last updated 01/07/2020
Hackers often use data collected from public sources (also known as Open Source INTelligence or “OSINT”) to add legitimacy to their phishing, vishing, and other social engineering attacks. Take a couple of minutes and run a Google search on yourself including your name and the city you live in. There are likely some photos of you and your family online that you didn’t know were public.
There are many places online where a hacker may collect data about you. Your name may be listed on a church website or as a plaintiff in a court case, or a hacker may connect you to your job or to an application your company uses.
Be aware of the information you share online, how it can be combined with other data points, and how that information could provide an air of legitimacy to a would-be scammer. Here are some places hackers can piece together a profile about you, your church, or your organization:
- Your church website may list your pastors and staff members with a short biography of each person. Trust can be gained by referencing a recent birthday, anniversary, death, or church event - all of these might be readily available on your church’s public website. A hacker may reference a former pastor, and by using the Internet Archive “Wayback Machine”, those details are easy to find even after they are removed. Tip: Name-dropping is a popular tactic, so be mindful of who has been in the public domain on your church website.
- LinkedIn.com is a great source to learn where you work, your job title, daily duties, vendor partners, applications and systems your organization uses. It can also be used as a secondary source to confirm information found elsewhere. Tip: If you aren’t currently searching for a job, it is a good idea to hide your LinkedIn profile.
- Ancestry.com is a wonderful way to learn about your heritage and genealogy. Your full name, birthdate, place of birth, places you’ve lived, and relatives who have died recently can help a hacker deceive you. Even your mother’s maiden name can be easy to find, which is often a security question to gain access to accounts. Tip: Be cautious of what you share online about yourself, loved ones, and especially children. Instead of naming children and their full birthdates, enter “Living male” 2010 as a placeholder. Hackers have been known to assume the identities of minors, and open credit cards in their name.
- County property records show the property acreage, building square footage, taxable value, year built, owner address, month/year sold, and the selling price. A hacker might use this information to pretend to be an inspector and gain physical access to sensitive areas. Tip: Question the validity of the person’s request and the need for access to your property.
- County judicial circuit court records show traffic tickets, criminal charges, and civil actions such as lawsuits, evictions, foreclosures, and divorces. With such details, a phone-based scammer (vishing) might sound legitimate. Tip: Be leery of unknown callers who seem to know about recent events. Never provide your Social Security number or other sensitive personal or financial information.
- Your email domain may have no Sender Policy Framework (“SPF”) record. It’s fairly simple for a hacker to create an imposter email using a domain that doesn't have SPF enabled. For example, if you receive an email from “Pastor_Bob@mychurch.org” the email will look genuine, but it may not be from your trusted Pastor Bob if SPF is disabled. Tip: Make sure your organization’s SPF record is published in your domain’s DNS (email) records, and be cautious of your inbox!
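As an added example (not part of the original article), here is a small Python check that classifies the SPF policy published in a domain's DNS TXT records, run here against constructed sample records; the domain names and advice strings are my own. SPF on its own only lets receivers judge the envelope sender, so a hard-fail record still needs DMARC before receivers will act on the From address people actually see.

```python
"""Classify the SPF policy found in a domain's DNS TXT records.

Added example, not from the original article. The records below are
constructed; a real check would fetch them with `dig TXT mychurch.org`
(or a DNS library) and pass the strings to classify_spf().
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample TXT records for hypothetical domains.
SAMPLE_TXT = {
    "no-spf.example": ["google-site-verification=abc123"],
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "soft.example":   ["v=spf1 include:_spf.example.net ~all"],
    "open.example":   ["v=spf1 +all"],
    "broken.example": ["v=spf1 -all", "v=spf1 include:other.example ~all"],
}

@dataclass
class SpfResult:
    record: Optional[str]
    policy: str   # missing, invalid, hardfail, softfail, neutral, open
    advice: str

ADVICE = {
    "hardfail": "Good: unlisted senders fail. Add DMARC so receivers enforce it.",
    "softfail": "Unlisted senders are only flagged; move to -all once all real senders are listed.",
    "neutral":  "Neutral is no policy at all; end the record with -all.",
    "open":     "+all authorises every sender on the Internet; remove it.",
}

def classify_spf(txt_records: List[str]) -> SpfResult:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfResult(None, "missing", "No SPF record: anyone can forge mail from this domain.")
    if len(spf) > 1:  # RFC 7208: more than one record is a permanent error
        return SpfResult(None, "invalid", "Multiple SPF records; keep exactly one.")
    record = spf[0]
    # The first 'all' mechanism's qualifier decides the fate of unlisted senders.
    all_terms = [t for t in record.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return SpfResult(record, "neutral", ADVICE["neutral"])
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"  # default is +
    policy = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "open"}[qualifier]
    return SpfResult(record, policy, ADVICE[policy])

if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        res = classify_spf(records)
        print(f"{domain:16} {res.policy:9} {res.advice}")
```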