Social Engineering Attacks: Be Careful What Office Pictures You Share From Work

That popular Instagram post of your desk to prove you are now part of the #adultlife may help prove to your friends and family that you are indeed #adulting but the post your mom is sure to heart may also be the one that brings a severe security threat to your company, your co-workers and possibly your clients.

The image may seem innocuous to you but could easily incite rage for your IT department because an image of your desk could include multiple items that could help attackers identify you and private company information; the make/model of your computer, your phone, your geolocation, your ISP and so much more.

Through social engineering, Instagram and social media posts like that are how Rachel Tobac was able to dupe multiple companies at the Def Con/Black Hat conference in Las Vegas, where she took home second place in the SECTF. “The best way to protect your employees, information, is to realize that every picture posted from work is a potential backdoor to your data,” Tobac said Tuesday at Structure Security 2017.

Tobac said 60 percent of information required to hack a company can be found in the pictures employees post on social media.

Your desk is the perfect example of a thing NOT to post a picture of. “Your work station tells me everything about you,” Tobac said. "From operating system, browser, and antivirus you use to your interests… [the picture] gives me everything I [could] need. Which OS, mail client, make and model of your computer, I can pass that off for a later technical attack.”

It can be something as simple as what delivery service your building uses for mail, the uniforms worn or business that could help a hacker compromise your information.

Tobac isn't a hacker or security professional by trade. Now a researcher, Tobac was a special education teacher recently and said her experience shows how a novice (noob) can upend businesses and spot vulnerabilities. Through social posts, Tobac said what’s next is for a SE to try and contact the person or company.

“Most attacks we see today start with a phishing email or a phishing call; information later used for a technical attack,” Tobac said. "Noobs and experience attackers are on an even playing field,” so it’s important businesses communicate to employees how to operate securely.

Tobac also said many hackers “hackers may just sound a little different than you expect,” so be careful for unsolicited phone calls from people, like her, that sound harmless and are asking seemingly innocent questions … they could be owning you as you speak.

Editor’s Note: Newsweek Media Group and International Business Times partnered with Structure to host Structure Security 2017.