Just a little bit of exposed personal data can go a long way for a hacker

Hackers today use our exposed personal data against us. More than 90% of the time, cyberattacks are specifically crafted from users’ public data. To a hacker, and to cyber specialists in general, this exposed, publicly available information is known as OSINT, or open-source intelligence. OSINT can be any publicly available information a hacker can find on a target, such as data from LinkedIn, Instagram, and other social media sites, data brokers, breach repositories, and elsewhere. Hackers use this data to craft and power social engineering attacks. It is the data that tells the attacker who is a vulnerable and valuable target, how best to contact them, how to establish trust, and ultimately how to trick, coerce, or manipulate them. Social engineering attacks fool people into performing a desired action, and criminals use social engineering to lure targets into handing over personal information, opening malicious files, or granting access to sensitive data.

In this post, we highlight some of the ways in which bad actors use our information in social engineering campaigns. Understanding the various ways in which even a limited amount of exposed personal information can be weaponized by social engineers can help us not only become more vigilant and cautious but will hopefully also motivate us to take proactive measures to protect ourselves and our companies before attacks happen.

Hackers need—and harvest!—personal information to craft attacks

In order to identify, choose, and plan attacks against potential targets, threat actors must first conduct OSINT reconnaissance. Hackers have a variety of tools that automate this process. They begin by searching for information and selecting a vulnerable target, and then use the target’s data to create a compelling story that will trick them. The social engineer uses one of several means, such as an email, social media, or a phone call, to contact the target and establish trust. If the communication is convincing enough, the victim will be fooled and unwittingly click a malicious link or give the attacker sensitive information that will be used against them or their company.

On account of the essential role that public data plays in social engineering attacks, it behooves us to be aware of, and especially to limit, the amount of personal information we share online. The larger our digital footprint is, the larger our attack surface is and the more visible we are to social engineers. The more information attackers have on a target, the easier it is for them to craft convincing, and ultimately successful, social engineering attacks. The less visible we are, the less attractive we are to hackers and the fewer paths to compromise there are to be exploited.

While deleting oneself entirely from the internet in the 21st century is not viable, by carefully manicuring what you share and with whom you share it, you can significantly reduce your visible attack surface and prevent social engineering attacks.

Even a little bit of exposed information can be dangerous

Hackers don’t need much personal information to wreak havoc on your life. They can do a significant amount of damage with just your cell phone number. Typing your number into a people search site, for instance, can reveal your personal information to an attacker in just a few seconds. This information can then be used for social engineering, identity theft, doxing, or other malicious actions, such as taking over your email and other accounts. 

With only your phone number, a hacker can easily determine your email address. They can then contact your mobile provider and claim to be you, route your number to their phone, log into your email, click ‘forgot password,’ and have the reset link sent to them. Once they have your email account, all of your other accounts are potentially vulnerable. This is one reason to avoid using the same username and password across multiple accounts! 

Once a hacker has acquired your phone number, they could also decide to ‘spoof’ it. This makes your number appear on a caller ID even though the call is not from you. Using this method, a bad actor can impersonate you to trick one of your friends or colleagues, or call you from a spoofed number, one that you may recognize or trust, in an attempt to socially engineer you or to record your voice for use in another scam.

The fact that a hacker can do so much with just a limited amount of information should make us think twice about what we share publicly, even if it’s only our phone number. To see some of your exposed personal data, get your free report below.


Exposed data and credential compromise

Hackers can also do a lot of damage with exposed login credentials. Usernames, email addresses, and corresponding passwords become available on the dark web (and the public web!) once they have been involved in a data breach. You can find out if your personal data has been compromised in a breach by checking haveibeenpwned.com, for example. Whenever this type of information gets exposed, it can leave users vulnerable to credential compromise.

Credential compromise, also known as ‘credential stuffing,’ happens when an attacker obtains a list of breached username and password pairs (“credentials”) from the dark web and then uses automated scripts or ‘bots’ to test them on dozens or even hundreds of website login forms with the goal of gaining access to user accounts. There are massive lists of breached credentials available to hackers on the black market and, since most people reuse passwords across different accounts, it is inevitable that some of these credentials will work on other accounts, either personal or corporate.

Once hackers have access to a customer account through credential stuffing, they can use the account for various nefarious purposes such as stealing assets, making purchases, or obtaining more personal information that can be sold to other hackers. If the breached credentials belong to an employee, the hacker can use that access to compromise a company’s systems and assets. 

Since credential compromise relies on the reuse of passwords, avoiding the reuse of the same or similar passwords across different accounts is critical. Always use strong passwords that are difficult to guess and change them frequently. Additionally, using multi-factor authentication, which requires users to authenticate their login with something they physically have and something they personally know, is a good defense against credential stuffing since an attacker’s bots cannot replicate this validation method. 
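The pattern described above, one source testing many breached username/password pairs and succeeding on the few that were reused, leaves a recognisable trace in a web application's login log. The following detector is an added example written for this post, not code from the original article or from Picnic; the log format, the IP addresses, the usernames and the thresholds are all constructed assumptions. A legitimate user who mistypes their password a few times looks very different from a stuffing bot: one username versus many, and a handful of failures versus a high failure ratio across the whole burst.

```python
"""Flag credential-stuffing bursts in a web login log (added example).

Heuristic: within a short window, a single source IP attempts logins for
many *different* usernames with a high failure ratio. Any SUCCESS inside
such a burst means a reused password was valid and that account needs a
forced reset and an MFA step-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in an assumed format: "<ISO timestamp> <ip> <user> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2022-09-01T10:00:01 203.0.113.7 alice FAIL
2022-09-01T10:00:03 203.0.113.7 bob FAIL
2022-09-01T10:00:05 203.0.113.7 carol SUCCESS
2022-09-01T10:00:07 203.0.113.7 dan FAIL
2022-09-01T10:00:09 203.0.113.7 erin FAIL
2022-09-01T10:00:11 203.0.113.7 frank FAIL
2022-09-01T10:00:13 203.0.113.7 grace FAIL
2022-09-01T10:00:15 203.0.113.7 heidi FAIL
2022-09-01T10:01:00 198.51.100.23 dave FAIL
2022-09-01T10:01:20 198.51.100.23 dave FAIL
2022-09-01T10:01:45 198.51.100.23 dave SUCCESS
2022-09-01T10:02:00 192.0.2.50 ivan SUCCESS
2022-09-01T10:02:30 192.0.2.50 judy SUCCESS
2022-09-01T10:03:10 192.0.2.50 mallory FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, ip, user, result = match.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "SUCCESS"})
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for every source that shows a stuffing burst.

    A sliding window over each IP's events is checked for (a) at least
    `min_users` distinct usernames and (b) a failure ratio of at least
    `min_fail_ratio`. The widest matching window per IP is reported.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e["user"] for e in burst}
            failures = sum(not e["ok"] for e in burst)
            if len(users) >= min_users and failures / len(burst) >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {
                        "attempts": len(burst),
                        "distinct_users": len(users),
                        "failures": failures,
                        # accounts whose reused password worked: reset + step-up MFA
                        "compromised": sorted(e["user"] for e in burst if e["ok"]),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In the constructed sample, only 203.0.113.7 is reported: eight usernames in fifteen seconds with seven failures, and `carol` listed as compromised because her reused password was accepted. The user `dave`, who fails twice and then succeeds, is not reported because the burst contains a single username. Thresholds should be tuned to the application; a shared office NAT can legitimately produce several usernames from one address, which is why the failure ratio is part of the rule rather than the user count alone.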

Recent real-world examples reveal the dangers of exposed personal data for companies

Companies should be especially wary of the role exposed personal data of employees plays in cyberattacks. Three recent examples that made headlines highlight how just a limited amount of exposed employee information can be used to craft a successful social engineering campaign and breach organizations. 

Twilio and Cloudflare

In August, hackers targeted two security-sensitive companies, Twilio and Cloudflare, as part of a larger ongoing campaign dubbed “Oktapus” that ultimately compromised more than 130 organizations and netted the attackers nearly 10,000 login credentials. In the case of Twilio, the hackers began by cross-referencing employee public data from Twilio’s LinkedIn roster (the starting point of most attacks) against existing exposed third-party breach data sets (e.g., haveibeenpwned.com) and data broker data (e.g., White Pages). This gave the attackers a list of personal information of employees to target. The hackers then created a fake domain and login page that looked like Twilio’s (twilio-sso.com or twilio-okta.com). Using the acquired personal data, they then sent text messages to employees, which appeared as official company communications. The link in the SMS message directed the employees to the attackers’ fake landing page that impersonated their company’s sign-in page. When the employees entered their corporate login credentials and two-factor codes on the fake page, they ended up handing them over to the attackers, who then used those valid credentials on the actual Twilio login page to access the systems illegally.


Although Cloudflare was also targeted in this way, they were able to stop the breach through their use of FIDO MFA keys. Even though they were able to keep the attackers from accessing their systems through advanced security practices, Cloudflare’s CEO, senior security engineer, and incident response leader stated that “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached.”

Indeed, the exposed personal data used to power the Oktapus attacks shows how dangerous even a small amount of public data can be in the hands of a social engineer.

Cisco 

In another example from May of this year, the corporate network of multinational security company Cisco was breached by hackers with links to both the Lapsus$ and Yanluowang ransomware gangs. In this case, the hackers acquired the username or email address of a Cisco employee’s Google account along with the employee’s cell phone number. They targeted the employee’s mobile device with repeated voice phishing attacks with the goal of taking over the Google account. The employee was using a personal Google account that was syncing company login credentials via Google Chrome’s password manager. The account was protected by multi-factor authentication (MFA), however, so the hackers posed as people from the technical support departments of well-known companies and sent the employee a barrage of MFA push requests until the target, out of fatigue, finally agreed to one of them. This gave the attackers access to the Cisco VPN through the user’s account. From there the attackers were able to gain further access, escalate privileges, and drop payloads before being slowed and contained by Cisco. The TTPs (tactics, techniques, and procedures) used in the attack were consistent with pre-ransomware activity.

Uber 

Most recently, the ride-hailing company Uber was breached by a hacker thought to be linked to the Lapsus$ group, who gained initial access by socially engineering an Uber contractor. The attacker had apparently acquired the corporate password of this contractor on the dark web after it had been exposed through malware on the contractor’s personal device. The attacker then repeatedly tried to log in to the contractor’s Uber account, which sent multiple two-factor login approval requests to the contractor’s phone. Finally, the hacker posed as Uber IT and sent a message asking the contractor to approve the sign-in. After successfully exhausting the contractor, the approval was granted, and this provided the hacker with the valid credentials needed to gain access to Uber’s VPN. Once inside, the hacker found a network share that had PowerShell scripts. One of these scripts contained admin credentials for Thycotic [a privileged access management solution]. Once the hacker had access to this, he was able to get access to all other internal systems by using their passwords.

The Uber hack is a prime example of how, with only a limited amount of exposed personal data and some social engineering, a hacker can easily trick, manipulate, or coerce a human and compromise a company’s systems. See our key takeaways and remediation recommendations.
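Both the Cisco and the Uber incidents above turn on the same mechanism: a valid password in the attacker's hands, followed by a barrage of MFA push prompts until the person approves one. That barrage is visible to the identity provider before the approval happens. The detector below is an added example written for this post, not code from the original article, from Picnic, or from any MFA vendor; the log format, usernames and thresholds are constructed assumptions. It reports users who receive an unusual number of push prompts in a short window and records whether one of those prompts was eventually approved, which is the case a security team should treat as a probable account compromise rather than a noisy user.

```python
"""Detect MFA push-fatigue bursts in an identity provider's push log (added example).

Heuristic: a user who receives `min_pushes` or more push prompts inside
`window`, most of them denied or timed out, is being bombarded. If a prompt
is approved after such a burst, treat the session as compromised and
revoke it; the password that triggered the prompts is already known to the
attacker and must be reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in an assumed format: "<ISO timestamp> <user> <EVENT>"
SAMPLE_LOG = """\
2022-09-15T22:00:00 contractor1 PUSH_SENT
2022-09-15T22:00:20 contractor1 PUSH_DENIED
2022-09-15T22:01:00 contractor1 PUSH_SENT
2022-09-15T22:01:30 contractor1 PUSH_DENIED
2022-09-15T22:02:10 alice PUSH_SENT
2022-09-15T22:02:25 alice PUSH_APPROVED
2022-09-15T22:03:00 contractor1 PUSH_SENT
2022-09-15T22:04:00 contractor1 PUSH_TIMEOUT
2022-09-15T22:05:00 contractor1 PUSH_SENT
2022-09-15T22:05:20 contractor1 PUSH_DENIED
2022-09-15T22:07:00 contractor1 PUSH_SENT
2022-09-15T22:07:15 contractor1 PUSH_DENIED
2022-09-15T22:09:00 contractor1 PUSH_SENT
2022-09-15T22:09:30 contractor1 PUSH_DENIED
2022-09-15T22:11:00 contractor1 PUSH_SENT
2022-09-15T22:11:40 contractor1 PUSH_APPROVED
2022-09-15T22:30:00 bob PUSH_SENT
2022-09-15T22:31:00 bob PUSH_TIMEOUT
2022-09-15T22:31:30 bob PUSH_SENT
2022-09-15T22:31:45 bob PUSH_APPROVED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (PUSH_SENT|PUSH_DENIED|PUSH_TIMEOUT|PUSH_APPROVED)$")


def parse_log(text):
    """Parse log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, user, event = match.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event})
    return events


def detect_push_fatigue(events, window=timedelta(minutes=15), min_pushes=5):
    """Return {user: summary} for users bombarded with push prompts.

    The summary counts prompts in the densest window, denials seen during
    and shortly after it, and whether an approval followed the burst.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e for e in evs if e["event"] == "PUSH_SENT"]
        start = 0
        for end in range(len(sent)):
            while sent[end]["ts"] - sent[start]["ts"] > window:
                start += 1
            pushes = end - start + 1
            if pushes < min_pushes:
                continue
            burst_start, burst_end = sent[start]["ts"], sent[end]["ts"]
            # look at responses from the burst start until one window after its last prompt
            related = [e for e in evs if burst_start <= e["ts"] <= burst_end + window]
            summary = {
                "pushes": pushes,
                "denied": sum(e["event"] == "PUSH_DENIED" for e in related),
                "approved_after_burst": any(e["event"] == "PUSH_APPROVED" for e in related),
                "burst_start": burst_start.isoformat(),
            }
            if user not in flagged or pushes > flagged[user]["pushes"]:
                flagged[user] = summary
    return flagged


if __name__ == "__main__":
    for user, summary in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, summary)
```

In the constructed sample only `contractor1` is reported: seven prompts in eleven minutes, five denials, and a final approval, which is exactly the sequence the text describes. `bob`, whose first prompt timed out before he approved the second, stays below the threshold. The detection is a backstop; the stronger fix is to stop plain approve/deny pushes altogether in favour of number matching or phishing-resistant FIDO keys, as Cloudflare's experience above illustrates.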

Limiting exposed personal data to prevent attacks

The examples provided here illustrate some of the common ways our personal information can be successfully weaponized by today’s hackers. It is now more urgent than ever for people and companies to know and manage their exposed public information proactively to help prevent attacks. Attackers are opportunists who care about their ROI. By limiting exposed personal data, it becomes more difficult and therefore more expensive for threat actors to succeed in social engineering attacks. Companies that recognize this fact pattern and take action to protect their employees will be more likely to avoid expensive and damaging breaches.

An electric utility company takes cybersecurity beyond the perimeter

The challenge


This client, like most utilities, possesses a strong culture of safety and a similar commitment to security. As a utility, it also operates in one of the 16 sectors designated by the US Cybersecurity and Infrastructure Security Agency (CISA) as part of the United States’ critical infrastructure. This means that the organization faces a specific set of requirements, which include disciplined cybersecurity practices.

Traditional cybersecurity has focused mainly on the internal environment and on data layers within the organization. For that reason, the organization sought a solution that expanded the purview and practice of cybersecurity beyond its walls. Management felt the need to identify and address vulnerabilities in the data “out there,” where more than 90% of cyberattacks now originate.

They also wanted an external perspective to support an outside-in approach to security. They wanted to know how malicious actors could gather information about users to mount an attack on the company. What could those actors find on social media profiles and what messages could they use to launch socially engineered attacks? What could they learn about the organization’s hardware and software and its methods of authentication? What could they learn about its supply chain: What products does it buy? From whom does it buy these products? How does it pay its vendors? What could attackers learn about the leadership team, the Board, employees, investors, and other stakeholders that would make the organization vulnerable to attacks?

Another goal was to broaden the conversation about cybersecurity within the organization. Given the exposures that can be unwittingly created by users with legitimate access to the organization’s systems, leaders had come to see that cybersecurity is everyone’s responsibility. They also wanted to go beyond simply training and coaching people on how to “be careful” when using their laptops and devices; they wanted easy-to-use tools to support users’ efforts to keep systems secure.

Before learning about Picnic, the security team had worked to understand which publicly available data could create vulnerabilities and, to address reputational risk, what people were saying about the company. Yet these efforts were ad hoc, such as monitoring social media feeds, and relied on only a few tools, such as customized scripts and open-source tools. They wanted to harness data science to see across the internet and to identify the controls they really needed to have in place.

In sum, the security team realized that their environment lacked a defined perimeter, which meant that firewalls, endpoint protection tools, and role-based access controls could no longer provide the needed level of security.

The solution

Picnic provided both ease of enrollment for employees and tools that enabled employees to easily remove publicly available data on themselves.

Picnic’s capabilities let a user simply agree to be deleted from multiple sources of public data gathering, which Picnic handled for both the user and the organization.

The Picnic Command Center enabled analysts from the security operations team to seek out types of data that expose the organization to risk. That, in turn, positioned the team to educate employees about ways in which an attacker could use a particular type of information against them or the company. This created a clear division of responsibility: The organization flagged the risks while the employees controlled the data they deleted or left up.

The organization presented Picnic as a benefit to employees, which it is. Although other identity protection tools are presented that way, they are primarily geared to post-event remediation. In contrast, Picnic enables each employee to identify and deal with their publicly available data in private, so they can lower their individual risk, and by extension risk to the organization. Each employee gets to make changes dictated by their own preferences rather than their employer’s. With information from Picnic, they were able to, for example, adjust the privacy settings on their social media accounts so that only specific family members and friends can view them. Whatever steps they took reduced their exposure to attack—a benefit to them and to the organization.

Clear and consistent communications during rollout clarified both the rationale and use of the tools. Integration with the organization’s existing technology was straightforward, with Picnic tools fitting readily into existing solutions. The client/Picnic team took an agile approach to both the development methodology and operational implementation.

The impact

Picnic has assisted the security staff in identifying vulnerabilities and assisted employees in monitoring and limiting their risk exposures. The tools have provided protective controls for employees while minimizing extra steps and added work on their part. It has also helped the security staff to more effectively identify where potential threats might originate and the various forms that attacks could take.

Yet the impact of Picnic extends beyond what the platform itself does. It has enabled the security staff to launch a broader and deeper conversation about cybersecurity at the organization. This has created the opportunity to better understand, explain, and contribute to the organization’s culture of security. The security staff does not usually use the term “culture of security” with employees but the leadership team discusses it and works to create that culture. Picnic has accelerated that effort.

Picnic has also reduced burdens on the security team. It has helped to establish that everybody needs to maintain high awareness of how their social media settings or internet presence create risks. By their nature, the tools dramatically increase employee engagement in cybersecurity in ways that training sessions or video tutorials cannot.

The Picnic toolset has delivered capabilities that allow security staff to see risks outside of their corporate walls and to mitigate them. The security team can now not only alert users to the risks they face; they have also initiated new controls, such as multi-factor authentication on items that could be of use to an attacker. They have added new controls over remote access and other attack vectors where an attacker could access personal information from a data log or a compromised website. The organization is also using password reset tools that make users’ lives easier, while increasing their efficiency and effectiveness.

While no single solution can eliminate every data security issue, Picnic has broadened the organization’s view of its threat landscape and positioned it to better address risks. It has also reduced its attack surface, broadened the conversation about cyber risk and security, and delivered increased security to employees and the organization. This has occurred in the context of Picnic’s sound and sustainable methodology, process, and program for identifying and addressing social engineering threats.

1 https://www.cisa.gov/critical-infrastructure-sectors

RedTeam Raw, Episode #1: Marcello Salvati on how he became a leading Red Teamer (and Cyber Security Expert)

In the very first episode, Picnic’s own Director of Global Intelligence, Manit Sahib, talks with InfoSec legend Marcello Salvati, most famously known as the creator of CrackMapExec and SilentTrinity. He is the founder and CEO of Porchetta Industries, Security Engineer at SpaceX, and is known on Twitter as @byt3bl33d3r. We discuss his perspectives on InfoSec, advice for those getting started in this space, how he got to where he is now, overcoming burnout and managing time, red team stories, and where he thinks InfoSec is heading over the next 10 years.

Like and subscribe for future episodes of RedTeam Raw here: https://www.youtube.com/channel/UCVn3…

FOR LAPSUS$ SOCIAL ENGINEERS, THE ATTACK VECTOR IS DEALER’S CHOICE

By Matt Polak, CEO of Picnic

Two weeks ago, at a closed meeting of cyber leaders focused on emerging threats, the group agreed that somewhere between “most” and “100%” of cyber incidents plaguing their organizations pivoted on social engineering. That’s no secret, of course, as social engineering is widely reported as the critical vector in more than 90% of attacks.

LAPSUS$, a hacking group with a reputation for bribery and extortion fueled by a kaleidoscope of social engineering techniques, typifies the actors in this emerging threat landscape. In the past four months, they’ve reportedly breached Microsoft, NVIDIA, Samsung, Vodafone and Ubisoft. Last week, they added Okta to the trophy case.

For the recent Okta breach, theories abound about how the specific attack chain played out, but it will be some time before those investigations yield public, validated specifics. 

As experts in social engineering, we decided to answer the question ourselves—with so many ways to attack, how would we have done it? Our thoughts and findings are shared below, with some elements redacted to prevent malicious use.

How Targeted was this Social Engineering Attack?

To start, we know that Okta’s public disclosure indicates the attacker targeted a support engineer’s computer, gained access, installed software supporting remote desktop protocol (RDP) and then used that software to continue their infiltration:

“Our investigation determined that the screenshots…were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP…So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”

For attackers to successfully leverage RDP, they must:

  1. Be able to identify the location of the target device—the IP address.
  2. Know that the device can support RDP—Windows devices only.
  3. Have knowledge that RDP is exposed—an open RDP port is not a default setting.

Let’s take a look at each of these in more detail: 

How Can an Attacker Identify Target Devices to Exploit RDP? 

Sophisticated attackers don’t “boil the ocean” in the hope of identifying an open port into a whale like Okta—there are 22 billion connected devices on the internet. In fact, LAPSUS$ is a group with a history of leveraging RDP in their attacks, to the point that they are openly offering cash for credentials to the employees of target organizations if RDP can be installed—quite a shortcut. 

Putting aside the cultivation of an insider threat, attackers would rightly assume a company like Okta is a hard target, and that accessing it via connected third parties would be an easier path to success.

Our team regularly emulates sophisticated threat actor behaviors, so we started by mapping the relationships between Okta and different organizations, including contractors and key customers. Cyber hygiene problems are often far worse for large organizations than individuals, and our methods quickly uncovered data that would be valuable to threat actors. For example, Okta’s relationships with some suppliers are detailed here, which led us to information on Sitel / Sykes in this document. Both are examples of information that can be directly weaponized by motivated attackers.

Two killer insights from these documents:

  1. Sykes, a subsidiary of Sitel, provides external technical support to Okta. 
  2. Sykes uses remote desktop protocol as a matter of policy.

This information makes an attacker’s job easier, and would be particularly interesting to a group like LAPSUS$—an RDP-reliant contractor with direct access to Okta’s systems is a perfect target.

Recon 101: Exploit Weak Operational Security Practices

With a target company identified, we ran a quick search of LinkedIn to reveal thousands of Sitel employees discussing different levels of privileged access to their customer environments. These technical support contractors are the most likely targets of attacks like the ones catching headlines today. Despite the investigation and negative publicity associated with this attack, more than a dozen Sitel employees are still discussing privileged access in the context of their work with Okta (never mind the dozens of other companies).

Now that we have defined this group, our focus narrows to deep OSINT collection on these individuals—an area where Picnic has substantial expertise. OSINT stands for open-source intelligence, and it is the process by which disparate pieces of public information are assembled to create a clear picture of a person’s life, a company, a situation, or an organization. Suffice it to say that our standard, automated reconnaissance was sufficient to craft compelling pretext-driven attacks for most of our target group.

To cast this virtual process in a slightly different light, imagine a thief casing your neighborhood. Good thieves spend weeks conducting reconnaissance to identify their targets. They walk the streets and take careful notes about houses with obscured entryways, unkempt hedges, security lights and cameras, or valuables in plain sight. 

Social engineers are no different: they are essentially walking around the virtual world looking for indicators of opportunity and easy marks.  

Before we explore how to go from reconnaissance to the hardware exploit, let’s recap:

  1. We are emulating threat actor behaviors before Okta’s breach.
  2. We conducted organizational reconnaissance on our target: Okta.
  3. We identified a contractor likely to have privileged access to the target: Sitel.
  4. We narrowed the scope to identify people within Sitel who could be good targets.
  5. We further narrowed our focus to a select group of people that appear to be easy targets based on their personal digital footprints.

All of this has been done using OSINT. The next steps in the process are provided as hypothetical examples only. Picnic did not actively engage any of the identified Sitel targets via the techniques below—that would be inappropriate and unethical without permission. 

Identifying the Location of the Device for RDP Exploit

There are three ways that attackers can identify the location of a device online: 

  1. Pixel tracking
  2. Phishing
  3. OSINT reconnaissance

Just as we conducted OSINT reconnaissance on people and companies, the same process is possible to identify the location of the target device. By cross-referencing multiple sources of information such as data breaches and data brokers, an attacker can identify and leverage IP addresses and physical addresses to zero in on device locations. This is always the preferred approach because there is no risk that the attacker will expose their actions. 

Pixel tracking is a common attacker (and marketer!) technique to know when, and importantly where, an email has been opened. For the attacker, this is an easy way to identify a device location. Phishing is similar to pixel tracking: a clicked link can provide an attacker with valuable device and location intelligence, but pixel tracking only requires that an image be viewed in an email client. No clicks necessary. 
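Because a tracking pixel fires as soon as the mail client fetches a remote image, the defensive counterpart is to inspect inbound HTML mail for remote images that look like beacons before the client renders them (or to block remote image loading outright). The scanner below is an added example written for this post, not code from the original article or from Picnic; the sample message, the host names and the "trusted domain" list are constructed assumptions. It flags remote images that are tiny or hidden, or whose URL carries what looks like a per-recipient token, and ignores inline `cid:` images, which cannot phone home.

```python
"""Find tracking-pixel-like images in an HTML email body (added example).

Only images loaded over http(s) are considered: inline `cid:` attachments
and data URIs never contact a remote server. A remote image is reported
when it is tiny/hidden or when its URL looks individualised (a query
string or a long opaque filename), unless its host is explicitly trusted.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message: a trusted logo, a classic 1x1 beacon,
# a hidden beacon with a token in its path, and an inline photo.
SAMPLE_EMAIL = """\
<html><body>
<img src="https://mail.example.com/logo.png" width="200" height="60" alt="logo">
<p>Hello, please review the attached document.</p>
<img src="https://track.example.net/open?rid=7f3a9c1e" width="1" height="1">
<img src="https://cdn.example.net/i/3c9e4b2a1d.gif" style="display:none;">
<img src="cid:photo1" width="300">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny_or_hidden(attrs):
    """True for 0/1 px dimensions or CSS that hides the image."""
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().lower().replace("px", "")
        if value in ("0", "1"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(marker in style for marker in
               ("display:none", "visibility:hidden", "width:1px", "height:1px",
                "width:0", "height:0"))


def _looks_tokenized(url):
    """True if the URL carries a query string or a long opaque filename."""
    if parse_qs(url.query):
        return True
    stem = url.path.rsplit("/", 1)[-1].split(".", 1)[0]
    return len(stem) >= 10 and stem.isalnum()


def find_tracking_pixels(html, trusted_domains=()):
    """Return a list of suspicious remote images with the reasons they were flagged."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are not fetched from the network
        if url.hostname in trusted_domains:
            continue
        reasons = []
        if _tiny_or_hidden(attrs):
            reasons.append("tiny or hidden image")
        if _looks_tokenized(url):
            reasons.append("unique token in URL")
        if reasons:
            findings.append({"src": src, "host": url.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL, trusted_domains=("mail.example.com",)):
        print(finding["host"], finding["reasons"])
```

Run against the constructed message with `mail.example.com` trusted, the scanner reports the 1x1 beacon on `track.example.net` and the hidden `cdn.example.net` image, and nothing else. Any remote image load discloses the recipient's address and a fetch time to whoever runs that server, so a mail gateway that strips or proxies remote images removes the signal entirely; this scanner is useful for triage and for alerting when a user's client does load them.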

Pixel tracking and phishing are examples of technical reconnaissance that were more easily thwarted pre-COVID, when employees were cocooned in corporate security layers. With significant portions of knowledge workers still working at home, security teams must contend with variable and amorphous attack surfaces.

For social engineers, this distribution of knowledge workers is an asymmetric advantage. Without a boundary between work life and home life, the available surface area on which to conduct reconnaissance and ply attacks is essentially doubled.

Social engineering’s role in the RDP exploit

According to Okta’s press release, an attacker “obtained remote access using RDP” to a computer owned by Sitel. Based on threat actor emulation conducted by our team and the typical LAPSUS$ approach, it is clear that social engineering played a key role in this attack, most likely via a targeted spear phishing campaign, outright bribery, or a similar delivery mechanism. That step would have provided attackers not only with the device location information needed for the RDP exploit, but also with important information about the device and other security controls.

Remember that social engineers are hackers that focus on tricking people so they can defeat technical controls. Tricking people is easy when you know something personal about them—in fact, our research indicates attackers are at least 200x more likely to trick their targets when the attack leverages personal information. 

The amount of time, energy, and resources required to complete this reconnaissance was significant, but it was made easier by the two key documents found during our initial recon on the target. While there are other breadcrumbs that could have led us down the same path, many of those paths offered less clear value, while these two documents essentially pointed to “easy access this way.” Finding these documents quickly and easily means that hackers are likely to prioritize this attack path over others—the easier it is, the less time and resources it consumes, and the greater the return on effort. 

Key learnings for cyber defenders

Recognize you are at war. Make no mistake about it, we are in a war that is being fought in cyberspace, and unfortunately companies like Okta and Sitel are collateral damage. Just as in a hot war, one of the most successful methods for countering insurgent attacks is to “turn the map around” to see your defenses from the perspective of the enemy. This outside-in way of thinking offers critical differentiation in the security-strategy development process, where we desperately need to change the paradigm and take proactive measures to stop attacks before they happen. I wrote another short article about how to think like an attacker that might be helpful if you are new to this approach.

Be proactive and use MITRE—all of it. The prevailing method used by cyber defenders to map attacker techniques and reduce risk is called the MITRE ATT&CK framework. The design of the framework maps fourteen stages of an attack from the start (aptly called Reconnaissance) through its end (called Impact)—our team emulated attacker behaviors during the reconnaissance stage of the attack in this example. Cyber defenders are skilled at reacting to incidents mainly because legacy technologies are reactive in nature. MITRE recommends a proactive approach to remediating the reconnaissance stage to “limit or remove information” harvested by hackers. Defenders have an opportunity to be proactive and leverage new technologies that expand visibility and proactive remediation beyond the corporate firewall into the first stage of an attack. Curtailing hacker reconnaissance by removing the data hackers need to plan and launch their attack is the best practice according to MITRE. 

Get ahead of regulations. Federal regulators are also coming upstream of the attack and have signaled a shift with new SEC disclosure guidance, which requires companies to disclose cybersecurity incidents sooner. Specifically, one key aspect of the new rule touches on “…whether the [company] has remediated or is currently remediating the incident.” New technologies that emulate threat actor reconnaissance can make cyber defenders proactive protectors of an organization’s employees, contractors, and customers long before problems escalate to front page news. These new technologies allow companies to remediate risk at the reconnaissance stage of the attack—an entirely new technology advantage for cyber defenders. 

Every single attack begins with research. Removing the data that hackers need to connect their attack plans to their human targets is the first and best step for companies who want to avoid costly breaches, damaging headlines, and stock price shocks.

Think Like a Hacker to Stop Attacks Before They Strike

By Matt Polak, CEO of Picnic

Cyber threat intelligence indicates that there is a high probability of digital retaliation against Western companies and governments that have supported Ukraine or distanced from Russia. Russia has validated this intelligence and their cyberwar strategy is evident: they harvest personally identifiable information (PII) about individuals and use it to power social engineering schemes to conduct attack and compromise campaigns that cause damage, collect intelligence, and generate income.

Organizations that have cut (or iced) ties with Russia, or those supporting Ukraine, are most likely to be the direct targets of Russian cyber aggression and retaliation. There are three things you should know about how threat actors like Russia operate: 

  1. Their #1 attack vector is social engineering.
  2. Their #1 target is high-value employees.
  3. Every attack begins with reconnaissance of public data footprints (i.e., OSINT data).

Unfortunately, existing controls are not likely to stop sophisticated social engineering attacks: training doesn’t work (people can’t be trained to spot these well-crafted attacks), and technical controls like mail gateways and endpoint protection can be defeated by staged operations that first identify those controls in order to evade them.

In addition to the #shieldsup activities that are ongoing, below are some simple steps companies concerned about retaliation should take immediately.

What Should You Do

  1. Embrace the attacker’s mindset
  2. Identify your targets
  3. Remediate
  4. Repeat

1. Embrace the Attacker’s Mindset

Start by approaching this problem as the attacker. Ask yourself some key questions:

  • What systems would I want to gain access to?
  • What security controls, if exploited, would lead to catastrophic damage?
  • Who has access—either to the systems themselves or to the controls?
  • Who do you think would make the best target if you were the attacker? Why?

This last question is key and leads into the next activity: identify your targets.

2. Identify Your Targets

Make a list of your people as follows:

  • Group 1: People (probably your C-Suite and Board) whose personal brands and reputations are intertwined with your company’s brand and reputation.
  • Group 2: People who work directly with and support “Group 1”
  • Group 3: People with privileged access to your “crown jewels”
  • Group 4: People who work directly with and support “Group 3”
  • Group 5: If not already considered, the people who have privileged access to your organization’s security controls
  • Group 6: People who work directly with and support “Group 5”

I recommend putting these people into a spreadsheet for simple management, since you’ll want to capture some additional information on each one.

First, for each person in each group:

  1. Add their LinkedIn profile (assuming they have one) to your spreadsheet
  2. Add their work and personal (if available) emails to the spreadsheet

Create a few columns in which you can track some basic data about each person with a simple Yes or No.

For their LinkedIn profile:

  • Does the person list a specific geography where they are located?
  • Does the person list anything in their profile that would suggest they would be an attractive target? Words like “administrator” or listing technologies or processes they are responsible for are dead giveaways.
  • Does the person list any contact information on the page?

For their work and personal emails:

  • Run through whatever breach repos (sites on the public, deep, and dark web where people’s usernames, passwords, and other personal information are stored and sold) you have access to and denote the quantity (as a count) of cleartext credentials available for each person.

When you are done, your spreadsheet should look something like this, sorted by seniority:

You can use some basic approaches to analyze this kind of data that leverage your knowledge of your company and its security practices, as well as the questions you asked yourself upfront when you thought like the attacker.

For example, as seen above, you might decide that people with the most breaches in their work emails are important to triage first. In this view, the EA to the CEO is most likely to be targeted, so you might increase sandboxing for their account, have a direct 1:1 security coaching session with them, and make some reasonable requests to modify personal data to neutralize oversharing in social media. At a minimum, you should make sure that none of the cleartext credentials you found are being used in your company’s infrastructure, and ideally not used in an employee’s personal life either. After all, attackers want to find the easiest path in, and it’s usually smooth sailing into unmonitored personal email and interconnected social media.

If you want to apply more analysis, you could associate a score of 1 point with any “Y” and weight everything equally. Doing so would yield a target list that looks quite different and makes your RDP Admin (yikes!) the #1 target for attack:

What’s equally valuable about this exercise is knowing who is not the most likely to be attacked. Maybe your gut instinct told you that your Security Tools Admin was likely your top target, but your quick analysis shows this person would be difficult to target, which would de-prioritize them in the eyes of an attacker.

Organizations have limited human analyst resources capable of solving problems that computers can’t solve, so knowing where to invest valuable staff resources is critically important in our current elevated threat environment.

There are many approaches that can yield valuable insight into how to secure your organization based on the view of the attacker. Remember, the way the attacker prioritizes their targets is based on reconnaissance of public data. Seniority is a useful metric, but it’s only one consideration. Oftentimes it is those people who are accessible rather than valuable who are the first line of attack for hackers who seek to leverage credential escalation and lateral movement. For example, the executive assistant to the CTO could be easily overlooked by an internal security organization, but someone in this role likely has shared access to certain systems that are sensitive, and therefore would likely be a prime target for an attacker.
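To make the two views above concrete, here is an added worked example (not code from the original post or from Picnic’s tooling) that builds the spreadsheet’s Yes/No columns and both rankings from constructed sample data. The giveaway word list, the five sample people and their breach counts are assumptions made for the demo; the scoring is the 1-point-per-“Y” rule described above, with the first view sorted by work-email breach count and seniority.

```python
"""Added example: turn the 'Identify Your Targets' spreadsheet into a ranked
list. Sample people and giveaway terms are constructed for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Profile wording the page calls a "dead giveaway". Constructed starting list;
# extend it with your own system, vendor and role names.
GIVEAWAY_TERMS = ("administrator", "admin", "rdp", "active directory", "vpn",
                  "privileged access", "security tools", "payroll")


@dataclass
class Person:
    name: str
    role: str
    group: int               # Group 1..6 from the page
    seniority: int           # higher = more senior; used for the first view
    headline: str            # public profile headline / summary text
    lists_geography: bool    # LinkedIn: specific location listed?
    lists_contact: bool      # LinkedIn: contact details on the page?
    work_breaches: int       # cleartext credentials found for the work email
    personal_breaches: int   # same for the personal email


def giveaway_hits(text: str, terms=GIVEAWAY_TERMS) -> list[str]:
    """Giveaway terms present in a profile text (case-insensitive, whole words,
    so 'admin' does not fire on 'administrator')."""
    low = text.lower()
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", low)]


def yes_no_columns(p: Person) -> dict[str, bool]:
    """The Yes/No columns the page asks you to add to the spreadsheet."""
    return {
        "geography_listed": p.lists_geography,
        "giveaway_words": bool(giveaway_hits(p.headline)),
        "contact_info_listed": p.lists_contact,
        "work_creds_exposed": p.work_breaches > 0,
        "personal_creds_exposed": p.personal_breaches > 0,
    }


def equal_weight_score(p: Person) -> int:
    """One point per 'Y', everything weighted equally."""
    return sum(yes_no_columns(p).values())


def rank_by_work_breaches(people: list[Person]) -> list[Person]:
    """First view from the page: most cleartext work credentials first,
    ties broken by seniority."""
    return sorted(people, key=lambda p: (-p.work_breaches, -p.seniority))


def rank_by_score(people: list[Person]) -> list[Person]:
    """Second view: equal-weight score, then total breach count, then seniority."""
    return sorted(people, key=lambda p: (-equal_weight_score(p),
                                         -(p.work_breaches + p.personal_breaches),
                                         -p.seniority))


def sample_people() -> list[Person]:
    """Constructed sample data shaped like the page's spreadsheet."""
    return [
        Person("A. Lee", "CEO", 1, 10, "Chief Executive Officer", True, False, 1, 2),
        Person("B. Cruz", "EA to the CEO", 2, 4, "Executive Assistant to the CEO", True, True, 7, 3),
        Person("C. Park", "CTO", 1, 9, "Chief Technology Officer", True, False, 0, 1),
        Person("D. Osei", "RDP Admin", 3, 3,
               "Windows Server & RDP Administrator - Active Directory, VPN", True, True, 2, 1),
        Person("E. Novak", "Security Tools Admin", 5, 3, "IT Engineer", False, False, 0, 0),
    ]


def print_views(people: list[Person]) -> None:
    """Print both rankings the page describes, one row per person."""
    for title, ranked in (("By work-email breaches", rank_by_work_breaches(people)),
                          ("By equal-weight score", rank_by_score(people))):
        print(f"\n{title}")
        for p in ranked:
            cols = "".join("Y" if v else "N" for v in yes_no_columns(p).values())
            print(f"  {p.role:<22} score={equal_weight_score(p)} cols={cols} "
                  f"work={p.work_breaches} personal={p.personal_breaches}")


if __name__ == "__main__":
    print_views(sample_people())
```

With the constructed data the first view puts the EA to the CEO on top (seven exposed work credentials) while the equal-weight view moves the RDP Admin to #1 and drops the Security Tools Admin to the bottom, which is the shift the text describes. Weights are deliberately a single place to change: once you know which columns matter most for your company, adjust the key in `rank_by_score`.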

3. Remediate

Now that you know who is most likely at risk, we recommend a quick scrub of OSINT data to make your team harder to target. In order of priority:

  1. Passwords. Confirm that all cleartext credentials are not in use and ideally banned from your systems and also ask employees to confirm they are not using these credentials either.
  2. LinkedIn. Go back to the list of words or phrases that powered your evaluation of LinkedIn. Send a quick email to your team asking them to change or remove these words with an explanation as to why. (see “resources” below for a sample communication)
  3. Data Brokers. Find and remove data brokers, which are an easy source for threat actors looking for PII on your employees. To do this, run a series of Google searches for the people in your list such as: “Full Name” + “work email”; “Full Name” + “personal email”; and “Full Name” + “home address”. Results will commonly include data brokers such as Whitepages, Spokeo, MyLife, and ZoomInfo. These data broker sites support removal requests, though the process can take time and is not uniform. If you want help with this, please contact me or comment.
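The credential count from the “Identify Your Targets” step and the password ban in step 1 above can be driven from the same breach data. The following is an added example, not code from the original post: it parses a constructed email:password dump, produces the per-person count column, and turns the passwords into a hash-only blocklist (SHA-1, indexed by the first five hex characters, the same range layout the Pwned Passwords k-anonymity API uses) that a password-change hook can consult. The dump contents, the email addresses and the 12-character minimum length are constructed assumptions for the demo.

```python
"""Added example: count cleartext credentials per employee from a breach dump
and build a hashed blocklist so those passwords can be banned without keeping
the cleartext around. The dump below is constructed, not real breach data."""
from __future__ import annotations

import hashlib
from collections import Counter

# Constructed sample in the common "email:password" dump layout.
BREACH_DUMP = """\
# constructed sample, not real breach data
ea.ceo@example.com:Summer2021!
ea.ceo@example.com:Summer2022!
rdp.admin@example.com:Welcome123
ceo@example.com:Pa55word:extra
ea.ceo@example.com:Summer2021!
a line with no separator
"""


def parse_dump(dump: str) -> set[tuple[str, str]]:
    """Unique (email, password) pairs. Split on the first ':' only, because
    passwords may contain ':'; skip comments and malformed lines."""
    pairs = set()
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.add((email.strip().lower(), password))
    return pairs


def count_cleartext_credentials(dump: str, emails: list[str]) -> dict[str, int]:
    """The per-person count column for the spreadsheet (0 when nothing found)."""
    counts = Counter(email for email, _ in parse_dump(dump))
    return {e: counts.get(e.lower(), 0) for e in emails}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_blocklist(dump: str) -> dict[str, set[str]]:
    """Hash-only blocklist indexed by the first 5 hex chars of SHA-1. Only the
    hashes are kept, so the dump itself can be destroyed once this is built."""
    index: dict[str, set[str]] = {}
    for _, password in parse_dump(dump):
        h = sha1_hex(password)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_banned(password: str, index: dict[str, set[str]]) -> bool:
    """True when the candidate's hash appears in the blocklist."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_new_password(password: str, index: dict[str, set[str]],
                       min_len: int = 12) -> list[str]:
    """Reasons to reject a proposed password; an empty list means acceptable."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_banned(password, index):
        reasons.append("found in breach data for this organization")
    return reasons


if __name__ == "__main__":
    people = ["ea.ceo@example.com", "rdp.admin@example.com", "cto@example.com"]
    print(count_cleartext_credentials(BREACH_DUMP, people))
    blocklist = build_blocklist(BREACH_DUMP)
    for candidate in ("Welcome123", "Summer2021!", "correct horse battery staple"):
        print(candidate, check_new_password(candidate, blocklist))
```

Counting unique pairs (rather than lines) keeps re-posted dumps from inflating a person’s number, and splitting on the first colon only means a password containing a colon is banned as a whole rather than truncated. Because the blocklist holds only hashes, the same index format can later be filled from a public breached-password service instead of a local dump.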

4. Repeat

This type of exercise should be run continuously in good times and in bad. Digital footprints and employee populations are in constant flux, and so are attacker motives and methods. Building capacity for this type of capability will help build a security culture and create good operational security practices that should be the backbone of any security strategy.

Remember, hackers scout your organization to find an easy way in so they can compromise your people, your company, and your brand (in that order).

Picnic solves this problem at scale, so if you want to learn more about how to come upstream of the attack to stop hackers, please get in touch with us to schedule a demo.

Resources

After reducing the attack surface of the human, the next step would be to consider something like what has been proposed by Krebs Stamos Group, who provided helpful advice for those exiting the Russian market or icing ties with Russian-connected organizations.

Sample Communication

[EMPLOYEE],

In light of [COMPANY’s] position in the global market and recent actions with respect to Russia, we conducted a threat assessment to identify ways to protect our highly valued employees like you from hackers who might retaliate against [COMPANY].

Hackers are targeting the personal lives of employees to gain access to company systems, so it’s important we take this threat seriously for both the company and you.

Based on the threat assessment we conducted, we are asking employees with the following information in their LinkedIn profiles to change or remove it.

Please remove the following references:

  • System Name 1
  • System Name 2
  • System Name 3

We believe that by removing these references it will make you less likely to be the target of malicious activity, which will make you safer online both at work and home.

This small change will make a big difference for you and your colleagues.

Thank you for your help,
[NAME]

How to sharpen your corporate social media policy for today’s threats

Using social media is, without a doubt, one of the most popular online activities that internet users engage in. Businesses have also discovered how to leverage social media to create opportunities for their brands. However, the use of these platforms has also created many risks. Not only can a bad social media post spiral into a full-blown PR crisis, but social media has become a data channel that cybercriminals exploit regularly to steal sensitive corporate information or cause huge reputation damage. Many businesses create a social media policy for their organization but often don’t understand how to fully protect themselves.

The Social Media Policy

It is said that 3.96 billion people and 88% (and rising) of companies currently use social media platforms worldwide. Despite its high usage, social media culture is still relatively new territory for both employers and employees. Businesses have recognized that unwise social media use can create detrimental outcomes, but the social media policies these companies develop show a level of naivete when it comes to understanding risk.

The corporate social media policy is often a document that resides on a company’s intranet and is rarely changed after the date of its inception. It is standard practice to include the social media policy at the point of employee on-boarding as part of the contractual process between employer and employee. Typically, the contents of the policy are centered around the do’s and don’ts of employee usage and regulatory or compliance obligations, and will explain expectations in terms of employee conduct online. For example, Dell Global’s Social Media Policy is reported to be as follows:

  1. Protect Information
  2. Be Transparent and Disclose
  3. Follow the Law, Follow the Code of Conduct
  4. Be Responsible
  5. Be Nice, Have Fun and Connect
  6. Social Media Account Ownership

The overall goal is to set expectations for appropriate behaviour and ensure that an employee’s usage will not expose the company to legal problems or public embarrassment.

The example policy is also remarkably vague. There are probably a couple of reasons for this. Today’s HR departments are very sensitive to employee privacy concerns. There may be a reluctance to lay down specific rules for behaviour that may seem subjective and intrusive.

However, there is a difference between something that is embarrassing and something that is dangerous. Many companies like this are clearly not concerned about network security implications and how employee actions online may compromise both personal and corporate security. The reality is that there is a real need for specific rules (or at least “tips”) regarding how employees present personal data about themselves on social media.

Social media content is highly susceptible to cybercriminals

Social media usage exposes company networks to hacks, viruses and privacy breaches. How? Social media encourages people to share personal information or Personally Identifiable Information (PII). Even the most cautious and well-meaning employee can give away information they should not or accidentally disclose sensitive company information. With this data, cyber criminals who use social engineering techniques can more effectively exploit the gullibility and misplaced trust of many social media users – having serious consequences for those users and their employers’ networks.

All it takes is one mistake. According to the latest EY Global Information Security Survey 59% of organizations had a “material or significant incident” in the past 12 months. Research also found that 21% of organizations have been infiltrated by malware via Facebook and 13% report that their organization has been infiltrated by malware via YouTube. So, what can be done to reduce the risk and ensure your employees and your brand are protected?

The Social Media Policy: What you can do to safeguard against potential attacks

The first step should be to implement a detailed and effective social media policy. While 80% of businesses report having a social media policy in place, the reality is the majority of policies (58%) could be described as general in nature – only 28% have a detailed and thorough policy. So, what additional guidance should your social media policy include? Be focused on data exposure as much as reputation. Here are just a few examples of some rules to publish to get started:

  1. Don’t accidentally describe your tech stack: If you are a technical person, like an engineer, you may want to post your technical proficiencies online. However, combined with your job title, you could end up describing the technical infrastructure of your company, which may give a hacker or social engineer exactly the information they need to attack the company. What might seem like a clear description of your current employment and career path is, in today’s world, information that won’t actually help you but might harm you if it falls into the wrong hands.
  2. Don’t post your resume online: Yes, your LinkedIn page is a resume…but it isn’t. Resumes typically contain personal contact information that can be protected by LinkedIn’s UI structure. Remember that resumes are artifacts from old one-to-one communications between job seeker and employer. In today’s world, you are only revealing information that won’t necessarily help you but might actually harm you if it falls into the wrong hands.
  3. Pay attention when providing personal information online: In general, we all should be wary of giving out information that helps make us personally identifiable, for example middle name, birthplace, marital status, check-ins, and sharing current location status. Each of these bits of information is innocent in itself, but used in combination with other information, social engineers are equipped with more tools to attack you or leverage your personal data to get access into sensitive parts of your company.
  4. Help employees spot suspicious activity: While employees can be your weakest link when it comes to potential cybersecurity risks, they can also be your greatest asset in protecting your company. Educating and teaching employees on how to spot and identify suspicious activity such as dubious links or downloads will also go a long way in reducing potential attacks and malware intrusion in your computer systems.

For any business, social media platforms can be a gateway to reaching larger audiences. However, they have also gained the attention of cyber-criminals who are more than willing to use them against you. Considering the average data breach costs companies in the U.S. $7.91 million, the importance of protecting company, customer, partner, and employee data cannot be overstated. Businesses with a holistic social media policy in place will be in a better position to protect both their employees and organization against potential attacks.

Psychology is the social engineer’s best friend

Social engineering cyber-attacks have rocketed to the forefront of cyber-security risk and have wreaked havoc on large and small companies alike. Just like a Renaissance actor drawn to Shakespeare’s genius work, the modern social engineer is attracted to the ever-growing pool of information fueled by data brokers. These criminals ply their trade by exploiting the vulnerabilities of an individual and their tactics are known as phishing, baiting, scareware, and tailgating, just to name a few. What is so unique about the social engineer is that their methods are designed to take advantage of the common traits of human psychology.

Social engineers may simply send phishing emails to the target of their choice, or they could work to build a relationship with the target in person, through conversation, or even through spying. Most victims are only guilty of trust. For example, take the case of Barbara Corcoran, famous Shark Tank judge. She fell victim to a phishing scam in 2020 resulting in a loss of roughly 400,000 USD. The social engineer simply posed as her assistant and sent emails to her bookkeeper requesting renewal payment on real estate investments.

In order to combat social engineering, we must first understand the nuances of the interaction between social engineer and target. First and foremost, we must recognize that social engineering attacks are a kind of psychological scheme to exploit an individual through manipulation and persuasion. While many firms have tried to create technical barriers to social engineering attacks, they have not had much success. Why? Social engineering is more than a series of emails or impersonations. It includes intimate relationship building – the purposeful research and reconnaissance into a person’s life, feelings, thoughts, and culture. The doorway to social engineering success is not a firewall – it is the human response to stimuli. As such, we should analyze these attacks through a psychological lens.

In Human Cognition Through the Lens of Social Engineering Cyber Attacks, Rosana Montañez evaluates the four basic components of human cognition in psychology centered around information processing: perception, working memory, decision making, and action. Together, these pillars of cognitive processing influence each other and work together to drive and generate behavior. To illustrate by way of example: when driving on a highway, you must first evaluate your surroundings. Where are the cars around you? Is there traffic ahead? What is the speed limit? Next, you must use your working memory to pull information from past experiences. The brain sends out a code: last time there were no cars around you and you were below the speed limit, you were able to change lanes to go faster. With this new information, you now have a decision to make. As the driver, you use this information and perform the action of changing lanes.

In the context of cyber-attacks, social engineering is a form of behavioral manipulation. But how is the attacker able to access the complex system of cognition to change the action and behavior of the target? To further dissect cognition, Montañez considers how “these basic cognitive processes can be influenced, for better or worse, by a few important factors that are demonstrably relevant to cybersecurity.” These factors are defined as short and long factors and may be the opening that attackers can leverage to strengthen the success of their attack. Short term factors include concepts of workload and stress. Long term factors evaluate age, culture, or job experience.

In a recent study, researchers evaluated phishing behavior and the likelihood an employee would click a phishing link. It was found that those who perceived their workload to be excessive were more likely to click the phishing email. Cognitive workload causes individuals to filter out elements that are not associated with the primary tasks. More often than not, cyber security is not actively thought about and therefore results in the greater likelihood of being overlooked. This effect is known as inattentional blindness and restricts a person from being able to recognize unanticipated events not associated with the task at hand.

Stress also may be responsible for weakening an employee’s ability to recognize the deceptive indicators that are present in cyber messages or phishing emails. Other factors such as age or culture, domain knowledge, and experience have anticipatory principles that can determine the likelihood of being deceived. As most would expect, having more cyber-security knowledge and experience in a given job reduces the risk of cyber-attack victimhood. Similarly, as age increases there is a decrease in risk for cyber-attacks because of job experience and accumulated cyber-security knowledge. However, eventually the impact of age and experience reaches a plateau and inverts when seniors (with less experience in modern technology) become exposed. Interestingly, gender and personality were inconclusive when evaluating their impact on cyber-attack susceptibility.

So how do we go about defending against cyber-attacks and improving the untrustworthy mind? The short answer is we don’t. As the age-old security acronym PICNIC suggests, the Problem exists “in the chair” and “not in the computer.” Across many different studies and the experiences of companies themselves, training methods that ask people to make conscious efforts to defend against social engineering cyber-attacks have been unsuccessful. If technological barriers don’t work and cognitive responses can’t be changed, then what is the answer? The solution requires addressing the condition that attracts the social engineer in the first place – data exposure. Companies that manage data exposure will reduce the attack surface, and thus, take the psychological advantage away from the social engineer.

Ethan Saia

Social engineering in the workplace

Everyone is familiar with the case in which the proverbial “little old lady” is duped out of her life savings by a villain contacting her through the phone or email. The “Nigerian Scam” or “Advance-fee Scam” is one such classic scam you may know. The victim is offered a large sum of money on the condition that they help the scammer transfer money out of their country.

The problem is that just knowing about these classic scenarios gives most people a false sense of security. The thought is, “It would never happen to me!” The first problem with this is that there are many types of these sorts of social engineering attacks that may not be so easy to recognize. The second problem is that most think this only happens at home.

In this article we will refresh our understanding of social engineering. We will review the currently known shapes and sizes of such attacks with a special focus on how they are used on employees in the workplace.

Social engineering: A review

Social engineering is a term that encompasses a broad spectrum of notorious and malicious activities. The common, defining attribute is the ability to exploit the one weakness every person and organization has: human psychology. Instead of relying on programming and code, social engineering attackers use phone calls, e-mails and other methods of communication as their main weapon. They trick victims into willingly handing over either personal information or an organization’s proprietary secrets and sensitive data.

Let’s focus on the seven most common social engineering attacks.

1. Phishing

Phishing is one of the most common techniques. In most cases phishing uses fake forms and websites to steal vulnerable users’ personal data and login credentials. A phishing attempt commonly tries to accomplish one of three things:

  • Obtain sensitive and personal information such as names, date of birth, addresses, debit or credit card number, and Social Security Numbers.
  • Redirect users to malicious websites by creating misleading and shortened links and hosting a phishing landing page.
  • Incorporate fear, threats, and exploit a sense of urgency to manipulate the users into responding quickly without thinking rationally.

2. Pretexting

As the name implies, in this social engineering attack, the fraudsters focus on creating a fabricated scenario or a good “pretext.” In a basic attack, the scammer typically claims they need certain information from you to confirm your identity. Once obtained, this information becomes the key to stealing your more personal data and/or to stage secondary attacks such as full identity theft.

In advanced pretexting, the target may be corporate. The key piece of information obtained may help them either exploit or abuse a company’s physical or digital weakness. For example, a cyber-fraudster may impersonate a third-party IT auditor and convince the targeted organization’s security team to grant them entrance into a secure building.

Pretexting fraudsters often masquerade as employees, such as HR or finance personnel. Such disguises help them access and target C-level executives. Verizon reported similar findings in its DBIR in 2019.

3. Baiting

Baiting is somewhat similar to a phishing attack but is distinguished by the fraudster’s promise to give away an item or prize. Often the bait may be as simple as free movie or music downloads but will require the victim to hand over login credentials.

That’s not to say that baiting is strictly an online phenomenon. Baiters will use physical media when required. In July 2018, KrebsOnSecurity experienced and reported a baiting attack campaign that was targeting local and state-level government agencies within the United States. The attackers sent out envelopes postmarked from China that contained a compact disc (CD) along with a confusing letter. The idea was to exploit victims’ curiosity and have them use the CD containing malware that would infect their computer system.

4. Quid pro quo

A quid pro quo attack is similar to baiting but whereas baiting promises goods, quid pro quo promises services. As an example, in recent years fraudsters impersonated the United States Social Security Administration. They contacted the targets, informed them there was an error in the system, and then claimed they needed the victims to confirm their Social Security Numbers. The ultimate goal was identity fraud using these credentials.

5. Tailgating

Tailgating (also known as piggybacking) involves someone without any appropriate authentication following authorized personnel into a restricted area. Often the attacker may impersonate a delivery person and wait outside the target destination. When the unsuspecting employee gains access and opens the door to get in, the attacker will ask them to hold the door for him as well. This type of social engineering attack mostly targets mid-size enterprises as most large companies use keycards for building access.

6. Watering hole

Just as animal predators wait by their prey’s favorite watering hole, cybercriminals target websites that may be popular with a target demographic in order to attack such visitors. If, for example, someone wanted to target financial services professionals, they might inject a popular financial site with malicious code. Merely visiting the site would compromise the website visitors’ browsers with code that could monitor the activities or even reach deeper into the system and control computer microphones and cameras.

7. Vishing

Sometimes known as voice phishing, vishing is a type of attack in which a fraudster uses advanced IVR (interactive voice response) software on a standard telephone to entice you into repeating your confidential information on a recorded line. Vishing is not only about requesting your data; the recording of your voice can also be used to overcome any voice-activated defenses that you may have access to within your company or for any services.

A common attacking technique used along with IVR is to prompt a victim to provide passwords and PINs. Each time the victim tries to enter a password or PIN, it will fail and notify the user that it is an incorrect attempt. This will cause the employee to panic and try several personal passwords. Hackers will harvest and exploit PINs and passwords later.

Ways to Recognize a Social Engineering Attack

A social engineering “ask” is often recognizable as one of the following:

Someone asking for assistance

Social engineers are good at using language that instills fear and a sense of urgency in you. The idea will be to rush you into performing an action with no time to think rationally. For example, someone who is urging you to carry out a wire transfer might be a scammer or hacker. Stop, think, and ensure that you will be conducting a legitimate transaction.

Asking for donations

Cyber fraudsters like to exploit your emotions and generosity by asking for donations for a charitable cause over the phone or through emails. They will also give you instructions on how you can send your donation to the hacker’s account. These social engineers may first research social media to learn the types of causes you support to better find a leveraging point.

Asking for information verification

Another notorious tactic that social engineers use is to present a problem that you can solve only by verifying your information. Often the problem requires the victim to fill in an online form asking for your personal information. The messages and form may look legitimate with all the correct branding and logos, but the moment you enter your information, the information immediately goes to social engineers.

Prevention from social engineering

There are five primary ways you can prevent yourself from falling for a social engineering attack:

Know your crown jewels

Learn the specific pieces of information, personal or corporate, that might be valuable to a social engineer or a hacker. Think of this information as the crown jewels. Identifying sensitive information allows you to set up walls to protect it.

In any corporate environment, the specific “crown jewels” may be different depending on department or person. Legal, IT and Finance may all have specific areas or sensitive data that others in the company may not have access to or even know about. This means social engineering protection applies to everyone.

Verify identities

Email hacking is a common threat that either imitates or takes control of legitimate email accounts. For example, if there is an unexpected request to take action online, ensure that the person you are dealing with is legitimate by calling that person and confirming that they have sent you the email message in question.

Slow down

Social engineers will go to the extreme lengths to instill panic, fear, and a sense of urgency in you. You must never let anyone rush you or prevent you from taking the time to consider carefully. See any effort to push you to take action quickly as a potential red flag.

Verify before you click

If you see a shortened link, such as a bit.ly link, be wary. Such links are often used as carriers of malicious URLs or viruses. To verify whether the link is legitimate, check it using a link expander. Search Google for “link expander” to find many resources that are easy to use.
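For readers who would rather expand a link themselves than paste it into a third-party site, here is an added example (not code from the original article) of what a link expander does: it follows the redirect chain one hop at a time, stops on loops or over-long chains, and flags the things worth checking before clicking, such as a final destination that is not HTTPS or not on one of your own domains. The redirect chains, the short-link host and the allowed-domain set are constructed for the demo; `live_fetch()` shows how one real hop is fetched with the standard library and is not used by the offline demo.

```python
"""Added example: expand a shortened link hop by hop before anyone clicks it.
The redirect chains below are constructed; live_fetch() shows how to do one
real hop over the network and is not used by the demo."""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5

# Constructed redirect chains: URL -> next hop. A missing key means "final page".
FAKE_REDIRECTS = {
    "https://short.example.com/ok": "https://intranet.corp.example.com/policy",
    "https://short.example.com/abc": "https://redir.example.net/r?x=1",
    "https://redir.example.net/r?x=1": "http://account-verify.example.org/login",
    "https://short.example.com/loop": "https://short.example.com/loop2",
    "https://short.example.com/loop2": "https://short.example.com/loop",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for one HTTP hop: returns the Location or None."""
    return FAKE_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; we want to see every hop ourselves


def live_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """One real hop: HEAD the URL without following redirects and return the
    absolute Location header, or None when the response is not a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: end of the chain
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        return urljoin(url, loc) if 300 <= err.code < 400 and loc else None


def expand_link(url: str, fetch: Callable[[str], Optional[str]],
                max_hops: int = MAX_HOPS) -> list[str]:
    """Follow the chain and return every URL visited, first to last.
    Loops and over-long chains raise instead of silently stopping."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects")


def host_allowed(host: str, allowed: set[str]) -> bool:
    """True when host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def assess_link(url: str, fetch: Callable[[str], Optional[str]],
                allowed_domains: set[str]) -> dict:
    """Expand the link and flag what a reader should check before clicking."""
    chain = expand_link(url, fetch)
    final = urlparse(chain[-1])
    flags = []
    if final.scheme != "https":
        flags.append("final destination is not HTTPS")
    if not host_allowed(final.hostname or "", allowed_domains):
        flags.append(f"final host {final.hostname} is not an expected domain")
    if len(chain) > 3:
        flags.append("unusually long redirect chain")
    return {"final": chain[-1], "hops": len(chain) - 1, "flags": flags}


if __name__ == "__main__":
    for link in ("https://short.example.com/ok", "https://short.example.com/abc"):
        print(link, assess_link(link, fake_fetch, {"corp.example.com"}))
```

The fetcher is injected so the logic can be exercised offline and tested; swap in `live_fetch` to check a real link. Note that some shorteners answer HEAD differently from GET, so a GET with the same no-redirect opener is the fallback when HEAD returns nothing useful.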

Education

The most crucial and effective preventive measure is subject matter knowledge. Continue to educate yourself on current malicious tactics – they are always changing. If you are a business owner, educate your employees on social engineering threats. The health of your business may depend on it.

A closer look at phishing attacks

Cyber fraud is lurking everywhere across the internet, and one of the most effective tactics against victims is "phishing." Phishing is a term for the use of disguised and misleading emails, texts, and instant messages to trick recipients into believing that they are receiving a message from a trusted source. By posing as a bank, employer, or government authority, the attackers steal personal information and data such as login credentials, Social Security numbers, credit card details, etc.

Phishing attacks can seem innocuous on the surface. An attack might look like a simple email message from the recipient’s company asking them to click on the link or download an attachment. However, when the link is clicked, the user is taken to a fake website where they are asked to take some action, like entering their credentials. Often the “ask” is the download of an innocent looking file which may actually install spyware or malware on their computer.

History and prevalence

Phishing is not a new phenomenon. One of the oldest and most common types of cyberattack, it can be traced back to the 1990s. Over time, users may have become savvier, but phishing messages have become more sophisticated and authentic in presentation. According to Verizon’s Data Breach Report, almost one-third of all data breaches in 2019 were a result of phishing attacks. Ultimately, its proliferation is the result of human trust – something that can be a challenge to firewall.

Phishing attack intent

Most commonly, an attacker will replicate an email that will look like an authentic email from a trusted source. The more convincing the disguise, the more likely they are to succeed. In tandem, the attacker will set up website landing pages that mimic a website that the victim trusts.

The intent is to get recipients of their messages to do one of two things:

Surrender sensitive information

Your personal information is literally the key to riches for phishing criminals. In many cases, attackers simply want your money. How do they get it? They lure you to a false landing page that looks like something your bank may host. If you “sign in” to your bank account in this case, you are really just handing over your bank account credentials to the attacker. Once they have them, it’s game over. They can go directly to your real account and empty it immediately. Millions of such emails are sent annually to would-be victims.

Keep in mind, it is not always just about money from private citizens. The same process is often used at the corporate level to acquire confidential documents: ideas, financial documentation, legal documentation, product specifications, etc.

Download malware

Malware is all about taking control of the host's computer for nefarious purposes, and phishing is the preferred delivery method for malware infections.

A typical malware infection scenario may resemble the following path: the phishing attacker imitates a company's HR department and asks the targeted recipient to download an important form or document, such as a job seeker's resume. This attachment is typically a zip file or a Microsoft Word document with embedded malicious code. In most cases this will be ransomware, code that takes control of the victim's computer in some debilitating fashion until the user pays the hackers to unlock it. According to one report, 93% of phishing attacks carried ransomware attachments.

Types of phishing attacks

There are many types of phishing attacks, and they all have colorful names – but they are all dangerous. Some of the most common:

Spear phishing

Whereas most phishing targets a wide range of victims, spear phishing is focused on defrauding a specific individual. Metaphorically, instead of casting a net or dropping a hook to see who takes the bait, the attacker focuses the attack in a personalized way.

Often targeted victim information is gathered through social media sites such as Facebook and LinkedIn. With this specific personal information, the attacker uses spoof email addresses and sends messages that appear to be coming from a trusted source, such as a friend, family member, employer or a co-worker.

For example, a spear-phishing fraudster may target an employee working in the finance department and pretend to be the department’s manager requesting the employee quickly transfer a large sum of money to an account.

Whale phishing

Whale phishing, also known as whaling, is a type of spear phishing that targets high-value individuals, company board members or CEOs. These targets have authority within their organization as well as access to important data.

Being an executive doesn’t mean you are not vulnerable. Note that most board members are not full-time employees, so they often use their personal email addresses for official or business-related correspondences. Personal emails are more susceptible to phishing attacks because they may not provide the same protection offered by a corporate email system. While whaling is a more time-consuming and sophisticated activity than other cyberattacks, if successful, it can reap big rewards for hackers.

Clone phishing

Clone phishing employs a higher degree of disguise: it reuses the content of an actual, legitimate email that contained a link or an attachment and was previously delivered to the victims.

After the attackers create the clone email, they replace the link or attachment with a malicious version or source and send it using a spoofed email address, impersonating an original sender.

These clone phishing messages may claim to be an updated version of the original email or the company resending the original email.

Filter evasion

Here, cyber attackers use images instead of words to make these phishing messages harder to detect with anti-phishing filters. However, more sophisticated filters can identify and recover hidden text within a malicious image using optical character recognition (OCR).

Website forgery

Website forgery uses a JavaScript code to alter the website’s address bar to lead users to malicious websites. Attackers place an image of a legitimate URL over the fake website’s address bar.

Phishing attackers use potential flaws within trusted websites’ scripts against the victims. Such attacks are difficult for a common user to spot without a specialist’s help.

Covert redirect

Covert redirect is where a link appears to be legitimate but takes the victim to the attackers' website. Typically, victims get an error message during log-in and the site asks them to enter their username and password again.

This type of phishing attack may also redirect the victims to fake websites covertly using malicious browser extensions. Attentive users will notice the malicious URL will be slightly different from the trusted URL.

Voice phishing

Fake websites, fake messages, malicious links, and attachments are not the only phishing attacks plaguing us. Voice phishing uses fake caller IDs that appear legitimate. These calls will ask you to dial a number to discuss an issue related to your bank account. Once you dial the number, it will ask you to enter your card details, your account number and your PIN code to verify your identity. Once you do that, the phone disconnects, and the attackers have your details.

Tabnabbing

Tabnabbing is another technique that takes advantage of multiple open tabs in a victim's browser. A fake web page is silently loaded into an already open tab while the user is trying to open a legitimate website. The user mistakes the fake page for the original and ends up handing information to the hackers.

Protect yourself from phishing

The best way to protect yourself from phishing attacks is research. Google the terms above and, by looking at samples, familiarize yourself with the hallmarks of fraud, as well as how to verify that you are on a legitimate website.

Some quick tips:

  • Check website URLs for spelling mistakes, especially if the link is mentioned in an email asking for sensitive information.
  • Be cautious about the URL redirects. Links that send you to a different website than what you expected might be a phishing attack.
  • If you have any doubts that the email may not be from the original source, contact them to confirm if they have sent you any message whatsoever.
  • Do not post personal information, such as birthdays, home addresses, and phone numbers on social media. Always set your privacy settings to the highest level possible.

Be cautious

Phishing attacks are a common and ever-present threat. Keep your security tight and never share personal details over email, phone, or in a message. You never know when you are exposing yourself to cyber attackers out there.

How to spot a phishing email

Would a Company Send Me That?

We’ve all heard of a phishing email. If you haven’t heard of a phishing email, now is the time to familiarize yourself with this must-know threat lurking online. In this article, we’ll show you how to spot a phishing email and examples of common phishing emails.

What is Phishing?

Modern-day fraudsters attempting to obtain sensitive information from a person or organization by posing as another person or a company online is known as phishing. They might be after your user information, such as passwords or usernames, or credit card and banking information. Employers should also be concerned as fraudsters have been known to steal sensitive or damaging information from employees or gain control of an entire company’s software.

According to a report by Symantec, 96% of phishing scammers are focused on intelligence gathering.

Scammers are known to use the information gained through phishing for:

  • Identity theft
  • Intellectual property theft
  • Industrial or Government Espionage
  • Corporate sabotage, e.g. stealing patent secrets
  • A total takeover of a website or online controls
  • Stealing money

How Does Phishing Work?

We frequently receive emails from our banks, our work IT administrators, or a trusted social media site. The email might ask for details, to log in with a username and password, or simply to click a link. Phishing is when a scammer sends you one of these emails in an effort to steal your information or gain access to your network. The perpetrator is setting a trap for users by pretending to be an authority figure, a legal entity or a company you recognize.  

It’s a lot like fishing, where an angler casts bait on the hook in the river. Eventually, a fish falls for the trap and bites on the bait. Fraudsters lure you to what seems like a legit request from a trustworthy source and wait for you to click on it. 

Instead of ending up at the end of a fishing pole, phishing victims may find themselves in a damaging situation. The consequences of a phishing attack could be the installation of malware on your computer or mobile phone or your phone or computer being frozen due to ransomware. One of the worst outcomes is your personal and sensitive information being exposed to the fraudulent entity. 

The results of phishing can be very devastating, whether you are an individual or a company. It may enable the fraudulent party to steal your bank account credentials, credit card details, and other sensitive information such as your driver’s license and social security numbers. This could lead to unauthorized purchases, identity theft, and money stolen from your bank account. 

According to the Data Breach Investigation from Verizon, 70% of online espionage was due to Phishing.

All of this might seem scary and treacherous but once you know the signs of a phishing email, you will be able to protect yourself and your employees.

Types of Phishing Emails

There are various ways impersonators and fraudsters attempt to make phishing look like a request from a company or person you trust. There are three major types of phishing. 

Email Phishing

Like fishermen casting a wide net hoping to catch the most fish possible, email phishing is all about numbers.  

An attacker sends out a fraudulent email or a message to thousands of people. Even if a small percentage of people end up clicking a link or providing their user information, an online imposter could end up with a significant amount of money and information. 

Scammers go to extreme lengths to make their emails and messages look legit. It can be difficult to tell the difference between a real email and a phishing attempt unless you look closely. Fraudsters will use the same taglines, same logos, and even signatures to mimic the authentic organization. Even the links within the email appear to be from the company they are impersonating.

Did you know that over 7,700 companies get attacked by an email scam every month? According to research, approximately 56% of all the emails you receive are spam, which includes phishing and other email scams. 

Spear Phishing

Spear phishing is a more focused attack aimed towards a specific organization or a person.

It is probably the most sophisticated form of phishing, where the impersonator does a lot of research on their part to know about the company or an individual.

To target individuals, they may look at your online habits, shopping history, websites you visit frequently, and your social media. 

For a company phishing email, they may look into your websites, social media, employees, financial commitments, and even the company structure for useful information. The perpetrator will send out an email to the most relevant employee for a project. An example phishing email might look like an email sent to the project supervisor of a specific campaign.  

The email will appear as if it was sent from the organization; it will feature the company's logo, images, the same font, and might even have a signature from a higher-up at the company. The email will request that the project supervisor click on the enclosed invoice, which is password-protected and can only be opened if the accounts manager enters his credentials. The attacker will then use this information to gain full access to the company's network for more sensitive information and financial gain.

According to the Symantec Internet Security Report, 71.4% of targeted attacks used spear-phishing techniques. 

Whaling

Whaling is a phishing technique that takes it up a notch. In these cases, attackers target senior management or people in power.

The subject and content of these phishing emails will be more in line with something only a senior member of a company's hierarchy has the authority to deal with, for example a legal notice threatening a penalty, or a customer's complaint.

Other forms of Phishing

There are other known forms of phishing, such as website forgery, where impersonators go through the hassle of actually creating a duplicate website. The cloned website looks exactly like the original, except if you look closely, the website link will be slightly different from the original. For example, a bank clone website may have the address www.ebay.shopping.com.

Similarly, Covert Redirect is another method, where the phishing email may have a link that looks legit. However, once you click on it, it will take you to the attacker’s website.

Voice phishing is more linked to the mobile world. For example, you may receive an email or a message that appears to be from your bank asking you to call to resolve an urgent matter. Once you dial the number, they will ask you to enter your name and account number and use that information for nefarious purposes.

How do I Spot a Phishing Email?

It is of utmost importance that you know how to recognize the signs of a phishing email. This will prevent you from falling for a company phishing email or one targeting individuals.

Are you sure that the email you received from your bank is actually from your bank? Or is it just one of the myriads of phishing emails floating in the sea of the World Wide Web? It is time you learn some techniques on how to spot a phishing email. 

A Legit Email will Never Request Your Personal Information

Always remember no matter how professional or authentic an email may look, no legitimate organization will ask you to offer up your bank account number, credit card details, or social security number. If you receive an email that requests your account information, consider it a phishing email. This email will ask you to enter your credentials by either clicking on an attachment or a link. This alone is a big indicator that it is a phishing attempt. 

It is All in the Name

Legitimate business partners and companies such as your bank, eBay, PayPal, etc. will always address you by your name in an email such as Dear Mr. /Ms. (your name). Whereas, a phishing email is sent out to thousands, so it will use a generic salutation such as “Dear User” or “Dear Valued Customer,” etc. Some perpetrators might leave the salutation out altogether, hoping that you would not notice. Take a second to look closer and spot this common sign of a phishing email.

Domain Emails Should Match the Address

You may notice the familiar name of your bank account manager, or of a company colleague and you might do what the email asks you to. Remember to hover your mouse over the “from” address in your email. This will reveal the email address it is sent from. If it looks dodgy, then it actually is. 

A legitimate company will have the domain address that matches their website. For example, an email from PayPal will have [email protected], not [email protected]. Get in the habit of checking the e-mail address.  

Watch for Spelling Mistakes

It might be easy to laugh at or overlook silly spelling or grammar mistakes, but these errors are the easiest way to weed out the phishing attempt sitting in your inbox. Reputable companies make the effort to appear professional and have pride in the content sent to their clientele. Therefore, legitimate communication from companies won’t feature spelling errors.

Be wary of emails featuring frequent mistakes. Hackers are hoping that you don’t take the time to read an email carefully and will miss a spelling error or two and follow a link or provide your information.

Clicks versus a Call

Phishing emails will often ask you to click a website link. A reputable company will provide many avenues for you to contact them or access your information. Hackers will force you to visit their fraudulent website. Visiting fraudulent websites or following links in phishing emails can lead to installing a virus or malware on your system.

If a company really wants to speak with you, they will request you call a secure phone number or provide the information in an email. 

Beware Unsolicited Attachments

Why would your bank or any other company send you a word file or a photo as an e-mail attachment? They wouldn’t and this is probably one of the most effective and harmful tools in a hacker’s arsenal. If you get an unsolicited email with an attachment, just report it or delete it without clicking on anything.

Confirm Legitimate URLs

Appearances can be deceiving, and phishing emails are no exception. If you get a phishing email with a seemingly legitimate link, chances are it will direct you somewhere fraudulent. Always question the legitimacy of the link in question. Don’t click the link. Hover your mouse over the link to reveal where the link intends to take you.  

If the link appearing in the URL seems fishy or does not match the website you're expecting, it is a phishing attempt. A secure and authentic link will begin with https://, though keep in mind that https only means the connection is encrypted; it does not by itself prove that the site belongs to the company you expect, so the domain name still has to match.
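The two checks described above, that the sender's domain matches the company's real domain and that a link's visible text matches where its href actually points, can be automated. The following is an added example, not code from the original article; the trusted domain, the From header and the HTML body are constructed samples, and the subdomain rule deliberately rejects look-alike hosts such as example-bank.com.verify-login.net.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the domain the message claims to come from (hypothetical).
EXPECTED_DOMAIN = "example-bank.com"

# Constructed sample message: the From address and one link use a look-alike host
# whose visible text shows the real site while the href goes elsewhere.
SAMPLE_FROM = "Example Bank Support <support@example-bank.com.verify-login.net>"
SAMPLE_HTML = """
<p>Dear Valued Customer, please confirm your details.</p>
<a href="http://example-bank.com.verify-login.net/login">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
"""


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header (display name ignored)."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def same_org(domain: str, expected: str) -> bool:
    """True only if domain equals the expected domain or is a real subdomain of it.
    A plain prefix match would wrongly accept 'example-bank.com.verify-login.net'."""
    return domain == expected or domain.endswith("." + expected)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body, like hovering each link."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def analyze(from_header: str, html: str, expected: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    dom = sender_domain(from_header)
    if not same_org(dom, expected):
        findings.append(f"sender domain {dom!r} does not belong to {expected!r}")
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        href_host = host_of(href)
        # Visible text that looks like a URL but resolves to another host is the classic lure.
        if text.lower().startswith(("http://", "https://", "www.")):
            text_host = host_of(text if "://" in text else "http://" + text)
            if text_host != href_host:
                findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
        if not same_org(href_host, expected):
            findings.append(f"link to {href_host!r} is outside {expected!r}")
        if urlparse(href).scheme == "http":
            findings.append(f"link {href!r} is not https")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_FROM, SAMPLE_HTML, EXPECTED_DOMAIN):
        print("FLAG:", line)
```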

According to APWG, over a quarter of a million phishing websites were reported in the 3rd Quarter of 2019 alone.

Ways to Protect Yourself

After seeing some example phishing emails and the tactics scammers use, you should feel prepared to spot a phishing email. It is essential to know how to safeguard yourself or your business against phishing. It’s important to be vigilant and to pay attention to the details.

If you get an email with a suspicious attachment or asking you to provide some personal information, think before you react. Use common sense and logic to identify a phishing email.

In addition to the knowledge and skills you have, you can increase your security with reliable internet tools and features. It’s important to choose what you use for your security wisely and use multiple tools if possible.  

2FA or Two-Factor Authentication

Two-factor authentication (2FA) is the most effective way to counter phishing scams. Many service providers are asking users to upgrade to 2FA. Apple and Google users may have already been prompted to upgrade to two-factor authentication.

Two-factor authentication is based on two separate pieces of information to verify the legitimacy of the user. The first piece of information will be your username and password, and the second can be a security question or a code sent to you separately.

Many banks apply this to avoid any unauthorized purchase or money theft. Once you login to the account using your login credentials, your bank will send either a text message or email a one-time passcode. This passcode needs to be entered into the webpage or app to authenticate that it is really you making a transaction. 

Even though this sounds like a hassle, it can protect you or your company in the face of a phishing attack.

If you or one of your employees ends up falling for a phishing attack and gives out login credentials, the account will remain safe, because the attacker will not be able to get past the second security barrier: the additional log-in code is sent to your email or phone, not the hacker's.

Make sure to opt for 2FA, or, if you are a company, recognize that it is in your best interest to implement this security feature in your current IT infrastructure.

Password Management 

It's in your organization's interest to use a strict password management policy. Create a policy that passwords must contain a combination of letters, numbers, and special characters and that passwords must be changed frequently. Old passwords should not be reused.

As an individual, you should practice the same strategy. Change your password with regular intervals and do not use older passwords. 

Security Software

Install security software on your computer and smartphone. Security software notifies you about potentially harmful emails and attachments that may contain malware, ransomware, or a virus.

Controlled Access

In environments like schools and colleges, a policy that states “Do Not Click on External Links” must be enforced. Not only does it save children from phishing scams but also from their exposure to other harmful material. 

What If I Have Already Clicked On a Phishing Link?

You may have been busy or distracted. You may have been in a hurry and clicked a malicious link by mistake. Do not panic; follow these steps to prevent further damage. 

  • Disconnect your device
  • Back up your files
  • Scan your laptop or mobile device for malware
  • Change your passwords
  • Report the attempted phishing attack to your local law enforcement agency's cybercrime division
  • And most importantly, be careful in the future.

Phishing Projection: 2021 and Beyond

The level of sophistication in phishing attacks will increase in the future. As technology changes and evolves, human error will always be something for hackers to exploit as they create more sophisticated phishing attacks.

The more technologically advanced society becomes, the more connected society becomes. Phishing and other malicious attempts by hackers are not to be taken lightly. Stay vigilant and pay attention to what you get in your inbox to spot a phishing email.