
Securing Your Digital Footprint:

How Cybercriminals Exploit Your Digital Footprint

How can your digital footprint be used against you?

In our previous installment of this series, we explored the challenges and risks of having a digital footprint. In this blog, we’ll examine the tactics cybercriminals use to exploit this information.

Diversity of Tactics


Bad guys have many options for exploiting your digital footprint, both online and in the physical world. Most cybercriminals will focus on one method of attack and target people based on what information they can gather rather than choosing a target person and exploiting them however possible. 

The infographic represents how each type of information exposed within your digital footprint could be used by any bad actor rather than how a bad actor would target you individually.

Cybercriminals can use your email address to conduct Business Email Compromise (BEC) (email scams that trick people into sending money or sensitive information) or Phishing Attacks (deceptive emails or messages designed to steal login credentials or credit card data).

They could also get your personal information, such as login credentials, credit card information, or social security number, from Data Breaches (exploiting security vulnerabilities to steal large amounts of data from organizations and then typically selling that information to other cybercriminals).

If they can get your credentials, they can try an Account Takeover (gaining access to your accounts, either to steal from financial accounts, make fraudulent purchases on those accounts, or hijack social media accounts or accounts with subscription models, such as streaming services).

If they get your credit card information, they could perform Credit Card Fraud (using stolen credit card information to make unauthorized purchases or withdraw funds). 

If they can obtain personally identifying information (PII) such as your social security number, they can try Identity Theft (using another person’s personally identifying information, usually to commit other crimes such as fraud).

Suppose they’re able to find sensitive information about you with the potential to cause reputational harm, such as accounts or activity on adult websites or other ways to cause you harm. In that case, they might try Extortion (threatening to release sensitive information or cause harm unless the victim pays a ransom or complies with specific demands).

If they’re able to identify people close to you with enough exposed data to mimic them or train deepfake models on them, they may try Impersonation (pretending to be a person you know, either via social engineering or deepfakes, to conduct scams or extortion).

If they discover you’re open to interacting with strangers online and find out about your interests, they could try Social Media Scams (creating fake profiles or accounts and using social engineering to deceive users and gather personal information or steal money).

Finally, and possibly most frightening, they can use information from your digital footprint to conduct Physical Threats (using information found online to more easily or more successfully conduct in-person attacks such as theft, kidnapping, stalking, or causing physical harm).


Advanced cyber attacks:

As tech becomes more integrated into our lives and people become more tech-savvy, hackers are using increasingly sophisticated methods to commandeer devices, steal data, and scam people.

Although it is often touted as the best way to protect your accounts, even multi-factor authentication (MFA) can sometimes be bypassed by techniques specific to the type of MFA in use. For text-message-based MFA, these include SIM swapping and social engineering-based Man-in-the-Middle attacks; for app-based MFA, they include prompt bombing.

Furthermore, with AI proliferating rapidly in society, deepfake-based scams have grown in popularity among cybercriminals. Models trained on a person’s writing, voice, or video can produce deepfakes that impersonate you or a friend, family member, or coworker for social engineering, reputational damage, scamming, or extortion purposes.


Social engineering threats:

Cybercriminals often use the information they’ve found about you and clever psychological tactics to increase the likelihood of you falling for their attack, whether it be phishing emails, voice phishing, phone scamming, or social media scams. Crafty social engineers will use any scrap of information they can get their hands on.

This includes any publicly disclosed interest, hobby, or repeated activity, all of which can be used as a phishing lure—they could pretend to offer discounts, coupons, or special promotions for related stores and restaurants you frequent, use the pretext of fundraisers or events for causes you support, etc. 

If they find out which football club you support, they might lure you with an offer of free tickets to an upcoming match.

If the people close to you (family, friends, coworkers) can be identified via social media following lists or posts, they can be evaluated to find the best possible candidates for impersonation and then further investigated to impersonate them more accurately.

If you happen to have a child who overwhelmingly overshares on TikTok, an attacker might be able to easily amass enough video material to train a deepfake model on their voice and speech patterns and then use that deepfake model to try to extort you using your child’s voice.


Overwhelming information flow:

The sheer volume of information online makes it difficult to discern what’s safe to share. You may see a friend post vacation photos every day that they’re gone and think it’s normal to do so, without realizing that doing the same could alert physical attackers that you’re not at home. You may see plenty of people online posting about their children and assume doing so is innocuous, without realizing that information about your children could be used to social engineer you for scamming or extortion purposes, or even to attempt to target your children themselves.

This phenomenon is even more influential for children, especially as they have no context for life before the internet age. Even if their peers have healthy online habits, children are far more likely to idolize influencers, easily becoming desensitized to the idea of oversharing online. They’re also far more likely to lack the critical thinking skills to discern how the information they share online could be used against them, leading them to be far more easily influenced by overwhelming information flow.



In our final blog for this series, we’ll discuss practical steps to secure your digital footprint.