“Today, somebody reached out via the contact form on my website, claiming to have interacted with me on Freelancer.com. I told them that I don’t have a profile there. They proceeded to inform me that somebody must be using my name and photos.”
This is how fellow freelancer Kat Boogaard started a Twitter thread that describes the out-of-body experience she had when a scammer impersonated her on the platform. The crook created a fake profile with her personal information and testimonials and used her reputation to pitch clients from all over the world.
If her situation sends shivers down your spine, you’re not alone. With so much of our work and information online, it really can happen to any of us. But let’s not freak out. There’s a better, more constructive way to use our anxious energy and protect our freelance biz, including an early warning system for scammers and impersonators.
Wondering what makes me qualified to dispense this kind of advice?
I’ve been working in the cybersecurity industry for the past 6 years and I’ve picked up a ton of useful know-how along the way. I know it works because I use this setup myself, constantly improving it with reliable tools and expertise. Not only do I feel much more at ease but I also offer my clients the level of follow-through which I promise in every aspect of my work.
Your clients expect security and privacy as a default
Maybe you’ve never thought about this. Maybe your customers never asked. But it’s good for both you and them to ensure you have a setup that protects your business. Besides liability insurance (which is a topic for a different guide), a minimal investment of time, effort, and a bit of money go a long way to keep your assets safe.
Plus, as a business owner, you have legal responsibilities that also cover data protection, especially if you’re in the EU (GDPR) or California (CCPA). You can’t afford to ignore this, even more so if you have access to confidential data (for which you probably signed an NDA).
But before we dive into the practical details, let’s take a look at your freelance writing business from an attacker’s perspective.
What do cybercriminals and scammers want from me?
TL;DR Money, data, and access.
Online criminals and crooks are very, very good at monetizing anything they can get as a result of a cyberattack.
Let’s look at some examples:
- They can encrypt your data (local files, stuff you have in cloud storage such as Google Drive, external hard drives connected to your main device) with malicious software called ransomware and ask for a certain amount of money to give you a decryption key that restores access to it.
- They can send you fake emails (phishing), text messages (smishing), IMs that seem to come from legitimate sources, and even call you (vishing) to direct you to a website they control and that asks for things like your debit or credit card information.
- They will use automatic tools that try email/username and password combinations (brute-force or credential stuffing attack) to break into your accounts, where you probably have scanned documents, contracts, and invoices with tons of personal and customer information. A computer can try up to 100 billion combinations per second (!), so cracking short passwords takes seconds. It doesn’t help that attackers can buy lists of hundreds of millions of leaked login credentials for as little as $20 on the dark web – true story.
- They can redirect your traffic (clickjacking) to websites that hide malicious code under seemingly legitimate pieces of content (links, ads). The goal is to infect your device with a keylogger, a malicious piece of software that records everything you type, including usernames, passwords, and personal data, which they will later use to break into your accounts, including online banking, email, insurance, medical platforms, etc.
- They will try to infiltrate your email address and intercept emails containing invoices, changing your bank account to one they control. When your customer makes the payment, they transfer the money into the attacker’s account instead of yours (business email compromise).
- With access to your email address, they can also send malicious emails on your behalf (email spoofing) and try to bait your customers into clicking infected links, effectively compromising their devices and accounts – with you as a starting point.
- They will try to trick you into revealing information about your clients or giving them access to websites, folders, or data that belongs to your customers, effectively using you as a stepping stone to their final target (supply chain attack).
And these are just seven of the most common examples, to which I can add loads of others such as impersonation and identity theft, which is what happened to Kat. Many of these cyberattacks and online scams can have long-term consequences that take time, effort, and sometimes money to deal with.
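To put the brute-force figure from the list above in concrete terms, here is an added example (not part of the original article) that estimates the worst-case time to try every password of a given length and character mix at the article's rate of 100 billion guesses per second. The sample passwords are constructed, and the function names are illustrative.

```python
import string

GUESSES_PER_SECOND = 100e9  # the article's figure: 100 billion guesses per second

# Standard character classes a password can draw from.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

UNITS = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)]


def alphabet_size(password):
    """Smallest alphabet an attacker must cover to reach this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (space, accents) are counted one by
    # one, which keeps the estimate on the low (pessimistic) side.
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to try every password of the same length over the same alphabet."""
    try:
        return alphabet_size(password) ** len(password) / rate
    except OverflowError:  # keyspace too large to express as a float
        return float("inf")


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    if seconds < 1:
        return "under a second"
    for name, span in UNITS:
        if seconds >= span:
            return f"{seconds / span:,.0f} {name}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account or leak.
    for pw in ["kitty7", "abcdefgh", "Summer2021", "Summer2021!",
               "correct horse battery staple"]:
        print(f"{pw!r:32} {humanize(worst_case_seconds(pw))}")
```

This models exhaustive guessing only. A password that already sits in a leaked credential list falls on the first try no matter how long it is, which is why reuse matters as much as length.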
To you, your business is not just special, it’s how you make a living. To cybercriminals, you’re just another potentially lucrative victim they target in automated attack sequences. These attacks reuse information from data breaches, dark web forums (where credit card details get traded for as little as $18), and simply what you post online every day (including your pets’ names, maiden name, and other details you may use as security questions for your accounts).
Wondering if your data has ever been involved in a data breach?
Here’s how to check: go to Have I Been Pwned and put in your work and personal emails (it’s super safe and run by a reputed cybersecurity researcher).
Given that freelancers usually have a pretty large digital footprint, you’ve probably already been caught up in a data leak. I know I have!
I don’t mean to make you paranoid. All I’m trying to inspire is caution and a bit of awareness of this particular topic.
Now let’s roll up our sleeves because I’m about to show you what you can do to make it hard for cybercriminals to compromise your business.
Let’s get practical – security layers for your freelance biz
Step 1: Do an in-depth review and setup
You can use this as your checklist for a spring cleaning for your digital assets.
You can choose to do it once and you’ll still get loads of benefits from it, but doing it twice a year is super valuable. You’ll need a few hours at first but, once you get the hang of it, I assure you that it’s a much faster and more effective process.
- Make a list of your Internet-connected devices (laptop, desktop, smartphone, tablet, router, printer, smartwatch, voice assistant, e-reader, etc.)
- List the types of information you have stored on your devices (articles, briefs, contracts, offers, screenshots, pictures, applications, passwords, etc.)
- Make a list of online services you use and highlight the ones you use most frequently (email, cloud storage, social media, online signature service providers, project management software, etc.)
- Define how valuable each asset is to you (online accounts, work stuff, apps, pictures, emails, etc.)
- Turn on two-factor authentication for those important accounts and set strong passwords for your essential accounts and devices
Important: This is the perfect moment to start using a password manager.
This piece of software isn’t just great for security, it also supports productivity. It helps you save and manage all your passwords and you only have to remember one master password to access them on any device (you can also use your fingerprint or face ID for that). A password manager is also good for sharing passwords with clients and helps them do the same – safely. I’ve been using LastPass for the past 5+ years, but Dashlane is also a great option.
- Adjust the privacy and security settings for your most important accounts (Google, Microsoft, LinkedIn, Twitter, DocuSign, Asana, Trello, Notion, Facebook, etc.)
- Set up backup emails for your essential accounts so you can regain access in case something happens and you’re locked out.
- Uninstall all unnecessary applications from your devices, especially those you use for work.
- Delete any online accounts you don’t use anymore (if they’re from an EU-based or California-based provider, you can also ask them to delete your data entirely under the right to be forgotten).
- Back up all your important assets on an external hard drive or in the cloud or, ideally, both! The best policy is to have 3 backups in separate places, so if one fails, you have the other, and then the other, and then… you get it 🙂
- Update all your software across your devices, from your operating system to your smartphone and desktop apps, as they almost always include crucial security updates.
- Install an antivirus or an antimalware product on all the devices that support it and set regular scans to run automatically. I’ve been using Bitdefender for almost a decade and Malwarebytes for almost 5 years, but any of the solutions in this top 10 are reliable.
Important: Here’s how to set up an early-warning system to find out if malicious actors are using your personal information across the web.
Set up a monitoring solution such as Bitdefender Digital Identity Protection to get alerts when malicious actors use your email addresses and other personal details, when your data leaks on the dark web, or when impersonators try to use your good reputation for fraud.
I was amazed to see how accurate this service is and how fast it alerted me to the recent LinkedIn breach. I feel much more at ease knowing it’s patrolling the web for me and that I can find out fast if something the likes of which Kat went through happens to me, so I can limit the damage.
- Strengthen the security and privacy settings in your browser, as it’s one of the pieces of software cybercriminals target most often. This includes deleting add-ons you don’t use anymore and cleaning your browsing history and cache once in a while (I do it once a month).
For this last bit, you can try using Brave, a browser that has the same features as Chrome but moves faster, doesn’t hoard resources, has an integrated ad-blocker, and more security options while also supporting all the add-ons you may use in Chrome.
I also use the Malwarebytes browser extension which filters the internet traffic in your browser, blocks ads, scams, and attacks that can infect your device.
The CyberGhost browser extension (for Chrome and Firefox) also comes in handy. It works like a VPN just for your browser, keeping your IP private and ensuring secure access to websites. Plus, you can change your IP to look like you’re coming from another country and read extra articles on HBR, Wired, Medium, and other paywall websites.
Step 2: Build safer online habits
Once you run through this cleanup process and set up the tools you need, it becomes much easier to pick up a few additional habits that improve your security. Everything you do in this area has a compound effect and future you will be thankful you did this now and didn’t postpone it until something bad happened.
- Gradually move your passwords to a password manager. It will save you from setting weak passwords and reusing them, and it will also expedite your work by removing a lot of login friction.
- Keep your software up to date with a simple swipe on your smartphone or by setting your apps and operating system to update automatically (where possible). Alternatively, you can add a weekly reminder for this in your calendar.
- Check that the websites you use have HTTPS, which secures the data you submit to them. This is more difficult to do on mobile, so try to only do important operations such as accessing your online banking account either from the official app or from your laptop/desktop.
- Share files online securely through trustworthy services and avoid sending personal data via instant messaging platforms (IDs, documents, invoices, bank details, and especially passwords!)
- Choose secure online communication platforms that use encryption (such as Signal or Telegram) and don’t share your data with third parties (like WhatsApp does – ugh)
- Set limits on your credit and debit cards, even more so if they’re tied to your business account
- Monitor your bank statements for changes each month or set up SMS alerts for transactions over a certain amount if your bank offers the option
- Never install apps outside the official app stores as they can be laden with malicious software.
Step 3: Run periodic check-ups
I’m pretty obsessed with keeping my digital life in order so it doesn’t overwhelm me, so I like to run periodic reviews of my security and privacy setup. I do this with a keen focus on my main accounts and I recommend you do the same to make sure things are in top shape.
- Delete your browser’s history, cookies, and cache
- Uninstall unnecessary applications and add-ons (especially from your browser!)
- Disallow access of third-party apps to your main accounts and apps (e.g. you may have tested Google Docs plugins in the past and forgot about them – these can turn malicious and infect your documents and even compromise your clients)
- Check for software and firmware updates for your devices and run those updates
- See if there are any new privacy or security features you can turn on or a feature or permission you can turn off for added protection.
I know this may be a lot to take in at first but trust me when I say that it’s doable and you don’t need a strong technical background to do this.
Security and privacy products have gotten substantially more user-friendly over the last decade and also more reliable. The myth of the antivirus product that slows your system to a halt is very, very outdated. For example, I run Bitdefender Internet Security 2021 on a 2013 Mac laptop and it works like a charm!
If you’re keen to take your cybersecurity education further, here are a couple of resources I created that mix super practical advice with a bit of fun because security education doesn’t need to be tedious and technical:
- Cyber Security for Beginners
- Cyber Security for Small Business Owners
- The Daily Security Tip
- Heimdal Security.com
I’d love to hear from you and how you used this guide! I hope it serves you well.