Trained security awareness professionals are aware that whatever someone says about themselves and personal experiences can be used against them in a social engineering scam. It is always good to share that message, at least once a year with co-workers, family members, and friends.
I was reminded of this latest news story discussing a recent Instagram and TikTok trend. Basically, users are sent (or send) a “survey” that asks the receiver to describe themselves. I think we have all seen similar “fun” surveys that ask us things like our birth dates, favorite colors, high school, birthplace, and so on.
Facebook surveys have long been a social engineering scammer’s favorite tool. In fact, if you do an Internet search on the terms ‘Facebook surveys’, you will see hundreds of articles, including from the FCC and Better Business Bureau, warning you not to take them. This is especially true if the “survey” tries to install a new app or asks for new permissions.
Word to the wise. Do not take and post surveys on social media. It is just too dangerous.
Work Surveys
Another common social engineering survey method targets your workplace more than you. The scammers will send you a survey, often claiming they will send you cash or a prize for completing it, that asks what software your company runs, whether you work from home, how you access the Internet, what antivirus you run, whether you use a VPN and, if so, which one, and so on. The scammer is trying to “learn the landscape”, and any fact you mention about your workplace will be examined to see if it can be used to gain access to the organization.
Lurking in Hobby Forums
Social engineering risk shows up in social media and public forums in places beyond surveys. Long game scammers love learning personal information about potential victims. And the Internet allows them to easily do it. Scammers have been known to lurk in hobby forums. They will pretend to be a fellow enthusiast who is impressed with what you have done or know about your hobby and then engage you in personal conversations.
The intent is to gain your trust, which they then exploit at a later date. Oftentimes, the victim will be sent unexpected (trojan horse) documents or told to download some supposedly “cool” app. Because the attacker did not start off by asking the potential victim to download a document or app, and waited a while first, the victim is more likely to be overly trusting of the new request.
Investment Consulting Opportunity
This has happened to me and many of my co-workers a lot. You will be contacted by a supposed investment consulting company that specializes in sharing investment advice with clients. They will say that they contacted you because of your experience in whatever you are known to be involved in (a common subject I get pitched about is ‘backup solutions’). Some of these requests are legitimate and offer decent money for your time ($100-$500).
But some requests are simply trying to learn the “secret sauce” of what makes your company competitive so they can share it with your competitors, or they want to trick you into installing trojan horse software. They may even offer you a new full-time, unbelievable job that you would be an idiot to turn down. Unbelievable job offers should usually be considered exactly that…unbelievable and treated accordingly.
Even if the investment consulting company is absolutely legitimate, ask your company’s senior management if you can participate. You do not want to be fired from your full-time job for a few hundred bucks.
News Stories
Many hackers learned what they needed from public news stories. Maybe two companies were merging or one company was buying another’s software for an install that was going to last months. Either way, the hacker is looking to take advantage of big changes where not everyone knows everyone, where an unexpected call or email claiming to be from the other side will be accepted more readily even though it comes from a previously unknown address. Every company’s PR and marketing department should be aware that any information shared publicly may be used against them.
Public Documents
I know of at least one company that was hacked because an internal employee’s name and email address was listed in their federally required 8K document. It involved a business email compromise scam where a fake banking account change was sent to an internal employee. The company was initially bewildered as to how the scammer knew who to contact and what the email address was because they never shared any of that information publicly. Or so they thought. Then they realized they had published that information in a new 8K document that got publicly posted (it is required by law) where anyone could review it and learn the information.
Public Facebook Support Sites
I was once almost scammed after I posted a complaint on a company’s public-facing Facebook site. I had a malfunctioning refrigerator that I wanted replaced and the vendor was unwilling even though it was within the warranty, and I had undergone multiple long repairs within two years. Someone (supposedly) from the company immediately contacted me, apologized, and said they were sending me a new refrigerator. All they needed was my credit card information to hold in case I did not ship the old refrigerator back.
Almost by accident I called the legitimate vendor’s warranty department to ask about some random detail in the return shipment and they revealed they did not know what I was talking about. Turns out someone had seen my post and then created a very similar looking Facebook site and account named after the vendor. I had fallen hook, line, and sinker, thinking I was getting a new refrigerator. I was not.
All of these examples (e.g., surveys, hobbies, job opportunities, news stories, public documents, support sites, etc.) were opportunities where personal information could be leveraged in a damaging social engineering attack.
Defenses
Education is key. Make everyone around you, co-workers, family, friends, etc., aware of these types of scams. Let them understand that revealing any personal information in a public forum or to the wrong person can be used against them. Let them know that they really do not know who the people they meet in online forums are and that scammers prey on people who are too trusting.
Do not take online surveys. And certainly, do not install new apps or give permissions to surveys asking for it. It is just too risky.
Businesses should always ask themselves if the information they are releasing or making public is worth the risk and could it be used against them or an employee if it was in the hands of a devious social engineer. Sometimes new information is not worth the risk.
It might not hurt to run simulated phishing that uses the same publicly accessible information about a person that a social engineering scammer would use. For example, if you look at a person’s Instagram, Facebook, or LinkedIn account and the employee is announcing a new job promotion (this is pretty common), use the announcement in a social engineering ploy. Maybe the “external payroll company” sends them an email asking them to confirm their new role name, and then asks for more details. Something like that.
Or maybe the person announces their 2-year anniversary on their social media and that is used to send them a “dinner coupon”. There are lots of scenarios that a good security awareness trainer can think of. Of course, do not use anything sensitive that would cause more harm than good. Security awareness training is supposed to help people improve their security posture, not just make them mad about failing a simulated phishing test.
My co-worker, James McQuiggan, has some other suggestions that I love:
One, if you feel compelled to respond to a survey, consider changing your answers slightly. If asked for your favorite color, give your next favorite color. If asked for your dog’s name, give your old dog’s name. Consider changing the year or day of your birthday. If asked for your zodiac sign, give the one next to your real zodiac sign. James says little “white lies” in an online survey are not going to hurt anyone.
James recommends using phishing-resistant multi-factor authentication (MFA) for logins. That way, if an attacker learns your favorite password from a survey you took long ago, you are protected. If you do use passwords, use strong, unique passwords that are different for every site and service. Do not use passwords based on things that a survey might be able to learn (e.g., favorite high school, birth date, favorite color, dog’s name, favorite sport or hobby, etc.).
James also recommends restricting who can see your social media account and postings. Most social services allow you to minimize who sees what. Learn what information can be learned by someone who you have not officially connected with and see how much of your online life you can restrict from public viewing.
In general, everyone should be educated to understand that whatever you reveal in social media or publicly might be used against you by a bad person. A little knowledge goes a long way.