Cyber security consultancy PureCyber is warning holiday makers of the dangers of oversharing about their summer breaks on social media and falling prey to the work of cyber criminals.

With the world opening back up, the temptation of sunny climes and city breaks are too alluring for most. Unfortunately, cyber criminals don’t take holidays, and as such, Cardiff-based PureCyber is emphasising the importance of caution even when the out-of-office is on and the suitcase is packed.

Social Engineering is the term used in the cyber industry when hackers utilise information posted on social media platforms to make their phishing emails more convincing. Cyber criminals are adept at using deception to manipulate individuals into divulging confidential or personal information or carrying out tasks that may be used for fraudulent purposes.

PureCyber CEO Damon Rands said:

“It’s all too easy to be caught up in the excitement and start posting about your journey all over social media, whether this is your hotel details, airport, boarding pass or snaps from the side of the pool. Unfortunately, a delayed flight could be the least of your worries.

“All it takes is a threat actor (cyber-criminal) to view your social posts to discover that you are away from your home or office and to use this to their advantage. With this information, they can craft a more targeted attack such as a phishing e-mail or share with criminal networks that your house is potentially empty.”

Phishing emails can be known as ‘spear phishing’, or for bigger targets such as CEOs and directors, ‘whaling’. It’s estimated that these tactics were used in 80% of successful attacks on businesses in 2021/2022. To gain trust from the recipient, attackers utilise the information they find from social posts to make them more convincing.

Damon added:

“It is much easier to pressure someone into actioning a request such as paying an invoice, sending important files or purchasing items that are ‘vitally important’ when you have some personal background details to reference.

“We recently assisted in a case where a CEO posted a photo of their boarding pass on social media which contained everything about their plans including destination and time of the flight. An attacker used this information and sent a perfectly timed email to the finance team, requesting an urgent payment of £25,000 to a supplier, all while the CEO was in the air and uncontactable.

“The attacker was relying on the staff member who had recently joined the company not being able to reach the CEO to check the details, causing panic about the short deadline in which to send the money. The transaction went through, with the new clerk only suspecting something was wrong when the attacker requested a second transfer.

“Many people share with their friends and loved ones that they are having a fantastic time away on a much-needed break from the office or workplace. Our advice, however, is to save the holiday snaps and tales for when you’re back home and present which helps to protect both your place of work and home.

“Alternatively, if you can’t resist a cheeky post, you can set up systems or checks for any e-mails received from you. For example, instructing your peers or employees to not action any e-mails from you either until you’re back, or until they’ve confirmed this with you separately, either by video or phone call. Creating a panic or urgency is one of the main ways that cyber criminals achieve their goals so removing this with a check system or rule such as the above in advance can be the best form of defence.

“Whether you’re on holiday, or on the receiving end of an e-mail from a colleague who is, take your time to put procedures and steps in place to help protect yourself and your business from the threat of cyber criminals, allowing you to relax and enjoy your break.”