Digital Security Awareness for Non-Technical Professionals


Your Digital Footprint Puts You at Risk: Why Every Professional Needs to Be Digitally Secure

We've all heard of a carbon footprint, but what's a digital footprint? A digital footprint refers to the trail of data that is left behind by individuals when they use the internet. This footprint can be categorized into two primary types:

  1. Active Digital Footprint: This includes data that a user intentionally shares online, such as social media posts, comments, online forms, emails, and other forms of communication.

  2. Passive Digital Footprint: This consists of data collected about a user without their explicit knowledge, such as browsing history, IP addresses, cookies, and other metadata collected by websites and online services.

Why does this matter?

A digital footprint can reveal a lot about a person’s online behavior, preferences, and identity. It can be used for many purposes, from targeted advertising to cyber surveillance to outright cyberattacks. Avast's Q1/2024 Threat Report shows that 90% of cybersecurity threats blocked in the first quarter of this year are social engineering scams targeting professionals like you.

Keeping your systems updated is crucial—and thankfully, most people do. However, that very diligence in maintaining device security is precisely why 90% of cybersecurity attacks now exploit human behavior rather than unpatched devices. Managing one’s digital footprint is important for privacy, but it is even more important for security.

Understanding The Tactics and Techniques Behind Cyber Attacks

Much like NFL coaches, cyber attackers have a playbook filled with attack Tactics, Techniques, and Procedures (TTPs). These TTPs are used to exploit human behavior and manipulate victims into divulging sensitive information or performing actions that compromise security. A tactic is a broader strategy or plan that encompasses multiple techniques, while a technique is a specific method or approach used to achieve a goal. Here are some common cyber attack tactics that you should be aware of:

  1. Phishing: Fraudulent communications seeking sensitive information that appear to come from a reputable source.
  2. Watering Hole Attack: Infecting a legitimate website that a particular group frequently visits with malware.
  3. Scareware: Prompting users to install malware disguised as security software by using fake warnings or pop-up ads to scare the victim into believing their computer is infected.
  4. Identity Theft: Using stolen personal information, like social security numbers, addresses, and birthdates, to engage in fraudulent activities under the victim's name.
  5. Synthetic Identity Theft: Using a combination of real and fake personal information to create a new identity.
  6. Medical Identity Theft: Using stolen personal information to obtain medical care, prescription drugs, or medical insurance benefits in the victim's name.
  7. Tax Fraud: Fraudulently collecting refunds by filing false tax returns in the victim's name.
  8. Financial Fraud: Using stolen personal information to access bank accounts, credit cards, or other financial assets.
  9. Impersonation Fraud: Pretending to be someone else to deceive victims into providing sensitive information or performing actions that compromise security.

Attackers employ a wide range of tactics to defraud their victims, but the diversity and creativity of these make it impossible to list every type. Some of the commonly observed techniques include:

  1. Vishing (Voice Phishing): Using phone calls to deceive victims into divulging confidential information.
  2. Smishing (SMS Phishing): Phishing attacks conducted via SMS text messages.
  3. Spear Phishing: A targeted form of phishing aimed at specific individuals or organizations using personal information gained online.
  4. Whaling: A form of spear phishing that targets high-profile individuals like executives or celebrities.
  5. SIM Swapping (aka, SIM Hijacking): Attackers trick mobile carriers into transferring a victim's phone number to a new SIM card, allowing them to intercept calls, texts, and two-factor authentication codes.
  6. Credential Stuffing: Attackers use stolen login credentials from one site to gain unauthorized access to other accounts.
  7. Pretexting: Creating a false pretext to obtain sensitive information, such as pretending to be a bank representative or tech support to get account details.
  8. Pharming: Redirecting website traffic to a fake site to steal login credentials or other sensitive information.
  9. Baiting: Offering something enticing, like a free download or gift card.
  10. Quid Pro Quo: Offering a service or benefit in exchange for information.
  11. Tailgating (Piggybacking): Gaining unauthorized access to restricted areas by following someone who has legitimate access.
  12. Shoulder Surfing: Physically observing someone’s private information, such as passwords or PINs, by watching them as they enter it on a device.
  13. Honey Trap: Creating a fake profile or persona, often to build a relationship with the victim and extract information or persuade them to perform compromising actions.
  14. Dumpster Diving: Searching through trash to find confidential information like discarded paperwork, financial statements, or other sensitive documents that can be used to launch further attacks.
  15. Impersonation: Pretending to be someone the victim knows or trusts (like a coworker or authority figure) to obtain sensitive information or access.
  16. Reverse Social Engineering: Convincing a victim that they need help and then offering that help, thereby gaining trust and extracting information.
  17. Diversion Theft: Using deceit to redirect a delivery or service to a location where the attacker can intercept it.
  18. Rogue Software: Malicious software disguised as legitimate software to trick users into installing it and granting administrative access.

These are just a few examples of tactics and techniques used "in the wild". In reality, there are hundreds or thousands of variations, each uniquely crafted to exploit human behavior. You may have noticed that I failed to mention procedures in this post. Those details are too granular for this high-level overview.

What Can We Do About It?

The best defense against cyber attack is awareness. Because of this, I'm launching a blog series titled "Digital Security Awareness for Non-Technical Professionals." This series is designed to serve as a helpful, but not all-inclusive, guide to navigating the daunting world of digital security. My goal is to empower you with the knowledge and tools that will help you protect yourself online.

Reading this blog series will help you become more digitally aware and start to practice operational (OPSEC) and informational (INFOSEC) security in your daily life. Doing so will significantly reduce the risk of falling victim to these schemes. Let’s take the first step towards a more secure digital future, together.

Stay tuned for future posts where I'll help you explore various aspects of digital security and provide actionable advice on how to stay safe in this ever-evolving digital landscape.