4 out of 5 people share too much information on social media, making them vulnerable to cyberattacks
New research from Tessian shows the extent to which people post online and how hackers use this information for sophisticated social engineering attacks
A new report from Tessian, the human layer security company, shows that 84 percent of people post on their social media accounts every week, with two-fifths (42 percent) posting daily, unknowingly sharing information that helps attackers launch successful social engineering or account takeover attacks.
The report, titled “How to Hack a Human,” is based on a survey of 4,000 professionals in the UK and US, as well as interviews with hackers from the HackerOne community. It shows that half of people share their children’s names and pictures, nearly three-quarters (72 percent) mention birthday parties, and 81 percent of workers update their job status on social media.
Most worryingly, 55 percent of respondents admit their Facebook profiles are public, and only a third (32 percent) say their Instagram accounts are private, so much of the personal information posted to these accounts is readily available to bad actors.
Hackers interviewed for the report explain how cybercriminals use social media posts to identify targets and craft targeted, convincing social engineering attacks. For example, they can identify new joiners through LinkedIn and target them with phishing emails impersonating a senior executive whom the new joiner has most likely never met. Knowing who is in a person’s network also lets cybercriminals impersonate someone the target trusts in order to manipulate them into transferring money or handing over information and account credentials.
Harry Denley, a hacker who works on security and anti-phishing at MyCrypto, said: “Most people are very verbose about what they share online. You can find practically anything. Even if you can’t find it publicly, it’s easy enough to create a social engineer details account or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
The How to Hack a Human report also shows how out-of-office (OOO) auto-replies are used to build social engineering attacks. The majority of employees (53 percent) state in their OOO message how long they will be away, 51 percent give personal contact details, and 42 percent say where they are going. Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University and a member of the HackerOne community, said: “OOO messages can, if detailed enough, give attackers all the information they need to impersonate the person who is out of the office. The attacker has to do real work.”
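To make the OOO point concrete, here is an added example (not code from Tessian or the report) of a small linter that scans an auto-reply for the categories of information the report says attackers reuse: the absence window, a personal phone number, the destination, and a named colleague who can be impersonated next. The two auto-replies are constructed for this example, and the regexes are deliberately simple heuristics, not a complete DLP rule set.

```python
import re

# Constructed sample auto-replies for this example (not taken from the report).
VERBOSE_OOO = (
    "Thanks for your email. I am out of the office from 3 May until 17 May, "
    "travelling to Lisbon with my family, and will have limited access to email. "
    "For urgent matters call me on +44 7700 900123 or contact my colleague "
    "Priya Shah (priya.shah@example.com), who is covering for me."
)
MINIMAL_OOO = (
    "Thanks for your email. I am currently out of the office and will reply "
    "on my return. For urgent matters please contact the team at "
    "support@example.com."
)

# One pattern per category of information the report says attackers reuse:
# how long the person is away, a personal phone number, where they are going,
# and a named colleague who can be impersonated or targeted next.
PATTERNS = {
    "absence_window": re.compile(
        r"\b(?:from|between)\s+\d{1,2}\s+[A-Za-z]+\s+(?:until|to|and|through)\s+\d{1,2}\s+[A-Za-z]+",
        re.I,
    ),
    "personal_phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    # Capitalised word(s) after "travelling to" etc.; stops at the first lowercase word.
    "destination": re.compile(
        r"\b(?:travell?ing|flying|going|heading)\s+to\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)*)"
    ),
    "named_delegate": re.compile(
        r"\b(?:contact|reach|speak to)\s+(?:my\s+)?(?:colleague\s+)?([A-Z][a-z]+\s+[A-Z][a-z]+)"
    ),
}


def ooo_findings(text: str) -> dict:
    """Map each oversharing category found in an auto-reply to the text that triggered it."""
    found = {}
    for category, pattern in PATTERNS.items():
        match = pattern.search(text)
        if match:
            # Patterns with a capture group report just the sensitive fragment.
            found[category] = match.group(1) if match.lastindex else match.group(0)
    return found


def is_oversharing(text: str) -> bool:
    """Flag a reply once it leaks two or more categories; a lone delegate name is normal."""
    return len(ooo_findings(text)) >= 2


if __name__ == "__main__":
    for label, reply in (("verbose", VERBOSE_OOO), ("minimal", MINIMAL_OOO)):
        print(label, "oversharing" if is_oversharing(reply) else "ok", ooo_findings(reply))
```

The minimal reply still tells a correspondent what they need (the person is away; here is a shared mailbox) without handing an attacker dates, a mobile number, a location, or a colleague to spoof.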
Organizations fear that social engineering attacks will only increase. Tessian’s platform data shows that in the second half of 2020, social engineering attacks rose 15 percent compared with the previous six months, and wire fraud attacks also rose 15 percent. In addition, 88 percent of respondents said they received a suspicious email in 2020.
The report makes clear that raising awareness of the threat and teaching people basic email security hygiene is an important first step in stopping these attacks from succeeding. For example, Tessian found that only 54 percent of people check the sender’s email address at work, and fewer than half verify the legitimacy of links and attachments before replying or taking action.
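What “checking the sender’s email address” actually catches is worth showing in code. The following is an added example, not Tessian’s product or anything from the report: it parses a message’s headers, compares the display name against an assumed roster of people worth impersonating, flags lookalike domains (digit and digraph swaps, one- or two-character typosquats), a Reply-To pointing somewhere else, and links whose host is outside the assumed corporate domain. The three messages, the domain example.com and the roster are all constructed for this example.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumed corporate domain for this example
# Assumed roster: display names an attacker is likely to borrow, with the one
# address each of them legitimately sends from.
KNOWN_SENDERS = {"tim sadler": "tim.sadler@example.com"}

# Constructed sample messages (not from the report).
PHISH = """From: Tim Sadler <tim.sadler@examp1e.com>
Reply-To: payments-desk@mail-relay.net
To: new.joiner@example.com
Subject: Quick favour

Hi, I'm stuck in meetings and need you to sort a supplier payment today.
Details: http://examp1e.com.payments-desk.net/invoice
"""
FREEMAIL = """From: Tim Sadler <tim.sadler.ceo@gmail.com>
To: new.joiner@example.com
Subject: Are you at your desk?

Can you call me on my mobile? I cannot get into my work email today.
"""
LEGIT = """From: Tim Sadler <tim.sadler@example.com>
To: new.joiner@example.com
Subject: Welcome aboard

Welcome to the team. Your onboarding checklist is at https://intranet.example.com/onboarding
"""

# Swaps commonly used to build lookalike domains; a heuristic, not a full confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Fold a domain to the form a reader would mistake it for."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = CORP_DOMAIN) -> bool:
    nd, nt = normalise(domain), normalise(target)
    return domain.lower() != target and (nd == nt or edit_distance(nd, nt) <= 2)


def analyse(raw: str) -> list:
    """Return (category, detail) pairs for each sign that the sender is not who they claim."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # A familiar display name on an unfamiliar address is the classic executive spoof.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(("display_name", f"'{name}' sent from {addr}, expected {expected}"))
    if is_lookalike(domain):
        findings.append(("lookalike_domain", domain))
    # Replies silently routed to a third domain are another impersonation tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(("reply_to_mismatch", reply_to))
    # Links: judge the host, not the text, and note that a corporate name in a
    # subdomain (examp1e.com.payments-desk.net) does not make it corporate.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host != CORP_DOMAIN and not host.endswith("." + CORP_DOMAIN):
            findings.append(("external_link", host))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("freemail", FREEMAIL), ("legit", LEGIT)):
        print(label, analyse(raw) or "no findings")
```

The free-mail case matters in practice: nothing about gmail.com looks like the corporate domain, so only the display-name check catches it, which is why a roster of impersonation targets is worth maintaining alongside domain heuristics.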
Tim Sadler, Tessian’s CEO and co-founder, urges people to make safeguarding their data as normal as sharing it. He said: “The increase in public information makes a hacker’s job a lot easier. While all of this information may seem harmless on its own – a birthday post, a job update, a like – hackers are piecing it together to get a full picture of their targets and make scams as believable as possible. Remember, hackers only have time. We need to make backing up data feel as normal as giving up data. We also need to help people understand how their information can be used against them in phishing attacks if we are to prevent hackers from hacking people.”
Read Tessian’s full How to Hack a Human report here.