I was doing some work for a customer recently where I had to export a list of their 300 employees with names, titles, office locations, extension numbers and email addresses. While I typically treat all data like this as if it were my own social security number, I thought about how many organizations don’t. I have seen many companies publicize this type of information on their website and other public spaces. While it may seem like exposing this type of data is innocent enough, it actually puts your organization and users at risk of social engineering attacks.
For example, there is a popular scam where attackers will use the name of a CEO or another executive on a random email address to send a message to someone in the organizations accounting department requesting that funds be transferred to an account in the attacker’s name. All the attacker needs is an employee list with email addresses and job titles to start going after that organization’s confidential data or resources.
Putting email addresses on your website not only increases your risk of attack, it also makes it easier for spammers to scan your site, grab those email addresses and start assaulting your inbox with advertisements for certain ‘enhancing’ medications. It is always best practice to use a form that visitors fill out and then their information is emailed to you. You can further secure yourself by making sure that email is sent to a shared mailbox so an auto-reply doesn’t give out more information about yourself than you would want an unknown individual to know. In addition, a shared mailbox will allow multiple staff members to manage those submissions.
An attacker will use any information they can get their hands on to go after you and your organization. It is best practice to have a default mindset of ‘no one needs to know’, forcing you and your staff to make a case for public use of information instead of making a case to secure your data.
If you would like us to come in and review your environment, website and other public facing materials to see where you may be at risk, talk to us.