Chances are, if you work in an office or work at any mid-to-large sized company, you’ve probably been asked to provide feedback via a survey or asked to participate in some employee research. You get an email that asks what you think about X, Y, or even Z. You fill it in with your opinions, making sure to correctly answer with some of your credentials: name, email address, job title, etc. You close the email and go about your day, thinking that you did absolutely nothing wrong… when in actual fact you’ve just given a ****-ton of personal information, private opinions, and ideas over to a malicious actor who can then use that information against you and your company.
Sounds pretty scary, doesn’t it? Innocuous-looking surveys and research requests are becoming an increasingly popular way for bad actors to break through security protocols. They’re doing so by pretending to conduct a survey through emails (or shared links) to get people to engage in conversation and let their guard down. Often, these inquiries offer some sort of compensation for participation in research — such as a future discount, cash, or gift card — and users are often asked to fill in their name, company, credit card details, passwords, or social security number to obtain these items. As anyone who works in cybersecurity knows, someone requesting any personal or sensitive information from you is most likely indicator of a malicious intent. Explaining the collecting of data as research purposes is a clever way to hide the real purpose of an attacker.
To be frank: it’s an ingenious hack on the very basic human desire to want to be heard: everyone loves to have a voice, and giving your input on a topic that concerns you sure sounds like a good opportunity. This type of security attack falls under the social conditioning category.
Let’s look at a real example of a harmful research inquiry below:
There’s a lot here to unpack, even if the email itself is quite short. Here, let’s take a look together:
- The most important thing to remember here is to look at these attacks from a big picture point of view.
- This spear phish appears to have been sent by a legitimate university student, but the sender uses a free email service, not the email address of the alleged university. This doesn’t mean that all free email service users are scammers but in the corporate and business world, if the email comes from a free email service such as gmail or hotmail (i.e a service meant for individuals and not businesses) and you don’t know that person, there’s a strong chance that you’re looking at a phishing email. Remain wary.
- The attacker claims to be a student and to work for the company to which this email was sent. In addition, the introductory text seems credible: the student is writing a thesis and needs some insights to finish it. The link in the email seems to take you to Google Forms, which may seem like a credible way for a student to gather research information. All good so far, right? What makes the email suspicious is that the student says the study only takes two minutes. Hang on a second… this is a very short questionnaire considering that the student is writing a thesis!
- Your takeaway here is to remain skeptical. Social engineers often try to make you feel like you're in a hurry - OR, in this case, give you a task that will take no time at all - because that “rushed” feeling is when most people make their most rash decisions. A timeline creates a sense of presence and urgency, increasing the possibility of you falling into a trap.
The outcome of these types of attacks can vary greatly. In the worst case scenario, the information collected can be resold to others, perhaps even competing companies, or used for identity theft. If you give out information matching your security questions, the scammer can use them to compromise your accounts. Scammers can use your credentials to access your email account and send out more scam surveys to others as well. Another way scammers can take advantage of these surveys is that they can impersonate your company with the given information. This can even lead to negative press if your company is blamed for committing a fraud. And, yes, this is all possible just from clicking on a suspicious link in an otherwise OK-looking email.
What we can learn is that while the email appears to be from a harmless sender, they may have a malicious intent. You should always remember that legitimate faculties will never obtain your personal or private information via email or survey form.
Staying off the hook:
- Check who you are dealing with. Does the email come from where it claims?
- Do not give out your personal information, even if the sender appears safe. Remain skeptical.
- Knowledge is power. Any piece of information you provide may be used in a malicious way.
- Surveys are usually conducted anonymously, so be aware to not to provide sensitive information.