Nearly three quarters of people post information on social media that could make them vulnerable to a cyberattack, according to a new report from security company Tessian.
The report, titled “How to Hack a Human,” found that 84% of people post on their social media accounts every week, with 42% posting every day. Many of these people, Tessian found, are unwittingly revealing information that could help hackers launch social engineering or account takeover attacks.
The report included findings from a survey of 4,000 professionals in the UK and US, and interviews with hackers from the HackerOne community. It found that 50% of people share names and pictures of their children. Seventy-two percent mentioned birthday celebrations, and 81% of workers update their job statuses on social media.
Fifty-five percent of respondents said they had public profiles on Facebook, and only 32% said their Instagram accounts were private.
Hackers interviewed for the report said that cyber criminals use social media posts to help identify targets, and craft highly targeted and convincing social engineering attacks. For example, hackers can identify new joiners to LinkedIn and target them in phishing scams by impersonating a senior executive in the company, who the new joiner has likely never met. Cyber criminals can also use knowledge of who is in a target’s network to impersonate someone the target trusts in order to convince them to send money or share account credentials.
“Most people are very verbose about what they share online,” said Harry Denley, a hacker and security and anti-phishing expert at MyCrypto. “You can find virtually anything. Even if you can’t find it publicly, it’s easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
The report also found that out-of-office (OOO) emails are being used to craft social engineering attacks. Fifty-three percent of employees say they share how long they’ll be away in their out-of-office emails, 51% provide personal contact information, and 42% say where they’re going to be while they’re away.
“OOO messages – if detailed enough – can provide attackers with all the information they need to impersonate the person that’s out of the office, without the hacker having to do any real work,” said Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University and a member of the HackerOne community.
Social engineering attacks are becoming more frequent, according to Tessian. The company’s platform data revealed that social engineering attacks spiked by 15% during the second half of 2020 compared to the six months prior, while wire fraud attacks also rose by 15%. Eighty-eight percent of survey respondents said they had received a suspicious email in 2020. The survey also found that only 54% of respondents paid attention to a sender’s email address while at work, and less than half checked the legitimacy of links or attachments before responding.
“The rise of publicly available information makes a hacker’s job so much easier,” said Tim Sadler, co-founder and CEO of Tessian. “While all these pieces of information may seem harmless in isolation – a birthday post, a job update, a like – hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible. Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them in phishing attacks if we’re going to stop hackers hacking humans.”