Social Media: The Key Ingredient For Social Engineering Attacks
4 December 2017 00:00
Social media has now become a gold mine of easily-accessible information for online crime, packed with sensitive and (what should be) personal data - providing the perfect ingredients for social engineering attacks.
It's quite easy to picture a sort of Swordfish-esque hacking scenario when you imagine cyber crime in action. But, in contrast to an intense and fast-paced Hollywood blockbuster scene, cyber criminals can now get all they need simply by visiting your social media accounts. Not quite as entertaining, eh?
Well, although this sort of scenario doesn't sound half as thrilling, digging into the repercussions of over-sharing on your social media accounts will certainly liven things up a bit. That's because social media has now become a gold mine of easily-accessible information for online crime, packed with sensitive and (what should be) personal data. In other words, bad employee social media habits mean that we're dishing out the needed ingredients for a successful social engineering attack - and on an almost daily basis.
What is social engineering?
Social engineering is the art of manipulating people so they will part ways with their confidential information - with anything from passwords to banking details in the attacker's sights. It's normal to think that this sort of thing wouldn't happen to us or our business, or even to think that we're immune to falling for a scam, but 60% of employees in the workplace were victims of social engineering in 2016.
When individuals are targeted, they can be easily tricked into giving away their private information, making a legitimate-looking transfer, or even handing over access to their computer. Criminals use social engineering tactics because it is a lot easier for them to gain people's trust and manipulate them than to hack into their software.
Oversharing personal information on social media
You may have heard that Facebook has the ability to create a virtual profile of us simply by keeping track of the things we do, like and say when using its social platform. Although not in as much depth, cyber criminals can do the same.
Even details such as where you have been or an upcoming work trip can feed a social engineering attack. The best example of attacks that apply this publicly available information to online scams is the business email compromise (BEC) technique (otherwise known as email account compromise (EAC)).
A BEC attack tends to target a high-ranking employee or one who has access to wire transfer payments. The target is found via their social media, where the attacker also has access to a host of valuable information - then comes the social engineering attack used to gain access or gather further information.
In many cases, the attacker will impersonate either a C-level executive or a trusted figure, such as a supplier or solicitor, via a phishing email. Cyber criminals can even use this technique to build further relationships and establish trust with their target.
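One defensive check that follows from the impersonation pattern described above: a message whose display name matches one of your executives but whose sender (or Reply-To) address sits outside your own domain is a classic BEC tell. The example below is an added illustration, not code from the original post or from the vendor; the executive roster, the trusted domain and the sample headers are all constructed for it.

```python
"""Flag executive display-name impersonation in inbound email headers.

Added example (not code from the original post). TRUSTED_DOMAIN,
EXECUTIVE_NAMES and the SAMPLE_MESSAGES below are constructed assumptions.
"""
import re
from email.utils import parseaddr

# Constructed roster: the organisation's own domain and the display names of
# staff most likely to be impersonated in a BEC email.
TRUSTED_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"Jane Doe", "John Smith"}


def normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' equals 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_display_name_impersonation(from_header: str, reply_to_header: str = "") -> bool:
    """True when the From display name matches an executive but the From
    address or the Reply-To address is outside the trusted domain.

    Reply-To is checked because attackers often keep a plausible From address
    and route replies elsewhere.
    """
    display, from_addr = parseaddr(from_header)
    known = {normalise_name(n) for n in EXECUTIVE_NAMES}
    if normalise_name(display) not in known:
        return False  # not claiming to be one of our executives
    domains = [domain_of(from_addr)]
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        domains.append(domain_of(reply_addr))
    return any(d != TRUSTED_DOMAIN for d in domains)


# Constructed sample headers: (From, Reply-To) pairs as a mail gateway might see them.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example.com>", ""),                    # genuine
    ("Jane Doe <jane.doe@example-payments.net>", ""),           # lookalike domain
    ("Jane Doe <jane.doe@example.com>", "<jd.urgent@webmail.test>"),  # Reply-To hijack
    ("Supplier Accounts <billing@supplier.test>", ""),          # not an exec name
]


def scan(messages=SAMPLE_MESSAGES):
    """Return the list of indices of messages flagged as impersonation."""
    return [i for i, (frm, rto) in enumerate(messages)
            if is_display_name_impersonation(frm, rto)]


if __name__ == "__main__":
    for i in scan():
        print(f"flagged message {i}: {SAMPLE_MESSAGES[i][0]}")
```

The check is deliberately narrow: it only catches the display-name trick. A registered lookalike domain used without an executive's name, or a genuinely compromised internal mailbox, would pass it, which is exactly why the post's emphasis on user awareness still matters alongside gateway rules.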
How to avoid social engineering attacks
Educating employees on the social engineering risks of over-sharing on social media is the key to preventing a loss of financial or personal information. Of course, it's difficult to encourage employees to completely avoid sharing sensitive information on social media, but raising security awareness on what your company deems unacceptable to share, along with how this information can be used to target the business, is a good starting point.
It's also important to focus on educating end users to spot the tell-tale signs of social engineering (our blog on "the 4 social engineering scams your employees are falling for" is great for an initial insight into the main threats!). One important detail to mention, however, is that simply explaining the basics of employee phishing and social engineering is not enough, as there are no clear metrics for whether or not people are actually taking these messages on board.
The answer to this problem?... Phish your end users!
Phishing your employees is a great way of educating your end users on real-world phishing scams. Try our phishing simulation service (for free) to see exactly how this works.