Digital Hygiene 🧼

Prevent Social Engineering & Phishing By Deleting Your Data

This article will focus on removing your personal information to prevent phishing and social engineering attacks.

While we would prefer to dive into the heart of the article and tell you exactly how to delete your data, it is vital to understand a few details, especially in dealing with the latest attacks. Thus, it is necessary to dig into the details a bit.

Understanding what constitutes these forms of cybercrime is an excellent start to learning how to prevent social engineering and phishing. So let’s begin there.

What is a social engineering attack?

The term “social engineering” casts a broad umbrella and encompasses a variety of attack methods.

Wikipedia defines social engineering as “the psychological manipulation of people into performing actions or divulging confidential information.” This information could include your social security number, credit card details, bank account number, passwords, or other personal information.

It is estimated that social engineering is used in 95-98% (depending on the source) of all targeted attacks on individuals and organizations.

There are two elements of a social engineering/phishing attack: obtaining information about the target, and then using that information to compromise the target.

We focus primarily on the first element, obtaining the information (phishing). The reason is quite simple: if the attacker, or those services that—directly or indirectly—assist the criminal (e.g., data brokers), can’t locate or gain access to your data, then it can’t be compromised.

What is phishing?

“Since the first reported phishing attack in 1990, it has evolved into a more sophisticated attack vector. At present, phishing is considered one of the most frequent examples of fraud activities on the internet. Phishing activities can lead to severe losses for the victims, including sensitive information, identity theft, companies, and government secrets.” (Alkhalil et al., 2021)

Phishing scams are a type of cyber attack that uses social engineering techniques to trick victims into providing sensitive information. A phishing message is typically an email or text message containing a malicious link or attachment and made to appear as if it comes from a legitimate source.

Phishing scams are a primary cybersecurity problem for individuals and organizations alike. Security magazine cites a report estimating that over 255 million phishing attacks occurred in the first six months of 2022—a 61% increase compared to the same period in 2021.

According to most reputable sources, email is the most common method of communication between the attacker and the victim. In many cases, the criminal will register a bogus domain, then craft and format a phishing email to appear as if it came from a legitimate company. The message is then often sent out en masse.

There are more specialized, targeted types of phishing as well. The two proving particularly difficult for individuals and organizations are spear phishing and angler phishing.

Spear phishing

Spear phishing is an email attack targeting a specific person within an organization. Typical targets are mid to senior-level managers at banks and other financial institutions.

As the message targets well-educated workers well-versed in various shams, the attacker devotes more time to research to present an air of authenticity. It’s not unusual for the message to contain personal details (e.g., one’s name, job title, department, office number, etc.), the names of co-workers, company events, or other “insider information.”

Fortunately for the criminal, personal details and other “insider information” are readily available via LinkedIn, company websites, and other public data sources.

Even in targeted spear phishing emails, one can find evidence of fraudulence. Here, it is in the form of grammatical errors.

Personalization in spear phishing

Spear phishing attacks do not always target high-level executives. Attackers will often send a personalized email appearing as if it was sent from a legitimate online account. Take a look at the American Airlines phishing email below:

Figure: American Airlines phishing email screenshot. Caption: Prevent social engineering and phishing by carefully examining the message contents for grammatical, spelling, punctuation, formatting, and factual errors.

In the above screenshot, one can spot an obvious mistake by looking carefully, and a subtler formatting error by looking even more carefully. Give it a try!

Did you catch it? “Itinerary” is spelled wrong. Notice also that there’s a minor formatting error to the right of the “American Airlines” name and logo. Only “Travel Information” is an underlined hyperlink.

When you receive any text, email, or digital message, look for poor grammar, spelling errors, unprofessional graphics, or other signs of a scam email.
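The message checks described above (a bogus or look-alike sender domain, a link whose visible text does not match where it actually points, and pressure language) can be partly automated. The script below is an added example written for this article, not code from the original page or from any product it mentions; the two email messages, the "known domain" list and the urgency phrase list are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domain the recipient legitimately gets mail from.
KNOWN_DOMAINS = {"examplebank.com"}
# Pressure phrases typical of phishing pretexts (urgency and fear).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your")

# Constructed phishing-style message: look-alike sender, mismatched Reply-To and
# a link whose visible text shows the real bank while its target does not.
SAMPLE_MESSAGE = b"""\
From: Example Bank Support <alerts@examplebank-secure.com>
Reply-To: recovery@mail-relay.example.net
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your itinerary has been suspended. Please verify immediately.</p>
<p><a href="http://examplebank.com.login-verify.net/x">https://www.examplebank.com/secure</a></p>
<p><a href="https://www.examplebank.com/help">Help center</a></p></body></html>
"""
# Constructed benign message from the real domain, as a no-findings baseline.
CLEAN_MESSAGE = b"""\
From: Example Bank <alerts@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready. Sign in to view it.</p>
<p><a href="https://www.examplebank.com/help">Help center</a></p></body></html>
"""

class _LinkParser(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude registrable-domain approximation: the last two DNS labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitates(host):
    # Return the known domain that `host` imitates: the known name embedded in a
    # host not registered under it ('bank-secure.com', 'bank.com.evil.net');
    # None for a genuine or unrelated host.
    if registrable(host) in KNOWN_DOMAINS:
        return None
    squashed = host.lower().replace("-", "")
    for known in KNOWN_DOMAINS:
        if known.split(".")[0] in squashed:
            return known
    return None

def analyze(raw):
    # Return human-readable findings for one raw RFC 5322 message (bytes).
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = msg["From"].addresses[0].domain
    target = imitates(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} imitates {target}")
    # A Reply-To elsewhere routes the victim's answer to the attacker even when
    # the From address looks plausible.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain
        if registrable(reply_domain) != registrable(sender_domain):
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    parser = _LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = imitates(host)
        if target:
            findings.append(f"link target {host} imitates {target}")
        if "://" in text:  # visible text that is itself a URL must match the target
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
    haystack = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyze(raw) or ["no findings"])
```

Running the script prints five findings for the constructed phishing message and none for the benign one. The "last two labels" domain approximation is deliberately crude (it misfires on suffixes such as co.uk), and the checks are indicators to review rather than a verdict: a well-crafted spear phishing email can pass all of them, which is exactly why the manual inspection habits above still matter.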

Unfortunately, spear phishing attacks are challenging to detect because of their high level of personalization. A few years back, a widely cited Intel Security study claimed that 97% of participants could not identify the fraudulent phishing email when asked.

Angler phishing

Angler phishing is a relatively new social engineering attack targeting social media users. In this type of phishing attempt, attackers often portray themselves as customer service agents responding to user-posted complaints on a social media platform, often Facebook or Twitter.

The username will usually incorporate the name of some reputable company (usually a financial institution or services company) to appear more legitimate.

Often the message contains a link that directs the user to a malicious site, a “phishing site,” where the user is asked to enter personal information. Alternatively, the link may lead to a page that delivers malicious code capable of compromising your computer’s security.

Figure: Fraudulent Social Media Accounts Phish For Banking Credentials (Proofpoint). Caption: A malicious link contains harmful code that compromises computer security.

SMS phishing (“smishing”)

As the name implies, smishing is a form of phishing that uses mobile or smartphone text messages. These messages are crafted to resemble notifications from smartphone apps or account-management alerts (see the below example).

Figure (smishing example): Yet another example of a malicious link.

Voice phishing (“vishing”)

Vishing is a phishing attack that occurs via phone. Due to the advancement in VoIP automation and caller ID spoofing, scammers can now simultaneously make millions of phone calls. Moreover, the spoofing software makes the communication appear to be from a legitimate company.

Similar to other phishing methods, vishing attacks rely on an undercurrent of urgency and fear. Example vishing scams: overdue IRS payments, credit card processing problems, and utility payment defaults.

Prevent phishing by deleting your data

Removing personal information that’s found its way online is essential in preventing social engineering and phishing attacks. Deleting this information makes it more difficult for criminals to access, manipulate, and use it for malicious purposes.

Additionally, data removal reduces the likelihood of someone impersonating you or gaining access to sensitive accounts.

Many—particularly younger—people require a basic education on the “whys and hows” of safeguarding their data.

First, it is essential to be aware of those everyday transactions that, while seemingly harmless, put more and more of our data out there.

Here’s a short list of these transactions:

– Downloading a low-quality app (iPhone or Android)

– Signing up for a customer loyalty/rewards program

– Registering a product

– Applying for/using a credit card

– Web browsing without anti-tracking

– Registering a product with the manufacturer 

– Using a dating, social networking, or transportation app. (Examples: Facebook, Tinder, Grindr, Uber, Instagram)

– Many, many more

Why do companies place data inputs in these places? Well…

Social engineering and consumer psychology (get ready to get angry)

Marketing teams know at which point in buying cycles you are less likely to exhibit patience (read: suppress impulses). It’s a well-studied phenomenon within consumer psychology.

Why do we tell you this? Well, to get you to stop giving your data away! Does it not irritate you at least a bit knowing that people actually use “neuromarketing” to snare your data?

“What is neuromarketing?” you ask. Wikipedia: “A commercial marketing communication field that applies neuropsychology to market research, studying consumers’ sensorimotor [body], cognitive [thinking], and affective [emotional] responses to marketing stimuli.”

In short, the way that our brain works is being used to:

  1. Sell you more stuff 
  2. Give the information to their “partners” so they can sell you more stuff (and vice-versa), or
  3. Just sell your data.

I mean, really…anyways.

The result of this lack of diligence in how we share our data is evident in a typical Google search of a person’s name. Go ahead and enter someone’s name into Google. Doesn’t have to be yours. Dig around. What did you find?

Email Address? Home address? Employer name? Phone number? Social security eligibility or last four? Bank name? Relative names? Relative addresses? Emails?

Is the problem becoming apparent?

If not, don’t worry. You aren’t the only one. Let us explain the unfortunate effects of this seemingly-innocent aggregation of seemingly-unimportant information: data brokers.

Data Brokers

We have to start with data brokers. Data brokers have built a $250 billion industry exploiting your personal information.

Data brokers scrape the internet for your information, package it, and sell it to the highest bidder. You become a profile, enrich some already-rich companies, and lose more of your privacy in the process.

Even when data brokers aren’t busy turning you into some data point, this information is free for anyone — including hackers — to take advantage of. The result is skyrocketing identity theft cases, phishing, increasing telemarketing/spam calls, and less security in general.

To safeguard your privacy, deleting your information from data brokers’ databases is essential.

Check what brokers have your private data and get your privacy risk score for free here.

Other security measures to take

While scrubbing your public data is essential to external data privacy and preventing social engineering and phishing attacks, some additional measures are recommended.

While laying out a full external data privacy blueprint is beyond the scope of this article, here is a short list of security measures to take:

– Understand and update your email filters

– Delete and block any suspicious email

– When in doubt, delete the message

– Ensure that your network firewall and personal/desktop firewall are active and updated

– Secure the login information of all financial accounts

– Never enter payment details into an email or text message

– Consider paring down the information in your social media profiles (or delete them!)

– Ensure that all applications, systems, and software are updated with the latest security patches (you may wish to consider a software or hardware updater for this purpose).

Take the first step in preventing social engineering and phishing, and get your free privacy evaluation and risk assessment score here.