Today, people around the world share more information on the Internet than they likely realize. Between all individually shared social media posts, most people might be surprised to learn just how much information is out there. From within the confines of a single moment, the small bit of information a person shares online usually seems innocuous. We assume it’s completely safe to share with what we think is a select group of trusted individuals. Sure, we give personal information, such as email, phone numbers, our dates of birth, and our full names to register for accounts, but aside from a data breach, that information is kept private.
If each post shared on social media isn’t sensitive and the host site keeps your personal information private, how then are hackers gaining access to so much personal information? The answer involves aggregation. Often enough, it doesn’t even require hackers to access the private info given in confidence to social media platforms. The information we freely share gives the bad guys all they need. There is frequently no need to hack private data.
No data-breach required
Follow this scenario for a moment. You have been known to share politically-fueled posts that express your position and disdain for the activities you oppose. Once in a while, you will give in and respond to a seemingly innocent survey asking about where you grew up, where you met your significant other, and other details of your life. Then, last week you reconnected with an old high school friend and carried on about the “old days”, college, jobs, and where you each wound up. Today, your Facebook profile is flooded with “happy birthday” messages, your mom comments “I can’t believe you’re 27 already!”. Before going to bed, you create an event at a local attraction and invite all your friends.
Here’s how all that “innocent” information comes back to bite you. Using a fake profile that you accepted a friend request from, or by taking advantage of a bug in the system, a hacker gains access to your “private” timeline. This gives them access to all the information you only allow your friends and followers to see. The hacker begins building a profile on you, using only the information from your timeline (presented in the scenario above). Because of your posts, the hacker knows where you grew up, where you met your significant other, where you went to school, and in what community you live now. The hacker knows your political and religious preferences as well as what you do for a living. They also know the name of your mom and your exact date of birth. The hacker then sells this information along with similar details collected on other people.
Turning information into money
By using only information derived from social media, the social engineers who bought your information turn to search engines. They search for your name in combination with the other known details. They will likely find your home address, other social media accounts, your email address, your phone number, your blog, and just enough personal detail to successfully target you. Then the scams start.
You receive telephone calls and emails designed to deceive you into forking over money. Maybe even giving the caller or sender access to your computer which would also result in you forking over money after they lock it down with ransomware. Some scams are more targeted than others, but most involve information collected about you through other-than-honorable sources. At a minimum, your contact information.
The value of stolen information
Information collected from social media is an enormous resource for the people behind phishing emails and telephone scams. These scams are incredibly profitable. The FBI reported that in 2017, fraud activities that year netted more than $1.4 billion. Email scams, fraudulent websites, and ransomware accounted for more than $800 million. The second single-most costly form of fraud, “romantic” fraud, costs Americans more than $200 million by itself. If you’re unfamiliar with this term, romantic fraud is when social engineers develop relationships with people online just to take their money.
While the FBI reports that credit card fraud is declining, other forms of fraud are very much alive and thriving. Trend micro, a security company, reported that phishing scams involving business email accounted for $800 million in 2015. A single phishing scam even resulted a $6 million loss from a Wall Street firm in 2016 and another netted more than $18 million in losses from a cryptocurrency vault in 2017. Social engineering using information collected through social media information-gathering activities and data breaches has become more profitable than credit card fraud ever was.
What can you do about it?
The best, and most extreme measure to prevent this sort of compromise of information is simply to not use social media in the first place. In fact, don’t use the Internet at all. Unfortunately, if you’ve had an online presence for evenly a mildly significant time, it’s too late for that. Chances are high that if you have a social media presence, your information has already been taken. The same goes for online shopping. Probably several times over.
If you wish use the Internet for anything other than simply consuming information, the truth is there is very little you can do to prevent your information from falling into the hands of the wrong people. You can’t control the quality of programming that goes into making the various sites. You can’t control how well those companies protect what you give them. Sure, you can do your part to be safe and responsible online. Once you give up information online, you really can’t control what happens when it’s in the hands of someone else.
What you can do is protect yourself against fraud. Educate yourself on the latest fraud schemes going around. Learn how to recognize phishing email and telephone calls. Become suspicious of anyone initiating contact with you who wants anything from you. This includes simply asking questions. If you don’t recognize the sender’s email or the caller’s phone number, immediately suspect their motives and trustworthiness. Scams come in many different forms and social engineers are becoming more creative every day.