New research from Tessian reveals the extent to which people post online and how hackers exploit this information for sophisticated social engineering attacks.
The new report reveals that 84 per cent of people post information to their social media accounts every week, with two-fifths (42 per cent) posting every day, and are unknowingly giving away information that helps hackers launch successful social engineering or account takeover attacks.
The report, titledย How to Hack a Human, includes findings from a survey of 4,000 professionals in the UK and US and interviews with hackers from theย HackerOneย community. It reveals that half of people share names and pictures of their children, nearly three-quarters (72 per cent) mention birthday celebrations, and an overwhelming 81 per cent of workers update their job status on social media.
Most worryingly, 55 per cent of respondents admit they have public profiles on Facebook, and just one third (32 per cent) say their Instagram accounts are private, making it very easy for bad actors to access the sensitive information posted on these accounts.
Hackers interviewed in the report explain how cybercriminals use social media posts to help identify their targets and craft highly targeted and convincing social engineering attacks. For example, they can identify new joiners via LinkedIn and target them in phishing scams, spoofing a senior executive within the company that the new joiner has likely never met. With knowledge of who is within a personโs network, too, cybercriminals can easily impersonate someone their target trusts in order to manipulate them into wiring money or sharing information and account credentials.ย
Harry Denley, a hacker and Security and Anti-Phishing at MyCrypto, said: โMost people are very verbose about what they share online. You can find virtually anything. Even if you canโt find it publicly, itโs easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a โfriendโ in their circle.โ
Additionally, the โHow to Hack a Humanโ report reveals how Out of Office (OOO) emails are also being used to craft social engineering attacks. The majority of employees (53 per cent) say they share how long theyโll be away in their OOO email, while 51 per cent provide personal contact information and 42 per cent announce where they are going. According to Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University, and a member of the HackerOne community, โOOO messages โ if detailed enough โ can provide attackers with all the information they need to impersonate the person thatโs out of the office, without the attacker having to do any real work.โ
The concern for organisations is that social engineering attacks are only rising. Tessianโs platform data reveals that social engineering-type attacks increased by 15 per cent during the last six months of 2020, compared to the six months prior, while wire fraud attacks also increased by 15 per cent. Whatโs more, 88 per cent of respondents said they had received a suspicious email in 2020.ย
The report makes it clear that greater awareness of the threat and educating people on email security hygiene is an important first step to prevent these attacks from being successful. For example, Tessian found that just 54 per cent of people pay attention to the senderโs email address while at work and less than half check the legitimacy of links and attachments before responding or taking action.ย
Tessianโs CEO and co-founder Tim Sadlerย also urges people to make securing data as normal as sharing it. He said, โThe rise of publicly available information makes a hackerโs job so much easier. While all these pieces of information may seem harmless in isolation โ a birthday post, a job update, a like โ hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible. Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if weโre going to stop hackers hacking humans.โ
Read Tessianโs full How to Hack a Human reportย here.
Photo by Sora Shimazaki from Pexels.
Since youโre hereโฆ
More than 30,000 readers per month enjoy the content we publish on PA Life. PA Life sits right at the heart of the PA and EA community, providing advice, profiles, How To guides, reviews and more.
Weโd like you to be part of our community too and you can sign up to theย newsletter, which is completely free of charge. As well as two weekly round-ups of the top stories, you will also have access to our bi-monthly magazine.
Click here to sign up to our newsletter.