The Garam Group Blog

Stay current on new technology and business practices

What is your Zoom background revealing about you? Is it a social engineering cybersecurity risk?


With the Coronavirus Pandemic, we’ve all been using online video chats more than ever to connect with work, school, for government meetings and social gatherings. Has Zoom and other video conferencing apps put our security at risk?

Are you inadvertently sharing personal information through items that appear on screen behind you on video calls? Many privacy experts say video calls are perfect hunting grounds for scam artists who look for clues about personal information like family photos, favorite sports teams, and even home addresses that might appear on delivery boxes.

Many of these videos make their way onto social media for various reasons. Government meetings are often broadcast on Facebook or other social media platforms. Some are interviews that might be posted to YouTube, or other fun interactions shared on social media.

These clues found in the background of your video conferencing can be used for what is known as Social Engineering.

What is social engineering?

Social engineering is the art of cybercriminals manipulating people so they give up confidential information. By using information they know about someone they can often get that person to “trust” them through a phone call or phishing email scam.

The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information or access your computer to install malicious software that will give them access to all of your documents and your company or home network. They do this by using information they know about you to gain your trust.

Famous hacker Kevin Mitnick helped popularize the term ‘social engineering’ in the ‘90s, although the idea and many of the techniques have been around as long as there have been scam artists.

To access a computer network, a typical hacker might look for a software vulnerability. A social engineer, instead, might pose as a technical support person to trick an employee into divulging their login credentials. These types of cybercriminals are hoping to appeal to the employee’s desire to help a colleague or friend and act first and think later.

Criminals use social engineering tactics because it is usually easier to exploit your inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try cracking their password (unless the password is really weak).

What does a social engineering attack look like?

Cybercriminals are very clever, and these social engineering attacks can take many popular forms. Here is some information about three of the most common ones to look out for.

Email from a friend

If a cybercriminal manages to hack or socially engineer one person’s email password, they will gain access to that person’s contact list. Since many people use the same password in multiple places, they probably have access to that person’s social networking contacts as well.

Once the criminal has the email account under their control, they can send emails to all the person’s contacts or leave messages on their friends’ social media pages. These messages often contain a link or download that will infect your computer with malware. This gives them access to your computer, from which they can reach even more people.

Phishing Email from a trusted company source

These emails imitate a trusted source and devise a logical scenario for handing over your login credentials or other sensitive personal data. Large companies such as financial institutions, shipping companies (like UPS and FedEx), and common subscription services like Office 365, Netflix, or Amazon are among the most frequently impersonated.

These emails often present a problem that requires you to “verify” your information by clicking on a link and providing information in their form. The landing page and URLs are designed to look legitimate, including logos and headers. Once you enter your information, including a username and password, the criminals now have your information to exploit.

Some of these emails appear to come from a boss or coworker asking for an update on an important project or payment information to quickly process a business transaction. Once again, the more the cybercriminal knows about you, the more authentic they can make the request appear.

Baiting Scenarios

This type of social engineering depends upon the victim taking the bait the criminal offers, hoping to entice you into taking action. These schemes are often found on peer-to-peer sites offering a download of something like a hot new movie or music, or an amazing deal on a classified or auction site.

Another example is where a cybercriminal leaves a USB stick, loaded with malware, in a place where the target will see it. The drive is often labeled “confidential” or “bonuses”, enticing someone to take the bait and plug it into their computer to see what’s on it. Once that is done, the malware automatically installs itself onto the computer, bypassing your firewall and normal security measures.

How to protect yourself

There are several ways you can protect yourself from these types of social engineering attacks.

Be careful of the background you use on videos and video conferencing

As we mentioned at the beginning of this post, the key to social engineering is finding personal information a cybercriminal can use against you to get you to trust them. The more personal information they know about you, the easier that is. Make sure you have no personally identifiable information behind you on your next video chat. One easy way to do this is to use a virtual background. This feature is available for both Zoom and Microsoft Teams (but not currently for Google Meet). Here are links to how to use them:

Consider the Source:

A USB stick you find lying around isn’t necessarily trustworthy. A text or email from your bank isn’t necessarily from your bank. Spoofing a trusted source is relatively easy. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number. Hovering over links in the email will show the actual URL at the bottom, but a good fake can still trick you.
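The hover-and-compare check described above can be automated for an inbox or a mail gateway. The script below is an added example, not code from the original post or from The Garam Group: it pulls every link out of an HTML message, compares the host the visible text claims with the host the real href points to, and flags links that are not HTTPS or that use a bare IP address. The sample message and every domain in it are constructed for this example, and the "registrable domain" helper is a deliberate approximation (last two labels) rather than a public-suffix lookup.

```python
"""Flag suspicious links in an HTML email body (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message: one honest link and two deceptive ones.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your shipment is on hold. Please <a href="http://secure-login.example-delivery.net/verify">
verify your address at https://www.example-delivery.com</a> within 24 hours.</p>
<p>Track it here: <a href="https://www.example-delivery.com/track/123">www.example-delivery.com/track/123</a></p>
<p>Or <a href="http://203.0.113.10/login">click here</a> to sign in.</p>
</body></html>
"""

# Matches something that looks like a domain name inside the visible link text.
_DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join(" ".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Approximate owning domain as the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_domain(text):
    """Domain the visible link text claims to point at, or None if it names none."""
    match = _DOMAIN_RE.search(text)
    return registrable_domain(match.group(1)) if match else None


def is_ip_literal(host):
    """True when the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the list of reasons this link looks suspicious (empty list = no finding)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append(f"not https ({parsed.scheme or 'no scheme'})")
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    claimed = claimed_domain(text)
    if claimed and host and registrable_domain(host) != claimed:
        reasons.append(f"text claims {claimed} but link goes to {host}")
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"[{status}] '{text}' -> {href}")
        for reason in reasons:
            print("    -", reason)
```

Run against the constructed sample, the first link is flagged because its text names example-delivery.com while the href goes to example-delivery.net, the second link is clean, and the third is flagged for plain HTTP and a bare IP host. The same check is what a reader performs by hovering; the gap the post warns about (a "good fake") is a lookalike domain that the text does not name at all, which this script cannot catch without a sender allow-list.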

Check with friends or colleagues if you were not expecting a link or attachment

Hackers, spammers, and social engineers often take control of people’s email or social media accounts. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment, check with your friend or colleague before opening links or downloading anything.

We can help!

Phishing schemes and social engineering account for most cyber-attacks these days. It’s important to make sure everyone in your company has cybersecurity training and is aware of these ever-changing tactics for gaining access to their personal information and login credentials.

The Garam Group has an excellent platform called Breach Secure Now that can provide on-demand video-based training, simulated phishing tests, and more to your whole organization at a very affordable price. Contact us today at 315-473-9600 for more information.
