Why is social engineering the biggest threat to your personal assets and security?
Every day we hear of new cyber risks and data breaches. While these issues might seem to be purely a technology problem, a closer look is warranted.
That look reveals that high net worth individuals, their families and their businesses face a broad threat landscape. What’s more, that landscape incorporates not just cyber elements but people and processes as well.
Investing heavily in technology won’t protect your family or business if the problems you experience are caused by inadequate due diligence with advisors or poor awareness of the behaviors that put any family or business at risk.
This is where social engineering comes in: It’s a term for the psychological manipulation criminals often use to gain access, steal information or infect target systems with malware. In a common social-engineering attack, a hacker will craft a communication, usually an email, mimicking correspondence that would typically come from someone you communicate or do business with.
Other times, the attack is less personalized: the attacker blasts a large number of recipients with generic emails that appear to come from widely used applications, e-commerce websites and financial services firms.
The most dangerous iteration of social engineering is spear-phishing. This is an extremely targeted form of social engineering that uses publicly available data to craft correspondence that resonates with a particular individual or family. Examples might include the use of information from a target’s bio on a corporate website, details from a LinkedIn profile or other social media platform—all used to craft a tailored message.
Imagine, for instance, that you are the CEO of a publicly traded corporation. Your bio on your company’s website highlights that you are a graduate of a prominent university; your Facebook profile indicates that you are a resident of Fairfield County, and that you are a board member of a large, well-known nonprofit focused on the performing arts.
You then receive an email appearing to be from your alumni association alerting you to an alumni affinity event in Fairfield County to raise funds for the university’s performing arts programs. The email looks legitimate, with the logos, colors and format identical to what they would look like in any other note from your alma mater.
The email contains a link to register for the event, directing you to use your Google credentials. Do you input your credentials?
Hindsight is 20/20, but in the moment, the majority of us would click on that link and input our credentials. And that’s a recipe for disaster, because once an enterprising criminal has that level of access, the possibilities are endless. This person could mine your inbox to find information to continue to phish, redirect inbound correspondence, or figure out your credentials for bank accounts and other applications.
At that point, the criminal could start spear-phishing family members, friends and colleagues.
This is a scary thought for anyone, but for successful individuals and families even more is at stake. While we enjoy the benefits of the digital economy and social media, we have to understand the risks that come along with these tools. It is also important to understand that there is no longer any expectation of privacy in life.
Millennials and younger children, who didn’t grow up in a world without these technologies, aren’t as attuned to their risks.
But the good news is that there are vendors and trusted advisors who can provide assistance and training to augment the technology security your family employs. Increasing awareness around people and process issues can serve to protect your family and your most important assets.
One of those assets? Your personal information.