“People are rightly excited about getting their Covid-19 vaccinations, and many happily post their vaccine record cards to their social media profiles to share the good news with friends and family,” says Duane Nicol, cybersecurity expert at Mimecast. “However, friends and family may not be the only ones watching. Cybercriminals could use the information – such as names and ID numbers – to develop believable social engineering attacks.”
Social engineering attacks can take several weeks or even months as criminals need time to get to know their victims. But, Nicol explains that the more information you share the easier you make it for a criminal.
How would such an attack work in simple terms? “Let’s say Mr Cybercriminal wants to target a bank. He goes to LinkedIn to see who works there, finds a few candidates, and goes onto their Facebook and Twitter accounts to get more information. One of the candidates, let’s call him Bob, recently posted a photo of his vaccine record with his ID number, first vaccination date, manufacturer and date of the second scheduled vaccination,” says Nicol.
From here, Mr Cybercriminal sends an email to Bob’s work address asking him to confirm his second vaccination date. The email appears to be coming from a trusted source such as his medical aid or one of the pharmacies offering vaccinations. The link in the email seems legitimate, the branding is on point and the information about his vaccination record is all accurate, so Bob goes through the steps to set up an account. Bob, who easily forgets passwords, uses the same password he uses to log in to his company network. What he doesn’t realise is that he’s entering his personal information into a fraudulent website. Now Mr Cybercriminal can use Bob’s credentials to access the network of the bank he’s targeting.
Of course, most organisations will have layers of protection, such as security questions. For example, when logging in from a new device they might ask ‘what is your mother’s middle name?’ But criminals are always one step ahead. A seemingly harmless post about how your drag queen name is your mother’s middle name plus the last thing you ate, could be answering a security question for a criminal stalking your social channels.
“Once in, the cybercriminal can do untold damage to the bank’s network, access confidential files, impersonate key stakeholders within the organisation, commit fraud on a massive scale and even infect the network with malware that could take services offline and lead to catastrophic financial losses and severe damage to the bank’s reputation.”
Nicol says the accessibility of personal information on social media arms cybercriminals with vital tools that they can use in the service of fraud and other crimes. “Even simple likes and comments can provide criminals with important information that makes the victim – and ultimately their employer – vulnerable. South Africans need to take heed and maintain safe social media habits to limit the opportunities for cybercriminals.”