Site icon Sophos News

How to protect your boss from phishing attacks

We already know that more than 75% of us lie on social media.

Too bad it’s impracticable to lie more about our workplaces on professional networking sites like LinkedIn: it might spare our employers a lot of grief.

A recent report (PDF) on cybercrime incidents in India done by EY (formerly Ernst & Young, one of the “Big Four” accounting firms) highlighted how cyber thieves are scouring employees’ social media postings for information to use in phishing attacks.

Cyber-incidents are growing at an “alarming rate,” according to the report. But they must be growing like mushrooms in the dark, given that only 22% of respondents said they were confident about their organizations’ ability to detect incidents within 48 hours.

When it comes to stopping those incidents from happening in the first place, it would be great if companies could erase themselves from social media, which is a fertile place for those spores to land: nearly 90% of 160 top execs interviewed for the report pegged social media as a major source of cyber attacks.

Of course, that won’t happen anytime soon: after all, what kind of branding do individuals or organizations have if they’re not on social media? But employees could sure help out by being a bit more circumspect about what they share and stop feeding bait to spearphishers.

From the report:

Employees post extensive details regarding their work profile on social networking websites. These social media platforms act as a gold mine for cybercriminals to identify and target key individuals for a successful breach.

Consider all the personal details many of us put on social media without thinking that they could be used for identity theft and spearphishing. For example, we post our birthdays and our favorite sports teams.

Meanwhile, social media platforms encourage oversharing. Facebook, for example, allows us to tick off a box to identify who our family members are and our relationship to them. Good way to find out your mother’s maiden name, that one.

Oversharing can set you, yourself, up for identity theft. But if you’re a company bigwig, it can set your deep-pocketed company up for an exponentially bigger world of hurt.

In March, we saw a Lithuanian man charged in the US in connection with attacks on two big tech companies that cost them $100m.

The attacks he was charged with are called whaling attacks or CEO email scams. The FBI calls them Business Email Compromise, because they use phony emails that appear to come from a colleague or from a trusted supplier.

Whatever you call them, they’re a type of phishing attack targeted at the biggest fish, with carefully crafted emails sent to senior executives, managers, financial controllers or others who might hold the purse strings at large, lucrative organizations.

Google and Facebook recently revealed that they had been the victims of the alleged whaling attack, and they are not alone.

Mattel was one: last year, the toymaker wired out $3m to a hacker’s Chinese bank account and got it back thanks to sheer dumb luck and the good timing of a bank holiday.

As The Register reports, other victims include Ubiquiti, which lost $46.7m in June last year; Belgian bank Crelan, which lost $78m in January; Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

If you want to keep crooks from targeting either you or your employers, it helps to limit the personal data we share on social media that can be used to phish company information out of us, including proprietary business information or login credentials. Here are some tips on how to do that:

Lock yourself down!

Back in January, we passed along some tips on how to check that you’re not giving away information that can be used against you in a cyber attack. They came from Robert Schifreen, himself an ex-hacker and the founder of SecuritySmart. They’re worth repeating, so here they are again:

Locking down Facebook is a thing unto itself. To maintain privacy, you need to use privacy controls, but research has shown that millions of Facebook users are oblivious to, or just don’t use, privacy controls.

With that in mind, here are a few more Facebook-specific tips:

To further lock down your profile, take a gander at these three ways to better secure your Facebook account.

Finally, to protect your company from whalers, here are some final tips:

Exit mobile version