If a cybercriminal wants to fleece you, they might start by firing up their favourite web browser and then trying one - or all - of the following sites:
LINKEDIN: This site outlines your job history, where you were educated, your academic achievements, the associations you are involved in and the people who endorse your skills.
FACEBOOK: This might advertise your favourite movies, the clubs you belong to, your friends, your family vacations, your favourite foods, the places you've lived and much more besides.
TWITTER: This might be a great place to start if a cybercriminal wanted to find out what you're doing right now, your geolocation, your opinions and your emotional state.
CORPORATE WEBSITES: Perhaps this will show your work email or phone number. Perhaps your company has a short biography on who you are, how long you've been with the company and what you do.
Now that the threat actor is starting to get the lowdown, perhaps they will type your name into a search engine, which will usually generate a few more hits about who you are and what you've done. If they wanted to go the extra mile, they might even fire up a site like Webmii.com or pay a subscription fee to a people-search site like Pipl.com and dig much, much deeper.
A PICTURE PAINTS A THOUSAND WORDS
Pictures can be especially helpful to a cybercriminal. When they look at an image they think: 'what does this show and what can I infer?'
The answers will make any form of malicious activity far more successful. For example, can you see the operating system in use? The browser? The email client? Then ask yourself:
What type of person might sit here?
Can I see the names of potential friends or family?
What account information is there?
Are they affiliated with any particular group?
Pictures can also be uploaded to Google to perform a reverse image search, which usually generates new and interesting links for a person to explore. Finally, like other documents, pictures can carry metadata (the EXIF data written by the camera or phone). The big social networks strip most of it on upload, but images attached to emails, posted on personal websites or shared as original files usually keep it. Metadata, for example, gives us the:
Date and time the image was made.
The author's name and title.
The location the picture was taken from.
The latter is especially useful for someone who wants to profile your daily routines and movement.
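As an added example (not part of the original article), the following Python script shows what that metadata looks like inside a JPEG and how to strip it before sharing a picture. It parses the EXIF APP1 segment by hand (the TIFF directory structure, no third-party library), pulls out the date, author and GPS fix, and then rebuilds the file without the segment. The sample file, the name 'Robert Smith' and the coordinates are all constructed for the demonstration and are not real data.

```python
import struct

SOI = b"\xff\xd8"                  # JPEG start-of-image marker
EXIF_HEADER = b"Exif\x00\x00"      # an APP1 segment carrying EXIF starts with this
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
TAG_DATETIME, TAG_ARTIST, TAG_GPS_IFD = 0x0132, 0x013B, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def split_segments(jpeg):
    """Split a JPEG into ([(marker, raw_segment), ...], tail); tail starts at the SOS marker."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    segs, i = [], 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[i + 2:i + 4])   # length includes its own two bytes
        segs.append((jpeg[i + 1], jpeg[i:i + 2 + length]))
        i += 2 + length
    return segs, jpeg[i:]

def read_ifd(tiff, offset, e):
    """Decode one TIFF image file directory into {tag: value}; e is the struct endian prefix."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    out = {}
    for k in range(n):
        ent = offset + 2 + 12 * k
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:                                   # value fits inside the 12-byte entry
            raw = tiff[ent + 8:ent + 8 + size]
        else:                                           # otherwise the entry holds an offset
            (off,) = struct.unpack(e + "I", tiff[ent + 8:ent + 12])
            raw = tiff[off:off + size]
        if typ == 2:
            out[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            out[tag] = list(struct.unpack(e + ("H" if typ == 3 else "I") * count, raw))
        elif typ == 5:
            nums = struct.unpack(e + "II" * count, raw)
            out[tag] = [nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in range(0, len(nums), 2)]
        else:
            out[tag] = raw
    return out

def dms_to_decimal(dms, ref):
    """GPS values are stored as degrees, minutes, seconds plus a hemisphere letter."""
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value

def read_exif(jpeg):
    """Return the profiling-relevant EXIF fields (date, author, GPS fix), or {} if none are present."""
    for marker, raw in split_segments(jpeg)[0]:
        if marker != 0xE1 or raw[4:10] != EXIF_HEADER:
            continue
        tiff = raw[10:]
        e = {b"II": "<", b"MM": ">"}[tiff[:2]]         # byte order declared by the TIFF header
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        tags = read_ifd(tiff, ifd0, e)
        found = {}
        if TAG_DATETIME in tags:
            found["datetime"] = tags[TAG_DATETIME]
        if TAG_ARTIST in tags:
            found["artist"] = tags[TAG_ARTIST]
        if TAG_GPS_IFD in tags:                         # GPS data lives in its own sub-directory
            gps = read_ifd(tiff, tags[TAG_GPS_IFD][0], e)
            if GPS_LAT in gps and GPS_LON in gps:
                found["lat"] = dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N"))
                found["lon"] = dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E"))
        return found
    return {}

def strip_exif(jpeg):
    """Rebuild the file without its EXIF segment; the picture data itself is untouched."""
    segs, tail = split_segments(jpeg)
    kept = [raw for marker, raw in segs if not (marker == 0xE1 and raw[4:10] == EXIF_HEADER)]
    return SOI + b"".join(kept) + tail

def build_ifd(entries, ifd_offset):
    """Serialise [(tag, type, count, payload)] as an IFD at ifd_offset; large payloads follow the table."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    body, data = b"", b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            body += struct.pack(">HHI", tag, typ, count) + payload.ljust(4, b"\x00")
        else:
            body += struct.pack(">HHII", tag, typ, count, data_start + len(data))
            data += payload
    return struct.pack(">H", len(entries)) + body + struct.pack(">I", 0) + data

def build_sample_jpeg():
    """Constructed test file: real EXIF layout, placeholder image data, made-up name and location."""
    when, who = b"2021:06:15 14:32:10\x00", b"Robert Smith\x00"
    lat = struct.pack(">IIIIII", 51, 1, 30, 1, 264, 10)   # 51 deg 30' 26.4" as three rationals
    lon = struct.pack(">IIIIII", 0, 1, 7, 1, 39, 1)       # 0 deg 7' 39"
    gps_off = 8 + 2 + 12 * 3 + 4 + len(when) + len(who)   # GPS IFD sits right after IFD0 and its data
    ifd0 = build_ifd([(TAG_DATETIME, 2, len(when), when), (TAG_ARTIST, 2, len(who), who),
                      (TAG_GPS_IFD, 4, 1, struct.pack(">I", gps_off))], 8)
    gps = build_ifd([(GPS_LAT_REF, 2, 2, b"N\x00"), (GPS_LAT, 5, 3, lat),
                     (GPS_LON_REF, 2, 2, b"W\x00"), (GPS_LON, 5, 3, lon)], gps_off)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps   # big-endian TIFF, IFD0 at offset 8
    app1 = EXIF_HEADER + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(read_exif(sample))               # date, author and a decimal lat/lon
    print(read_exif(strip_exif(sample)))   # {}
```

To run it on a real photo, replace build_sample_jpeg() with the bytes of the file; a phone with location enabled writes exactly these GPS tags. Because strip_exif only drops the APP1 segment, the image pixels are unchanged, which makes it the safe way to publish a picture without publishing where it was taken.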
If you don't believe that these principles work then you should definitely check this YouTube video out:
HOW DOES THE HACKER USE THIS INFORMATION?
SPEAR PHISHING: This is a bespoke email carefully crafted to deceive you. These are well written, well formatted and well informed. They will include 'insider' information because they are the product of considerable research on the mark. A spear phishing email may trick you into downloading harmful software or get you to divulge sensitive information.
An effective spear phishing email will 'spoof' a trusted sender, and the simplest way to do that is a lookalike domain. For example, in the picture above, the user has a Toshiba laptop. An email from Toshiba might look like this: email@example.com. Note that a lookalike domain is a genuinely registered domain, so the attacker can set up SPF and DKIM for it and the message will pass your mail server's authentication checks; only a reader who spots the misspelling will catch it.
Step 1: The hacker registers a similar-looking domain, toshiaTech.com. To cut to the chase, businesses buy domains (for as little as a tenner) so they can set up a website and company email using that name, and anyone can do the same with a misspelling of it.
Step 2: The hacker now sends an email to the victim from robertsmith@toshiaTech.com. There is a good chance that the recipient won't notice the problem with the domain name and will assume that the email comes from their actual supplier.
Step 3: The hacker says that the laptop is now out of warranty and has outdated software. To fix the problem, the victim should download an executable file to keep their firmware up to date and safe from the latest threats.
Step 4: The victim downloads the software, which is actually a Trojan, and gives the hacker complete control over the laptop.
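The lookalike domain in Step 1 is cheap to register and easy to miss, but it is also easy to test for mechanically. The Python below is an added example, not code from the article: it classifies the domain in an email's From header against a list of known supplier domains, catching a missing or extra letter (toshiaTech.com), a swapped top-level domain, a trusted name used as a subdomain of something else, and letters from another alphabet that look the same. The legitimate domain toshibatech.com is an assumption, since the article never names it.

```python
import unicodedata
from email.utils import parseaddr

# Assumed legitimate supplier domain; the article never names it, so this is hypothetical.
TRUSTED_DOMAINS = {"toshibatech.com"}

# Characters from other scripts (and digits) that render like Latin letters:
# Cyrillic a, e, o, p, c, s, i, j plus zero and one.
LOOKALIKE_CHARS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                                 "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0458": "j",
                                 "0": "o", "1": "l"})

def skeleton(domain):
    """Fold a domain to the shape a reader perceives: NFKC, lowercase, lookalike letters and pairs replaced."""
    s = unicodedata.normalize("NFKC", domain.lower()).translate(LOOKALIKE_CHARS)
    return s.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Extract the domain part of the address in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].strip().lower().rstrip(".")

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_edits=2):
    domain = sender_domain(from_header)
    if not domain:
        return "no-address"
    # Naive registrable domain (last two labels). Production code should use the
    # Public Suffix List so that names such as example.co.uk are split correctly.
    registrable = ".".join(domain.split(".")[-2:])
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"                                              # the domain or a real subdomain
    for t in trusted:
        if t in domain:
            return f"lookalike: trusted name embedded in {registrable}"   # toshibatech.com.evil.example
        if skeleton(registrable) == skeleton(t):
            return f"lookalike: homoglyph of {t}"                         # Cyrillic o in place of Latin o
        if levenshtein(skeleton(registrable), skeleton(t)) <= max_edits:
            return f"lookalike: typosquat of {t}"                         # toshiatech.com, toshibatech.co
    return "unknown"

if __name__ == "__main__":
    # Constructed From headers for the demonstration; none are real senders.
    for header in ["Robert Smith <robertsmith@toshiaTech.com>",
                   "support@toshibatech.com",
                   "it@toshibatech.com.account-check.net",
                   "billing@t\u043eshibatech.com",
                   "news@example.org"]:
        print(f"{header!r:50} -> {classify_sender(header)}")
```

A mail gateway rule built on this (quarantine anything classified as a lookalike of a supplier or of your own domain) catches the Step 2 email before a human has to read the address. The edit-distance threshold of 2 is generous for short domains, so tune it per domain length in practice.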
VISHING: Vishing uses the phone instead of email. The aim is the same, however: to get the mark to reveal sensitive data, or to perform an action (such as a bank transfer) that they normally wouldn't. Most people who vish use the following techniques:
The authority principle: they will claim an important job title to convince you to hand over data.
The intimidation principle: they will act belligerently, telling you that there will be unpleasant financial or legal consequences. This prevents the target from thinking straight.
The familiarity principle: conversely, they may be very personable or seek common ground to create a bond between you and them.
The trust principle: involves citing professional credentials or known organisation information to sound credible.
The social proof principle: they may claim that you both know a trusted 3rd party which implicitly suggests that they are also trustworthy - we all know each other!
The urgency principle: finally, the social engineer might claim that the situation is urgent, or that there is no time for you to verify who they are.
The video here shows how good some people are at vishing without doing any form of research on the target. Imagine how good she would be had she researched you.
SMISHING: This is the same as phishing, but is achieved using text messages rather than email.
This is a simple con done face-to-face with the victim.
SOLUTIONS - MONITOR YOUR DIGITAL FOOTPRINT:
Dealing With Websites: When was the last time you searched for your own name? If a web page contains your data and you're not happy about it, we would urge you to contact the site owners. Usually, this can be achieved by scrolling to the bottom of the web page and clicking the 'contact us' hyperlink. Under GDPR (Article 17, the right to erasure) you have a right to request the removal of your personal data.
Dealing With Old Accounts: These are a veritable gold mine of information so it's best to delete, deactivate or remove any online account you no longer use. This includes email, shopping and social media sites. This can often be achieved using the account settings or by looking for a 'How To' video on YouTube.
Dealing With Social Media: This involves exploring the privacy settings of your social media accounts. It also requires you to think carefully about what your friends and relatives post about you. Most social media giants publish all sorts of useful documents, FAQ pages and even videos helping you to tighten your privacy settings.
Use Fake Data: Sometimes, it isn't necessary to give your actual data when creating an account. In which case, using a throwaway email or bogus date of birth, for example, is quite helpful.
Dealing With The Open Register: Whilst there are benefits to being on the open register, balance these advantages against the risk of having your personal data (such as your name and address) publicly available and at the mercy of data-mining websites.
Be Wary Of Giving Out Personal Data: Whether the request is over the phone, by SMS or in the shape of an email. This might be as simple as asking:
Do I know you?
How sensitive is the information you need?
Why do you need this information?
Is this request expected?
Does the request conform to protocol?
How can I confirm the authenticity of this request through another channel (for example, by calling back on a number I already have)?
Am I being caught up in a story being told (think back to that Vishing YouTube clip above)?
Always check the 'from' field of any email and hover the mouse over any link to see its true destination. If the email is sensitive, you can also ask:
Is the tone and grammar recognisable?
Does the formatting look correct?
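The two checks above, the 'from' field and where a link really points, can be automated over the raw message. The Python below is an added example rather than the article's own material: it takes a constructed email modelled on the Toshiba scenario (toshibatech.com is assumed to be the real supplier; the addresses, hosts and links are made up), reads the From and Reply-To headers, extracts every link from the HTML body, and reports where the visible text and the real destination disagree, where a link fetches an executable, and where a host is outside the trusted domains.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"toshibatech.com"}      # assumed legitimate supplier domain (hypothetical)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".js", ".vbs", ".hta", ".bat", ".ps1")

# Constructed message for the demonstration; not a real email.
SAMPLE_EMAIL = """\
From: Toshiba Support <robertsmith@toshiaTech.com>
Reply-To: warranty-desk@mail-relay.example.net
To: victim@example.com
Subject: Your laptop warranty has expired
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your warranty has expired. Download the update at
<a href="http://update.toshiatech.com/fw.exe">https://support.toshibatech.com/firmware</a>
or <a href="https://toshibatech.com.account-check.net/login">sign in</a>.</p>
<p>Unsubscribe: <a href="https://toshibatech.com/unsubscribe">toshibatech.com</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in_text(text):
    """If the visible link text looks like a URL or domain, return the host it shows the reader."""
    m = re.fullmatch(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?", text.strip().lower())
    return m.group(1) if m else None

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    return any(host == t or host.endswith("." + t) for t in trusted)

def analyse_message(raw, trusted=TRUSTED_DOMAINS):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reply_domain = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else ""
    findings = []
    if reply_domain and reply_domain != from_domain:      # replies quietly go somewhere else
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    links = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        links.append((text, host))
        shown = host_in_text(text)
        if shown and shown != host:                        # what the reader sees vs where it goes
            findings.append(f"link text shows {shown} but href goes to {host}")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link downloads an executable: {href}")
        if host and not is_trusted_host(host, trusted):
            findings.append(f"link host {host} is not a trusted domain")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "links": links, "findings": findings}

if __name__ == "__main__":
    report = analyse_message(SAMPLE_EMAIL)
    print("From:", report["from_domain"], "| Reply-To:", report["reply_to_domain"])
    for finding in report["findings"]:
        print(" -", finding)
```

The From domain is reported as seen, not judged; deciding whether toshiatech.com is a lookalike of a supplier is a separate check. What this pass does catch is the classic mismatch the 'hover' advice is about: link text that reads support.toshibatech.com while the href points at update.toshiatech.com and ends in .exe.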