When crafting an attack, hackers may use personal data found publicly online, and also personal data accessed through other channels (both legal and illegal). They can use this information against us to personalize an attack that looks believable. This is why phishing training should include personalization, so employees are prepared and trained on how to spot an attack, even when it includes personal details about themselves.
In this article, we highlight a few examples of personal data that is being tracked online by corporations in our daily life in order to show what type of data could also end up in the wrong hands (hackers) to be used in a highly personalized phishing attack.
Why haven't you included personalization in phishing training before?
One reason may be because it was too time-consuming to personalize phishing attacks for each of your employees. If your security awareness program is organized manually with the use of templates, for example, personalization may be something you forego in order to reduce the amount of time your team spends developing a campaign. However, personalization in training can make a big impact on learning.
In a previous article, we discuss ways to automate each step of your security awareness program to save your security team's resources. By increasing the level of automation in your security awareness program, you will be able to deliver personalized training for employees without needing additional staff and resources.
Employees also may not like the idea that their personal details would be used in phishing training and there could be some pushback. This may be the reason why your company has not implemented personalization in training in the past. However, personalization in phishing training needs to become normalized.
Attackers are going to personalize attacks
Attackers are going to personalize attacks when they target a specific group of people, and training is the best environment to learn about how hackers may target you and what to look out for.
Some good ways to include personalization in training include referencing a co-worker's name or an employee's boss, or including information about the employee's main job responsibilities (for example, fake invoices sent to the Accounts Payable department). Personalization tactics in phishing training do not need to be as detailed as the examples highlighted in this post in order to educate employees about the risks effectively, but it is good to know what data is out there and that it could be used against you in a real attack.
Personalization in the digital world has become normalized in many areas, so why not in your phishing training?
Corporate surveillance and corporate consumer data collection are all around us and companies use that data primarily to personalize advertising and deliver more relevant content for their customers and users.
Where there is a gold mine of information, there's always a hacker in the shadows lurking for a way in
There are some protections in place for users to have better control of what companies can do with their data, such as GDPR in Europe. However, the rules behind corporate data collection, use, and sale vary significantly across the world, which is why your personal data could end up in the wrong hands.
Do you know what personal information is tracked online?
It's probably no surprise that big giants like Amazon, Google, and Facebook collect a significant amount of personal data from their users. Does knowing this stop you from using them? Likely not. If any of these corporations or their partners suffer a data breach, the data they collected could be used against you in a personalized attack.
Gizmodo tech reporter Kashmir Hill tried to cut the big 5 tech giants (Amazon, Microsoft, Google, Facebook, and Apple) out of her life for 6 weeks in January 2019. She describes the massive disruption to her usual routine and how connected we all are to these large data-collecting firms in our daily lives.
Digital tracking and profiling, in combination with personalization, are used not only to monitor but also to influence people's behavior. The chart below, visualized by Cracked Labs, highlights some of the data points that can be tracked from our use of Facebook, our phone records, and our typing patterns. This type of information could be accessed by hackers and used in a phishing attack to influence our behavior by exploiting personal details about our lives.
There are a lot of other companies besides those 5 that we give data to on a regular basis by using their products and services. For example, wearable fitness watches have the ability to track our location, and our mobile phones also have a GPS signal on at all times. Your Costco card or other frequent shopper card tracks your grocery or clothing purchases, and what time you are often away from home or work to visit stores. Social media and streaming sites like Netflix track your interests.
These are just a few examples of ways corporations track different parts of our lives. It may seem harmless, but if a hacker gains access to corporate data, knowing an individual's interests and behavior could be useful in developing a well-crafted personalized attack.
What can you do about the safety of your personal data?
It's not always easy to stop sharing the types of data referenced in this article, which can link back to personal details about our lives, but the NSA believes the first step is awareness that this type of information is out there. In a recent report, the NSA also shares a few tips on how to limit some of these details, such as location data sharing from your mobile devices.
Think critically about what information you post publicly online and whenever you have the chance to limit data sharing online, do it. Every attack you receive is not going to be sophisticated. The important thing is being aware of what personal information may be out there online. One of the best ways to practice how to spot and react to personalized attacks is by seeing examples of personalization in phishing training.
In our next post, we will discuss some more examples of social engineering in phishing attacks. We will also explain why many employees are often overconfident about their ability to spot an attack and some of the misconceptions around phishing.