It is amazing how much information about a company and its executives and employees can be gleaned from spending a little time on the web.
Marketing teams of companies are focused on capturing the mentions of the company in traditional media outlets in order to promote it through social media. They also are focused on getting the company’s brand in the news to elevate brand recognition. Teams are simultaneously working on the company website, Twitter feed, Facebook page, and LinkedIn, promoting details about the executive team and other employees on these platforms. All of this information is readily available and easy to find.
With a little time, the company website, social media platforms, and basic Internet searches can give a hacker planning a social engineering campaign against your company the information needed to dupe employees in a phishing or wire fraud scheme.
This is not to say that companies should stop marketing or promoting their brands. The caution here is that when so much information is so readily available to the public, it is also available to bad actors, and they are collecting the information and profiling companies for their next scheme.
We hear from clients who have been victimized that they could not believe they were targeted. They say, “Why would anyone want to target us?” It’s a simple answer—because they can. And it’s so easy.
Companies are educating employees to be extra vigilant about the risk that the bad guys will obtain specific information about the company and use it in a targeted cyber-attack. They are also engaging outside firms to monitor the company’s information on the web, including the dark web.
We have seen an increase in targeted attacks against companies that begin with the purchase of websites with very similar names or brands, and of email domains so similar that there is no logical reason for the purchase other than to use them in a nefarious way to attack the company while trying to remain undetected.
There are tools available that can monitor for fake websites and URLs, which are likely established in advance of a targeted attack; for information about the company’s executives and employees; and for personal information of executives and employees that is available for sale on the dark web.
Whether you choose to use an outside vendor for the monitoring or you do it yourself, monitoring and protecting your company’s online presence is a valuable threat-prevention tool for your risk management program.