Are you the victim of online crime?

Cybercrime - mitigation and prevention

by Panos Arvanitis
Copyright 2023 and beyond.  Reproduction in whole or of any portion without prior written consent by the author is prohibited.

 

The "all eggs in one basket" problem

Unfortunately, online crime is and has been on the rise for some time.  As more data is available through "the cloud," cybercriminals do and will continue to try to access your online data; the reward is big and the risk small.  When we store our data on cloud services that make the data available anywhere in the world, we are proverbially putting all of our eggs in one basket.  Cybercriminals try to access that basket to gain access to financial accounts and other data.

Cybercriminals also use AI to analyze and imitate you, and to predict your future interactions and passwords.  For example, AI can analyze your email interactions with others, the content of your documents, your pictures and their locations, songs that you've listened to, and any data that you've placed on the cloud to predict your future passwords and passcodes.  Cybercriminals also use this information to contact friends and family to trick them into sending money and to extract more information that they can use in the future to defraud.  People fall victim to crime by providing information to someone they think is a family member or business partner, because they are contacted by a criminal who is impersonating a family member or business partner who had previously fallen victim to online crime.

Cloud companies use varying degrees of security to protect your basket, with many unfortunately leaving security matters to the end user, who is usually not a computer expert and is likely to make mistakes that compromise data.

No use crying over spilt milk

If you suspect or know that you are a victim of online crime, the first thing to do is to protect yourself.  Do not blame yourself.  You are unfortunately not alone.  Online crime is often perpetrated by enormous foreign operations, often with the backing of foreign states.  Cybercriminals may insert operatives at tech companies and cloud providers to open security holes that the criminals can exploit.  For example, they can exploit security gaps in computer hardware or software, processors, security cameras, or "smart" products to observe as you enter a password or sensitive information, or to listen in to your conversations.  They use the latest technology for sinister purposes and look to exploit people when they are less likely to pay attention (e.g., when someone is ill or is tending to a sick family member).  You, as an individual, are no match for the technical expertise and resources that many of the fraudsters have at their disposal.

How to protect yourself and combat online crime

If you are a business or individual that has fallen victim to online crime, or you want to protect yourself from becoming a victim, we recommend that you consult a security expert.  This isn't a ploy to get money for our company or the industry.  The threat landscape is always evolving.  Your level of exposure will be different from others, depending on the devices and services that you use, how they are set up now, and how they were set up in the past.  As much as we would like to, it's not possible to give one set of instructions for everyone to prevent or cure fraud.  Your exposure may also depend on how others treat your data, that is, how securely the companies that you do business with protect your sensitive data.  Some companies fail to adequately safeguard your data, leading to data breaches that you hear about in the news.

Guidelines for improving your online security

Please bear in mind that the steps below are general instructions to help you.  They assume that you have fallen victim to crime, but generally apply if you want to protect yourself from becoming a victim.  Depending on your level of exposure, these suggestions may not all be necessary.  These suggestions are not all-inclusive guidelines that can protect everyone.  Each individual's situation will vary.  These instructions can also, by nature, be rather technical.  If you are unsure, please consult a computer security expert.

If your email has been compromised

  1. Thieves sometimes modify your email so that anything you receive is also forwarded to them at another email address.  Check the forwarding settings and rules with your e-mail provider and turn off any email forwarding or processing that you don't recognize.
  2. Go to your cell phone provider and get a new SIM for your phone(s).  Do this at the store; do not do it online.  Tell them you have fallen victim to identity theft and they should assist you (though sometimes they resist).
    1. You can keep the same number(s), though in some scenarios we recommend changing your number.
    2. If you do change your number, keep your existing number active for a bit so you can receive authentication codes at that number.  You may need these codes to log in to existing sites to change your password.
  3. Reset your email password to something completely different and atypical of your usual passwords.
  4. After or while resetting your password, turn on multi-factor authentication (MFA) for your email.  MFA means that you will need to provide a code from a text message or an authenticator app (preferred) when you access email from a new device.  MFA makes it harder (but not impossible) for a cybercriminal to get into your email again.


    Very important - recovery codes:

    When you first turn on MFA you may be given one or more recovery codes.  Print them or write them down and save them in a safe place, offline.  Do not take a picture of them with your cell phone.  Do not store them online or on your computer.  Do not email them to anyone, not even yourself. Keep them offline.

  5. If you are setting up MFA for someone who is not technically savvy or for a person in a vulnerable category (e.g., a parent or an older person), consider setting up their MFA using a trusted relative's phone.  Cybercriminals specifically target older people and have been known to trick them into sending them the MFA codes.
  6. Warn your contacts that your email has been compromised.  They may have received messages that came from your email account asking for money or account information or bank transfers.  Friends, relatives, or business partners may be communicating with someone that they think is you.
  7. Go to your sent folder and check for messages that you did not send.  Thieves usually remember to delete the messages they sent from your account, but sometimes they are careless.  If they sent email impersonating you, you may find the messages they sent in your sent folder.

After your email is secured

  1. For any website that offers it, turn on multi-factor authentication (MFA or 2FA).  MFA means that you will need to provide a code from a text message or an authenticator app to log on to the website.


    Very important - recovery codes:

    When you first turn on MFA you may be given one or more recovery codes.  Print them or write them down and save them in a safe place, offline.  Do not take a picture of them with your cell phone.  Do not store them online or on your computer.  Do not email them to anyone, not even yourself. Keep them offline.

  2. If you were tricked into sending money from your bank account, close that bank account and open a new one with a new account number and new password, passcode, and/or PIN.
  3. If you receive statements in your email, then assume that these statements and account numbers have been read by others.  Have the account numbers and passwords for those accounts changed.
  4. Check your credit report for unknown activity.  Have the credit reporting agencies mark your credit report with a victim statement. This requests that creditors contact you before opening any new lines of credit.
  5. Change the password for each and all of your online accounts (banking, insurance, utilities, any website that uses a password).  Do this only after you secure your email, as outlined above.  Otherwise, the thieves may also get the new password information (particularly for websites that email the new password in plaintext).
    1. DO NOT USE THE SAME PASSWORD OR VARIATIONS OF THE SAME PASSWORD ON DIFFERENT WEBSITES.
    2. Do not base your password on anything that you've discussed over email or passwords that you have used before.  For example, if you like tulips or have ordered tulips and received an email receipt, do not use the word tulip for your password.
  6. If you use an online ("cloud") storage service, your documents there may have been accessed as well.  Consult a computer security expert about what you can do.  There are far too many variations to cover in these guidelines.
  7. Install trusted, paid antivirus & anti-phishing software on your computer and other electronic devices, even if you use a Mac.  The old adage "you get what you pay for" holds true with online protection software too.  But keep in mind that even the best software cannot prevent or detect all fraud; the computer user must also be diligent about protecting passwords and online data.
  8. If you use a program that remembers passwords for you, assume they are all compromised.  Change the master code for this program.  Change every password that was memorized by that program.
  9. Go to a website such as https://haveibeenpwned.com/ and check if your email address has shown up in any data breaches.  Make sure you change the password for those websites to a unique password, significantly different for each website.  If possible, turn on MFA for each website.

 

 

Consider your reliance on the cloud

Yes, we are aware that broaching this subject puts us at odds with what many others in the field suggest.  The cloud is big business and the source of recurring revenue for large providers.  It allows big providers to offer a one-size-fits-all approach that works for many countries in the world and reduces their operating costs.  It has simplified administration for computer technicians, offloading technical matters to cloud providers and lowering the bar for who qualifies as a computer administrator.  It gives big providers access to large swaths of data that they can use to analyze behavior, target advertising, and to train their AI models.  If you are concerned about AI, keep in mind that your cloud data may be what is used to train it.

One solid way to combat online crime is to reduce your online exposure.  If you need your data to be accessible all over the world then read no further; the discussion is moot.  Otherwise, consider that there are small business and personal cloud devices that allow you to create a limited cloud that is accessible only from locations that you choose, and only to individuals that you select.  For example, we use hardware to block some countries from accessing this website, the one that you're reading this article on.  We do not make our clients' data available to countries that are known to harbor and assist cybercriminals and that do not co-operate with local law enforcement.  We have installed localized cloud solutions for personal and business data that are accessible within limited regions, while still being available from mobile devices and for remote work.  When properly set up and administered they offer a predictable, fixed cost that is often smaller than the cost to implement and maintain cloud solutions by big providers.  And, with a localized solution you don't have to be exposed to the constant cycle of updates and product changes that may be irrelevant to your personal or business needs.

You may not hear often about local cloud solutions because it's not beneficial for big providers to lose the recurring income from big cloud business.  Consider discussing your actual business needs with your IT provider or security consultant to explore ways of reducing your operating cost and your exposure to online threats.

 

Q: I already use MFA but my email was still compromised.  Why? 

Please follow the instructions above for obtaining a new SIM card, then resetting your password.  We highly recommend that you also change your phone number as explained above. You may be a victim of SIM spoofing, which is an advanced cybercrime method, the details of which are beyond the scope of this document.

We also suggest that you change your password because thieves may have gained access to your information before you set up MFA.  Whether they still have access to your data or not may depend on your provider.

 

Q: Can I report online crime to the police or other authorities?

You generally can, and we recommend that you try.  Law enforcement agencies work with each other to identify large criminal groups and try to take them down.  If you are expecting a personalized response though, keep in mind that, depending on the amount of money involved, your local police department may not be able to do very much.  If warrants for other states or countries are required, their options may be limited due to fiscal constraints.

We encourage you to report crime to your local authorities, bearing in mind that their hands may be tied because of the cost and complexity involved. Be reasonable with your expectations.

However, also bear in mind that there's nothing law enforcement can do about crime if citizens do not report it.  Give law enforcement an opportunity to act by reporting crime.

 


About the author
Panos is a computer engineer and security researcher with over 35 years of experience designing and administering computer networks.  He holds Master and Bachelor of Science degrees in computer & electrical engineering from Virginia Tech, where he also served as computer & network administrator for the electrical engineering department and the spatial recognition research lab.  He designs, manages, and secures computer networks and has served as technical expert in intellectual property litigation and prosecution matters valued at over $10 billion. He has developed software to exploit flaws in electronic devices and worked with manufacturers and developers to close security gaps.