Over the past decade, social media platforms like Facebook, Instagram, LinkedIn and Twitter have gone from startups to a fundamental extension of who we are and how we communicate with family, colleagues and friends. For many of us, social media has become the “dial tone” of our lives. Now in 2017, the question isn’t whether these platforms are here to stay, but how to avoid the inherent risks of using these platforms while still taking advantage of what they have to offer. As the size, scope and scale of cyber attacks continue to grow at an alarming rate, staying safe online in an always connected, always-on social world is more difficult and complex than ever.
In this first annual Hueya Report, we examine the state of online security from the perspective of what we call the Human Factor. Most cybersecurity research focuses on the technology side of cybersecurity, including perimeter defenses, intrusion prevention and detection, on-the-wire behavior, penetration testing and vulnerability scanning. These controls are important, but most criminals have found that bypassing them is relatively easy, and in many cases hacking the human is the easiest option. Because individuals have both a personal and a professional life, they hold access to both settings, and hackers often use the individual as a portal to the data inside an enterprise. There are many risk points, and the human element is the most vulnerable endpoint.
Figure 1: The thin line of protection from cyber abuse is highly vulnerable to cyber criminals taking advantage of the human factor – oversharing on social media in the case of families, or employees in the business realm.
At Hueya, Inc., we’ve spent the year researching complex questions surrounding the human factor in cybersecurity. How aware are we about each of our potential roles in allowing cyber attacks to happen? What are our experiences with cyber abuse, online harassment or identify theft? What steps are people taking to become more secure? What are the trends in social engineering? What are the risks in today’s world to individuals, families and businesses? What can be done to stay safe?
To address these questions, we conducted original research and combed through published research and news reports. If there’s one overarching takeaway it’s this: We are putting ourselves, our families and our employers at risk. Since we are so communicative, social and trusting, we overshare too much information, which makes it far too easy for cyber criminals, social engineers, cyber bullies and the like to achieve their goals – to separate you from your money, assets and reputation. Our mission with this report and for our company is to shed light on cyber abuse, highlight problematic trends and help turn the growing tide of cyber abuse impacting all of us.
A big problem that’s getting worse
Let’s start with this fact: everyone who is online is at risk of some kind of cyber abuse or becoming the victim of cybercrime. Over the past 12-18 months, cybersecurity researchers have noted that attacks are happening more frequently and have a greater impact. This is summarized well in the Cisco 2017 Midyear Cybersecurity Report, where the authors write, “With this latest report, however, we find we must raise our warning flag even higher. Our security experts are becoming increasingly concerned about the accelerating pace of change—and yes, sophistication—in the global cyber threat landscape.”
Currently, there is no single clearinghouse for cyber abuse on a broad level covering all the various types of criminal activity that can impact individuals and businesses alike. Cyber abuse and cyber crime can range from out-and-out theft – the type involving clearing out your bank accounts – to more under-the-radar attacks like online harassment or cyber abuse and bullying. Much of the abuse goes unreported when the incidents are minor or too embarrassing to report to authorities, meaning the reported number of victims and the reported frequency of attacks are undoubtedly understated.
Our recent research on cyber abuse awareness reveals, as shown in Figure 2, that nearly 50 percent of respondents believed they definitely or most likely were victims of cyber abuse. Even more telling, nearly 80 percent of respondents indicated that family or friends have experienced cyber abuse of one form or another (see Figure 3).
Figure 2: Hueya’s own research indicates that nearly half of all respondents have likely been victims of cyber abuse at some point in their lives.
Figure 3: Nearly 80 percent of respondents indicated they know cyber abuse victims.
Imposter scams surpass ID theft
One of the more pervasive attacks over the years has been identity theft where the hackers use stolen information to obtain credit cards in their victim’s name or to file fraudulent tax returns, often netting handsome returns. The good news here is that awareness efforts to combat ID theft are having an impact, with the IRS reporting 376,000 ID theft victims in 2016, down from 766,000 victims in 2014.
Similarly, the Federal Trade Commission (FTC) reported that ID theft is no longer its number one complaint category, with 399,225 complaints recorded in 2016, representing about a 3% decline in ID theft complaints registered with the FTC compared to 2015. But this hardly means we’re turning the corner against cyber crime. Instead, the criminals are simply adopting new approaches with imposter scams (also called imposter fraud) leading the way. Now, for the first time, imposter scams headed the FTC’s list with 406,578 complaints filed last year.
The takeaway from this isn’t that we’re actually making headway against cyber abuse; rather, it implies that criminals are adopting increasingly complex ways of going about their business. Imposter scams can come in many varieties, but generally involve a scammer pretending to be someone they are not such as a computer technician or a vendor. Such scams are much more effective when they involve some form of social engineering (more on this later), often leveraging a bit of personal information found on social media platforms to support the scam. And it’s not hard. For instance, by simply looking at public posts attackers can easily see accounts that have mentioned a certain musician or sports team and then tailor messages pointing to tickets going on sale for an event – all intended to drive victims to fraudulent phishing websites.
Bad for business – Hacking humans for profit
Businesses have long been willing to take well-defined steps to protect their physical assets from external threats, whether it’s armored trucks, security guards, surveillance cameras or biometrics (fingerprint and facial recognition devices). Similarly, businesses are now investing heavily in cybersecurity. Technology advisory firm Gartner reports that worldwide spending on information security will reach $90 billion in 2017, an increase of 7.6 percent over 2016, and top $113 billion annually by 2020.
Despite the ongoing investments, cybercrime is expected to continue growing with scant resistance. Today’s cyber criminals have substantial resources at their disposal, and their attacks are becoming more targeted, more frequent and more sophisticated. It’s fair to say that cyber-driven security breaches are now one of the top issues affecting all users and organizations today. Estimates place the cost of cybercrime to the global economy at $450 billion in 2017. To put that into perspective, $450 billion is equivalent to the GDP (gross domestic product) of Sweden, one of the top 25 economies in the world. With the rate of growth accelerating, experts predict the cost of cybercrime will surpass $1 trillion by 2021.
At a more granular level, the average cost of a breach is about $7 million for U.S. companies and $3.62 million for companies outside the US according to the 2017 Ponemon Institute Cost of a Data Breach Study. The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information was about $216 in the U.S. and $141 globally. Notably, the study found that 47 percent of the incidents involved a malicious or criminal attack, 28 percent were due to negligent employees or contractors and 25 percent resulted from system glitches.
Figure 4: Human error contributes to nearly one-third of data breaches, according to Ponemon Institute’s latest research on the impact of data breaches on businesses globally. Additional studies show that the human factor is what makes most of these criminal attacks possible.
Looking into what constitutes a malicious or criminal attack reveals a much greater role for the “Human Factor” than simple human error. In fact, industry and government reports indicate that the vast majority of cyber attacks are successfully executed with information stolen from employees who unwittingly give away their system IDs and access credentials to hackers – either directly or indirectly via information shared socially. According to the Identity Theft Resource Center (ITRC), the human factor plays a role in 73.4 percent of all data breaches, including 55 percent from hacking, skimming or phishing breaches, 9.2 percent from email or internet exposure and 8.7 percent from employee error.
Social media powers online harassment
As introduced earlier in this report, cyber abuse can take many forms – and it’s not all faceless criminals seeking to clean out your assets. Powered in part by the rise of social media platforms, online harassment, even from known acquaintances, is an emerging and highly concerning problem. The extent of the problem just recently came into focus in the Online Harassment 2017 report, published July 11, 2017, by the Pew Research Center. In a survey of 4,248 U.S. adults, Pew found that roughly four-in-ten Americans have personally experienced some form of online harassment.
As shown in Figure 5, the Pew report defines online harassment as offensive name-calling online (27 percent of Americans say this has happened to them), intentional efforts to embarrass someone (22 percent), physical threats (10 percent), stalking (7 percent), harassment over a sustained period of time (7 percent) or sexual harassment (6 percent). This 41 percent total includes 18 percent of U.S. adults who say they have experienced particularly severe forms of harassment such as stalking, physical threats, sexual harassment or harassment over a sustained period of time.
Further, Pew researchers discovered that many people who suffered online harassment also directly suffered significant real-world consequences that ranged from mental or emotional stress to damaged reputations and even personal safety concerns. The report indicated that the consequences extended to friends, acquaintances and family of the person targeted by online harassment.
Figure 5: Roughly four-in-ten Americans have personally experienced online harassment.
A particular concern uncovered by the Pew research is the alarming rate that young people are exposed to harassment online, particularly more severe forms of harassment including physical threats, sexual harassment and stalking. Far too often, digital (online) harassment can have real-world (physical) consequences when stalking goes from digital surveillance to physical confrontations. All told, about two-thirds of young adults have been subject to some type of online harassment, with 41 percent having experienced severe forms of harassment.
Social media stands out as the most common venue for online harassment and cyber abuse. Pew researchers found that the majority of harassment took place on a single platform as shown in Figure 6. The report also found that while many people want the various social media firms to do more, they also worry about how to balance free speech and safety issues online.
Figure 6: Social media is the most common venue for online harassment experiences.
As the Pew research indicates, nearly everyone is at risk for some form of online harassment. Cyber bullies generally are looking for vulnerable victims. Therefore, it makes sense to give yourself and your family a strong security posture that includes limiting how much people outside your inner circle can discover about you coupled with ongoing monitoring to flag potential harassment early in the cycle of cyber abuse. One powerful tool in the fight against online harassment is Hueya’s Situational Awareness engine that enables you to watch for digital behavior that might put you at risk.
The Human Factor and social engineering
While there are many factors at play behind the growth of cyber attacks, among the most critical is the seemingly lax attitude most people demonstrate in their approach to personal online security and the vast amounts of personal, descriptive and inferential data people are willing to publicly share where it can be accessed by anyone, anywhere in the world. In cybersecurity terms, this is known as open source intelligence or OSINT. Open source intelligence is the identifying and descriptive information we share publicly (personally and professionally) that can be easily harvested online to conduct a cyber attack.
OSINT includes a category of information called Personally Identifiable Information (PII). PII, as defined by NIST (National Institute of Standards and Technology), is any data that can be used to distinguish (think SSN), trace (social timeline) or link (cross reference) an individual. This data is “protected” under the Organization for Economic Cooperation and Development (OECD) Fair Information Practices guideline, which requires that companies protect this data with reasonable means. However, what we have found is that online users are inadvertently sharing PII on and across their social channels and networks, placing this information in the public domain and outside the purview of such guidelines. This oversharing of PII puts the user, their families, employers and their missions at risk by serving up the key elements of a successful attack. PII is what the criminals are after, and when combined with the descriptive sharing we do on a daily basis, it creates a foundational crack in our digital and physical security.
In an effort to improve security, banks and other websites where you need to establish accounts have begun adding an additional layer of security involving answering questions that only you should know, such as the name of your pet or where you went to high school. The problem with relying on this type of knowledge-based authentication (KBA) is that much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines or easily tracked down on social media. In fact, security researchers contend that criminals broadly have the data needed to reliably answer KBA questions on most individuals.
The open flow of personal information on social media directly impacts the security of business and governments. Even if an organization has good security processes and training, and even if people diligently follow security procedures at work, they are typically unaware that actions in their private lives can put their employer at risk. The chance comment on Facebook, using the same password on personal and work accounts or an entertaining but secretly malicious app downloaded to a personal device that is also used at work can catapult criminals right past an organization’s network security.
In a survey of 1,580 respondents, only 20 percent said they have never engaged in risky behaviors, according to UK-based technology market research firm Vanson Bourne. The risky behaviors that 80 percent of employees admitted to included viewing adult content on work devices, opening emails from unknown senders, downloading apps from outside official app stores, installing new applications without IT approval, using social media for personal reasons, or using their personal mobile devices for work.
Social engineering attacks can take a wide variety of forms. Some simply involve reverse engineering weak passwords based on the names of pets or family members and important dates gleaned from a social media account.
In other attacks, scammers collect information from both individual and company profiles to launch spear phishing (phishing attacks directed at individuals) and whaling (phishing attacks directed at executives or companies) attacks. By getting to know their targets, often by creating fake profiles on LinkedIn or Facebook and posing as vendors or co-workers, criminals significantly increase their chances of carrying out a successful scam. Moreover, research published by the cybersecurity firm ZeroFOX showed that about 45 percent of spear phishing messages sent through social media sites, whether by automated or manual campaigns, were opened by their intended victims. This is significantly higher than the success rate of email-based spear phishing campaigns.
An individual often has a personal and a professional life that is documented online. The attacks that combine personal and professional OSINT are highly effective. Together, this information unlocks the doors to our personal and private lives and the assets of our employer.
Figure 7: By having a foot in both camps, humans enable hackers to quickly circumvent technical controls, quietly and efficiently.
Pen tester Sophie Daniel recently detailed, in a post on Motherboard, how she used social engineering to easily scam her way into a high-security manufacturing facility. This was a windowless facility surrounded by armed guards and electronic security measures. Daniel simply tracked down a likely victim through LinkedIn and used a fake profile to pass herself off as an interior designer. She ended up gaining unaccompanied access to multiple buildings. Her story illustrates how social engineering can get an attacker almost anywhere. Stories such as this are critical to educating and empowering people to be vigilant, particularly when coupled with online tools such as Hueya that offer insight into the level of risk posed by the information you and your employees are sharing online.
Social engineering terms to know about
As we’ve seen, the use of social engineering in cybercrime often involves tricking people into breaking normal security procedures. The success of these exploits often relies on people’s willingness to be helpful. Here’s a rundown of the popular types of social engineering attacks:
Baiting: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where it is sure to be found. The finder then picks up the device and plugs it into his or her computer, unintentionally installing the malware.
Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
Spear phishing: Spear phishing is like phishing, but tailored for a specific individual or organization.
Pretexting: Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
Scareware: Scareware involves tricking the victim into thinking his computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker’s malware.
How to stay safe
As detailed in this report, through behaviors such as oversharing on social media we are putting ourselves at risk for cyber abuse. Because we are communicative and social, we overshare information. In business, we trust others. Both on an individual level and at work, the “human factor” is largely to blame for cyber criminals preying on sensitive information being shared, and on the vulnerable (such as older adults, youth and young adults) and the careless. As a result, cybercrime is at an all-time high and shows no signs of slowing down. In fact, trends point to the opposite.
The good news, however, is that each of us holds the key to a safer digital world by practicing smarter online sharing. By no means are we advocating an end to social media which has far more upside than risk as long as we take a few simple and intentional steps to share information more safely. This is relevant not only on a personal and family level but for employees as well. Even employees who have no direct access to customer records can be an unwitting conduit to cybercrime.
Here are 10 ways to share information more safely:
- Post images with care – Picture and videos can reveal locations, relationships, personal information, dates and times. Be mindful when posting pictures as they inadvertently reveal personal information you may not want to see exposed.
- Delete personal info – Overexposure of personal information is the leading cause of identity theft, social engineering fraud and cyberbullying.
- Avoid tagging locations – Tagged locations reveal where you are and what you’re doing, putting your personal safety at risk. Remove location tags from posts and pictures, and delete information like hometown, workplace and current city.
- Don’t post publicly – When your profiles and posts are public they are available to the entire world, and of course not everyone has your best interests in mind. A good course of action is to make your profiles private and ensure your posts are available only to friends and family.
- Monitor post comments – Comments in social posts can often leak personal information, or open the door to online harassment. Monitor comments and posts you are tagged in to ensure they are private and appropriate.
- Post with care – The wrong type of posting and sharing of information can leave you vulnerable. How often you post, when you post and where you post can impact your online safety. Be aware.
- Don’t overshare – Overshared personal information can be used to steal your identity or as the basis for fraud and social engineering attacks. Avoid posting about birthdays, where you work, where you live, your hobbies, clubs and places you frequent.
- Use complex passwords – Passwords based on the names of relatives, pets, your cars or hobbies can easily be reverse engineered, especially if you’re oversharing information. Falsify your answers to secret questions. Make a habit of changing all your passwords frequently, ideally every 90 days for online accounts and every 30 days for email accounts.
- Beware of impostors – If someone is using your identity, it’s because they want to defraud your friends and family. Monitor social media sites and apps for potential impostors using your data.
- Beware of fake friends – Fake friends exist for a reason: to try and defraud you by asking for money or personal information they can use later. Ensure accounts are real before accepting friend and follow requests.
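The password advice above, and the earlier point that attackers guess weak passwords from pet names, relatives and dates gleaned from social media, can be turned into a defender-side check of the kind a password policy or password manager could enforce. The following is an added example, not code from the Hueya report: it flags a candidate password that contains tokens from the user's own overshared details (pet, relative, car, hobby and employer names; birthday and anniversary dates), including leetspeak spellings. The profile, token categories and sample passwords are constructed for illustration.

```python
"""Reject passwords built from a user's own overshared personal details.

Added example, not part of the Hueya report. PROFILE is constructed sample
data; the categories are an assumption about what an organization or
password manager would collect from the user's own account to run this check.
"""
import re
from datetime import date

# Common character substitutions people use to "strengthen" a name or word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_TOKEN_LEN = 4  # shorter fragments ("rex", "84") would flag almost anything

PROFILE = {  # constructed: the kind of detail visible on a public profile
    "pets": ["Biscuit"],
    "relatives": ["Emily Carter"],
    "cars": ["Mustang"],
    "hobbies": ["Golf", "Lakers"],
    "employer": ["Acme Corp"],
    "dates": ["1984-03-14", "2012-06-02"],  # birthday, anniversary (ISO)
}


def date_tokens(d: date) -> set:
    """Ways a date commonly shows up inside a password."""
    return {
        f"{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}",   # 0314, 1403
        f"{d.year}", f"{d.year % 100:02d}",                          # 1984, 84
        f"{d.month:02d}{d.day:02d}{d.year}",                         # 03141984
        f"{d.month:02d}{d.day:02d}{d.year % 100:02d}",               # 031484
        d.strftime("%b").lower(), d.strftime("%B").lower(),          # mar, march
    }


def personal_tokens(profile: dict) -> dict:
    """Map each normalized token derived from the profile to its category."""
    tokens = {}
    for category, values in profile.items():
        for value in values:
            if category == "dates":
                candidates = date_tokens(date.fromisoformat(value))
            else:
                # Split multi-word values ("Emily Carter") and de-leet them so
                # "3mily" in the profile still matches "emily" in a password.
                candidates = {w.lower().translate(LEET)
                              for w in re.split(r"[\s\-_.]+", value)}
            for t in candidates:
                if len(t) >= MIN_TOKEN_LEN:
                    tokens[t] = category
    return tokens


def personal_info_in_password(password: str, profile: dict) -> list:
    """Return sorted (token, category) pairs found in the password.

    An empty list means the password contains none of the profile-derived
    tokens. Word tokens are matched against the de-leeted password;
    numeric date tokens are matched against the plain lowercase password,
    since de-leeting would turn "0314" into letters.
    """
    lowered = password.lower()
    deleeted = lowered.translate(LEET)
    hits = []
    for token, category in personal_tokens(profile).items():
        haystack = lowered if token.isdigit() else deleeted
        if token in haystack:
            hits.append((token, category))
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ["B1scu1t0314!", "Must4ng84", "correct horse battery staple"]:
        found = personal_info_in_password(candidate, PROFILE)
        verdict = "REJECT" if found else "ok"
        print(f"{candidate!r}: {verdict} {found}")
```

In practice the check belongs next to a breached-password denylist, so that a password is rejected both when it is already public and when it is derivable from what the user has made public.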
Secure your world
It’s not enough to simply read through the best practices for social sharing – you need to put them into practice for yourself and for those around you. Unfortunately, cyber abuse awareness is at best an infrequent topic in most families. As our research shows, just 6 percent of families have regular conversations about cyber abuse, with an additional 20 percent indicating that it’s a topic that comes up from time to time. The conclusion from this and other research is that individuals and families are failing to even minimally protect themselves from cyber abuse attacks. Having conversations about the risks and methods employed in online harassment and cyber bullying is a great place to start.
Figure 8: The great majority of those surveyed did not discuss cyber abuse at home.
Adult family members are often maxed out juggling the demands of their personal and professional commitments, so perhaps it’s understandable that cyber security isn’t a top priority. Surely businesses are doing a better job at building cyber awareness among employees, right? Sadly, businesses fare somewhat worse than families in terms of educating employees about cyber security, with a paltry 7 percent of our respondents indicating they receive training on a regular basis and 14 percent discussing it from time to time. The critical conversations about cyber security awareness, coupled with rigorous training programs on how to identify social engineering scams and how to avoid risky behaviors in the workplace, simply are not happening with enough regularity to slow down the accelerating pace of cyber crime. The average cost of a single data breach is about $4 million, and any given incident could easily exceed that amount by 10X or 100X. In light of such figures, it’s easy to make the case that investments in cybersecurity training and monitoring programs are money well spent.
Figure 9: The great majority of businesses are not offering cyber security awareness and training programs.
In conclusion, this first Hueya Report highlights the integral and potentially harmful role of individuals in cybersecurity breaches. The human factor plays the dominant role in allowing cybercrime and cyber abuse to happen across personal and professional spaces – and the pace of cyber crime is accelerating. Despite research-based evidence, the human factor is not receiving the attention it deserves in the home or the workplace, which allows cyber criminals and cyber abusers a nimble space for targeted data attacks. By being both an individual and an employee, users often straddle the traditional technical controls, which enables highly effective attacks that go unnoticed and undetected until irreparable damage has occurred. Awareness, knowledge and adherence to safe sharing practices have been shown to reduce the incidence rate and spread of cyber crime. While such steps will never be able to end cyber abuse completely, these measures can dramatically improve online safety for individuals and organizations alike, potentially saving billions of dollars and making our online world a safer place for all.
Sources
Cisco 2017 Midyear Cybersecurity Report, July 2017, https://www.cisco.com/c/m/en_au/products/security/offers/cybersecurity-reports.html
Stephen Ohlemacher, USA Today, March 9, 2017, https://www.usatoday.com/story/money/personalfinance/2017/03/09/irs-strikes-back-agents-make-big-dent-identity-theft/98949472/
Federal Trade Commission, Press Release, March 3, 2017, https://www.ftc.gov/news-events/press-releases/2017/03/ftc-releases-annual-summary-consumer-complaints
Luke Graham, CNBC, Feb. 7, 2017, https://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html
Ponemon Institute, 2017 Cost of Data Breach Study, June 2017, http://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf
Blue Bite, Medium, April 3, 2017, https://medium.com/@BlueBite/data-breaches-leading-causes-how-to-avoid-them-797e3d51b1b1
Maeve Duggan, Pew Research Center, July 11, 2017, http://www.pewinternet.org/2017/07/11/online-harassment-2017/
Brian Krebs, Krebs on Security, May 18, 2017, https://krebsonsecurity.com/2017/05/fraudsters-exploited-lax-security-at-equifaxs-talx-payroll-division/
Maria Korolov, CSO, May 27, 2016, https://www.csoonline.com/article/2926737/security-awareness/employees-know-better-but-still-behave-badly.html
David Bisson, The State of Security, Feb. 10, 2016, https://www.tripwire.com/state-of-security/security-awareness/a-guide-on-5-common-linkedin-scams/
Sophie Daniel, Motherboard, Oct. 20, 2017, https://motherboard.vice.com/en_us/article/qv34zb/how-i-socially-engineer-myself-into-high-security-facilities