If somebody made a pie chart of every article I’ve ever written about fraud prevention, a very large slice of that pie would be “how to avoid giving away your own personal information to people who shouldn’t have it.”
But victims revealing their data directly isn’t the only way this information falls into the wrong hands. “Of course!” you might say. “There are those big data breaches.”
And that’s true. But there is yet another route that doesn’t get talked about as often: other people being tricked into revealing your data on an individual basis.
Let’s say you’ve got a non-private Instagram account under your actual name, where you post photos of the things you do and the places you go. You go on vacation and post a “check-in” at the hotel at which you are staying.
Eventually, somebody you don’t know sees this post and decides you look like you might have some extra money sitting around. So they call the hotel after you’ve gone home and start asking for details about your stay, pretending to be you. Maybe they’ll say, “I was there on business, so I need to know what card I used, and what email address the information was sent to because I can’t find it,” or maybe they’ll concoct some other way to find out where you bank and harvest some contact information.
Now, maybe the person answering the phone knows about social engineering and cares about keeping people’s information safe. But then again: have you ever checked into a hotel and had to deal with a front desk person whose name might as well have been Yeah Whatever? What if that eyeroll-come-to-life answers the phone? They might not be too bothered about whether or not the person they’re talking to is really you, and just answer the questions to get the caller to go away faster.
Armed with your name (from your Instagram account) and some information about where you bank (and perhaps the last four digits of a card number) and how to contact you, the scammer can then call or email you, pretending to be your financial institution. The premise of this contact? Easy. “There were some charges made in [wherever you just vacationed], and we wanted to make sure it was you,” and from there he or she can attempt to gain access to your account.
Granted, this kind of multi-level, personalized social engineering isn’t extremely common, but it illustrates an important lesson: you’re not the only potential target for people trying to obtain your personal information. It is vital to watch for the signs of unauthorized access, to be aware of social engineering tactics, and to be extremely wary of any contact that appears to come from your financial institution, even if the person contacting you seems to already have some of your personal data.