This post has been modified to reflect new information since its original publication.
Social engineering is one of the fastest-growing types of cybercrime, since it leverages human error to get past even the most robust security systems.
It’s also highly adaptable: from Edward Snowden’s NSA leaks to executive wire fraud, from corporate espionage to ransomware attacks, social engineering has been a part of many of the biggest data breaches in recent years.
So what is the key ingredient to a successful social engineering attack? Personal information. In order for the ploy to be successful, the attacker needs to tell a plausible story that feels authentic and wins your trust. To do that, the attacker collects personal information that validates his or her story.
Below, we’ll go over some of the primary ways that social engineers find the personal information used in their attacks. Then, we’ll provide tips on how to protect yourself.
Corporate websites and PR
Executives are among the most common targets of personalized social engineering attacks because the payoff from successfully compromising a corporate executive is so high. When an attacker researches an executive or professional, there is usually a wealth of usable information on the business’s own websites.
Useful details from the company site might include major deals and clients, company milestones, and the names of key personnel. In addition, reviewing press releases and news coverage can give the attacker a good sense of which business objectives the company is currently pursuing. For publicly traded companies, the numerous disclosures and publications required by law can add further nuance to this picture. With all of these sources, the goal is to find professional connections and business scenarios that can be combined into a plausible story.
There are dozens of people-search sites that collect detailed profiles on virtually everyone, then provide them for free or at a nominal cost to anyone who asks. These profiles are valuable to social engineers, because they offer contextual details about family members, political affiliations, and interests. These details can be combined with business information from the company website to make a social engineering attack seem innocuous.
In some cases, social engineers can also use this information to figure out the answers to common security questions, such as “mother’s maiden name” or “which of these addresses have you never lived at.” This makes their attacks much easier, since hackers only need to tease out a few other pieces of seemingly trivial information from you in order to gain access to virtually any of your online accounts via the password reset feature.
In other cases, personal information about family members can help attackers convince you that they are trustworthy people with familial connections. Or they may search for information that your family members may have shared about you, such as a blog post by a child that discusses the specifics of your family life.
Social engineers will scour the major social media sites for bits of personal information. Unsecured, public profiles are the most useful, but even if you keep your privacy settings on high, there’s no guarantee that a family member or close acquaintance hasn’t shared information about you on their own profiles.
Sites like Facebook and Twitter are most useful for gleaning information on hobbies and interests. They can also be used to determine when you or someone you work with is traveling, which makes it possible to impersonate the person who is absent.
Professionally focused sites like LinkedIn provide other valuable sources of information, from the names of colleagues and business affiliations to the schools you attended, your areas of focus, and your years of graduation.
Finally, social engineers take a look at other organizations that you have affiliations with. Say, for example, that you donate to a charity or are on the board of a nonprofit organization. These personal details send strong signals about your interests and the types of appeals that might be most effective on you.
For example, if you donate and volunteer for a skin cancer research organization, a social engineer might use this information in his or her attack, posing as a canvasser from the organization or setting up an event to benefit skin cancer research.
Steps for preventing social engineering
Given how many possible approaches there are to social engineering, there is no foolproof solution that will protect against all threats. However, there are several steps you can take to make yourself significantly less appealing to attackers. After all, if it seems like too much work to target you, the hacker will move on to someone else instead.
Start with the following:
- Keep social media profiles locked down. Review privacy settings regularly, avoid sharing information about your location, and ask friends or family who share potentially sensitive information about you to delete their posts.
- Opt out of people-search sites. Most of these services have an opt-out mechanism. Follow the instructions for each so that your personal information gets removed. You’ll also need to check back periodically to make sure you haven’t been re-added due to a name variation or technical bug. As an alternative, use a service like ExecutivePrivacy to manage this process for you.
- Follow security best practices. Don’t reuse passwords, do enable two-factor authentication, use a good virus scanner, and avoid opening email attachments unless you’re certain of the source.
- Be wary of cold calls. If you get a call, email, or text asking for information about an account of yours, do not give it out. Instead, contact the institution in question through a channel you already know to be legitimate (not a number or link supplied in the message itself) to verify whether the request was genuine.
If you’ve got additional questions about social engineering and digital privacy, feel free to reach out and schedule a consultation with one of our privacy experts.