Creating a culture of security for social butterflies

By Mieng Lim
September 24, 2021

While social media platforms offer many benefits, they also open doors to new attack vectors for criminal hackers to access personal and corporate data.

Organizations today are challenged to find a balance between encouraging employees to utilize social media for business while staying mindful of the potential security issues. Malicious actors know that not all employees are vigilant about cybersecurity, so they target those who may not be as careful with what they share. Malicious hackers are also crafty enough to understand human nature, so they can extrapolate substantial sensitive information about someone, such as credential habits, from social media posts that seem innocuous.

There are various ways employee “social media butterflies” can be careless and inadvertently put your company at risk. But there are also ways to head these threats off at the pass. Ensure your employees understand the security risks of social media, provide awareness training and implement best practice policies for smarter socializing.

A Good Target

New social platforms often seem to spring up overnight and gain adoption quickly. As a result, individual social media footprints are only increasing. This gives social hackers more opportunities to use common tactics like whaling and clickjacking to access sensitive data. These social engineering evil geniuses utilize social media sites such as Facebook, Twitter, Instagram, LinkedIn, etc., to track and attempt to take down entire organizations. It all starts with one trusting person.

Below are some of the top “tricks of the trade” when it comes to types of social media attacks:

  • Phishing – Though this tactic isn’t new, it has expanded from email into social media platforms. It usually occurs when a user receives a fake message from a malicious hacker or social engineer posing as a colleague or brand representative. The message may contain a bogus request or an enticing offer with a nefarious link leading you to an unsecure page containing vulnerabilities.

  • Botnet attacks – A “botmaster” will often string together several bots to carry out many behaviors that result in something far more damaging than the work a single bot could carry out.

  • Clickjacking – This technique conceals hyperlinks beneath legitimate content, leading the user to unknowingly perform damaging actions such as downloading malware or sending their credentials to a nefarious site. Numerous clickjacking scams have employed “Like” and “Share” buttons on social networking sites.

  • Elicitation – In the past, we called this “chatting.” Today, it’s the strategic use of written conversation to extract information from people without giving them the feeling they are being interrogated. This could happen via any social media platform with a private messaging feature.

  • Profile hacking scams – Facebook, LinkedIn and many other social media platforms rely on profiles. Cybercriminals use real photos and believable characteristics of real people to create a composite profile that entices specific users to connect with them, while planning to steal from the targeted individual or someone in the individual’s network. This scam usually tricks people into sending money by wire transfer or through another social application, such as a GoFundMe campaign, or serves as the launch point for elicitation or clickjacking schemes.

  • Logging in with third-party authentication – Many applications on cell phones have the option to log in with Facebook, Google, or other third-party authentication. This sets up large keychains of data that are easily mined for information, giving hackers clues to possible passwords to more sensitive sites, such as a user’s work email. Data mining also allows malicious actors to exploit data on a larger scale from social media companies and use it to benefit a few. For example, in the past, these exploits have been exercised to profile the kinds of individuals most likely to respond to fake news campaigns during election years. However, malicious actors aren’t always responsible for this data changing hands. Sometimes companies willfully sell your data to third parties to improve their marketing campaigns or other profitable interests.

Socializing Safely

Once employees are aware of the types of attack methods out there, the best practices below can go a long way when it comes to safer social media engagement:

  • Check your check-ins – How many of us have “checked in” at a local restaurant while celebrating a family member’s birthday or attending an event? While most people engage in this way for discount incentives, others do it to let friends and family know their whereabouts. But most fail to realize this information is intelligence for those looking to better understand your schedule, habits and potential opportunities for strategic cyberattacks. History shows us that criminals have leveraged social media location statuses to orchestrate physical security attacks or robberies on homes, hotel rooms, and even offices, knowing when the individual is away.

  • Don’t go public – Check out the privacy settings for the various social media services you utilize, and make sure you only share information with people you know. Also, check your privacy settings on each social media platform connected to another social media platform. How are they sharing your data with one another? Additionally, you can disable Global Positioning System (GPS) coding in items you might not normally think of, such as your cell phone camera.

  • Don’t trust blindly – Before opening attachments sent via social media channels, verify with the user first (via email, text, call, etc.) to make sure the person you think sent it to you really did. Do not blindly click on or share news that sounds sensational. Search the internet for another trusted source first, or type the URL into your browser rather than clicking on the hyperlink.

  • Create a strong(er) password – If your password is your first-born’s name or the street you lived on when you were younger, breaking into your account is like taking candy from a baby for a criminal hacker. Focus on a phrase that has a mix of letters, numbers and special characters. For example, if you like The Wizard of Oz, create a password like this: W1z@4d0f0z!. To go even further, create different username/email and password combinations for personal, business and social use and for different sites. That way, if there is a security breach, a malicious hacker can’t easily access all of your accounts since your logins will be different.

  • Hire a (white hat) hacker – Businesses should consider contracting with ethical hackers or “white hat” hackers to employ social engineering techniques to identify vulnerabilities so they can address them before malicious actors can exploit them.

  • Employee education – Organizations can help educate employees on security best practices via security awareness training. People are helpful by nature and will continue to be the weakest link within an organization, so it is imperative that security awareness training that covers a wide range of topics is conducted regularly and stays top of mind.

 

Creating a Secure Culture

While social media is a great way to stay in touch with family and friends and for businesses to reach new customers and efficiently zone in on their target audience, attackers are getting smarter by the day, with social media threats and attack vectors continuing to evolve. There are many recent compliance mandates and laws that have been put in place to create guidelines for how data is shared and used in social media, as well as all sites that contain sensitive information. But it traditionally takes companies time to implement these controls, and they certainly do not protect you from everything.

Businesses and individuals should make sure they share things with the right people by following the above-mentioned best practices and reporting any suspicious incidents to their security or IT team. Additionally, effective security awareness training for employees and clients could be the most important investment a company can make this year. Just as organizations need to protect their networks from attack, it is essential that they effectively educate their employees to fend off costly attacks that play on their good nature.

Mieng Lim is VP of product management at Digital Defense, by HelpSystems. Follow Mieng on LinkedIn and Twitter.
