When crafting an attack, hackers may use personal data found publicly online, and also personal data accessed through other channels (both legal and illegal). They can use this information against us to personalize an attack that looks believable. This is why phishing training should include personalization, so employees are prepared and trained on how to spot an attack, even when it includes personal details about themselves.In this article, we highlight a few examples of personal data that is being tracked online by corporations in our daily life in order to show what type of data could also end up in the wrong hands (hackers) to be used in a highly personalized phishing attack.
One reason may be because it was too time-consuming to personalize phishing attacks for each of your employees. If your security awareness program is organized manually with the use of templates, for example, personalization may be something you forego in order to reduce the amount of time your team spends developing a campaign. However, personalization in training can make a big impact on learning.In a previous article, we discuss ways to automate each step of your security awareness program to save your security team´s resources. By increasing the level of automation in your security awareness program, you will be able to deliver personalized training for employees without needing additional staff and resources.Employees also may not like the idea that their personal details would be used in phishing training and there could be some pushback. This may be the reason why your company has not implemented personalization in training in the past. However, personalization in phishing training needs to become normalized.
Attackers are going to personalize attacks when they target a specific group of people, and training is the best environment to learn about how hackers may target you and what to look out for.Some good ways to include personalization in training include referencing a co-worker´s name, an employee´s boss, or including information regarding the employee´s main job responsibilities (fake invoices to the Accounts Payable department). Personalization tactics in phishing training do not need to be as detailed as these examples highlighted in this post in order to be effective in educating employees about the risks, but it is good to know what data is out there and know that it could be used against you in a real attack.
Corporate surveillance and corporate consumer data collection are all around us and companies use that data primarily to personalize advertising and deliver more relevant content for their customers and users.
There are some protections in place for users to have better control of what companies can do with their data, such as GDPR in Europe. However, the rules behind corporate data collection, use, and sale vary significantly across the world, which is why your personal data could end up in the wrong hands.
It´s probably no surprise that the big giants like Amazon, Google, and Facebook collect a significant amount of personal data from its users. Does knowing this information, stop you from using them? Likely no. If any of these corporations or its partners have a data breach, then that data collected could be used against you in a personalized attack.Tech reporter from Gizmodo, Kashmir Hill tried to cut the big 5 tech giants (Amazon, Microsoft, Google, Facebook, and Apple) out of her life for 6 weeks in January of 2019 and explains the massive disruption to her usual routine and how connected we all are to these large data collecting firms in our daily lives. Digital tracking and profiling, in combination with personalization, are not only used to monitor, but also to influence peoples’ behavior. This chart below shows data visualized by Cracked Labs and highlights some of the data points that can be tracked from our use of Facebook, our phone records, and our typing patterns. This type of information could be accessed by hackers and used in a phishing attack to try to influence our behavior by utilizing personal details about our lives.
Recognizing emotions from the rhythm of keyboard typing patterns. Source: Cracked Labs 2017
Predicting personal attributes from Facebook likes. Source: Cracked Labs 2017
Predicting character traits from phone call records and app usage. Source: Cracked Labs 2017