Tessian reveals just how much, and how often, people divulge about their lives online and how attackers take advantage of it. With insights from both professionals and hackers, the report explores how cybercriminals use an abundant and seemingly cheap resource — the personal information people share on social media and in out-of-office alerts — to craft social engineering attacks.
Workers overshare online: Social media overload
84% of people post on social media every week, with 42% posting every day – openly sharing huge amounts of information about their hobbies, interests, relationships, and locations.
Half share the names and pictures of their children, and 72% mention birthday celebrations, unknowingly giving away information that helps hackers launch a successful social engineering or account takeover attack. This isn’t helped by the fact that 55% of people surveyed have public profiles on Facebook and just 33% have set their Instagram accounts to ‘private’.
An overwhelming 93% of workers in the U.S. also update their job status on social media, while 36% share information about their job and 26% post about their co-workers or clients.
While these posts seem harmless, cybercriminals will use this information to select their targets and method of attack. They can identify people within a target’s trusted network and impersonate them over email.
What’s more, new employees may not realize they are being scammed, given that they have fewer reference points to verify whether the ‘senior executive’ contacting them is real or fake.
Hacker, Harry Denley, Security and Anti-Phishing at MyCrypto said in the report, “Most people are very verbose about what they share online. You can find virtually anything. Even if you can’t find it publicly, it’s easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
Given that the number of social engineering attacks is only increasing, these figures are worrying. Tessian reports a 15% increase in social engineering-type attacks during the last six months of 2020, compared to the six months prior. Wire fraud attacks – whereby attackers try to steal money – had also increased by 15%.
TMI in your OOO
93% enable their out-of-office response when they’re on vacation, but most aren’t thinking about the fact that these emails also contain valuable information for malicious attacks.
53% of people share how long they’ll be away, while 51% provide their personal contact information. In addition, 48% share a point of contact and 42% announce where they are going.
According to Katie Paxton-Fear, Cybersecurity Lecturer at The Manchester Metropolitan University, “OOO messages — if detailed enough — can provide attackers with all the information they need to impersonate the person that’s out of the office, without the attacker having to do any real work.”
The need for cybersecurity awareness
The report also revealed that a lack of cybersecurity awareness could play a factor in how successful social engineered attacks are on email. While at work, just 54% of people pay attention to the sender’s email address and less than half check the legitimacy of links and attachments before responding or taking action. This is particularly concerning given 88% of respondents received a suspicious email in 2020.
“The rise of publicly available information makes a hacker’s job so much easier,” said Tim Sadler, CEO at Tessian. “While all these pieces of information may seem harmless in isolation — a birthday post, a job update, a like — hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible.
“Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if we’re going to stop hackers hacking humans.”