions asked for details that could provide enough information to let the survey sponsor know I did not participate, based upon a combination of city, state, zip code, etc.

Now, to be fair, the people who send surveys aren't usually the ones who design them... meaning they use third-party software to conduct the research. If the survey provider tells them their platform respects privacy, they likely take that information at face value.

It may also be that "anonymous" referred only to the content of a participant's responses and that a taker's answers would not be tied to her or him. But, after the unwelcome note that someone "saw" I hadn't taken the survey, I was even questioning that.

Unfortunately, indicating a survey is "completely anonymous" when it's apparent that it's not is a highly effective way to get people NOT to participate. Even if it isn't your intention to be misleading, such deceptive, untruthful promises destroy trust.

I'm definitely not suggesting people should not conduct or participate in surveys. I'm not even suggesting surveys must be anonymous. I'm saying that if people are told the information they're sharing is "completely" unidentifiable, it should be. 
Methods for keeping surveys anonymous depend on the type of survey software being used. Researchers may simply want to know the number of people taking the survey. That can be accomplished by counting unique IP addresses. But after counting, IP addresses should always be deleted. You may also want to explain your process to participants to add to their confidence that their IP addresses are not being used for anything else, nor stored in a potentially insecure manner. 
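As an added illustration (not code from the newsletter or from any survey vendor), here is one way to implement the count-then-delete approach just described in Python: each incoming IP address is reduced to a keyed hash (HMAC-SHA256) the moment it arrives, only the set of hashes is kept for counting unique respondents, and closing the survey destroys the key so the hashes can no longer be tied back to any address. The addresses and dates are constructed sample data, and the class and function names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class AnonymousSurveyCounter:
    """Counts distinct respondents per day without retaining raw IP addresses.

    Caveat: unique addresses undercount respondents behind a shared NAT and
    overcount mobile users whose address changes, so treat the totals as a
    rough participation estimate, not a head count.
    """

    def __init__(self) -> None:
        # Per-survey secret that exists only in memory and is never persisted.
        self._key: Optional[bytes] = secrets.token_bytes(32)
        self._seen: Dict[str, Set[str]] = {}  # day -> set of HMAC tags
        self.closed = False

    def _tag(self, ip: str) -> str:
        """Keyed hash of the address; raw IP is discarded after this returns."""
        if self._key is None:
            raise RuntimeError("survey closed: key destroyed, no more tagging")
        return hmac.new(self._key, ip.strip().encode(), hashlib.sha256).hexdigest()

    def record_visit(self, ip: str, day: str) -> bool:
        """Register a visit. Returns True if the address is new for that day."""
        tag = self._tag(ip)
        bucket = self._seen.setdefault(day, set())
        is_new = tag not in bucket
        bucket.add(tag)
        return is_new

    def unique_count(self, day: str) -> int:
        return len(self._seen.get(day, ()))

    def close(self) -> Dict[str, int]:
        """Collapse the tag sets to plain totals and destroy the key.

        Without the key the tags cannot be recomputed from candidate addresses,
        and the sets themselves are cleared, so only the counts survive.
        """
        totals = {day: len(tags) for day, tags in self._seen.items()}
        self._key = None
        self._seen.clear()
        self.closed = True
        return totals


def demo() -> Dict[str, int]:
    # Constructed sample visits (RFC 5737 documentation addresses), not real data.
    visits = [
        ("203.0.113.7", "2020-07-01"),
        ("203.0.113.7", "2020-07-01"),   # same respondent reloading the page
        ("198.51.100.22", "2020-07-01"),
        ("203.0.113.7", "2020-07-02"),
    ]
    counter = AnonymousSurveyCounter()
    for ip, day in visits:
        counter.record_visit(ip, day)
    return counter.close()  # returns {"2020-07-01": 2, "2020-07-02": 1}
```

The retention of the key is the privacy-critical part: as long as it exists, anyone holding both the key and the tag set could re-derive which addresses responded, so the survey platform should destroy it the moment counting is finished.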
CARES Act Scams Add Insult to Injury
Scattered Canary steps up its game during the pandemic

With many people worried about their physical and financial health, they are understandably hungry for solutions. This has given scammers the perfect opportunity to strike, catching consumers with phishing attempts, ransomware attacks and more.

Governments across the world are stepping in to help those facing economic ruin as a result of the pandemic. And, as we know, where money is being distributed, scammers are sure to show up.

That's exactly what the Nigerian group "Scattered Canary" has been caught doing. In May, security researchers found the group draining money from several government-funded benefits programs built to ease the financial pains of COVID-19.

The scammers filed fraudulent unemployment claims in multiple U.S. states, while also receiving CARES Act payouts from the Internal Revenue Service. Their gains are expected to total as much as $5.4 million.
The elaborate COVID-19-related schemes are in addition to scams Scattered Canary was already running on Social Security and financial aid.
Tips readers, these criminals prey on your personally identifiable information. One of the best ways to find out if your data has been compromised is to request and review your credit reports. Every person in the USA has a legal right to obtain detailed credit reports free every year from each of the three major credit reporting agencies: Experian, TransUnion and Equifax.

Typically, I advise consumers to spread out their requests for these reports. However, given the fact that fraudsters are operating in overdrive to take advantage of the global pandemic, it may be a good idea to obtain all three reports at once. If you see incorrect information on those reports, contact the creditor or your bank directly. If a scam is to blame, let the FTC and the Attorney General in your state know, as well.
6 Ways to Shop Safer Online
Steps you can take to limit your risk.  

Because so many people are turning to online shopping as a way to mitigate their exposure to COVID-19, the world faces increased risk of payment and other fraud taking place online. Here are six simple ways you can shop safer online:

1. Check to see if the business has a history of complaints. In the U.S., the Better Business Bureau (BBB) and Consumer Financial Protection Bureau (CFPB) are good resources. Numerous grievances over poor service and products can also signal low prioritization of data security and privacy.

2. Use to check the age of a URL. If it was recently created, it may very well be a spoofed site. Cyber actors have gotten really good at spoofing legitimate sites, but they usually only keep the cloned sites up for brief periods of time to avoid getting caught. 

3. Look for encryption. Never make a purchase on a site whose URL does not start with HTTPS (the S stands for secure), or that does not show a padlock icon on the left side of the URL bar in Chrome and similar browsers.

4. Find (and read) the site's security policy and privacy notices. There is usually a link to them at the bottom or along the left side of the home page. If you can't find these, do not make a purchase on the site. If you do find them, look through them for the following:

In the security policy
  • A high-level overview of the ways in which data is secured, from the time it's collected to the time it's no longer needed. 
  • How the business will contact you in the event of a data breach.
Within the privacy policy
  • A clear description of how personal data is collected, used, shared and protected. 
  • Choices consumers have around access and deletion of their personal information.
Within both
  • Specific contact information for data security privacy questions. This should be a name or title with the company and a way to reach that individual, like an email or phone number. If a site only provides a postal mailing address, avoid it.
5. Look for security and privacy web seals (e.g., TrustGuard, Site Lock, McAfee Secure). A lack of seals is not a deal breaker. However, their presence does provide an extra layer of confidence because it indicates an objective third party has inspected the site and validated its security and privacy controls.

6. Only provide the personal data that's absolutely necessary to make a purchase. If you're buying a toaster, for instance, the retailer does not need your birth date. The less data you give a business, the less potential for consequences from misuse, breaches or other digital accidents. TIP: My privacy professional friends and I often use January 1, 1980 for such purposes. There are a lot of us getting birthday greetings on New Year's Day!

Where to Find the Privacy Professor

On the air... 


Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, iHeart Radio and similar apps and sites.

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings. If your organization wants to sponsor one show each month, I will cover topics related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard-dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

I hope you enjoyed this month's collection of delicious-looking smoothie photos. I heard from so many last month about their appreciation for our dessert images. I even got a pointer to this recipe from Tips reader Jill who swears it's true to its title as the best banana bread. Thank you for sending, Jill!

We deserve a break from the seriousness every now and then. That said, so much of the chaos and uncertainty remains and requires a lot of diligence. I join my data security and privacy community in working overtime to help spread tips and tricks to help you avoid the tricks and traps set by scammers. 

Thank you for continuing to be a loyal reader, and please share with others!

Best regards,

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. July 2020 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564