Every day, millions of people are duped into sharing personal information online that they shouldn’t. Maybe they’re unclear about how data is collected and used in our digital society, maybe they’re distracted or maybe they’re so used to getting emails from their bank that they fill out one of those we-need-to-update-your-information requests without a second thought.
Even the most discerning online users get caught off guard by social engineering schemes that seem totally legitimate. Just a few weeks ago, that banking spoof happened to one of my own security-conscious family members.
Raising awareness about these common attack tricks, educating citizens on ways to protect their personal information and encouraging more transparency from businesses that collect customer data are the goals of Data Privacy Day 2022. This international initiative is observed on January 28 in the United States, Canada, Israel and 47 European countries (where it’s known as Data Protection Day).
How You Can Protect Your Most Valuable Data
Every time you, as a consumer, set up a new online account or application, you’re asked for personal details that are often beyond what the service provider needs, such as geographic location and access to your contacts list, photo albums and more. Each bit of information provides valuable insights about you — for both the service provider and would-be attackers — and should be shared with discretion and care. The National Cybersecurity Alliance has a great list of tips for managing your privacy settings on popular online accounts and personal devices.
Of course, there are plenty of instances when consumers do not have a say in the matter: online fraud is rampant, and just last year there were over 450,000 reported instances of credit card fraud. The good news is it’s become easier to cancel a credit card or alert your bank that your account may have been compromised.
What’s more difficult to get past is an attack on your personal identity — on the things that make you you: your name, the day you were born, your address, your social security number. An attack on your identity could mean someone taking out a credit card or a loan in your name and running up debt, for example. This could negatively impact your credit score, then down the road, your ability to buy a car, activate a cell phone, take out a mortgage and more.
One of the reasons attackers have become so successful at tricking individuals into disclosing personal information is the specificity of their attempts. They work hard to get to know you and your everyday habits before making their move, like where you bank and which cable company or energy supplier you use.
My family member’s bank email spoof was a textbook example of this. Another happened to a friend who received a “number spoof” call from someone pretending to be from his child’s gymnastics school – quite a personal and specific context. The attacker displayed the gym’s legitimate number on caller ID to gain familiarity and trust in an unethical attempt to obtain banking information.
Unfortunately, the pandemic only exacerbated the problem. With so many people working remotely, spending more time online and, in many cases, switching between devices and between personal and public WiFi services, bad actors found fertile ground for social engineering attacks.
Even though attackers have evolved their tactics in the face of opportunity, they’re still using con artist tricks that have worked for ages. They’re just trying to make us do what we wouldn’t normally do, using details or bits of information to push us into panicking or lull us into letting our guard down. The old techniques haven’t gone away — they’ve just had a boost from technology.
Identity is the New Currency and Should be Treated as Such
Some things just go better together, like peanut butter and jelly, or data privacy and data security. There are some simple — yet highly effective — ways to secure your personal data in daily life. And in a lot of ways, they mirror basic practices embodied in the Zero Trust security model many enterprises follow today. In honor of Data Privacy Day, consider taking these proactive steps on January 28:
- Change all your passwords: make sure they are strong (25+ characters) and use a unique password for everything. Repeating the same password for multiple devices or services just gives attackers more room to move.
- Activate multi-factor authentication (MFA) whenever you can — especially on accounts containing sensitive information about your personal identity.
- If you’ve got an iPhone, you can use the password wallet. Also consider using a password manager to help secure your personal passwords for various accounts. That way, you never have to save credentials in your browser, since attackers have many clever ways to capture them there.
Even if someone is trying to use your personally identifiable information (PII), setting up these password roadblocks will help mitigate some of the damage that can be done.
Of course, individuals aren’t the only ones who need to change their attitudes and behaviors around data privacy. Organizations also need to be more diligent about protecting customer data — especially PII — by regularly assessing data practices, adhering to industry and government regulations and enhancing transparency around what type of data is collected and for what purpose.
Protecting what makes you you requires vigilance and a collective effort to emphasize and protect the true value and privacy of personal data. Only then can we mitigate attackers’ power and defang their tricks — whether old or new.