Are You a Hacker Helper?
“Here you go, let me get the door for you. Are you looking for access to my company’s network? One moment, let me get those login credentials for you.”
Of course, this sounds ridiculous. But in reality, it is exactly what is happening. Cybercriminals are always on the hunt for easy access to your organization. Many times the easiest way in isn’t traditional hacking. Human hacking, more commonly known as social engineering, involves tricking an unsuspecting employee into giving hackers the access they need. This information often comes in small pieces that can be used together to gain access to your corporate resources.
A recent study from Proofpoint found that in 18 months of researching attack trends, 99% of emails used to distribute malware required human interaction to get started – so hackers focus on humans, not computers. They often use mass methods like phishing multiple people to get the first click, then follow on with a more customized and targeted approach.
Common Forms of Helping Hackers
Email addresses on websites
Email addresses on your website are a balancing act. Making it easy for prospects to reach you can also provide nefarious people with a nugget of information about your users. Organizations often use the same email naming conventions in all account logins. This can be a gold mine for hackers. Consider using a contact form and be very conscious of what email addresses are posted publicly.
In general these should not be open to receiving email outside your company. Yes, firstname.lastname@example.org needs to be open to the outside world, but you don’t want hackers to be able to send an email to email@example.com or firstname.lastname@example.org. And when you do get an email that was sent to a distribution list, think twice before you click a link in the email or open an attachment.
Be Cautious Posting Your Location
While it is great to let your LinkedIn community know you’ll be at a conference in Italy next week, hackers love this information as it creates a great opportunity for social engineering. For example, a hacker may use the time difference and lack of constant email monitoring to plan their big attack such as transferring company funds to their Caribbean bank account. So think this through and perhaps post after the event. That way you can include photos, provide commentary, and lower your risk!
Follow Best Practices for Passwords
Use strong passwords and MFA (multi-factor authentication) for anything important. Yes, passwords are a pain but this is now part of being a good corporate citizen rather than a Hacker Helper!
Train Yourself and Your Employees
This is a constant process – train at least annually, send regular updates and test your staff using fake phishing campaigns. And make sure your senior staff “walks the walk” and sets a good example!