As the COVID-19 pandemic continues, identity theft and cyberattacks also continue. In fact, the health crisis and its ensuing unemployment benefits have created new opportunities for hackers. “Essentially, because of COVID and the CARES Act, states have seen a dramatic increase in unemployment fraud,” said Joseph Murdock, CISSP, instructor of information systems in the Business School.
CARES, COVID, and Unemployment Fraud
Many Colorado residents, including those in the CU Denver community, have been affected by data breaches such as the Colorado unemployment fraud scheme. The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) is a $2.2 trillion economic stimulus bill that included increased unemployment benefits. Murdock explained that cyberattackers are using personally identifiable information (PII) to file fraudulent unemployment claims to access CARES Act funds. However, the information came from data breaches that happened before the pandemic—months and years ago. “Previous data breaches are facilitating the fraudulent claims,” Murdock said.
Colorado is not the only state struggling to identify which unemployment claims are real and which are fraudulent, but the state has been considerably affected. According to Murdock, “Up to 50% of Colorado claims could be fraudulent, based on what has been reported. COVID has definitely provided extra opportunity for attackers to use breached PII. This is another ramification states are having to deal with in the age of data breaches.”
Cyber Breaches Involve PII and Government Data
One data breach in particular directly affected the University of Colorado. Accellion, a cloud provider that facilitates large file transfers for the university and more than 3,000 companies worldwide, recently announced that its system had been hacked. While the company initially said the breach affected approximately 30 companies, that number has grown as Accellion continues its investigation. The university acknowledged that at least some of its data was stolen. “Kudos to the CU System and President Kennedy for being transparent and proactive,” Murdock said.
While hackers carry out phishing and phone scams to obtain PII and commit identity fraud, there are also more nefarious data breaches being disclosed. For example, the SolarWinds hack, also recently identified, affected more than 18,000 large companies that use SolarWinds software, including Microsoft and various U.S. federal agencies. The culprit? Most likely Cozy Bear, a Russian hacker group with ties to multiple Russian intelligence agencies. “This is state-sponsored,” said Murdock. “They’re trying to collect intelligence. Preventing these data breaches is why real-world experience for our students is so important.”
Business & Computing Students Enter Cyberdefense Competition
Murdock helps his graduate students in part by coaching them for the National Collegiate Cyber Defense Competition (NCCDC). CU Denver’s Transamerica Cybersecurity and Digital Forensics Club, a team of eight students representing the Business School and the College of Engineering, Design and Computing, recently qualified for the quarterfinals in the Rocky Mountain Region. Most cybersecurity competitions involve capture the flag (CTF), in which teams are looking for a file or information in a file. “The NCCDC competition is much more complex,” Murdock explained. “Each team is given a replica network system for a business or organization, and their job is to go through, secure it, and defend it in real time against attackers known as a red team.”
The team also has to communicate with theoretical supervisors and C-level business leaders throughout the competition. Sponsored by Raytheon, the competition is perhaps the most important national competition—precisely because teams have to “protect a company from a data breach as it would happen in real life.” Jazmin Barraza, a computer science major and NCCDC team member, said, “I have learned from and connected to people within the cybersecurity field, and I have also been exposed to different hacking techniques that have helped me learn more about vulnerabilities within companies and software.”
U.S. Needs Workers Who Specialize in Cybersecurity
Another way CU Denver is preparing students for real jobs in cybersecurity is by ensuring the programs like the MS in Information Systems are aligned with industry needs and governmental standards. Both the Business School and the College of Engineering, Design and Computing are in the process of applying for certification from the National Security Agency to be designated as a National Center of Academic Excellence in Cybersecurity. CU Denver is also hoping to attract more cybersecurity students by hosting a GenCyber virtual camp for high school students this year.
Murdock emphasized that in the current economy, cybersecurity is one field that continues to grow. According to CyberSeek.org, a project supported by the U.S. Department of Commerce, the state of Colorado currently has more than 19,000 vacant jobs in cybersecurity. Nationally, there are more than 520,000 job openings. The National Initiative for Cybersecurity Education (NICE) recently stated, “The challenges and opportunities before us to address the cybersecurity workforce needs of employers will require a whole nation approach.”
Murdock discussed how recent data breaches and cyberattacks underscore the need for more employees who specialize in cybersecurity. In the current economic downturn, cybersecurity remains a field with a very low supply of workers, making the programs in cybersecurity at CU Denver financially and strategically valuable. “Honestly, data breaches are going to continue to escalate. Organizations will continue to try to protect their assets while hackers continue to try and breach company systems,” Murdock said.
“Assume that all of your data is out there on the Internet and act accordingly,” Murdock warned. “You can try to live off the grid, put your tin foil hat on, and go into the woods, but lots of companies already have your information.” He offered these helpful strategies for protecting yourself against cyberfraud.
Monitor Your Credit
Every year, request your free annual credit report from all three credit reporting agencies.
Don’t Reuse Passwords
It may be difficult to remember different passwords, but it’s worth it. Using the same password for Facebook as you do for your bank account is a horrible idea.
Beware of Phishing Emails and Calls
If an email looks odd, don’t click on it. If someone calls asking for personal information, don’t provide it. Large organizations like Microsoft or the IRS aren’t going to call you personally.
File Taxes Early
Although it’s not particularly enjoyable to file income taxes, Murdock advises you do it early—before identity thieves file fraudulent reports using your identity.
See Resources at the University of Colorado Office of Information Security.