It seems like every other week, we see new headlines about privacy concerns, especially involving the giants of the online world: Facebook, Google, Apple, Amazon, etc. The issue has become so ubiquitous that many seem to have adopted an “I know they’re watching me, but there’s not much I can do about it, so I might as well carry on” approach to protecting their information. However, that casual attitude can have some serious consequences—because it’s not just corporations watching you online. Social media is a goldmine for criminals looking for their next spear-phishing victim.
What is Spear Phishing?
While phishing attacks target hundreds or thousands of users at once, spear phishing has an extremely narrow focus. A criminal zeroes on one company, and drills down until he has singled out one or two victims. He may then spend days or weeks gathering information on his targets, figuring out how best to phish them for valuable data.
Maybe you're thinking, "Needing to be careful on social media is old news. I already have privacy settings on Facebook," or "How much could someone really get from my LinkedIn profile?" Let’s talk about the second question first.
What Counts as Valuable Data?
What sort of information is obtainable from an online platform? At the bare minimum, most sites require an email to set up. Some also require a phone number, birthdate, or other information. Others, like LinkedIn, have many data fields to fill out; though most are not required, a jobseeker may be inclined to give more information in hopes of boosting their profile.
“If they get my email and phone number, what’s the big deal? Those are changeable.” That’s true, but aside from the time and hassle it would take to change them, think about how your contact info could be used. If a criminal has your name, email and phone number, he’s already got 80% of the information he needs to hack your online identity: bank account, business email, social media, and more.
Most of us would consider our email, phone number, hometown or birthdate as ‘valuable data’ worth protecting. However, a criminal parsing your social platforms can capture much more: what sort of posts you like, the pages you follow, what you’re interested in, names of relatives or pets, where you go on vacation, your work history, the location of your office, the restaurants you frequent, recent milestones in your life, the kinds of things you buy, items you’re trying to sell, and more. All of this can be used to flesh out the profile he’s building on you.
How Could Social Media Hurt Me?
We’ll lay out three examples of how social media can be used to spear phish you, putting your own data and your company’s data at risk.
A good number of people use LinkedIn to search for jobs and business opportunities; after all, that’s what the website is designed for. But let’s say you’re looking for a job. You’ve got your work history and résumé ready to go, and then you get an InMail message from a recruiter, saying that based on your skills, they have a job they think would be a perfect fit for you. At the bottom of the message are two buttons: Yes, I’m interested, or No thanks.
When you click “Yes, I’m interested,” LinkedIn automatically sends your résumé to the recruiter. If this is a criminal masquerading as a recruiter, he now has your address, phone number, email, and enough information about you to cross-reference against profiles on other online platforms to find yours.
Even easier than posing as a recruiter, a criminal can post a fake job opening as a bogus employer and just see who applies.
The night shift manager at ABC Financial is listed on the company’s website. A Google search of his name and company location reveals his Facebook profile, and his profile picture confirms it’s the same guy. In a recent post, he attaches pictures of the ’98 Toyota Corolla he’s trying to sell.
A criminal reaches out, pretending to be a buyer, and is able to extract more information: the manager’s phone number and address, at the very least. If he can draw the manager into conversation, some strategic questions yield a treasure trove of information: ______, his kids, their ages and maybe even their names.
Minors are especially tempting targets for online criminals. Since the vast majority of kids under 18 don’t have credit cards in their name, nobody is actively monitoring their credit score. A malicious actor can build up millions of dollars of debt undetected for years under your child’s name. No one’s the wiser until the kid turns 18 or tries to buy their first car and finds out their credit is completely shot.
While on lunch break, a nurse at a senior living facility posts a selfie on Instagram, geo-tagging her favorite lunch spot. A criminal has been targeting the facility, looking for a way to infiltrate its network. Google and LinkedIn searches have led him to this nurse’s profile, from which he’s been building a list of her habits and hobbies.
Now that he knows that she frequents this restaurant (we’ll call it Taco Grande), he buys a domain similar to the restaurant’s and creates an email address—maybe firstname.lastname@example.org or email@example.com—something that looks close enough to the real thing to be believable. He writes an email offering a downloadable coupon for two free tacos and sends it to all the most common variations of work email addresses to find hers (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, etc.).
When she opens the email and clicks on the coupon, she unknowingly downloads a ransomware file that piggybacks from her device to the entire company network. Within hours, the senior living facility is facing the decision of paying a $3 million ransom to retrieve their data, or dealing with the cost and fallout of hours of downtime while they try to restore from a backup—if they have one at all.
All three of these scenarios are real tactics our resident social engineer has used to successfully infiltrate a company’s network in order to test their security. Why do these methods work?
The main reasons are impatience and overconfidence. As Ferris Bueller said, “life moves pretty fast.” We’re all in a hurry to get things done, and we insulate ourselves with the idea that being phished is something that happens to other people—not us. Criminals are counting on that overconfidence. In a recent post, we talked about social engineering, and how modern phishing techniques don’t look anything like what most people expect. These attacks can be incredibly sophisticated—almost indistinguishable from a real connection or message.
What Can You Do?
There are a number of things that can help improve your online security posture, ranging from specific action items to basic security principles.
- Double-check all of your online profiles to check what personal information it makes available to strangers, or even to connections. For example, your LinkedIn profile may be set to display your email, birth date, or phone number only to your first-degree connections. But if one of those connections is a criminal posing as someone you know, this puts your data at risk.
- If you get a recruiter message on LinkedIn, instead of clicking “Yes, I’m interested,” which automatically sends your résumé, click “No” and then send a follow-up message if you want to pursue the opportunity. This allows you to release your information at your own discretion.
- Restrict your interactions. Every time you engage with a post, page or profile on a social platform, that data is tracked. Do you really want hundreds or thousands of people you don’t know to see everything you do and like? Set your personal profiles to private, and if you have a public profile for business reasons, be careful how much personal information you share on it.
- Awareness is key. The more you understand about how your personal data can be harvested and used, the more deliberate you can be with that information.
- Verify, verify, verify. If you see a job posting, Google the company and look for reviews before applying or engaging with the job offer. If you receive a friend request from someone you were already connected with, reach out to them via other means to confirm that it’s really them. It could be a criminal imitating a friend to get access to your private account.
- For parents: if your kids have social media accounts, talk openly with them about the risks. Help them understand why profile privacy is a must for minors, and talk about what sorts of information should not be shared. Especially with the popularity of platforms like TikTok and Snapchat, young people are pressured to be ‘known’, and may unwittingly reveal their valuable personal data to the wrong people.
Some may feel that following these security principles takes too much time. To those, we quote Benjamin Franklin: “An ounce of prevention is worth a pound of cure.” It’ll take you much longer to regain control of your life and social media in the wake of an attack than to invest the time up front to be safe.