It’s happened to just about all of us – we’ve gone to a travel website and then been bombarded with an avalanche of ads related to the destinations we looked up. It’s the same with products we’ve bought or services we’ve consulted. Our online browsing history is very valuable for companies that want to offer personalised advertising: it allows them to build algorithms around what we like or dislike.
It can also be used for non-commercial purposes, even helping to create states of mind. This is what happened in 2016 in the US election that gave Donald Trump victory. Two years earlier, Cambridge Analytica had collected data from 270,000 Facebook users. This information included data on the friendships of these users, so that the consultancy amassed material on 50 million accounts. This information was later used in the Republican Party’s election strategy, disseminating manipulated data and content to bolster Trump’s vote. The scandal over the privacy of this data that followed was a major blow for Facebook, and in 2019 Mark Zuckerberg had to reach an agreement with the US Federal Trade Commission to pay a compensatory fine of five billion dollars. After apologising in his own country, Zuckerberg did the same in the European Parliament, as 2.1 million of the leaked accounts belonged to European citizens.
The data we post on the internet is not only of interest to large multinationals who want to target us with personalised ads or to sell it to third parties. There are also cybercriminals who want our data to engage in illegal activities. One example is the impersonation of a small craft business, a case taken up by Spain’s Internet Security Office. The owner used social media to promote her products and had managed to gather a thousand followers. To reward their loyalty she decided to organise a raffle. The cybercriminals opened a fake but almost identical account with all the information of the craft business and began contacting followers, making them believe that they had won the draw. To claim the prize, however, they were referred to a different website where they were offered the chance to watch free movies... but only after registering their bank details. Fortunately, the business owner received a call from a follower and immediately reported what was happening on social media, blocked her real profile and documented everything she had learned so that she could report it to the authorities.
Cyber impersonation can be big business. At the end of last year, the courier company MRW suffered an SMS phishing attack: fake messages directed customers to a web page that was very similar to the real one, but where a fake shipping locator asked them to pay a fee to receive their package.