Sneaky Ways Hackers Can Get Your Information to Send Phishing Emails

Phishing emails have gone well past those general "Nigerian Prince" messages addressed "To whom it may concern." Today, they’re much more personal and will include information that you think a scammer shouldn’t know.

Emails will not only spoof a well-known brand; they’ll also include your name and the name of the company you work for in the salutation to appear more legitimate. And this personalization tactic often works.

With 84% of small and mid-sized businesses being targeted by phishing attacks, these scam emails have become a major problem for any company’s cybersecurity strategy. People often aren’t aware of all the sneaky ways that hackers can get their personal information, so they’re more apt to think a personalized phishing email is legitimate rather than a scam.

The example below, which has the name and company changed to protect privacy, is one that nearly fooled the recipient because it had their company name included. Hovering over the link to reveal the URL was what saved them from being scammed.

How do scammers get your personal information and your email address in the first place? Even the most careful person can have their personal details found and used by scammers who bombard them with phishing attacks. Knowing how they get your details can help you be more aware of where you’re leaving a digital footprint.

Are You Making It Easier for Phishing Scammers to Attack?

Protecting against a data breach is a top concern of most Rhode Island businesses because security incidents can have a direct impact on their bottom line. 1 in 3 consumers will stop using a business if they have a security breach. Here are ways that hackers get your company and employees’ information to send phishing emails.

Your Website

There’s nothing wrong with being proud of your team and listing them on your About Us page, but how much information are you giving phishing scammers to use against you? If you include employee names, titles, and email addresses, a hacker can easily scrape these and deploy that information in a targeted phishing campaign. They may even spoof the email address of a higher-positioned employee when sending phishing emails to other employees, so the recipients will be more likely to respond.
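Impersonation of a senior colleague, as described above, usually leaves traces in the message headers. The following is an added example, not code from the original article: it checks a received message for a borrowed display name, a diverging Reply-To, and a missing DMARC pass. The staff map, the domain, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our domain and a map of staff display names
# to their real addresses. All names and domains are constructed.
OUR_DOMAIN = "example.com"
KNOWN_SENDERS = {"dana whitfield": "dana.whitfield@example.com"}

def domain_of(address):
    return address.rsplit("@", 1)[-1]

def spoof_indicators(raw_message):
    """Return reasons a message may be impersonating a colleague."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Only trust this header when your own mail gateway stamps it (RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    addr, reply_to = addr.lower(), reply_to.lower()
    findings = []
    expected = KNOWN_SENDERS.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append("known employee name on an unexpected address")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")
    if domain_of(addr) == OUR_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal From address without a DMARC pass")
    return findings

# Constructed sample messages.
NAME_ONLY_SPOOF = (
    'From: "Dana Whitfield" <dana.whitfield.ceo@mailbox.test>\n'
    "Authentication-Results: mx.example.com; dmarc=pass header.from=mailbox.test\n"
    "Subject: Quick favor\n\nAre you at your desk?\n")
ADDRESS_SPOOF = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "Reply-To: payments@mailbox.test\n"
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com\n"
    "Subject: Invoice\n\nPlease pay today.\n")
GENUINE = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
    "Subject: Agenda\n\nSee you at 10.\n")
```

The first sample passes DMARC for the sender's own domain and is caught only by the display-name check, which is why authentication results alone do not stop this kind of impersonation.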

LinkedIn, Facebook & Other Social Media

Business and individual pages on social media are particularly information-rich when it comes to grabbing data for a phishing attack. Hackers can find past job positions, interests, hobbies, and lists of friends and colleagues, all of which can be used for phishing. It’s a good idea to check privacy settings and make individual profiles private to your connections to keep from giving a cybercriminal too much information.

Database Breaches

Malware such as password dumpers is designed to seek out databases and steal their information. In addition to stealing login credentials, it also gathers email addresses. In just one breach, 773 million user records were stolen. These large lists of records are then sold, over and over again, on the Dark Web for attackers to target with phishing emails. Since most people can’t easily change their work email address if it’s been exposed in a breach, one of the ways to cut down on the fallout is to use an email spam filter to block as many phishing emails as possible.

Your Web Applications

Web application attacks were the top attack vector in 2019 for reported data breaches. Breaking into one of your cloud accounts can help hackers in two ways. First, they can grab user email addresses, which are typically contained in your account information. Second, if the hacked web application includes email (like G Suite or Microsoft 365), the hacker could send phishing emails to your employees or customers from one of your own email accounts.

Email Scrapers

Email scrapers are often used by hackers to gather as many email addresses as they can to target with phishing emails. These are automated bots that look for the @ symbol and the standard email address format across the internet. Email scrapers can be targeted to look for any emails they can find posted on websites and forums or listed in cloud-hosted PDFs, PPTs, etc. They can also be targeted to find emails for a specific company, like a multinational that might have thousands of employees.

From Cloud Hosted Files

If you search a term like "company directory filetype:xls" on Google, you’ll see multiple results with Excel files of directories that are hosted online and not secured. This is another hacker trick that can put tons of email addresses, titles, and other personal information at their fingertips to deploy in automated phishing attacks. Ensure that your cloud-hosted files are secure, especially those that include a directory of personnel, customers, project team members, etc. There are ways to host these files without having them indexed by Google.

Keep Phishing Out of User Inboxes with Email Safeguards

Onsite Techs of Rhode Island can help your company put safeguards in place that catch phishing and spam before they make their way to user inboxes. Contact us today to set up a security consultation at 401-415-6290 or reach out online.
