As companies flock to social media for their branding needs and employees continue to spend time on the likes of Facebook, Twitter, and other social sites, there’s a growing concern about the risks associated with using these sites—concerns that could threaten the security of your business.
The number of people with active social media accounts is in the hundreds of millions today. In fact, statistics from Pew Research Center show “Roughly two-thirds of U.S. adults (68%) now report that they are Facebook users, and roughly three-quarters of those users access Facebook on a daily basis.”
The popularity of social media has made it a great place to market your business and connect with customers. Unfortunately, social media is also an attractive target for cybercriminals.
According to an article titled “Why Social Media Sites Are The New Cyber Weapons Of Choice,” published on Dark Reading, “nefarious activity takes place across social channels, while most organizations remain oblivious and exposed. Companies’ poor social media security practices put their brands, customers, executives, and entire organizations at serious risk.”
As a business, your social media security risks are two-fold.
First, you must protect your business’s social media accounts from hackers and cyber-attacks.
Second, you also need to be concerned about how your employees use social media, while at work and even at home. The interconnected nature of social media could open up your business to attack from hacked personal accounts, especially if those accounts have direct access to your business profiles.
So how do you keep your business safe, especially since much of what happens on social media isn’t under your direct control?
One of the big keys is educating yourself and your employees about the dangers. Here we highlight some of the biggest risks found on social media sites, along with tips you can implement right away to improve your social media security.
The friendly and intimate nature of social media sites often causes people to drop their guard. Many feel like they are among friends and share information with complete strangers that they would never divulge in a public setting in the real world.
For example, many users won’t think twice about announcing their vacation destination and the dates they will be out of town on their Facebook page. Some may post pictures of their child’s first day in kindergarten while inadvertently revealing the school the child attends. Others might share remodeling photos that include their home address. Still others share details about their job, their pets, or their relationship status, without thinking twice.
The fact is that revealing personal information on social media sites can be very dangerous. Scammers and hackers often use details like these to create targeted phishing emails that could expose your computer to viruses or get you to reveal login details for your email account, social media profiles, or bank accounts.
Hackers can also use personal details to guess the answers to security questions in order to hack into your account, crack other account passwords, or steal your identity.
Surveys & Questionnaires
Cybercriminals often create fake surveys or questionnaires to get social media users to divulge personal information without realizing it.
Think twice the next time a Facebook survey asks about your favorite teacher or childhood pet. Chances are, a scammer is trying to get you to reveal answers to your account security questions in order to hack your account or sell your account details on the dark web.
Phishing isn’t just for email anymore. Personalized information sharing on social media has made it easier than ever for hackers to identify specific targets and create posts with links tailored to their interests. Known as spear phishing, this practice has proven exceptionally effective.
A May 2017 article published by the NY Times reported that Russian hackers were able to hack into the computer of a Pentagon official via a seemingly innocent message sent to the official’s wife on Twitter.
The message, a link to a vacation package, contained malware that allowed the hacker access to the wife’s computer. The attacker was then able to use the couple’s shared home network to get to the Pentagon official’s computer. The message was sent after an exchange of messages with friends about what they planned to do with their children over the summer.
The article goes on to report the testing results from cybersecurity firm ZeroFOX that showed “66% of spear phishing messages sent through social media sites were opened by their intended victims.”
Phishing attacks like these take advantage of the fact that people are not expecting to be attacked by someone in their own network or circle.
It’s also not easy to check the validity of links before clicking on them since many people use shortened links on social media sites to save space. These shortened links make it easier for hackers to hide suspicious links.
Social media users also need to be aware of fake third-party apps that could request access to their profiles or account information. Such applications appear to be part of the social media network, but their only function is to steal a user’s information, such as email addresses, account logins, and phone numbers.
Before you click OK to allow access to a third-party application, make sure it is an app that you know and trust. If you aren’t sure, deny access to any application that asks for permission to access sensitive data. If the application turns out to be legitimate, you can enable access later, using the security settings within the social network.
Fake Accounts/Connection Requests
One of the more elaborate schemes that’s becoming increasingly popular is the creation of fake accounts that send friend or connection requests to users within the network.
Once a fake account is connected to a user, it’s relatively easy to trick the user into clicking a malicious link.
This is just what happened in The Curious Case of Mia Ash, a fake LinkedIn persona that was designed to establish relationships with employees at targeted organizations.
Regarding the Mia Ash case, a Secureworks Counter Threat Unit report revealed:
“On January 13, 2017, the purported London-based photographer ‘Mia Ash’ used LinkedIn to contact an employee at one of the targeted organizations, stating that the inquiry was part of an exercise to reach out to people around the world. Over the next several days, the individuals exchanged messages about their professions, photography, and travels. Sometime before January 21, Mia encouraged the employee to add her as a friend on Facebook and continue their conversation there, noting that it was her preferred communication method. The correspondence continued via email, WhatsApp, and likely Facebook until February 12, when Mia sent a Microsoft Excel document, “Copy of Photography Survey.xlsm,” to the employee’s personal email account. Mia encouraged the victim to open the email at work using their corporate email account so the survey would function properly. The survey contained macros that, once enabled, downloaded PupyRAT.”
PupyRAT is an open-source, cross-platform Trojan designed to infiltrate victims’ computers.
This example clearly demonstrates the importance of using caution before accepting friend or connection requests from people you do not know.
Of course, the most obvious threat for business owners engaging on social media is profile hacking. Any of the threats we’ve already discussed can lead to getting your business’s social media profile hacked. This can cause a PR nightmare for your business and cost you customers, who could lose trust in your brand or products.
One of the most well-known profile hacks happened to HBO in August of 2017, when the hacker OurMine took over several of its social media profiles, including its Game of Thrones Twitter account. OurMine is also known for hacking into the social media accounts of other high-profile figures, including Facebook CEO Mark Zuckerberg.
Key Points to Remember When Using Social Media Sites
DON’T over-share personal information
Be very cautious about posting or sharing information that could be used to answer security questions, including birthdays, family member names, pets, home addresses, etc. Steer clear of online surveys or apps that ask for personal details, which cybercriminals could use to engineer a spear phishing attack against you.
DON’T click on suspicious links or posts
Treat links on social media the same way you would if you received an email. Be wary of special deals, discounts, or offers, even if they come from friends or family within your social network.
DON’T accept connection requests from people you don’t know
If you don’t know the person who is requesting to connect with you on social media, ignore the connection request. Period.
DO use strong, unique passwords for each platform and change them often
While it can be tempting to use the same password for all of your accounts, this practice leaves you wide open to hackers, who could, potentially, access all of your accounts by obtaining just one set of credentials.
Instead, create unique passwords for each account and change them on a regular basis. That way, if someone does gain access to your information, it will likely be out of date by the time they are able to use it.
DO use two-factor authentication whenever possible
Check the security settings for all of your social media platforms and activate two-factor authentication. This means you will need to verify your account from another source (such as your email or cell phone) before you can gain access to your account in the future. Enabling two-factor authentication makes it more difficult for hackers to log in as you and change vital information.
DO regularly check your privacy settings on each social platform
Be sure to check the privacy settings for all personal accounts on each platform that you use and limit who sees the things you post. This can prevent just anyone from gathering personal details about you that can later be used as a basis for phishing emails or other types of cyber-attacks.
DO check which third-party apps have access to your social media profiles
Check the list of third-party apps that are linked to all of your social media accounts on a regular basis. If there are apps in the list you don’t recognize, delete them from the list or set them to disallowed. You can always reactivate them if you find they are legitimate later on.
DO educate yourself and your employees on social media attacks and threats
Stay up to date on news surrounding cyber-attacks and continue to educate yourself around security. Businesses should also set up regular training sessions to discuss safe social media usage within the company.
DO actively monitor your social media accounts
Dormant social media accounts can become havens for hackers. Be sure you are regularly checking each social media account you’ve established. If you decide that you don’t want to use a particular account, close it out so that it doesn’t become a target for hackers.
DO put someone in charge of your social media
Appoint someone in your organization who will be in charge of updating your social media profiles and monitoring your posts. Also be sure to limit the number of account administrators for each social media account to limit your vulnerability.
Most social media sites have created security centers to help you mitigate and avoid security issues, including Facebook’s security center and Twitter’s safety center. LinkedIn has published two posts on how to maintain security and privacy, and how to protect yourself against hackers.
Finally, it’s never a bad idea to develop internal social media policies to help safeguard your office computers and employees. These policies can cover everything from how (or if) the company should use social media during business hours to how employees can protect their own information while using these websites.
For help with increasing your security or managing the data collected by social media sites, contact the IT experts at EZComputer Solutions.