Threat actors can use personal information found in images posted on social media to send targeted scams, putting personal and corporate data at risk.
As we all know, remote work is the new normal, and if many expert predictions come true, it’s likely to stay that way long after the pandemic is over. Unfortunately, this also means that we’ve become more comfortable oversharing our personal work environments with others, especially on Facebook and Instagram, which makes it really easy for cyber criminals to stalk you.
Before you post that pic on FB with the hashtag #workfromhome or #homeoffice, ask yourself: what might a criminal or fraudster do with this information?
What? Not me!
The pandemic has been stressful for everyone, without exception. Juggling working from home, kids, new work pressures and distractions is the exact kind of environment cyberattackers look for because people have their guard down. So how can they get you? Here are a few examples.
Let’s say you’re emailed an ‘e-gift card’ on your birthday by a long-lost friend looking to reconnect. Wow, a long-lost friend, on your birthday? What are the odds?! Well, don’t click on that email. It’s likely to deliver a malware payload to your computer that could steal access credentials or deliver a ransomware payload. The fraudster simply found out your birthday from a post you made months earlier and delivered a targeted spear phishing attack.
What about posting a picture of your workspace? Seems harmless enough. But if you look at the pictures others have posted, there’s often a pet sitting next to their computer, evidence of a child doing remote schooling and, worse yet, their computer desktop open, showing work-related emails and programs installed on their system. This is a treasure trove that can be used to guess passwords and exploit vulnerabilities in software applications, which could expose corporate data and the networks to which you may be connected.
Security analysts surveyed images of home-working environments and found work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers and internal identification numbers of devices. An attacker can use this info to craft an email that appears to come from a known supplier or business contact to dupe targets into downloading malware, which could have a ripple effect on the corporate network.
Another attack vector is impersonation. A threat actor could spoof the identity of someone from the company’s IT department and ask an employee to initiate what seems like a typical update, but which instead is nefarious activity.
How to protect your work-from-home space
The good news is that it’s pretty easy to avoid oversharing. Be cognizant of what’s in the background of your photos or video-conference calls and consider using a virtual background or blurring the background when using a webcam.
And while working from home may feel safe and you may be tempted to share your awesome setup on social media with a fun and clever hashtag, don’t do it! The clues you leave online can be used against you.
Stay safe out there