The dangers of oversharing: Why your digital footprint may be putting you at risk online
By Matt Middleton-Leal, General Manager EMEA and APAC at Netwrix
Anyone familiar with Netflix’s You – which tells the story of a bookstore manager who becomes obsessed with an aspiring writer and turns to social media and the internet to track his target – will be acutely aware of the potential dangers of sharing aspects of our lives online. A fairly extreme cautionary tale and insight into the methodology of a cyber stalker it may be, but a reminder nonetheless of just how revealing our digital footprints can be.
Data is a highly valuable commodity these days, and with most of us regularly using social and professional networking sites such as LinkedIn, Facebook, Twitter and others, it’s never been easier – or quicker – for cyber criminals to generate a comprehensive picture of our lives, allowing them to more strategically target their victims. While the majority of internet users are aware that not all emails they receive will be genuine – spelling errors and random email addresses being obvious give-aways – more sophisticated and successful attacks are also in circulation. A little goes a long way when it comes to the effort put in by scammers. Even those who don’t target their victims individually can craft highly convincing emails and cast the net wide for high returns.
A recent TV Licence scam, for instance, led to thousands of us receiving emails claiming that our licence was expiring. The fake TV licensing website aimed to trick victims into clicking on a link, where they would be prompted to enter payment details, including their bank account number and sort code, card verification details, and personally identifiable data. Action Fraud said the scam was “particularly nasty as it [looked] so convincing”.
Of course, this was an example of a widespread rather than personalised phishing attack, albeit a well-constructed one, but with relatively minimal effort cyber criminals can go even deeper, strategically targeting a high net-worth individual or business, all through the information that’s willingly uploaded by us day-to-day online.
So how wary should we be about the information we post on social media? Aside from the obvious points – dates of birth, addresses and financial details should never be shared – other forms of information also present a risk. Holiday pictures, for instance, pose a threat both physically, by increasing the likelihood of burglaries, and digitally, by offering another potential route for phishers to target their victims. Imagine being at the airport and posting a picture before jetting off, with your boarding pass just visible; then during your trip, your airline emails you urgently about your return flight home! The immediate call to action always found in scammers’ emails – as they aim to hurry their victims into making a mistake before thinking about it too closely – could be to input personal information such as your passport details, date of birth, contact details and so on. Or it could request that you reprocess the original payment, which of course would require re-entering a credit card number and its CVV. Bingo. Even the most security-savvy of people can fall for a carefully constructed spear-phishing email; mistakes can and do happen, which is of course what cyber criminals are bargaining on. It’s important to remember that anything posted to a timeline makes an individual more traceable, and therefore more vulnerable.
This is as much a problem for businesses as consumers. During my career, I’ve heard many examples of organisations being targeted with well-crafted spear-phishing emails directed at senior leadership teams, or even via the supply chain. Take the incident of a CEO receiving an email purporting to be from their child’s school requesting an attached form be filled out. It’s surprisingly easy to find personal information such as this online, and supplemented by a few informed calls to the right people, it can prove very fruitful indeed. In short, with minimal effort an attacker can generate profiles of their targets and significantly increase their chances of success. If an email is relevant to you, not unexpected and convincing, would you suspect foul play? With high-value targets, the potential returns are significant and the risk versus reward ratio highly favourable for attackers.
Cyber security awareness is essential. Being mindful about the information we share online and being vigilant about correspondence from expected as well as unexpected sources is also key. As for businesses, reminding employees of the risks is a start, but equally important is being aware of the bigger picture when it comes to overall risk, mapping out third-party suppliers and potential weak links.
While cyber ‘bad guys’ as seen in Netflix’s You may seem far-fetched, cyber criminals investing even a fraction of the time on their target before launching an attack will be highly effective adversaries.