Are you Rolling Out the Red Carpet for Hackers?

What’s more dangerous than a
hacker with killer tech skills?

A guy in a basement somewhere who knows your dog’s name and your wife’s birthday. Most malware and cyberattacks are internal jobs; experts say that 63 percent of data breaches come from internal sources. No matter how sophisticated your online security may be, people, it turns out, are still people. And they’re very susceptible to social engineering.

Social engineering is the act of using a person’s social inclinations to gain access to personal or corporate information. We’ve known about these attacks for decades (the first phishing email was documented in 1995), but millions of us still fall prey to them every day.

Hackers can find a treasure trove of personal information from social media. A recent Wall Street Journal technology article says, “Armed with all that publicly available intel, a cybercriminal can cobble together a profile of you—and use it in countless ways to break into your company’s network.”

Hackers find clues to your password in your Facebook posts about your family or friends’ birthdays, the death of your beloved family pet, your favorite sports teams and your next vacation destination. (Snap quiz: how many of your passwords contain a pet’s name or a significant date like a child’s birthday or anniversary?)

They also use social posts to create believable phishing emails. The Wall Street Journal article cites Rachel Tobac, CEO of SocialProof Security, a hacker-led vulnerability-assessment and training firm. “About 60 percent of the information I need to craft a really good spear phish is found on Instagram alone,” she says. “By scouring somebody’s social-media accounts, I can usually find everything I need within the first 30 minutes or so.”

That includes information that can be used to spoof you to your office team, sending emails that ask them to click through to a link for the office party or company outing. Unsuspecting coworkers click through the link and install malware or allow hackers into the company network where they can do mischief or commit serious crime.

Corporate losses from phishing are significant. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC (Business Email Compromise) attacks in the second quarter of 2020 was $80,183, up from $54,000 in the first quarter of the year. Company losses also come from lost productivity, incident response time, damaged reputation, lost intellectual property, and compliance fines.

The Work from Home trend during pandemic lockdowns provided more opportunity for hackers since employees at home might be using shared computers and had less stringent security. Hacks also found plenty of opportunity by spoofing delivery services; emails tracking late or delayed deliveries or announcing that hand sanitizer was now back in stock proved to be irresistible clickbait.

There are some steps you can take to limit the tricks phishers and hackers use to gain access. First, think twice before posting personal information on social accounts, taking online quizzes, or answering the cute questionnaires your friends are sharing. These can all make it easy to guess passwords or personalize phishing emails enough to lower your guard.

Eliminate check-ins and tags on photos or selfies; these geo locator tags allow hackers to piece together your recent travel and make phishing emails more compelling. “I enjoyed meeting you at the Social Marketing conference; here’s the information I promised you.”

Speaking of selfies, cyber security experts recommend that you move away from your computer monitor if you’re taking one in your office. Hackers can look for screen shots that display software or even more sensitive information. You’d be surprised at the number of office selfies that show a sticky note with a username or password.

In January 2018, A false alert warning of an inbound missile was broadcast in Hawaii, causing panic in millions of residents and tourists. A photo taken of the operations officer of Hawaii’s Emergency Management Agency for an AP news article in July of 2017 included a sticky note with a password. (Another sticky note reminded him to “sign out.”)  The agency denied that the two incidents were related, but it does raise questions about how savvy even high-level executives are about their personal security.