In the world of ransomware hackers, there’s a new kid on the block. The Lapsus$ ransomware group is making waves for publicly broadcasting its high-profile victims, including giants like Microsoft. 

But the most striking thing about Lapsus$ isn’t its success; it’s just how conventional their means of attack is — and how easily almost any and every business could be a target. 

Lapsus$ uses phishing scams to gain access to corporate systems without even having to crack passwords or infiltrate security networks. All they need to stage these phishing attacks is a bit of personal information about an employee.

If you think your organization is safe from these threats, think again. Your employees are at risk — and they’re at risk through their social media accounts. Hackers like Lapsus$ can use even the most innocent-seeming social media posts to launch phishing attacks that could compromise your company’s entire network. 

Social media usage in the workplace is on the rise, and not just because businesses are ramping up their social media strategies. The pandemic caused more people to spend more time on social media, especially remote workers. And as more of the youngest generations like Gen Z join the workforce, they’re bringing their intense, frequent and wide-ranging social media habits with them. 

The stats here paint a compelling picture: 93% of U.S. workers use social media to talk about job updates. Close to a third use social media to share information about their job, and just over a quarter will make social media posts about clients or coworkers. On top of that, workers are producing a significant number of TikToks, Snapchats and other vlog content while on the job.

Here’s the thing: hackers and cybercriminals love that stream of content because it’s a gold mine for information. Sometimes that information is obviously sensitive, like when an employee uploads a video of their work desk — including Post-It notes with passwords or login credentials on them. 

But oftentimes, all a hacker needs is a more ordinary-seeming piece of intel. Maybe an employee posts the name of someone who works in IT or shares information about an upcoming corporate event involving their manager. Maybe they share on Facebook a story about a business trip or an ongoing dispute with HR about parking spaces. 

This information may seem safe, but it isn’t; hackers can and will use it in more ways than you could imagine. Eighty-three percent of survey respondents in the 2022 State of the Phish report said their organization had experienced a successful phishing attack in the last year. The high prevalence of phishing attacks is due, in large part, to how easy these attacks are to launch; virtually any and every piece of information posted online can be used to stage one.

Is that email your employee just received from HR with a sign-in link to register for a new parking space legitimate, or is it a scam in disguise? Is that text message security alert from your company’s new IT manager, or is it from a cybercriminal? The more specific information that hackers have from social media, the more plausible, more convincing and more successful their phishing attacks will be. 

These threats are very real. Businesses suffered 50% more cyberattacks per week in 2021 than in 2020, and the risks created by social media have partially fueled this rise in cybercrime. Every employee’s social media posts are a potential attack vector; if your company isn’t doing anything to protect the privacy of the information your employees post to Twitter, Facebook and TikTok, hackers won’t hesitate to exploit it to their own advantage.

Companies have to get smart about the risks of social media and take steps to address them. Or they just might regret it after it’s too late.