A new report from Tessian, the human layer security company, has revealed that 84% of people post personal information to their social media accounts every week, with two-fifths (42%) posting every day, giving hackers the data they need to launch an attack.
The report, titled How to Hack a Human, includes findings from a survey of 4,000 professionals in the UK and US and interviews with hackers from the HackerOne community. It reveals that half of people share names and pictures of their children, nearly three-quarters (72%) mention birthday celebrations, and 81% of workers update their job status on social media.
55% of respondents admit they have public profiles on Facebook and just one third (32%) say their Instagram accounts are private, making it very easy for bad actors to access the sensitive information posted on these accounts.
Hackers interviewed in the report explain how cybercriminals use social media posts to help identify their targets and craft highly targeted and convincing social engineering attacks. For example, with knowledge of who is within a person’s network, cybercriminals can easily impersonate someone their target trusts in order to manipulate them into wiring money or sharing information and account credentials.
Harry Denley, a hacker who works in security and anti-phishing at MyCrypto, said: “Most people are very verbose about what they share online. You can find virtually anything. Even if you can’t find it publicly, it’s easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
The How to Hack a Human report also reveals how Out of Office (OOO) emails are being used to craft social engineering attacks. The majority of employees (53%) say they share how long they’ll be away in their OOO email, while 51% provide personal contact information and 42% announce where they are going.
Katie Paxton-Fear, cybersecurity lecturer at Manchester Metropolitan University and a member of the HackerOne community, said: “OOO messages — if detailed enough — can provide attackers with all the information they need to impersonate the person that’s out of the office, without the attacker having to do any real work.”
Tessian’s platform data reveals that social engineering-type attacks increased by 15% during the last six months of 2020, compared to the six months prior, while wire fraud attacks also increased by 15%. What’s more, 88% of respondents said they had received a suspicious email in 2020.
The report makes it clear that greater awareness of the threat and educating people on email security hygiene is an important first step to prevent these attacks from being successful. For example, Tessian found that just 54% of people pay attention to the sender’s email address while at work and less than half check the legitimacy of links and attachments before responding or taking action.
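The two habits the paragraph above says most people skip, checking the sender’s address and checking where a link really points, can be made concrete. The following is an added example, not code from Tessian or the report: it parses a constructed “CEO is travelling, wire the money” message, flags a sender domain that is a digit-for-letter lookalike of the organisation’s own domain, and flags a link whose visible text names one domain while its href goes to another. The message, the names and domains in it, the TRUSTED_DOMAINS set and the homoglyph table are all assumptions made for the example.

```python
"""Added example (not from the Tessian report): the sender-address and link
checks described in the text, applied to a constructed phishing-style email."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Names and domains are made up for the example.
RAW_EMAIL = b"""\
From: "Jane Smith (CEO)" <jane.smith@examp1e-corp.com>
To: alice@example-corp.com
Subject: Urgent wire before I board
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alice, I'm travelling until Friday. Please process the payment via
<a href="http://example-corp.com.evil-login.test/pay">https://portal.example-corp.com/pay</a>
before noon. Thanks, Jane</p>
</body></html>
"""

# Assumption: the organisation's own sending domains.
TRUSTED_DOMAINS = {"example-corp.com"}

# Assumption: common digit-for-letter substitutions used in lookalike domains.
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def sender_address(raw: bytes):
    """Return (display_name, address, domain) parsed from the From: header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addr = msg["From"].addresses[0]  # structured header -> Address object
    return addr.display_name, addr.addr_spec, addr.domain.lower()


def looks_alike(candidate: str, trusted: str) -> bool:
    """Heuristic: the domains are equal once digit-for-letter swaps are undone."""
    return candidate.translate(_HOMOGLYPHS) == trusted


def sender_findings(raw: bytes):
    """Flag a sender whose domain is not trusted, and say if it imitates a trusted one."""
    _, _, domain = sender_address(raw)
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain!r} is not a trusted domain")
        for trusted in sorted(TRUSTED_DOMAINS):
            if looks_alike(domain, trusted):
                findings.append(f"{domain!r} is a lookalike of {trusted!r}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (assumption: no public-suffix list offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mismatched_links(raw: bytes):
    """Return (visible text, href) for links whose text names a different domain than the href."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # The visible text may be a bare host or a full URL; try to read a host from it.
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for line in sender_findings(RAW_EMAIL):
        print("SENDER:", line)
    for text, href in mismatched_links(RAW_EMAIL):
        print(f"LINK: text says {text!r} but goes to {href!r}")
```

The display name (“Jane Smith (CEO)”) is deliberately ignored when deciding trust: it is attacker-controlled and is exactly what a reader who glances only at the name would be fooled by. The link check compares the registrable domain of the visible text with that of the href, so a lure that puts the real domain in the anchor text, or as a leading subdomain of an attacker’s host, is caught either way.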
Tessian’s CEO and co-founder Tim Sadler said: “The rise of publicly available information makes a hacker’s job so much easier. While all these pieces of information may seem harmless in isolation — a birthday post, a job update, a like — hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible. Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if we’re going to stop hackers hacking humans.”
You can read Tessian’s full How to Hack a Human report here.