Oversharing online while working from home brings unique risks.
As folks share their desktops on calls or while presenting at conferences, or even post pictures of their home office on social media, what might a scammer do with this information? Accidentally exposed insights make a scammer's job of targeting us easier, while the ongoing pandemic – a situation where people are overly anxious, stressed, away from support groups, and balancing work and family life in the same physical space – increases our vulnerability to these attacks.
Making it Personal.
E-mail scams (phishing) are a preferred form of attack for many criminals. They are often simple to launch, and have a reasonably high success rate. One way those rates have increased is through personalization.
“Dear user” turns into “Dear [your name]”. Scammers will purchase exposed credentials off the dark web and even display your old passwords within their messages to you to give them a feeling of legitimacy.
Oversharing on social media and in large untrusted settings leaks additional personal information through home-working photos and visuals – even that seemingly-harmless background shown during video calls. Family members (in person or photos) often feature in the background of video calls, along with your hobbies, favorite sports teams and television shows, and other personal insights that can be used.
Photos tagged with #WorkFromHome, #WorkingFromHome, #HomeOffice have also revealed:
- Birthday parties (celebrated on Zoom or Teams), thereby exposing birthdates.
- Home addresses, through photos revealing addresses on Amazon parcels or postal mail.
- Names of family members, children and pets.
The variety of information that may be exposed in such contexts is endless and is only limited by what will fit into your home office or on your desktop (be it a bedroom, living room, or actual office).
Let’s say you are emailed an ‘e-gift card’ on your actual birthday by a long-lost friend looking to reconnect. Many people would be more likely than usual to open the gift card attachment because the date is correct, unaware that it is actually a piece of malware or ransomware, and that the fraudster knows your birthday because it was posted online months earlier.
Along with the more typical secure remote working considerations such as VPNs and managed credentials, you also need to worry about oversharing University data.
Analysis of images of home-working environments has revealed work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers, and internal identification numbers of devices.
For example, an attacker may contact an employee under the guise of a known vendor or supplier, drawing on information gathered from an email.
Or, they may get in touch with the employee, pretending to be from the IT department and requesting that the staff member update key software that only internal employees would be aware of.
In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks.
What Should I Do?
- Always be mindful of what’s in the background of your photos or video conference calls. This way, you are always in control of the information you expose – wherever it ends up!
- For video conference calls, consider using a virtual background. Most popular software clients allow these, and they work pretty well.
- Only share what you have to during screen sharing.
- Blurring backgrounds works too, and makes most objects indecipherable.
- Think twice about sharing photos of your #WorkFromHome, #WorkingFromHome, #RemoteWork, #HomeOffice setup.