Beyond knowing that phishing is a bad thing, a basic understanding of how it works can greatly improve your cybersecurity resilience. It lets you recognise and avoid the common forms of attack, because finding a victim via phishing is usually the hacker's first step.
First, it is important to understand the role and importance of social media. By using LinkedIn, hackers can map out the management structure of a target company. They can identify, by name, key people in key roles, such as their CEO or CFO. They may be able to identify key people in their teams, again by name and job title. For each of them they can note what previous jobs they have had and what qualifications they hold. They can look to see who has given them endorsements.
Then they get to work crafting an email. In one case, hackers e-mailed the accounts payable coordinator at Upsher-Smith Laboratories, an American drug company, and pretended to be the CEO. They instructed the employee to follow directions from the ‘CEO’ and a fictitious lawyer. The employee made nine bank transfers over three weeks totalling more than $50 million. This kind of scam has been perpetrated so many times it is known as “CEO spoofing”.
Another favoured target is anyone in IT, because they can help a colleague get back into their computer after being locked out for entering their password incorrectly too many times. The hackers may have found a post on LinkedIn from someone excited about just starting at a company. They may know what department that person works in and the name of their manager, which is useful if challenged.
All they do then is send a text (remember, they cannot access email) saying they are in a jam and asking for help. They might add that their manager, whom they can name, is waiting for them to do something. The IT techie, appreciating the urgency, can quickly check that there is an employee with that name and see that they have recently started. So they oblige by setting a new temporary password and telling the hacker what it is. The other part of the equation is that most companies use an employee's email address as their login, so the hacker now has a password to go with the easily guessed login. It is embarrassingly easy.