A fraudster’s best friend may be sitting right on your wrist. Cybercriminals are taking advantage of a new breed of scam via fitness trackers and health apps, according to cybersecurity company NordVPN.
And like many other data thieves, they’re feasting on what consumers have allowed social media networks to glean from gadgets like Fitbit and popular exercise apps.
All it takes is craftily befriending users to share their exercise goals. Once that box is checked, then it’s off to mining personal information or manipulating them into sending over money.
“The trend in fitness tracker fraud shows it’s no longer enough just keeping an eye out for scammers while on your mobile or laptop — now they could be targeting you on the treadmill,” Marijus Briedis, cybersecurity expert at NordVPN, said.
“Once a scammer has you in their sights, what begins as bonding over a recent workout can quickly turn into a form of social engineering where they seek to mine as many personal details as possible while your guard is down. This can ultimately lead to attempts to manipulate you with fake personal stories, investment ‘opportunities’ or even identity theft.”
Stopping the scammers in their tracks
This is such a new wrinkle that there's no single switch to flip to stop these fraudsters yet. There are, however, individual app permissions you can turn off to protect what’s most important to you.
Note: iOS and Android app permissions may be named differently, depending on the version of your operating system, so it may take a bit of extra digging to determine what’s what.
When it comes to fitness apps, the first line of defense is to avoid sharing any personally identifying information and to keep a basic ‘vanilla’ profile in your online groups, using an avatar or no picture at all.
“As with romance scams, beware of any requests from strangers, chats that veer away from fitness topics, or attempts to move the conversation onto another website or app,” Briedis added.
But don’t stop there.
“While some running or cycling apps will request special access to your location settings to track your favorite routes, there’s no excuse for a blood pressure checker getting hold of your call history or being able to see your photos. As a minimum, make sure that any fitness apps you add allow you to delete your data,” he said.
The phone camera
If you give an app access to your camera, you’ve made the app developer very happy. With that permission, an app can take pictures and record videos as you might expect, but the NordVPN researchers caution that some apps may misuse this permission to access your camera without your knowledge. When that happens, all bets are off and a fraudster can invade your privacy.
If you don’t want that to happen, you should only grant access to your camera to trusted apps that actually require camera functionality, such as your camera app.
“Sometimes camera requests make sense for other apps too. For example, social media apps may need it for video calls or posts, while other apps may require it to scan QR codes,” the researchers said. “But if you need help determining whether you trust the app enough, you can always grant access to your camera only when the app is in use.”
Another entry point for someone who wants to invade your life and plunder your personal privacy is your phone’s microphone. Just like the camera, you should inspect which apps can access it, too. Some make perfect sense – like Google Assistant or texting via voice – but if you don’t see a significant reason for an app to access your microphone, stay on the safe side and deny the request.
Files and media
Apps with access to your files and media can read, modify, or delete the content on your device, including your sensitive files, photos, and videos. Some of the more notorious ones are apps that claim to clean junk files and save battery life.
Trusted brand apps that truly need access to your photos, such as Google Photos, or security software that needs to scan your files for malware, such as Norton, should be safe, but any off-brand apps should be chosen carefully.
Location settings are another line that apps like to edge over, hoping to follow a person’s every move. Google Maps? No problem. But do you want Facebook to know where you are at all times?