Naked Security Naked Security

How to protect your boss from phishing attacks

Oversharing on social media can make both individuals and the companies we work for targets for spearphishers and whalers. Here are our tips to help stop that happening
Written by
May 08, 2017
Naked Security employees EY report Social Media spearphishing whaling whaling attack

We already know that more than 75% of us lie on social media.

Too bad it’s impracticable to lie more about our workplaces on professional networking sites like LinkedIn: it might spare our employers a lot of grief.

A recent report (PDF) on cybercrime incidents in India done by EY (formerly Ernst & Young, one of the “Big Four” accounting firms) highlighted how cyber thieves are scouring employees’ social media postings for information to use in phishing attacks.

Cyber-incidents are growing at an “alarming rate,” according to the report. But they must be growing like mushrooms in the dark, given that only 22% of respondents said they were confident about their organizations’ ability to detect incidents within 48 hours.

When it comes to stopping those incidents from happening in the first place, it would be great if companies could erase themselves from social media, which is a fertile place for those spores to land: nearly 90% of 160 top execs interviewed for the report pegged social media as a major source of cyber attacks.

Of course, that won’t happen anytime soon: after all, what kind of branding do individuals or organizations have if they’re not on social media? But employees could sure help out by being a bit more circumspect about what they share and stop feeding bait to spearphishers.

From the report:

Employees post extensive details regarding their work profile on social networking websites. These social media platforms act as a gold mine for cybercriminals to identify and target key individuals for a successful breach.

Consider all the personal details many of us put on social media without thinking that they could be used for identity theft and spearphishing. For example, we post our birthdays and our favorite sports teams.

Meanwhile, social media platforms encourage oversharing. Facebook, for example, allows us to tick off a box to identify who our family members are and our relationship to them. Good way to find out your mother’s maiden name, that one.

Oversharing can set you, yourself, up for identity theft. But if you’re a company bigwig, it can set your deep-pocketed company up for an exponentially bigger world of hurt.

In March, we saw a Lithuanian man charged in the US in connection with attacks on two big tech companies that cost them $100m.

The attacks he was charged with are called whaling attacks or CEO email scams. The FBI calls them Business Email Compromise, because they use phony emails that appear to come from a colleague or from a trusted supplier.

Whatever you call them, they’re a type of phishing attack targeted at the biggest fish, with carefully crafted emails sent to senior executives, managers, financial controllers or others who might hold the purse strings at large, lucrative organizations.

Google and Facebook recently revealed that they had been the victims of the alleged whaling attack, and they are not alone.

Mattel was one: last year, the toymaker wired out $3m to a hacker’s Chinese bank account and got it back thanks to sheer dumb luck and the good timing of a bank holiday.

As The Register reports, other victims include Ubiquiti, which lost $46.7m in June last year; Belgian bank Crelan, which lost $78m in January; Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

If you want to keep crooks from targeting either you or your employers, it helps to limit the personal data we share on social media that can be used to phish company information out of us, including proprietary business information or login credentials. Here are some tips on how to do that:

Lock yourself down!

Back in January, we passed along some tips on how to check that you’re not giving away information that can be used against you in a cyber attack. They came from Robert Schifreen, himself an ex-hacker and the founder of SecuritySmart. They’re worth repeating, so here they are again:

  • Check your settings regularly to see which apps have access to your social networks. Delete or revoke any that you no longer need.
  • Lots of institutions use personally identifiable information (PII) like your mother’s maiden name, your birthday, your location, or the street you grew up on as security questions if you need to reset a password. We suggest lying through your teeth. Just make sure to keep notes on the nonsense you type in as security question responses in case you need to confirm the information with your bank or whoever else is asking. Keep your fibs unique for each site: that way, you may be able to track down the source of abuse or spam.
  • Many free sites don’t ask for proof of ID, address or credit card when someone joins, so you have no idea who anyone really is – even if they appear to be a friend or family member. If you ever need to prove someone’s ID, for example if they ask to borrow money, ask them a question an impostor wouldn’t be able to answer (but make sure they can’t get the answer from a friend or relative’s social media feed).

Locking down Facebook is a thing unto itself. To maintain privacy, you need to use privacy controls, but research has shown that millions of Facebook users are oblivious to, or just don’t use, privacy controls.

With that in mind, here are a few more Facebook-specific tips:

  • Don’t be one of the privacy-control oblivious! While you’re at it, don’t let your friends or family fall into that category. To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds. Go to Facebook’s Activity Log page for a list of your posts and activity, from today back to the dawn of your Facebook life. There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.
  • Besides photos we’re tagged in without our permission, most of the stuff that’s in our Graphs is up because we put it there. To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in. As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.

To further lock down your profile, take a gander at these three ways to better secure your Facebook account.

Finally, to protect your company from whalers, here are some final tips:

  • Consider getting your top executives to use two-factor authentication (2FA) for their email accounts, to make it harder for crooks to dig into their email traffic remotely, or to send emails right from their account.
  • Your execs will find that it takes very slightly longer to login when they’re on the road, and we all know that time is money…
  • …but, then, unexpected money transfers of seven-digit girth are money, too.

    💡 READ NOW: Tips to avoid phishing and spear-phishing – stay #CyberAware! ►


About the Author

Read Similar Articles

Leave a Reply

Your email address will not be published. Required fields are marked *