New research from Tessian reveals the extent to which people post online and how hackers exploit this information for sophisticated social engineering attacks
February 2, 2021 — SAN FRANCISCO — A new report from human layer security company Tessian reveals just how much, and how often, people share information online and how hackers take advantage of it. The How to Hack a Human report includes survey findings from 4,000 professionals in the UK and US and interviews with hackers from the HackerOne community, exploring how cybercriminals craft social engineering attacks.
Social Media Overload
Tessian reveals that 84% of people post on social media every week, with two-fifths (42%) posting every day, openly sharing large amounts of information about their hobbies, interests, relationships, and locations. Half share the names and pictures of their children, and almost three-quarters (72%) mention birthday celebrations, unknowingly giving away information that helps hackers launch a successful social engineering or account takeover attack. This is not helped by the fact that 55% of people surveyed have public profiles on Facebook and just 33% have set their Instagram accounts to ‘private’.
An overwhelming 93% of workers also update their job status on social media, while 36% share information about their job. While these posts seem harmless, hackers use this information to select their targets and their method of attack. They can identify people within a target’s trusted network and impersonate them over email. What’s more, new joiners may not realize they are being scammed, given that they have fewer reference points to verify whether the ‘senior executive’ contacting them is real or fake.
Hacker Harry Denley, Security and Anti-Phishing at MyCrypto, said in the report, “Most people are very verbose about what they share online. You can find virtually anything. Even if you can’t find it publicly, it’s easy enough to create an account to social engineer details or get behind some sort of wall. For example, you could become a ‘friend’ in their circle.”
The concern for organizations is that social engineering attacks are only rising. Tessian’s platform data reveals that social engineering-type attacks increased by 15% during the last six months of 2020, compared to the six months prior, while wire fraud attacks also increased by 15%. What’s more, 88% of respondents said they had received a suspicious email in 2020.
TMI In Your OOO
Almost everyone (93%) enables their out-of-office response when they’re on vacation, but most aren’t thinking about the fact that these emails also contain valuable information for attackers. Over half of people (53%) share how long they’ll be away, while 51% provide their personal contact information. In addition, nearly half (48%) share a point of contact and 42% announce where they are going.
According to Katie Paxton-Fear, Cybersecurity Lecturer at The Manchester Metropolitan University and a member of the HackerOne community, “OOO messages — if detailed enough — can provide attackers with all the information they need to impersonate the person that’s out of the office, without the attacker having to do any real work.”
The Need for Cybersecurity Awareness
The report also revealed that a lack of cybersecurity awareness could be a factor in how successful socially engineered attacks are over email. Tessian found that, while at work, just 54% of people pay attention to the sender’s email address, and less than half check the legitimacy of links and attachments before responding or taking action.
“The rise of publicly available information makes a hacker’s job so much easier,” said Tim Sadler, CEO and co-founder of Tessian. “While all these pieces of information may seem harmless in isolation — a birthday post, a job update, a like — hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible. Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if we’re going to stop hackers hacking humans.”
To read Tessian’s full How to Hack a Human report, please visit http://bit.ly/3pn9w0y.
About the research
Tessian commissioned OnePoll to survey 4,000 professionals in the U.S. and the UK across various company sizes and industries. Tessian also partnered with HackerOne, the number one hacker-powered pentest and bug bounty platform, to conduct interviews with ethical hackers who specialize in social engineering.
Tessian protects every business’s mission by securing the human layer. Using machine learning technology, Tessian automatically predicts and eliminates advanced threats on email caused by human error, such as data exfiltration, accidental data loss, business email compromise and phishing attacks, with minimal disruption to employees’ workflow. As a result, employees are empowered to do their best work without security getting in their way. Founded in 2013, Tessian is backed by renowned investors including Sequoia, Accel and Balderton and has offices in San Francisco and London.
Laura Brooks, PR Director at Tessian
Ali Ius, Mission North for Tessian