You might think you're giving your opinion, when in fact you're giving away your identity.
Chances are, if you work in an office or at any mid-to-large sized company, you’ve been asked to provide feedback via a survey or to participate in some employee research. You get an email that asks what you think about X, Y, or even Z. You fill it in with your opinions, making sure to correctly answer with some of your credentials: name, email address, job title, etc. You close the email and go about your day, thinking that you did absolutely nothing wrong… when in actual fact you’ve just handed a ****-ton of personal information, private opinions, and ideas over to a malicious actor who can then use that information against you and your company.
Sounds pretty scary, doesn’t it? Innocuous-looking surveys and research requests are becoming an increasingly popular way for bad actors to break through security protocols. They do so by pretending to conduct a survey through emails (or shared links) to get people to engage in conversation and let their guard down. Often, these inquiries offer some sort of compensation for participation in the research — such as a future discount, cash, or a gift card — and users are asked to fill in their name, company, credit card details, passwords, or social security number to obtain these items. As anyone who works in cybersecurity knows, someone requesting any personal or sensitive information from you is most likely an indicator of malicious intent. Framing the data collection as being for research purposes is a clever way for an attacker to hide their real purpose.
To be frank, it’s an ingenious hack on the very basic human desire to be heard: everyone loves to have a voice, and giving your input on a topic that concerns you sure sounds like a good opportunity. This type of security attack falls under the social conditioning category.
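As an added illustration (not code from the original post), the following Python heuristic scores an email on the signals described above: a survey or research pretext, a promised reward, a request for sensitive data, and links whose host lies outside the sender's domain. The sample messages, addresses and domains are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Survey-phishing triage heuristic (added example, not from the original post).
# Each regex captures one of the signals the post describes.
PRETEXT = re.compile(r"\b(survey|questionnaire|research|feedback)\b", re.I)
INCENTIVE = re.compile(r"\b(gift ?card|discount|cash|reward|voucher)s?\b", re.I)
SENSITIVE = re.compile(r"\b(password|credit card|social security|ssn|security question)s?\b", re.I)
URL = re.compile(r"https?://[^\s<>\"]+", re.I)


def sender_domain(from_addr: str) -> str:
    """Domain part of a From address such as 'hr@example.com' or '<hr@example.com>'."""
    return from_addr.rsplit("@", 1)[-1].strip("> ").lower()


def off_domain_links(from_addr: str, body: str) -> list[str]:
    """URLs in the body whose host is neither the sender's domain nor a subdomain of it."""
    base = sender_domain(from_addr)
    links = []
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != base and not host.endswith("." + base):
            links.append(url)
    return links


def score_survey_phish(from_addr: str, body: str) -> dict:
    """Count the signals present and map the count to an allow/review/block verdict."""
    signals = {
        "pretext": bool(PRETEXT.search(body)),
        "incentive": bool(INCENTIVE.search(body)),
        "sensitive_request": bool(SENSITIVE.search(body)),
        "off_domain_link": bool(off_domain_links(from_addr, body)),
    }
    score = sum(signals.values())
    # A survey pretext on its own is normal office traffic; the red flag is a
    # pretext combined with a request for credentials or financial/identity data.
    if signals["sensitive_request"] and score >= 3:
        verdict = "block"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"score": score, "verdict": verdict, **signals}


# Constructed sample messages (hypothetical, not real emails or domains).
SAMPLE_PHISH = {
    "from": "research@example.com",
    "body": ("We are conducting employee research. Complete our short survey and receive "
             "a $50 gift card. Please confirm your name, company, password and the last four "
             "digits of your social security number at http://survey-rewards.example.net/start today."),
}
SAMPLE_LEGIT = {
    "from": "hr@example.com",
    "body": ("Please share feedback on the new parking policy: "
             "https://intranet.example.com/survey/parking (responses are anonymous)."),
}
```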
Let’s look at a real example of a harmful research inquiry below:
There’s a lot here to unpack, even if the email itself is quite short. Here, let’s take a look together:
The outcome of these types of attacks can vary greatly. In the worst-case scenario, the information collected can be resold to others, perhaps even competing companies, or used for identity theft. If you give out information matching your security questions, the scammer can use it to compromise your accounts. Scammers can use your credentials to access your email account and send out more scam surveys to others as well. Another way scammers can take advantage of these surveys is by impersonating your company with the information they collected. This can even lead to negative press if your company is blamed for committing fraud. And, yes, this is all possible just from clicking on a suspicious link in an otherwise OK-looking email.
What we can learn is that while the email appears to come from a harmless sender, that sender may have malicious intent. You should always remember that legitimate organizations will never request your personal or private information via email or a survey form.