Scams are costing organisations millions of dollars a year – the figure Australia-wide for the cost of scams was $2.74 billion for 2023, and $135 million of this was attributed to phishing. When a spray-approach phishing email – the traditional vector of a data or network breach – arrives in an employee’s inbox, the best-case scenario is that it’s reported swiftly and then deleted from any other inboxes it may have hit. Scammers, however, have other ideas, and spear phishing is on the rise. This is, in some ways, thanks to the proliferation of GenAI, which scales up the crafting of emails so targeted that the intended victim may pause before reporting or deleting them.

But what makes you a target for such precisely aimed attacks? The answer lies in your digital footprint.

How does an employee get spear phished?

Spear phishing leverages personal information to bypass your defences. But where does this information come from? Your digital footprint.

Social media sharing: A generational divide

Your online behaviour, influenced by your generational identity, plays a significant role. Digital natives, or younger internet users, often share their lives more openly online compared to older generations who learned internet use later in life. This difference in sharing habits can provide scammers with a trove of personal information.

Cultural nuance: The impact of sharing

Different cultures have varied norms around sharing, whether it's family news or expressions of gratitude. These cultural footprints can offer attackers unique angles for personalised scams.

Workplace history diversity

Your professional background, which can include past complaints, old workplace profiles on websites or association memberships, and certifications, can all be pieces of the puzzle for a spear phisher looking to gain your trust.

Schools and Alumni networks

Old school photos, club memberships, and alumni relations can also be exploited for spear phishing attacks, providing a pretext for contact that feels familiar and trustworthy.

Social engineering, phishing awareness, and bias

Awareness of how all this juicy information can be used is the first step in defence.

Everything is useful: That photo of your pet with its name in the caption? It's not just cute—it's information that could be used in a phishing attempt (ever used your pet’s name in a password?)

The "Small Phish" fallacy: Believing you're too insignificant to be targeted is a common mistake. Everyone is a potential target.

Complex social situations: Scammers can use your past to fabricate a scenario or relationship that seems believable, leveraging shared experiences or mutual contacts to lower your guard.

Steps to take to reduce your digital footprint

Minimising your risk involves actively managing your digital presence and, where necessary, retroactively deleting material that is already out there.

Google Yourself: Use search engines to uncover what information about you is publicly accessible. Have a look at ‘search operators’ and ‘Google Dorks’.

Check Have I Been Pwned?: This service can tell you if your information has been part of a data breach, indicating potential exposure.

Think twice before sharing: The background of a photo, airline tickets or PII (Personally Identifying Information), or the details in a Facebook post—all can reveal more than you intend. Always consider what personal information might be gleaned from your shares.

A safer digital environment

Understanding what our digital footprints reveal about us online is a crucial step in maintaining our privacy, and by taking proactive steps to better curate our online presence, we can better protect ourselves.