New research from Tessian reveals the extent to which people post online and how hackers exploit this information for sophisticated social engineering attacks
A new report from Tessian, the human layer security company, reveals that 84 per cent of people post information to their social media accounts every week, with two-fifths (42 per cent) posting every day, and are unknowingly giving away information that helps hackers launch successful social engineering or account takeover attacks.
The report, titled How to Hack a Human, includes findings from a survey of 4,000 professionals in the UK and US and interviews with hackers from the HackerOne community. It reveals that half of people share names and pictures of their children, nearly three-quarters (72 per cent) mention birthday celebrations, and an overwhelming 81 per cent of workers update their job status on social media.
Most worryingly, 55 per cent of respondents admit they have public profiles on Facebook, and just one third (32 per cent) say their Instagram accounts are private, making it very easy for bad actors to access the sensitive information posted on these accounts.
Hackers interviewed in the report explain how cybercriminals use social media posts to help identify their targets and craft highly targeted and convincing social engineering attacks. For example, they can identify new joiners via LinkedIn and target them in phishing scams, spoofing a senior executive within the company that the new joiner has likely never met. With knowledge of who is within a person’s network, too, cybercriminals can easily impersonate someone their target trusts in order to manipulate them into wiring money or sharing information and account credentials.
Harry Denley, a hacker and Security and Anti-Phishing at MyCrypto said, “Most people are very verbose about what they share online. You can find virtually anything. Even if you can’t find it publicly, it’s easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
Additionally, the ‘How to Hack a Human’ report reveals how Out of Office (OOO) emails are also being used to craft social engineering attacks. The majority of employees (53 per cent) say they share how long they’ll be away in their OOO email, while 51 per cent provide personal contact information and 42 per cent announce where they are going. According to Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University, and a member of the HackerOne community, “OOO messages — if detailed enough — can provide attackers with all the information they need to impersonate the person that’s out of the office, without the attacker having to do any real work.”
The concern for organisations is that social engineering attacks are only rising. Tessian’s platform data reveals that social engineering-type attacks increased by 15 per cent during the last six months of 2020, compared to the six months prior, while wire fraud attacks also increased by 15 per cent. What’s more, 88 per cent of respondents said they had received a suspicious email in 2020.
The report makes it clear that greater awareness of the threat and educating people on email security hygiene is an important first step to prevent these attacks from being successful. For example, Tessian found that just 54 per cent of people pay attention to the sender’s email address while at work and less than half check the legitimacy of links and attachments before responding or taking action.
Tessian’s CEO and co-founder Tim Sadler also urges people to make securing data as normal as sharing it. He said, “The rise of publicly available information makes a hacker’s job so much easier. While all these pieces of information may seem harmless in isolation — a birthday post, a job update, a like — hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible. Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if we’re going to stop hackers hacking humans.”
Read Tessian’s full How to Hack a Human report here.