We might think we know about the perils of social media, but perhaps the most dangerous is cyber criminals' use of the information you share...
The use of social media to research, identify and target potential victims has opened a new front in cyber-crime known as social engineering.
And, if you aren’t already aware of it, it’s something against which you need to protect your organisation.
Politicians and policy planners know social engineering to be the use of public policy to achieve particular societal outcomes. However, in information technology it means something altogether more sinister.
In the context of IT, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Social networks are the obvious place to start since so much information is now shared online willingly. Sharing too much information on social media can enable would-be attackers to guess your passwords, for example – because it’s easy to research pet names, maiden names, etc in this way.
Internet security solutions developer Norton suggests that individuals take a proactive approach to managing their social media settings. It says: “Keep your personal and private information locked down. Social engineering cybercriminals can often get your personal information with just a few data points, so the less you share publicly, the better.”
In particular, it warns against sharing information about your children online. And it reminds users to keep a close eye on what their children are sharing online themselves.
In a business context, LinkedIn is the obvious resource for phishers, and not just as a way of trying to steal your login credentials, given that over half of successful phishing attacks have 'LinkedIn' in the subject line.
Accounts of phishers extracting confidential company information from employee posts illustrate just one of the risks here.
Last year, the Irish Times warned its readers about an invoice scam in which a business receives an email that appears to be sent from a company it already deals with. The email asks for no money but advises that the supplier’s bank details have been changed. If the business duly updates its payment systems, the next time the supplier company submits a legitimate invoice the money is transferred to the scammers – not the supplier.
This is a worrying scam because often companies will celebrate a new contract win on social media – and sharing this seemingly innocuous information leaves them vulnerable.
LinkedIn profile data is also an important resource for identifying victims. In fact, the Independent has reported that criminal gangs are paying £250,000 a year for criminals to find potential targets for “sextortion” scams. It says cyber security firm Digital Shadows has found evidence online that accomplices with programming skills can earn more than £840,000 a year.
Once these high-net-worth individuals have been identified, criminals are using increasingly sophisticated methods of attack to extort huge amounts of money. Cybersecurity Ventures estimated ransomware alone enabled hackers to extort $8 billion in 2018. It expects this figure to rise to $20 billion by 2021.
Security experts warn against connecting with people you don’t know on social media platforms.
Writing in USA Today, Elizabeth Weise explains why phishers are targeting people using LinkedIn. She says: “LinkedIn can pose dangers to unsuspecting users because people have come to have confidence in it and by extension, implicit faith that all accounts on the platform are legitimate.”
Once you have connected with someone, they potentially have access to your email address – leaving you vulnerable to phishing scams. And there is growing evidence of phishers using the platform’s own messaging service to send InMail messages that include dodgy links. Once clicked on, these links download ransomware or malware to the unsuspecting recipient’s computer.
Because LinkedIn is a professional network, many of the scams include offers of work or employment. Asking people to complete an online job application is an easy way for a hacker to harvest personal information, including financial and social security data.
Social engineering works on the principle that people are the weakest link in your technology infrastructure. Using social engineering techniques allows cyber attackers to target your people instead of your technology.
This means that your organisational defences must be focused on people too: raising your people's awareness of the risks and likely attack vectors, and sharing tools that make it easy to report suspect activity.
Essential cyber security training for all staff is a good start. Keep knowledge up-to-date and ensure risk awareness stays fresh by sharing updates about new attack vectors – forwarding this blog to all your staff, for example.
Here, information is power. Your policies must make it easy for your staff to have more information – and, importantly, ensure that hackers can access as little as possible.