As you might already know, I am new to the cybersecurity industry and just recently joined Hoplite Technology as a Digital Marketer.
Hoplite is a young Hong Kong start-up that believes in protecting users against cyber risk with tools that bring together artificial intelligence and communities' engagement.
Excited about my new professional adventure, I couldn’t wait to update my LinkedIn profile and add our CEO, Mr Antony Ma, as my Manager and supervisor using common LinkedIn functions such as ‘Teammates Feature’ and ‘direct report to’.
Little I knew that this simple action would trigger a chain of events which eventually led me to learn a lot about phishing emails and how user profiles on social media platforms are being harvested by cybercriminals. Here comes my story:
A few days after updating my LinkedIn profile, I received an email from an account I didn’t recognise, titled ‘Personal task’. The email read:
Let me know if you’re free, can you go an errand for me urgently, am available via e-mail. Thanks.’
Here is a screenshot of what I received:
Being the curious person that I am, I immediately accepted - my new boss has already trusted me enough to ask me about something that seemed somewhat related to his personal life!
I sent my email confirmation and expectantly turned towards his desk, waiting for further instructions, only to encounter his puzzled look. That’s when I suddenly realised that... the gift card purchase request was not coming from my manager CEO after all.
From this, my manager Antony and I tried to trace back how the hacker might have managed to find my contact information and email:
- As soon as I updated my job position on LinkedIn, the attacker scanned through my teammates' names and easily identified "Antony M." as my supervisor and CEO at Hoplite Technology.
- Once they knew that someone named “Johnny” worked at a company called Hoplite Technology, they could easily guess my email and start working on it.
- They choose "personal task" as the email subject so that I wouldn’t dare ask my colleagues about it, or at least I would think twice before disclosing it to others.
The attacker might have made the email sound even more convincing by adding detailed information about my boss and my own personal background but did not do it in this specific case.
However, the event still helped me think about two things:1) The hacker made it “personal”
The phisher played the “personal task” trick which is quite easy to fall into. Because of the personal nature of the request, the newly hired employee is not likely to mention the task to anyone in the team and might also try to keep it as low key as possible.2) The hacker knew the victim by name
The attacker personally and specifically targeted me as a person. Once they choose me as a possible victim of the scam, they could easily have researched my background, social media connections and all other information I might have shared on social media to make the attack more likely to succeed.
This time, I was lucky to be right next to my boss when I received the email, which helped me figure out that something was wrong right away. It might have ended with me purchasing the gift cards after all, if only I had been working from home on that day.
What I have personally learned from this experience:1) Be careful when there is any action involvement
To succeed, hackers and phishers need the victim to perform a specific action, such as providing information or purchasing anything. Be extremely alert when an email is asking you to take any kind of further action.2) Your contact’s name might look slightly different
When a phisher impersonates your friend or colleague, they might not be able to know the exact name your contact use on email. In my case, ‘Antony M’ is the name my boss uses on LinkedIn, but he never uses ‘Antony M’ in his emails. Never ignore the slight difference in your contacts’ names as this is one of the keys to spotting phishing emails.Sender verification is important.3) Use different names on different media platforms
While it might be hard to give up social media completely, we can try to make it harder for hackers with some simple tricks. For example, when creating an account on any online platform, Reddit user mc1nc4 recommends adding that online platform’s name as your own middle name. This way you might not only be able to find out which company is selling your personal information to third parties, but you might be able to spot more easily a phishing attack if you were approached as, in my case, Johnny “Amazon” Lau!
Phishing threats are a growing reason of concern for all of us email users. Sharing our stories is one way to increase risk visibility and, as we believe at Hoplite, the more visibility we have on risk, the greater our chances to be protected against cyber-attacks.