Cybersecurity scenario: Attacks using LinkedIn information

IT & Epic

This message comes from Ballad Health’s IT team. Here’s a mock scenario in which someone is victimized by a cybercrime due to information provided on social media.

George, a social engineer, or “hacker,” follows thousands of people on LinkedIn who work in healthcare, watching for opportunities to gain access to patient, organizational or financial information that can be turned into cash or used to cause harm to an organization, its team members or its patients.

Carrie, an ABC Healthcare team member, posts on her LinkedIn account that her organization recently sent out an enterprise-wide team member satisfaction survey. Carrie expresses how grateful she is to work for a company that cares about its culture so much that it proactively seeks team member feedback.

The Hack

George sees that Carrie’s LinkedIn profile includes her cell phone number in the “About” section, and he targets Carrie with a smishing campaign, which is the text-message version of phishing. He remembers her post about the recent team member satisfaction survey and pretends to be the contracted company administering the survey. George states that her survey response was not captured due to a technical glitch, and he provides a link in the text that he claims will let her retake the survey.

Carrie really wants her voice to be heard, so she clicks on the link, which George had laced with malicious software, allowing him to access all the information she stores on her phone. He finds that Carrie stores all her passwords, for both personal and work accounts, in her phone’s “Notes” app, rather than in a secure password management app like LastPass.

George quickly uses her work credentials to log into her work account. He is delighted to find that Carrie works in Finance and has access to accounts holding millions of dollars. George gets busy hacking the accounts and transferring the money into his offshore accounts. George is also very pleased to find that Carrie had failed to turn on multi-factor authentication on her personal banking and investment accounts. He now has complete access to those accounts as well.

Don’t Take the Bait

How to avoid this outcome: Carrie should not have clicked on a link from someone she didn’t know. She should have confirmed the sender’s identity before taking any action. Carrie also didn’t take the proper steps to protect her important information with tools such as a password management system and multi-factor authentication.