Scam emails aren’t what they used to be. Gone are the days of fraudulent emails filled with typos and Nigerian princes promising riches if only we hand over our credit cards. Today’s phishing emails can be quite convincing, often addressed to us by name or with specific personal details. Modern hackers can find everything they need to know about a potential target through Google or social media and use this information to architect the perfect scam. How do I know this? I’m a hacker, albeit an ethical one who makes a living breaking into well-known companies (with permission) to identify potential security vulnerabilities, like a cyber Sherlock Holmes.
Cybercriminals exploit the personal details we share online to trick or impersonate us—piecing together every photo we post, location we check into, person we tag, or pet photo we upload to build an understanding of their targets. The social engineering scams they create are designed to entice people to download malware, send money, share personal information, or disclose log-in details.
This is not meant to scare you. Actually, it’s very possible to enjoy social media without putting yourself at risk. I’m going to show you how the hackers do it and how you can recognize when you’re oversharing, to help you outsmart the bad guys.
The reality of social media oversharing
Oversharing online is extremely common. I recently contributed to a report from security company Tessian, which helps prevent people from falling for social engineering scams on email. The report found that 84% of people post on social media every week, with two-fifths (42%) posting every day. More than half (55%) of the people Tessian surveyed have public Facebook profiles, while 67% have public Instagram accounts. That means anyone can see what is posted, including hackers. (A quick look at your privacy settings can help manage this.)
The oversharing we all do online is a gold mine for cybercriminals who go digital dumpster diving, especially when we post about our jobs. Last year, many of us were posting photos of our work-from-home setups, including computer screens containing email addresses, video call numbers, and names of coworkers or clients. This makes it much easier for a hacker to identify coworkers that they can impersonate over email. Job updates, too, make it easier to identify new employees who may be less able to tell when an email from an executive is fake and who want to make a good first impression.
Many social posts also contain personal information that may seem harmless—the names of children and pets, a favorite sports team, a birthday. But these details can help a hacker guess your password or answer common security questions. Hackers also know that people tend to reuse passwords across accounts. Once they crack one password, they’ll try it on multiple popular websites, from your bank account to your email, to see if it works.
Anatomy of an email scam
Let’s break down exactly how this oversharing can be used against you. Despite what you see in pop culture depictions, most cybercriminals don’t actually hack into companies. They hack the people who work there. Hacking humans only requires a convincing email, while hacking software is like treading through a room with laser security. In fact, Tessian’s researchers saw a 15% increase in these kinds of social engineering attacks over email during the last six months of 2020. And all it takes is a quick online search.
If I’m trying to hack a company, the first place I go is LinkedIn. It’s easy to find the full names and job titles of employees with an affordable LinkedIn Premium account. I look for nontechnical staff such as sales or administrative workers who may be more susceptible and have access to a lot of company data. (A tip for companies: Train employees to be suspicious and make sure access permissions are regularly checked.)
I might see on an employee’s LinkedIn or Twitter account that they’ve just started a new job, which tells me they may not know their executives’ personalities and are eager to please. I can use Google or social media to learn these execs’ names and spoof their email addresses, then send a fake email to this new employee. All it takes is an urgent email saying, “Hey, I’m in a long meeting and forgot my nephew’s birthday. I need you to go buy me an Amazon gift card. I’ll reimburse you.” You’d be surprised how quickly someone will follow urgent directions from a superior at the office, especially in our new world of remote work, when visual cues are missing and you can’t quickly verify a request with a colleague.
Simple ways to stay safe online
Try Googling your name or creating a second social media account to view your own profiles as a stranger would. Are you comfortable with everything you see? If not, set your social accounts to private and double-check that you really know all of your followers.
Avoid passwords that have anything to do with what you share online. According to Tessian’s survey, 85% of people reuse passwords. Don’t be one of them. Sure, it gets hard to remember them all, but password managers can do the heavy lifting for you (I use one myself).
Be skeptical of both personal and work emails. If something feels off, click the sender’s display name to make sure the email address matches, especially on a mobile phone, where mail apps often show only the name and hide the address. Ask for a second opinion from your company’s IT team, or confirm a request verbally with a colleague. Don’t stress about whether you’re bothering people. Security is important. Lastly, stop and think before opening attachments, clicking links, or sharing information.
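The check described above, comparing the sender’s display name with the address behind it, is easy to automate on the receiving side. The following script is an added example, not code from the article or from Tessian: it parses a raw message with Python’s standard `email` library, compares the `From:` display name against a constructed directory of executives at a hypothetical company (`example.com`, `Alex Rivera` and `Priya Shah` are invented), flags addresses outside the company domain or embedded in the display name, and notes when the body also carries the “urgent favor” wording from the gift-card lure. Both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the company's mail domain and a directory of
# executives whose names a scammer might borrow. Not taken from the article.
COMPANY_DOMAIN = "example.com"
EXEC_DIRECTORY = {
    "alex rivera": "alex.rivera@example.com",
    "priya shah": "priya.shah@example.com",
}

# Wording typical of the "I'm in a meeting, buy a gift card" lure.
URGENCY_PHRASES = ("urgent", "right now", "asap", "gift card", "reimburse")


def sender_warnings(from_header: str) -> list[str]:
    """Compare the display name in a From: header with the real address.

    Returns a list of human-readable warnings; an empty list means the
    sender looks consistent with the directory and company domain.
    """
    display, address = parseaddr(from_header)
    address = address.lower()
    name = " ".join(display.split()).lower()  # normalise spacing and case
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = address.rsplit("@", 1)[1]
    warnings = []
    # Display name borrowed from a known executive, but a different mailbox.
    if name in EXEC_DIRECTORY and address != EXEC_DIRECTORY[name]:
        warnings.append(
            f"display name {display!r} matches an executive, but the address is {address}"
        )
    # Mail claiming to be internal should come from the company domain.
    if domain != COMPANY_DOMAIN:
        warnings.append(f"address domain {domain!r} is outside {COMPANY_DOMAIN}")
    # A display name that is itself an address hides the real sender on phones.
    if "@" in name and name.rsplit("@", 1)[1] != domain:
        warnings.append("display name contains an email address that differs from the real one")
    return warnings


def urgency_hits(body: str) -> list[str]:
    """Return the urgency phrases found in the message body."""
    text = body.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in text]


def assess_message(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and report whether the sender is suspicious."""
    msg = message_from_string(raw_message)
    warnings = sender_warnings(msg.get("From", ""))
    hits = urgency_hits(msg.get_payload() if not msg.is_multipart() else "")
    # Urgent wording alone is normal office mail; it only adds weight when the
    # sender is already inconsistent.
    if warnings and hits:
        warnings.append("urgent-favor wording from a suspicious sender: " + ", ".join(hits))
    return {"suspicious": bool(warnings), "warnings": warnings}


# Constructed sample messages (not real mail).
LURE = """From: "Alex Rivera" <alex.rivera@evilmail.test>
To: new.hire@example.com
Subject: Quick favor

Hey, I'm in a long meeting and forgot my nephew's birthday. I need you to go
buy me an Amazon gift card right now. I'll reimburse you.
"""

LEGIT = """From: Alex Rivera <alex.rivera@example.com>
To: new.hire@example.com
Subject: Quarterly report

Please send the Q3 numbers when you have a moment.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        result = assess_message(raw)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for line in result["warnings"]:
            print("  -", line)
```

The directory lookup is the part that matters: a scammer needs only the executive’s name to set a convincing display name, so the check trusts the address, not the name. A mail gateway would feed real headers in place of the constructed samples and use the company’s actual staff directory.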
Scam emails may not be as obvious as they used to be, but they do usually contain enough subtle hints to alert your instincts—especially if you’ve learned what to look for. So trust your gut. Keeping your information safe online is not about being stressed or scared. It’s about knowing what you’re sharing, being aware of how it could be used against you, and knowing how to make your posts private.
Katie Paxton-Fear is a PhD student, occasional bug bounty hunter, and educational YouTuber.