A total of 84 per cent of people post sensitive information that helps hackers launch attacks to their social media accounts at least once a week, with 42 per cent posting this data daily, according to new research.
The report from security firm Tessian, entitled “How to Hack a Human”, included findings from a survey of 4,000 professionals in the UK and US, alongside interviews with hackers from the HackerOne community.
The report found that half of people share names and pictures of their children, 72 per cent mention birthday celebrations, and 81 per cent update their job status on social media.
The report added that 55 per cent of respondents had public profiles on Facebook, and only 32 per cent said their Instagram accounts are private, which Tessian claims makes it easy for bad actors to access sensitive information posted on these accounts.
Hackers interviewed in the report discussed how cybercriminals use social media posts to identify their targets and craft targeted social engineering attacks.
They provided an example of cybercriminals identifying new joiners via LinkedIn and then targeting them in phishing scams, “spoofing” a senior executive to trick them into sending money or sharing valuable information.
Additionally, the report said that Out of Office (OOO) emails are also being used to craft social engineering attacks, claiming that 53 per cent of respondents share how long they’ll be away in their OOO email, 51 per cent provide personal contact information and 42 per cent announce where they are going.
Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University, said: “OOO messages — if detailed enough — can provide attackers with all the information they need to impersonate the person that’s out of the office, without the attacker having to do any real work.”
Tessian’s platform data showed that social engineering-type attacks increased by 15 per cent year-on-year during the final six months of 2020, while wire fraud attacks also increased by 15 per cent. Among survey respondents, 88 per cent said they had received a suspicious email in 2020.
In addition, the report said just 54 per cent of people pay attention to the sender’s email address while at work, and less than half check the legitimacy of links and attachments before taking action.
The report concluded that greater awareness of threats and education about email security hygiene is an important first step to prevent these attacks from being successful.
“Most people are very verbose about what they share online,” said Harry Denley, a hacker at MyCrypto. “You can find virtually anything. Even if you can’t find it publicly, it’s easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
Tim Sadler, Tessian’s CEO and co-founder, said: “The rise of publicly available information makes a hacker’s job so much easier.
“While all these pieces of information may seem harmless in isolation — a birthday post, a job update, a like — hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible.”
He added: “Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if we’re going to stop hackers hacking humans.”