The Weekly Review: Episode 21 with Dr. Read Hayes, Tony D’Onofrio, Tom Meehan, and Guest Peter Trepp

This podcast originally appears in the LPRC website.

In this special episode of CrimeScience: The Weekly Review from the Loss Prevention Research Council (LPRC), Peter Trepp, CEO and president of FaceFirst, gives his take on the future of privacy, delving into expectations of privacy, legislation, security, technologies and more. Co-hosts Dr. Read Hayes, Tom Meehan, CFI and Tony D’Onofrio discuss upcoming collaborative LPRC initiatives, the recent Jacob Blake incident, digital risk protection, Microsoft’s Zero Trust security, ransomware, the D&D’s crime report and global retail data.

Podcast:  Play in new window

Subscribe:  Apple Podcasts | Android | RSS

My Go-To Tool for Image Searching

Are you looking for a good tool to search for images online? TinEye is a great image search and recognition tool. The reverse image search allows you to search by image and find where that image appears online. It is great from research and investigations. Check it out, here https://tineye.com/.

The Weekly Review: Episode 20 with Dr. Read Hayes, Tony D’Onofrio, and Tom Meehan

This podcast originally appears in the LPRC website.

This quarter, 253 deaths took place in retail locations, an increase of 45 percent from the second quarter. And why is total revolving credit card debt down by 10 percent? In this episode of CrimeScience: The Weekly Review from the Loss Prevention Research Council (LPRC), Dr. Read Hayes, Tom Meehan, CFI and Tony D’Onofrio discuss this and more, including COVID-19 vaccine testing, LPRC initiatives, virtual SOC, increased online sales, fraud risks, chargebacks, puppy scams in the age of COVID-19, BOPIS, technologies in retail, and the fastest-growing retailers. 

Podcast:  Play in new window

Subscribe:  Apple Podcasts | Android | RSS

My Favorite Weather App

With the recent weather I thought it would be a good time to share my favorite weather app with you. MyRadar (https://myradar.com/) is an easy-to-use, all-in-one weather app with extremely accurate radar and weather predictions. This app is available on the Appstore, Android store, and windows app store.

Unraveling the Mystery of the Dark Web

This article originally appeared in Loss Prevention Magazine.

Investigators Can Use the Dark Web as a Tool to Discover Potential Threats to Retail Brands

The dark web burst into public awareness in 2013 when the FBI shut down Silk Road, an online black market, and arrested its founder, Ross Ulbricht. The FBI found him through an elaborate sting operation involving an undercover law enforcement agent posing as a drug dealer on the dark web. Through this undercover operation, the FBI was able to find and locate a Silk Road administrator, who gave them access to information about Ulbricht’s Bitcoin account.

When Ulbricht discovered the administrator had been arrested, he asked the undercover agent posing as a drug dealer to murder the admin. Investigators staged the torture and killing and sent photos of what they said was the corpse to Ulbricht. Ultimately, these questionable tactics led to Ulbricht’s own arrest.

The media immediately picked up on such an exciting topic. The dark web was known for facilitating illegal activity, including money laundering, drug sales, and even murder. The appeal of the secrecy and mystery behind the dark web led to many articles and news reports; unfortunately, this coverage also propagated a lot of misinformation.

The Dark Web Explained

The dark web is one of many layers of the Internet, and a lot of terms are associated with this subject. The surface web, also known as the open or clear web, is the part of the Internet we are the most familiar with. It refers to all the websites that are automatically indexed by search engines, which makes them relatively easy to access. Despite being the most well-known part of the Internet, the surface web makes up less than five percent of the Internet.

The deep web, or invisible or hidden web, makes up the largest portion of the Internet—between 92 and 96 percent. It is an online repository of back-end information and includes financial transactions, public records, medical records, and password-protected sites. Deep web addresses consist of a random string of alphanumeric characters, and these websites are encrypted but still accessible using a regular Internet browser. This content is not automatically indexed, so it is a lot harder to find information on your own. Many services exist to help law enforcement and other investigators access the deep web, such as TLO and Accurint, a LexisNexis service.

Tor was designed to be safe, not fast, so it is much slower compared to the Internet we are used to. It is important to remember that the Tor network is a service that is independent of the Tor browser, which is simply a tool to access this network.

Like the deep web, the URLs are composed of random alphanumeric characters, but with most often the top-level domain (TLD) of .onion for anonymous sites or .onion.to for non-anonymous sites. Tor sites are sometimes referred to as Tor hidden services, onion sites, or simply onions. The very common misconception is that the dark web and the deep web are the same; in fact, though their web addresses seem similar, it is the .onion top-level domain that indicates a dark web site and requires a special browser to be accessed.

The dark web’s primary purpose is anonymity, not illicit activity. People use the dark web when they want to protect their identities, for whatever reason. Tor was developed in the 1990s by the United States Naval Research Center as a military-grade application designed to help clandestine operators protect their identities while transferring information. The dark web uses a relay methodology to hide a user’s identity behind three proxy layers. Each relay has its own geographical location, which makes it very difficult to trace a user.

One of the weaknesses of this system became apparent soon enough: although foreign hackers could not identify the specific users on Tor, they could be sure that they were all US government agents, since no other government was on the dark web. The federal government resolved this issue by making the dark web available to the public in the early 2000s; by increasing the number of users on the dark web, it became significantly more difficult for foreign governments to identify US clandestine agents and operations. The Internet Frontier Foundation, which is largely funded by the federal government, picked it up and continued to develop the code. In 2006, they officially announced the Tor project to the public and made the Tor browser available for use.

Today’s dark web is a versatile tool, which is what led to the creation of online black markets such as Silk Road and AlphaBay, which was shut down in 2017. Though Ulbricht claimed to have founded Silk Road based on the libertarian ideal of a completely free market, Silk Road was best known as a platform for selling illegal drugs.

The FBI investigation and subsequent shutdown of Silk Road gained global attention. The story of Silk Road’s rise and fall essentially drove the dark web to become what it is today: a hotbed of online black markets.

Users can track their orders and interact with customer service agents, just like they can with any other online retailer. Setting up a cryptomarket does not require a high degree of technological experience. Like e-commerce sites on the surface web, templates exist for dark web sites as well, which means that anyone can easily start selling on the dark web.

These sites even sort illicit goods into categories such as fraud, drugs, counterfeit items, weapons, software and malware, stolen credit card and financial information, and stolen personal identifying information, which often have specific search controls to allow potential buyers to search the listings by location, social security number, birth year, credit limit, and much more.

After his arrest in 2013, Ulbricht was convicted of money laundering, computer hacking, conspiracy to traffic fraudulent identity documents, and conspiracy to traffic narcotics by means of the Internet. He is currently serving two life sentences without the possibility of parole. Many people have criticized the FBI for its dubious methods of investigating and arresting Ulbricht, even going as far as to accuse the FBI of entrapment. However, Ulbricht was clearly guilty of his crimes. Despite having created Silk Road with possibly good intent, he eventually got caught up in the greed of monetizing the platform, which is what actually led to his arrest.

Unlike Ulbricht, the founder of AlphaBay, Alexandre Cazes, created his online black market in 2014 with the specific goal of creating the “largest eBay-style underworld marketplace,” a claim he made on the AlphaBay website. Through AlphaBay, Cazes made over $23 million in revenue and lived in luxury in Thailand where he owned many mansions and even had multiple wives. He was arrested in 2017 and found dead of apparent suicide in his jail cell in Thailand days later. AlphaBay was officially shut down a few days later.

How People Pay on the Dark Web

The leading form of payment on the dark web is cryptocurrency, with Bitcoin being the most common type of cryptocurrency exchanged. Cryptocurrency is a digital currency, where transactions are recording on a public ledger, usually a blockchain, and every process is protected by cryptography, which is simply the practice of secure communication.

People on the dark web use cryptocurrency because it is decentralized, digital, and almost completely anonymous. No banks or governments can control cryptocurrency. Instead, cryptocurrency is controlled by its users and a blockchain to maintain its integrity. As a digital currency, cryptocurrency can be instantly exchanged online without needing a physical representation of its value, such as paper money.

Cryptocurrency is a pseudo-anonymous system. Although it is impossible to trace transactions back to their senders or recipients because the blockchain only has a record of each user’s public identity, you could theoretically find out a user’s identity if you had the private key to their account.

When users purchase goods on the dark web, such as drugs, they usually transfer cryptocurrency to be stored in escrow, just like someone does when they buy a house. The cryptocurrency sits in escrow until the buyer confirms they have received their order. This prevents sellers from ripping off buyers.

However, sellers on the dark web don’t often try to rip people off. To them, the dark web is simply another method of delivery for products they have already been selling. Though they are criminals, these sellers operate just like typical businesspeople. They are motivated by money, which is what keeps them honest. This incentivizes them to sell high-quality products and provide good customer service in order to entice buyers to return.

Sellers on the dark web provide customer support the same way as many other e-commerce retailers by contracting overseas customer service call centers. These call centers, often located in countries like Romania and India, are simply providing a service, whether they are doing so for a legitimate retailer or for someone on the dark web who sells drugs.

The Dark Web and Retail Asset Protection

How does all this secretive and potentially illegal activity relate to retail? The dark web is where people go when they want to learn about something or communicate without others knowing who they are. Although drugs are the most common illegal commodity found on the dark web, there are more immediate threats for private retailers—stolen credentials, stolen credit card information, counterfeit merchandise, and hacking tools, just to name a few. Criminals can even use the dark web to learn about company security policies, which stores are best to steal from, and which EAS tags a company uses, so they can learn how to defeat them.

Because the dark web is primarily used for secure communication, it can facilitate organized retail crime planning, research, and discussion. People can also use the dark web for hacking as a service (HaaS), where a hired hacker serves as a contractor. Some of the services offered in hacking as a service include gaining access to another person’s social media accounts, denial of service (DoS) and distributed denial of service (DDoS) attacks on websites, network infrastructure attacks to bring down communications, and even command and control of a huge botnet army. Hiring a hacker is just as much a crime as hacking itself since inducement to commit a crime is itself a crime under US law.

According to a hacking-as-a-service website called “Hire An Hacker,” many hacking-as-a-service websites intentionally use bad English to disguise their identities and make it harder to figure out where they are located. Other hacking services include Facebook account hacking as their most requested service, along with smartphone hacking, backdoor computer access, database modification hacking for websites, and even a way to fix one’s credit score. Service costs start at $350 for “easier” jobs, such as email account hacking, and can go up to nearly $2,000 to hire someone to deface or even completely delete a website.

Hackers can also facilitate identity and credit card fraud by stealing this information and selling it on the dark web. In 2016, credit card fraud totaled $24 billion in losses, half of which affected cardholders in the United States.

In April 2017, the then-unidentified group called the Shadow Brokers published a collection of the National Security Agency’s (NSA) most coveted hacking tools, including ways of exploiting most versions of Microsoft Windows, allowing essentially anyone to download cyber weapons. The authors of the WannaCry ransomware attack, a worldwide cyber attack in May 2017 that encrypted users’ data and held it for ransom in exchange for Bitcoin payments, used the EternalBlue exploit originally developed by the NSA and later released by the Shadow Brokers. The Shadow Brokers also offered a subscription service for the latest hacking malware for tens of thousands of dollars a month.

Some dark web users believe they are impossible to trace, so they will keep the same usernames they employ on the surface web. This makes investigators’ jobs a lot easier. Furthermore, because the dark web is not automatically indexed, criminals must advertise their products and services. There are even directories for providers of illicit services. Forums, both on the surface web and the dark web, discuss the relative merits of various dark web marketplaces and services. All this makes it surprisingly easy for investigators to locate bad actors.

On the other hand, investigative targets can be tough to pin down because dark web sites come and go quickly. They must constantly adapt to changing circumstances, like pressure from competitors or law enforcement activity. When these illicit marketplaces gain visibility, their operators often simply move outside the United States. In fact, most of the most prolific fraud sites technically exist on the surface web and often don’t bother with the dark web. They use top-level domains based in countries with lax fraud policies, such as Samoa (.ws), Cameroon (.cm), Cocos Islands (.cc), or Oman (.om).

Protecting Yourself from Cyber Crime

Fighting back against cyber crime is really a war, and as in any war, you need to have a strategy. It is important to prepare a plan for deterring cyber crime and responding to an attack. This can make all the difference between a minor incident and a major financial and public relations nightmare.

Understand your company’s information systems. Use data inventory and data mapping to gain a thorough understanding of what you are trying to protect. Include all the obscure data sources that are easy to overlook.

Classify the data. Some information is highly sensitive and valuable, while other information is not. You must create a clear process for distinguishing the various level of information sensitivity.

Create clear guidelines for data access. Not every employee needs to have access to all the information in a company. Structure this access based on need.

Secure the data. Use encryption and passwords to protect your information, regardless of its level of sensitivity.

Define cyber crime clearly, so everyone understands. All employees must be aware of current threats and issues, including those affecting the company’s customers. What reaches them could eventually reach you, so if they understand and report cyber crime early on, you can respond much more quickly.

Conducting Investigations on the Dark Web

Even with your company’s measures to protect itself from cyber crime, as a security professional, sometimes you feel the need to do more. Though only a very small portion of the Internet is on the dark web, you still might find it helpful to use the dark web when conducting investigations. Below is a how-to guide for searching the dark web.

Search for dark web URLs on a regular search engine. Even though the dark web is generally not indexed, it is possible to use a search engine to see what non-anonymous dark web sites exist. Use the search term [something illegal] inurl:.onion.to. For example, you can use this tip to see if dark web sites have shoplifting master lists for specific retailers or how-to guides for defeating various types of EAS tags. The caveat is that this method will only capture a very small amount of the information. It’s a quick and simple trick and will yield less that 5 percent of what is actually available on the dark web.

Check your company policy before starting an investigation on the dark web. Although using the dark web is completely legal, many companies have strict policies against it.

Use a computer dedicated for searching the dark web. An even greater risk is that bad actors could discover your information and access your system, so you do not want to put your personal or work computer at risk. Instead, buy a cheap computer for this specific purpose.

Download the Tor browser. The Tor browser is the most common way to access the Tor network. Other browsers and methods are available, but the Tor browser is the most secure way to date.

Connect to the dark web using a virtual private network (VPN). A VPN adds another layer of anonymity and prevents third parties from seeing your web traffic. Instead of using your home or work network, connect to a VPN while conducting your investigations on the dark web. Do not use a VPN provided by your workplace, as this defeats the purpose of protecting your work from any potential attacks.

Create a new email address for the dark web. Once you are logged into the Tor network, create a new email address that you will only use on the dark web. Do not log in with any other email addresses.

Do not use any identifiable or personal information. Do not use your real name, photos, previous usernames or even passwords you have used before on the surface web. This will put you at risk of being traced back to your personal or work accounts.

Do not download content from the dark web. If you want to save content you need for an investigation, use the screen capture tool or a screen recording software. If you feel it is necessary, work with a technical expert or download content into a “sandbox,” a virtual space isolated from the rest of your computer to protect it from any possible malware.

Myths and Misconceptions

People often associate the dark web with weapons, drugs, human trafficking, and child pornography. But a 2016 study by Terbium Labs showed that only 47.7 percent of .onion domains hosted illegal activity.

There are many fabricated stories about the dark web, often created and spread by the media and most of which are untrue or simply impossible. Below is a list of the most common myths and misconceptions and why they are not true.

Myth: It is illegal to access the dark web. Accessing the dark web is completely legal. Furthermore, the content of the dark web is mostly legal—over 50 percent of the dark web does not contain illegal or illicit content. Some people fear that searching the dark web will bring law enforcement knocking at your door. That’s what criminals are worried about. As a retail security professional, your only concerns should be the bad guys themselves.

Myth: The dark web is only for criminals. The dark web was made for anonymous, not illegal, activity. That means that many dark web users just want to research or communicate without revealing their identities. These users can range from citizens of countries with strict Internet censorship laws who want to read the news to protestors who are fighting against oppressive governments to LGBT citizens of a country where homosexuality is illegal. Licensed physicians even post free drug-related advice on forums. They know drug addicts are less likely to seek out medical advice on their own, which means health care professionals need to go out and find them on their own.

Myth: Terrorists use the dark web to communicate. Though terrorists could easily use the dark web to communicate with one another, there are many other encrypted forms of communication that are more easily accessible. They typically use popular messaging platforms such as WhatsApp, Signal, and Telegram, which are more accessible and exist on multiple platforms such as smartphones.

Myth: The dark web is where mass shooters buy weapons. This is not an issue of concern in the United States, where someone can purchase a military-grade assault rifle at a gun show much more easily. However, the person who killed nine people and injured twenty-one others in Germany in July 2016 bought his gun from the dark web since firearm laws are much stricter in Europe. German police were able to discover his use of the dark web via two separate investigations into other attempts to use the dark web to obtain weapons.

Myth: You will be hacked if you go on the dark web. If you use the same safe Internet practices you use on the surface web—don’t share your personal information and don’t download content from an untrusted source—then you will not be hacked on the dark web.

Myth: You can “stumble” upon scary sites. The dark web is part of the deep web, which is not automatically indexed, as explained earlier. This means you have to actively look for sites on the dark web. It is impossible to “accidentally” come across criminal content. That can only happen if you are seeking it out.

Myth: “Red rooms” are everywhere. Red rooms refer to the supposed websites where people live stream themselves mutilating or even murdering someone for “entertainment.” However, they are mostly urban legend when it comes to the dark web. The Tor network is too slow to stream live video. If red rooms do exist, they would be found on the surface web, and it is highly unlikely that you would find one.

A New Tool

The dark web has a mysterious and dangerous reputation and a very colorful history. However, it is actually a simple concept to understand and use in your work. Like any investigations, you need the right tools, a clear idea of what you are looking for, and a healthy level of caution to protect yourself and your organization. With a solid understanding of the dark web in mind, you can use this new tool to your advantage and discover potential threats before they come actual attacks against your company.


Tom’s column is featured in every issue of Loss Prevention Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com.

The Weekly Review: Episode 19 with Dr. Read Hayes, Tony D’Onofrio, Tom Meehan and Featured Guest Greg Buzek

This podcast originally appears in the LPRC website.

In this episode of CrimeScience: The Weekly Review from the Loss Prevention Research Council (LPRC), Greg Buzek, founder and president of leading apparel retailer IHL Group, joins Dr. Read Hayes, Tom Meehan, CFI and Tony D’Onofrio to discuss COVID-19’s impact on retail, inventory distortion, artificial intelligence, computer vision, the millennial unemployment rate, global retail sales, virtual SOC and much more. 

Podcast:  Play in new window

Subscribe:  Apple Podcasts | Android | RSS

How Retailers Can Use Computer Vision to Adapt to Changing Times

By: Ben Skidmore
This article originally appeared in Loss Prevention Magazine.

Interview with Tom Meehan, CFI

Meehan is chief strategy officer and chief information security officer for CONTROLTEK. In his dual role, he leads the company’s solutions development strategy and retail-specific strategic initiatives, while championing information security technologies and protocols for CONTROLTEK and its partners. He is an LP expert in cyber security, retail technology, and information technology. He currently serves as Innovation Team Chair with the Loss Prevention Research Council, retail technology editor at LP Magazine, and cohost of the LPRC podcast.

Loss prevention professionals have been faced with the robust job to combat shrink, discourage theft, increase efficiency, improve performance, lower costs, support safety…and the list goes on. The coronavirus pandemic has sped up these challenges and threats exponentially, while presenting the added layer of health safety to the mix.

In the turbulence of this change, keeping up to date is a constant challenge, and digital technologies have frequently been discussed and continue to be the answer as future-proof options for retailers. One of the most widely discussed technologies is artificial intelligence (AI), and one of the forms of AI most easily applicable to the retail environment is computer vision.

What is computer vision and how does it work?
Computer vision is an emerging technology that enables retailers to harness the power of video to automate the process of identifying threats in real time, leading to quicker and better decisions. In simple terms, it is defined as a field of artificial intelligence that replicates the complexity of the human vision system to enable computers to “see” and understand the visual world. Using content from digital images, videos, and deep-learning models, computer algorithms mimic the way human vision acquires, processes, analyzes, and understands visual information to identify and classify objects.

There are several types of computer vision features used in different ways, but simply put, when a computer is supplied with images, it uses algorithms to analyze for distinctions such as shapes, colors, borders, distance between shapes, and other patterns to identify a profile of what the picture means. When these algorithms are complete, the computer will theoretically be able to use this learned data to find other images that match that profile.

How can a retailer use computer vision?
Though computer vision has a lot of potential applications that haven’t been fully discovered, for retailers the solutions already exist. Facial recognition technology is a form of computer vision that has been tested and proven in retail. It is particularly useful in helping retailers detect shoplifters and alert when known bad actors enter stores. A cloud-based computer vision platform even allows retailers to access information across multiple locations.

Computer vision technology can also provide traffic and behavior analytics by using real-time, accurate visitor counts and classification, so retailers can understand customer traffic by knowing a customer’s path through the store, where they spend time, and how much time is spent there. Powerful, deep-learning technology allows retailers to know the behaviors and demographics for optimized marketing, sales, and rewards program effectiveness.

How can computer vision help retailers with challenges presented by COVID-19?
Because of its endless potential, computer vision technology can be adapted to address current challenges, such as the pandemic. Computer vision features that have been adjusted in response to COVID-19 challenges include temperature screening, mask compliance, and occupancy verification. Thermal imaging, originally intended to detect intense heat for early indication of fire, can be used to screen temperature and detect elevated body temperature of individuals entering a facility. Mask detection to identify a person as a robbery threat can be adapted to detect a face mask for health compliance. Facial recognition can determine unique customer counts for occupancy verification allowing retailers to stay within social distancing guidelines.

What are your thoughts on the accuracy of thermal imaging?
You must ensure you have the correct camera or imager and have a clear understanding of its ability and limitations. Thermal imaging that is widely available isn’t medical grade. It simply uses the sensor to detect body temperature. Like any noncontact temperature screening, there are many variables one must consider, such as ambient temperature, abnormal body temperature related to the environment, distance, and the weather. So, yes, this technology can detect an elevated body temperature, but it’s just one way of helping to keep your customers and employees safe.

How can someone integrate computer vision technology into an existing loss prevention strategy?
Like most AI solutions, computer vision is what you make of it. Investing in computer vision solutions on a smaller scale won’t prevent you from expanding its use in the future, and its future-proof design means you can integrate computer vision as your retail loss prevention methods change.

CONTROLTEK’s solution CMatch AI is scalable with the ability to operate as a standalone, plug-and-play device or as a cloud solution to save information for enterprise-level monitoring. The automation of CMatch AI eliminates the need for human interaction to support public health and safety, reducing labor costs and providing real-time information. CMatch AI helps retailers reopen stores safely and streamline compliance with new COVID-19 policies, while remaining adaptable for what changes may come.


To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com.

Cyber-Security Strategies during COVID-19

This article originally appeared in Loss Prevention Magazine.

Cyber crime has always been an issue, and the era of COVID-19 is no exception. In recent months, bad actors have been taking advantage of both individuals and businesses during this vulnerable time through phishing scams with COVID-specific themes, anything from fake websites to access your coronavirus stimulus check or impersonating regional health authorities to share fake news.

The pandemic has also seen a wave of bad actors attempt to infiltrate major corporations, with the hope that they have been overwhelmed by pandemic-related issues and have weaker cyber-security protocols. In June, Amazon Web Services reported that they had to defend themselves against a significant denial-of-service (DDoS) attack with a peak traffic volume of 2.3 terabytes per second (TBps), the largest ever reported. Before that, the previous largest DDoS attack recorded was 1.7 TBps, mitigated by NETSCOUT Arbor in March 2018. The Australian government also came under cyber attack in June, from what the prime minister described as a “malicious” and “sophisticated” state-based actor.

The best way to protect ourselves from cyber criminals is for both the public and private sectors to work together to prevent bad actors from accessing our systems while also educating the public about how to identify and avoid phishing scams and other malware.

Working Together to Prevent and Respond to Cyber Crime

Private companies often have more-advanced technological innovation that can not only prevent bad actors from infiltrating their systems but also track and analyze these attempts. This technology can be very helpful for law enforcement to find and arrest cyber criminals, which will offer justice to victims of cyber crime while also increasing the risk of cyber crime, making it less enticing to others.

In April 2020, the World Economic Forum launched the Partnership against Cybercrime initiative with the goal of unifying the public and private sectors in working to prevent cyber crime. This initiative involves creating a global framework where governments and private companies can collaborate to improve the effectiveness of cyber-crime investigations and enhance the potential of disruptive actions against cyber-criminal infrastructures.

Educating the Public to Protect Themselves from Cyber Crime

The sudden and unplanned shift of so many office employees to long-term remote work has introduced a wide range of challenges for both businesses and individuals. For example, video conference meetings on Zoom have become a necessary replacement for regular in-person meetings, but these virtual meetings are not always secure. Zoom meeting rooms can be easily found and infiltrated by unwanted visitors, or even transcribed and posted online without meeting participants’ consent.

Shifting to remote work also means companies have had to move sensitive information to online servers, so employees can access these files, which opens up their organizations to the possibility of unauthorized external access. While many businesses are incorporating cyber-security strategies in their organizations as they grow, one large group has not caught up: schools. In an effort to keep up with the digitization of education, public schools have moved a lot of resources and teaching tools online, but they often lack the dedicated funding and resources to secure this data—and these obstacles already existed before learning moved online during the COVID-19 pandemic. Because of this, schools struggle to follow industry-wide best practices for cyber security, such as having a dedicated cyber-security expert review and update their security protocols and regularly patching system vulnerabilities. With so many teachers and students abruptly moving everything online, anything from Zoom class meetings to online school portals, if not properly encrypted or otherwise secured, can become an opening for a cyber criminal to infiltrate the school’s system. These vulnerabilities can lead to cyber criminals accessing sensitive information via school VPNs or Remote Desktop Protocol and even sending ransomware to unsuspecting students and teachers.

Major organizations, like university campuses and businesses, have more secure systems in place to protect users who are accessing the Internet. However, with everyone working and going to school from home, their private home WiFi networks are often not equipped with the layers of security a commercial network typically has. This has led to more people becoming vulnerable to phishing attempts and other malware that normally would be filtered out by their organization’s cyber-security protocols.

On top of this, COVID-19 has created a very vulnerable environment for the public—we are all afraid of contracting the virus or unintentionally infecting others. This fear is very easy for bad actors to take advantage of in phishing scams and provides them with a foothold to access your private information, such as via an email claiming that employees at your work have tested positive for COVID-19 and asking you for sensitive company information.

Fortunately, the same rules for identifying and avoiding malware still apply:

  • Do not click links or open attachments in an email from an unfamiliar email address.
  • Do not click ads while you’re browsing the web, even if it’s for a legitimate website. It’s always safer to visit the website directly or search for the sale the ad is promoting.
  • Do not give out private information, such as your social security number or a two-factor authentication code, over the phone, via email, or on a website that isn’t verified. Secure organizations, such as your bank, will not ask for personal information that way.

Another step for individuals to take to protect themselves is to enable any security protocols they can find on their router. This is as simple as looking up exactly which kind of router you have and how to log in and turn on the security features.

As the COVID-19 pandemic continues to create long-term demands for remote work and more online activity, we must be vigilant in not only maintaining our cyber-security strategies but also in being proactive to prevent cyber attacks and address any possible vulnerabilities before they pose a problem. One of the most important lessons we are learning during this pandemic is that we are stronger and more successful when we work together, and that is clear in the steps we must take to protect our businesses and to educate the public in proper cyber security.


Tom’s column is featured in every issue of Loss Prevention Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com.

The Weekly Review: Episode 18 with Dr. Read Hayes, Tony D’Onofrio, Tom Meehan

This podcast originally appears in the LPRC website.

In this episode of CrimeScience: The Weekly Review from the Loss Prevention Research Council (LPRC), Dr. Read Hayes, Tom Meehan, CFI and Tony D’Onofrio discuss vaccines and therapeutics for COVID-19, the recent cyberattack on Twitter, social engineering and cybersecurity during COVID-19, the top five surveilled cities in the United States, Amazon’s sales innovation, deaths related to COVID-19 by population and more.

Podcast:  Play in new window

Subscribe:  Apple Podcasts | Android | RSS

Do You Use Two-Factor Authentication?

Two-factor authentication, a secondary authentication method for logging into email, social media, banking or corporate accounts, is an easy way to protect your accounts. When you log in from an unrecognized computer or mobile device, the service provider sends a text message to your cell phone. This ensures no one can access your account with only your password. While this is not foolproof, it is an easy way to add a layer of security to your accounts.