When you think of oversharing online, you may think of social media posts describing intimate details of your relationships, what you had to eat that day or even embarrassing photos of you from the weekend. However, have you ever considered that ‘innocent’ information, such as your date of birth, general hobbies, tweets and even your job title could be enough information for your account to be breached? In the eyes of malicious hackers, everyone is oversharing.
For hackers, collecting overshared information about you and your business is just one element in an overall social engineering strategy. Social engineering is the term used for a broad range of malicious activities accomplished through human interaction; it uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. As part of that strategy, hackers commonly target their victims with spear phishing campaigns. Spear phishing is an email or other electronic message scam aimed at a specific individual, organisation or business. It is typically used to steal data, credentials or money, and the message often carries an attachment or link that installs malware on the target's computer or mobile.
In order to secure yourself and your organisation, it is essential that you understand how hackers can exploit your emotions and the information you share online. To help, we have created two potential scenarios, one personal and one corporate, both of which are everyday reality for some people and businesses.
How Hackers Can Exploit You and Your Data
By analysing your public social media accounts, hackers are able to find out your full name, date of birth, general location, educational history and even your political interests, all of which can be used to build a spear phishing campaign.
To make matters worse, hackers can also find this information about your family members if you have an open Facebook friends list or a public Twitter account.
Scenario One: A Personal Account
A hacker has found a man's details in an online data breach, including his full name and email address, and decides to research the victim. The hacker finds the victim's Facebook page, which has no privacy settings applied.
The victim's Facebook page provides the hacker with his name, birthday, previous schools, current employer and even the family pet's name. Furthermore, the hacker is able to view the victim's relationships, which list who his wife and two daughters are.
By analysing the Facebook accounts of the victim and his family, the hacker is able to see the family's photos, general hobbies, interests and favourite brands.
What could a hacker do with this information?
1. They can use this information to guess current passwords: pet names, children's names, birthdays and favourite teams are exactly the words people build passwords from.
2. They can use this information to answer password security questions such as 'first pet's name' or 'first school'.
3. They can use this information to steal your identity. Fraudsters only need your full name, date of birth and address to take out loans, credit cards and mobile phone contracts in your name, all of which can be found on Facebook and in online directories.
4. They can build a spear phishing campaign. If it succeeds, they could gain access to your online accounts, including social media, email, online banking and more.
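To show concretely how points 1 and 2 work, here is an added example (our illustration, not code from any real attacker toolkit) that turns the kind of facts read off the profile above into the targeted wordlist a hacker tries first, and then lets you check whether your own password would fall to it. The person, the pet "Biscuit", the daughters' names and every other value are constructed and hypothetical.

```python
import itertools

# Constructed facts of the kind the hacker in the scenario above reads off a
# public Facebook profile. The person and every value are hypothetical.
OSINT_FACTS = {
    "pet": "Biscuit",
    "daughters": ["Emily", "Sophie"],
    "birth_year": "1978",
    "birthday_ddmm": "1403",
    "football_club": "Everton",
}

# Mangling rules people use to turn a memorable word into a "password".
SUFFIXES = ["", "1", "123", "!", "1!", "2023", "2024"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def flatten(facts):
    """Yield every fact value as a string, expanding lists such as the daughters' names."""
    for value in facts.values():
        if isinstance(value, list):
            yield from value
        else:
            yield value


def candidate_passwords(facts):
    """Build the targeted wordlist an attacker would try before any generic list."""
    values = list(flatten(facts))
    numbers = [v for v in values if v.isdigit()]
    words = [v for v in values if not v.isdigit()]
    candidates = set()
    for word in words:
        bases = {word.lower(), word.capitalize()}
        bases |= {b.translate(LEET) for b in list(bases)}
        for base in bases:
            for suffix in SUFFIXES:
                candidates.add(base + suffix)
            for number in numbers:
                candidates.add(base + number)
                candidates.add(base + "_" + number)
    # Two-word combinations such as the daughters' names run together.
    for a, b in itertools.permutations(words, 2):
        candidates.add(a.capitalize() + b.capitalize())
        candidates.add(a.lower() + b.lower())
    return candidates


def password_is_osint_derived(password, facts):
    """True if the password is in the targeted wordlist or embeds any public fact.

    This is the self-check side of the attack: if it returns True, the password
    could be guessed from the profile with no brute force at all.
    """
    if password in candidate_passwords(facts):
        return True
    lowered = password.lower()
    return any(len(v) >= 4 and v.lower() in lowered for v in flatten(facts))
```

A wordlist like this contains a few hundred entries, which is why "Biscuit1978" or "b1$cu1t!" offer no real protection once the profile is public: the attacker never needs to try millions of guesses. The same facts answer the "first pet" style security questions directly.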
Example of a Spear Phishing Campaign
By analysing your Facebook and Twitter accounts, the hacker has found out that you have two teenage daughters who tweet regularly. Some of their tweets include screenshots of their phones which show their mobile network as O2. Furthermore, the hacker has seen on your own Twitter account that you have been tweeting O2 support about network issues.
Knowing this, the hacker could create an emotionally charged spear phishing email that appears to come from O2, alerting you that one of your daughters has gone £50 over her allowance. This may make the victim angry, so they pay no attention to the validity of the email and immediately open the malware-infected PDF attached to it to find out more. The victim may also try to pay the bill straight away, handing their card and personal details to the hacker.
You cannot stop every spear phishing attempt reaching your inbox, but you can make them harder to build and easier to spot. Always be vigilant and take the appropriate steps to make your personal details more secure.
Keep your social media accounts private.
Keep your Facebook ‘About’ section to a minimum if your Facebook is public.
Change your privacy settings to only allow friends to view your friends list, or no one at all!
Avoid posting sensitive information, such as your date of birth. Encourage your friends to message you privately when it is your birthday, instead of on Twitter or on your Facebook wall.
Don’t tag your exact location every time you go out/socialise. A hacker can carefully study your life to perfect their spear phishing campaign.
Carefully study each email you receive, no matter how alarming it is.
Read the sender's email address, not just the display name, and check that it is genuine.
Study the layout of the email to determine if it is similar to official emails you have received in the past.
Watch out for spelling and grammatical errors, as this is a sign of a phishing attempt.
Don’t make rapid decisions. If you are convinced the email is genuine, still double check by calling the company or sender using a customer service number that is displayed online and not in the email.
If an email involves you and another person, confirm with that person directly that the email is genuine.
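The "check the sender's address" advice above, and the same advice for business email in the CEO-fraud scenario later on this page, can be made mechanical by looking at the headers your mail client hides. The following is an added example (ours, not O2's or any vendor's code) that parses a raw message and reports the signs of a forged sender: a Reply-To or bounce address on a different domain from the From address, a public webmail sender, and failed or missing SPF/DKIM results. Both sample messages are constructed for this example; the domains mail-o2-billing.example and examplecorp.example and the people in them are hypothetical.

```python
import email
from email.utils import parseaddr

# Domains that neither a telecoms provider nor a CEO sends business email from.
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Constructed message mirroring the O2 scenario: the From header is forged to
# the real brand domain, but the bounce address, the Reply-To and the receiving
# server's authentication results all point elsewhere.
SAMPLE_O2_PHISH = """\
Return-Path: <bounce@mail-o2-billing.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-o2-billing.example; dkim=none
From: "O2 Customer Billing" <billing@o2.co.uk>
Reply-To: billing-desk@mail-o2-billing.example
To: victim@example.net
Subject: Action required: your daughter's bill is £50 over her allowance

Please open the attached statement and settle the balance today.
"""

# Constructed message mirroring the CEO-fraud scenario: nothing is technically
# forged, the sender simply registered a webmail account in the CEO's name.
SAMPLE_CEO_FRAUD = """\
Return-Path: <john.smith.ceo@gmail.com>
Authentication-Results: mx.examplecorp.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
From: "John Smith (CEO)" <john.smith.ceo@gmail.com>
To: finance.manager@examplecorp.example
Subject: Urgent transfer for the new project

I'm in a meeting, please send the funds to the account below today and confirm by reply.
"""


def domain_of(address):
    """Lower-cased domain of an email address string, or '' if it has none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_red_flags(raw_message):
    """Return human-readable warnings about who really sent a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    flags = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    return_domain = domain_of(msg.get("Return-Path"))

    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To goes to {reply_domain}, not to the From domain {from_domain}")
    if return_domain and return_domain != from_domain:
        flags.append(f"bounces go to {return_domain}, not to the From domain {from_domain}")
    if from_domain in PUBLIC_WEBMAIL:
        flags.append(f"sender uses public webmail ({from_domain}) rather than a company address")

    # Authentication-Results is added by the receiving server; a forged From
    # usually shows up here as spf=fail or dkim=none for the claimed domain.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            flags.append(f"{mech.upper()} check failed")
        elif f"{mech}=none" in auth:
            flags.append(f"no {mech.upper()} result for this message")
    return flags
```

Most clients let you view the raw message ("Show original" or similar); paste it into `sender_red_flags`. Note the two cases are different: the O2 message fails because the From header is forged, whereas the CEO message passes SPF and DKIM perfectly because the attacker really does control that Gmail account, so only the webmail check and a phone call to the real CEO catch it.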
Scenario Two: A Business
A hacker has found the details of an employee in a large data breach, exposing their full name and work email address. The hacker has tried to find the employee on Facebook and Twitter, to no avail. However, the hacker has found the employee's public LinkedIn profile, which shows which company they work for as well as other colleagues in the office. Researching further, the hacker has found the company website with a 'Meet the Team' page detailing who the CEO is, as well as other key members of the organisation.
Example of a Spear Phishing Campaign
From the Meet the Team page the hacker has identified the Finance Manager and guessed their email address by assuming it follows the same format as the address found in the data breach. From the same page, the hacker has the CEO's name and title.
Using this information, the hacker has sent the Finance Manager a spoofed email pretending to be from the CEO, asking for a transfer of funds to facilitate a new project. As the Finance Manager usually does as the CEO says without question, they transfer the funds, losing the business £10,000.
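The address-guessing step in this scenario is routine reconnaissance, and it is worth seeing how little it needs. The example below is added by us (not a tool from the page or any attacker) and assumes a single breached name-and-address pair from a hypothetical company, examplecorp.example; it works out which naming convention the company uses and applies it to any name taken from a 'Meet the Team' page. All names and domains are constructed.

```python
import re

# Constructed input: one breached (name, work address) pair from a hypothetical
# company. Neither the people nor examplecorp.example are real.
KNOWN_ADDRESSES = [
    ("Jane Roberts", "jroberts@examplecorp.example"),
]

# Naming conventions that pentesters and attackers alike try, each a function of
# (first name, last name) in lower case.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first":      lambda f, l: f,
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
}


def split_name(full_name):
    """Return (first, last) in lower case with punctuation such as O'Neill's apostrophe removed."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    return parts[0], parts[-1]


def infer_patterns(known):
    """Return (pattern names consistent with every known pair, company domain)."""
    consistent = set(PATTERNS)
    domain = None
    for full_name, address in known:
        local, _, dom = address.lower().partition("@")
        domain = domain or dom
        first, last = split_name(full_name)
        consistent &= {name for name, fn in PATTERNS.items() if fn(first, last) == local}
    return consistent, domain


def guess_addresses(target_name, known):
    """Candidate addresses for a person named on the 'Meet the Team' page."""
    patterns, domain = infer_patterns(known)
    first, last = split_name(target_name)
    return sorted(f"{PATTERNS[p](first, last)}@{domain}" for p in patterns)
```

One leaked address is usually enough to pin the convention down to a single pattern, which is why publishing staff email addresses, or even one employee's address on LinkedIn, exposes the whole finance team's inboxes.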
In this scenario, the hacker is taking advantage of the Finance Manager’s fear of challenging the CEO. In order to avoid this occurring in your organisation, you can:
Engage every member of staff in your organisation with Cyber Security Awareness Training.
Always double check the email address that the email has been sent from.
Review your Cyber Security Policies to ensure that they are robust and up to date.
Challenge any unexpected or unusual request, even if it appears to come from the CEO. Contact them personally on their mobile, using a number you already hold rather than one given in the email, or ask other members of staff for advice.
Company Websites - If you showcase your team on your company website, refrain from publishing too many details about who works within your finance department, as well as any personal assistants. Furthermore, avoid posting employee email addresses publicly – encourage your audience to contact a general enquiries inbox.
Don’t use your work email for personal matters, such as signing up for social media accounts, personal newsletters, mobile apps and dating sites.
Study the email in question and be sure it matches to previous emails from the supposed sender. Is the CEO being too nice in an email? Are they unusually demanding? If their email signature is different, this may also be a sign of a phishing attempt.
To make your own emails harder to imitate, create a unique email style that is easily recognisable. For example, ending every email with your initials instead of your full name and job title is something a hacker would miss. Bear in mind that this only helps against an attacker who has never seen one of your genuine emails, so treat it as one more signal rather than a substitute for checking the sender's address.
Review your LinkedIn privacy settings.
Make your profile visible only to your connections and network. If your profile is visible to all LinkedIn members, or to the public, ensure that you don't publicise too many personal details.
Never advertise your email address on LinkedIn, despite the networking opportunities. If someone wants to get in touch, they can use LinkedIn’s messaging system.
- Curious Frank
Are you curious about cyber security? We'll be frank about it! From security consultations, cyber security training, digital foot-printing, extensive security tests and more, Curious Frank offers the best range of services to help individuals and organisations be more cyber secure. Find out more.