Published: September 16, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
We love social media these days. Facebook, Snapchat, Twitter, LinkedIn, and many others can lead to lots of sharing and fun, but also carry significant risks. This is particularly true now that cybercriminals are collating data and using it against us for targeting phishing attacks.
Online social networks may seem all in fun and harmless, but they are anything but that. Anyone participating in a social network online assumes some risk of becoming a victim of a con artist or other criminal. But this does not mean you should opt out of getting involved. It’s part of our society, and in some cases an important part of doing business. Just be aware of the risks and take action to avoid being a victim of identity theft or another cybercrime.
It’s always important to remember that once you put something on the Internet, it is there… forever. It never disappears, you can’t completely remove it, and there is nothing preventing your connections from sharing. Once that happens, you lose control of it. If someone in their network shares it, it will crawl even further into the Internet and there really is little to nothing you can do about it.
Therefore, always know who you are giving access to your personal information and if you don’t want them to share something, ask them not to or just don’t post it. Also, keep in mind that what you post can reflect on your business relationships as well. Even if you don’t connect with business contacts via social media, it can still get around and affect your business.
Pay attention to who wants to follow, friend, or share with you. Often cybercriminals will try to connect with people to learn about them, bring them into confidence, and then scam them. This may come in the form of attachments or links passed on once you are "friends" with that person. It may come in personal requests, such as asking you to send money via wire transfer or even gift cards to help with an emergency.
Any information found on the Internet may be used against you for nefarious purposes, so always think about what you post. And just because you use the highest privacy settings, doesn’t necessarily keep you safe. Assume that whatever you post is available to anyone on the Internet. Hackers of all types troll social networking sites to put together collections of information on specific targets. The information may be used for something completely unrelated to social media, but can do a lot of damage. For example, if you work with financials in your company and you share it on social media, you could be targeted for wire transfer fraud.
All of this may not only put you in physical danger, but it may also be used to create phishing messages and to send emails to people you know, including your co-workers. These email messages could contain malware. Once a link or attachment is clicked, it could unleash something nasty on the network. No one wants to be responsible for that.
A good example where criminals will often go to learn important information about you is LinkedIn. This social networking site is a great way to form business relationships, but is also often used by criminals to learn more about an organization's personnel. For example, LinkedIn can provide a would-be criminal with the employee names, job positions, job responsibilities, and even how long an employee has worked at the organization. This information can then be used by criminals to target "high risk" employees or even be used as part of a larger social engineering campaign.
Because all this information is now available to the public, you need to be even more diligent in detecting potentially malicious activity. From suspicious emails to phone calls, just because a person contacting you knows some personal information about you, does not mean they can be trusted. Don't be tricked into giving out even more information or opening links and attachments contained in emails. Always do an independent verification before disclosing any personal or sensitive details about yourself or your organization.
Think about how you use social media and how much information you want to share with the world. Because even if you think it’s just your “village” seeing the information, the reality is that it isn’t. It’s everyone, everywhere.
Generally speaking, there are two ways in which hackers and cybercriminals use social engineering to exploit social networks.
1. Attempting to get someone to install software on a computer or phone that will give them access to that device.
2. Gain someone’s trust in order to exploit personal connections and manipulate people through the social network.
People are the weakest link in cybersecurity and the savvy hacker will take advantage whenever possible. Following are a few tips to help you avoid becoming a victim of either of these:
Always use the strongest security settings possible on social media sites. For example, consider if you need to share your location. If it really isn’t necessary (and it usually isn’t), deactivate that option. Also be sure to limit who has access to your information. Don’t make it public to the world, but instead make it viewable only to those who are directly linked to you, keeping in mind that even that information is vulnerable once one of them sends it on. Some sites will allow you to customize lists based on what you are posting. This may be appropriate for some content.
Don’t post personally identifiable information (PII) on social networking sites. This includes your birthdate, phone number, and address. If you want to exchange that information, do it via private messaging or email. Never ever post your social security number or any banking or other financial details, not even through the site’s private messaging or email service.
If you use your smart phone to post photos to your social networking sites, turn off location services for your camera. Leaving this activated will give away your location. While you may think it isn’t a big deal to share your location, it can be. When you’re on vacation and sharing selfies with recognizable landmarks in the background, it would be a great time for someone to break into your house and steal all kinds of information.
Be aware of unsolicited contact from strangers. Often, scammers will try to get to know you and then scam you. This happens often with online dating sites. They may use social engineering such as to convince you they need money to help them get out of a bind, but they also may use you to spread malware. It’s reasonably easy to spoof someone’s email address and often the criminals will do this to try to get your friends, colleagues, and other contacts to click malicious links. People are more likely to click a link if they trust the one posting it. Therefore, use caution even when clicking links on social media from those you do know.
With the increase in popularity of private messaging services that are attached to the social media sites, such as Facebook Messenger, watch for private messages that arrive that include only a link, or have a vague description of what the link may contain. One that was seen recently was sent with text that addressed the recipient by name, “Bob, is this you?” Contained in the link was malware.
If a deal sounds too good to be true, it is. Cybercriminals use popular events and news stories as bait to get people to open infected email, visit infected websites, donate to fake charities, or purchase items that either don’t exist or that are counterfeit. Recently, someone impersonated Iron Man star, Robert Downey Jr. and scammed people out of their money by “personally” asking them to donate to his favorite charity. Other stars were used in such scams as well, such as Brad Paisley, Hugh Jackman, and Elton John. All had to send pleas out to fans not to fall for it.
Change your social networking passwords often. Studies have shown that even with all the password reuse issues and stolen credentials, 53% of social media users had not changed their passwords in over a year and 20% had never changed them. It’s recommended to do it quarterly and when doing so, don’t reuse one that you use on another site; especially one that you use for you financial accounts.
The bottom line is just to use caution when participating in social networks. They can be fun and useful and are likely here to stay. However, just use good judgment and common sense when partaking so you are not or don’t cause your company to be the next victim of fraud or identity theft.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org