Social engineering is an increasingly important methodology used by fraud actors of all types to gather information and target government agencies, SMBs and enterprises – in addition to consumers. In this post, I’d like to share my strong point of view on a topic that is relevant to most of us as business professionals: sharing (over-sharing, I should say) personal information on LinkedIn, with a focus on out-of-town business trips.
So here is a typical and increasingly common scenario. You are on a business trip, or planning one, out of town to San Francisco, London or Seoul. You make it known to the world on LinkedIn, or you post great pictures of your out-of-town seminar, workshop or roadshow, or a great selfie by the Sydney Opera House, or similar. Sounds familiar?
Sounds pretty harmless, right?
Well, it is NOT. Information that appears to be benign in isolation could, if correlated with other information, have a significant impact.
As shared in previous posts here at Secplicity, malicious actors are online and watching all of us. For some of them, it is their full-time “job.” They identify suitable targets, research these targets’ social and professional networks, and then generate messages (e.g. phishing or spear phishing) that are plausible within the target’s circumstances. This is why, when you communicate your business trips and destinations, you are giving away precious information. Fraud actors’ eyes (and increasingly their algorithms too) love it.
Who is at risk and how
Cyber reconnaissance (target selection and spying, online but also physically at the site) and spear phishing attacks require a significant amount of skilled labor and time.
However, with Artificial Intelligence capabilities at their disposal, fraud actors can now spy and target at scale. Concretely, this means:
- there are more fraud actors thanks to automation and algorithms – wannabe cyber criminals now have the capability to defraud and steal
- mass spear phishing becomes a possibility – it would have been unthinkable until recently
- the attacker does not have to speak the same language as their target, so the malicious actor can be anywhere on the planet, in particular in those places where the rule of law barely exists
It’s not only the CEOs and top executives who are the main targets any longer, it’s you and me and all of us. Why? Because we are great entry points into our employers’ network, confidential or regulated data and financial assets.
And it is not only the eyes of cyber criminals watching you – the algorithms are watching you, too.
What are the risks, and why are your business destinations of such interest to fraud actors?
- Plain and simple good old style burglary – you’re not home! You are therefore putting your home, your family or both at risk
- Business Email Compromise (BEC) for wire transfers into fraud actors’ bank accounts. More on this below
- Building a detailed profile of you: making it easier to guess your passwords, and making cyber attacks credible – see typical scenario below
Typical scenario #1
You are on a business trip at a conference in Russia, and you are making it known on social media/LinkedIn. The attacker pretends to be you. An email goes to your Finance Director with a high sense of urgency, followed up by a phone call: “I am stuck in Russia and I need you to wire 20k immediately to this bank account.” The fraud actor is using a psychological lever, a spoofed version of your email address, a high sense of urgency, and a request for action. Voila!
Their scam emails appear to be legitimate. The situation is very credible – you are indeed on a business trip in Russia.
What is the Finance Director/Accountant likely to do? This happens all the time. SMBs and SMEs get defrauded 15k here, 50k there, sometimes 100k or more.
Typical scenario #2
When you over-share on LinkedIn, a typical request to your employer’s treasury manager or accounts payable is to make an immediate wire transfer to a so-called supplier. The request is made by email, possibly followed up with a phone call with a high urgency level. In the shipping industry, we know of attacks that go like this: “if you don’t wire 50k, then your ship will be stuck in the port of Amsterdam because the suppliers will not be able to unload its cargo” – when your firm manages lots of ships travelling the world, this sort of hit is credible.
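As an added illustration that is not part of the original post, the Python heuristic below scores an inbound message against the tell-tale signs shared by both scenarios: the display name of a known executive paired with a different address, an external sender domain, a Reply-To that points elsewhere, urgency wording and a payment request. The executive list, the corporate domain and both sample messages are constructed assumptions, not real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive directory (constructed for this example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|stuck in)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank account|payment|invoice)\b", re.I)


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message string.

    Each matched indicator adds one point; a finance mailbox could hold
    anything scoring 3 or more for out-of-band (phone-back) verification.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("display name matches an executive but the address does not")
    if domain != CORPORATE_DOMAIN:
        reasons.append("sender domain is external")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY.search(body):
        reasons.append("urgency language")
    if PAYMENT.search(body):
        reasons.append("payment request language")
    return len(reasons), reasons


def is_suspicious(raw, threshold=3):
    """True when the message collects enough indicators to warrant a call-back."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages: the scenario #1 lure and a benign trip report.
SCAM = """From: Jane Doe <jane.doe@example-mail.net>
To: finance@example.com
Subject: Urgent

I am stuck in Russia and I need you to wire 20k immediately to this bank account.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: team@example.com
Subject: Trip report

Slides from the Seoul workshop are on the shared drive.
"""
```

Running `score_message(SCAM)` yields four reasons, while the legitimate trip report scores zero.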
The challenge is finding the balance between sharing (or over-sharing) and becoming completely paranoid about everything. Common sense and a healthy level of skepticism should always prevail.
Otherwise you put yourself, your home, possibly your family, and your employer’s data and financial assets at risk.
My suggested good practices
- Don’t advertise your whereabouts to the world live or ahead of your business trip on LinkedIn. Delay posting as much as possible.
- If you are going to be travelling out of town and want to set up meetings: PM the folks you’d like to meet, you don’t need to announce your trip in the open. How about using the good old phone again to reconnect with contacts?
- Divide and Conquer: ask your in-country co-workers or business partners to post the great conference/seminar/roadshow pictures – you simply like, comment and share.
- Are you a selfie addict? Post the pictures of you in front of the Paris Louvre whilst on your business trip at your own risk. Cyber criminals are watching you and your selfies. Your selfies say a lot about what you like – useful information for the purpose of password hacking, identity theft and spear phishing attacks.
Finally, we all need to contribute to raise awareness and educate our colleagues, business partners, friends, family members. Let us spread the good word. This is what this blog post ultimately is all about.
Do you have other good practices of your own? I’d love to hear them and any other thoughts or comments.