Online social networks may seem all in fun and harmless, but they are anything but that. Anyone participating in a social network online assumes some risk of becoming a victim of a con artist or other criminal. But this does not mean you should opt out of getting involved. It’s part of our society, and in some cases an important part of doing business. Just be aware of the risks and take action to avoid being a victim of identity theft or another cybercrime.
Therefore, always know who you are giving access to your personal information. If you don’t want them to share something, ask them not to, or just don’t post it. Also, keep in mind that what you post can reflect on your business relationships as well. Even if you don’t connect with business contacts via social media, it can still get around and affect your business.
Pay attention to who wants to follow, friend, or share with you. Often cybercriminals will try to connect with people to learn about them, gain their confidence, and then scam them. This may come in the form of attachments or links passed on once you are “friends” with that person. It may come in personal requests, such as asking you to send money via wire transfer or even gift cards to help with an emergency.
All of this may not only put you in physical danger, but it may also be used to create phishing messages and to send emails to people you know, including your co-workers. These email messages could contain malware. Once a link or attachment is clicked, it could unleash something nasty on the network. No one wants to be responsible for that.
A good example of where criminals will often go to learn important information about you is LinkedIn. This social networking site is a great way to form business relationships, but it is also often used by criminals to learn more about an organization’s personnel. For example, LinkedIn can provide a would-be criminal with employee names, job positions, job responsibilities, and even how long an employee has worked at the organization. This information can then be used by criminals to target “high risk” employees or even be used as part of a larger social engineering campaign.
Because all this information is now available to the public, you need to be even more diligent in detecting potentially malicious activity. From suspicious emails to phone calls, the fact that a person contacting you knows some personal information about you does not mean they can be trusted. Don’t be tricked into giving out even more information or opening links and attachments contained in emails. Always do an independent verification before disclosing any personal or sensitive details about yourself or your organization.
Think about how you use social media and how much information you want to share with the world. Even if you think it’s just your “village” seeing the information, the reality is that it isn’t. It’s everyone, everywhere.
Generally speaking, there are two ways in which hackers and cybercriminals use social engineering to exploit social networks.
1. Attempting to get someone to install software on a computer or phone that will give them access to that device.
2. Gaining someone’s trust in order to exploit personal connections and manipulate people through the social network.
Always use the strongest security settings possible on social media sites. For example, consider if you need to share your location. If it really isn’t necessary (and it usually isn’t), deactivate that option. Also be sure to limit who has access to your information. Don’t make it public to the world, but instead make it viewable only to those who are directly linked to you, keeping in mind that even that information is vulnerable once one of them sends it on. Some sites will allow you to customize lists based on what you are posting. This may be appropriate for some content.
Don’t post personally identifiable information (PII) on social networking sites. This includes your birthdate, phone number, and address. If you want to exchange that information, do it via private messaging or email. Never ever post your social security number or any banking or other financial details, not even through the site’s private messaging or email service.
If you use your smartphone to post photos to your social networking sites, turn off location services for your camera. Leaving this activated will give away your location. While you may think it isn’t a big deal to share your location, it can be. When you’re on vacation and sharing selfies with recognizable landmarks in the background, it would be a great time for someone to break into your house and steal all kinds of information.
With the increase in popularity of private messaging services attached to social media sites, such as Facebook Messenger, watch for private messages that include only a link or have a vague description of what the link may contain. One that was seen recently was sent with text that addressed the recipient by name, “Bob, is this you?” Contained in the link was malware.
- If a deal sounds too good to be true, it is. Cybercriminals use popular events and news stories as bait to get people to open infected email, visit infected websites, donate to fake charities, or purchase items that either don’t exist or are counterfeit. Recently, someone impersonated Iron Man star Robert Downey Jr. and scammed people out of their money by “personally” asking them to donate to his favorite charity. Other stars were used in such scams as well, such as Brad Paisley, Hugh Jackman, and Elton John. All had to send pleas out to fans not to fall for it.
- Change your social networking passwords often. Studies have shown that even with all the password reuse issues and stolen credentials, 53% of social media users had not changed their passwords in over a year and 20% had never changed them. It’s recommended to do it quarterly, and when doing so, don’t reuse one that you use on another site, especially one that you use for your financial accounts.
The bottom line is to use caution when participating in social networks. They can be fun and useful and are likely here to stay. However, use good judgment and common sense when partaking so that you are not, and do not cause your company to be, the next victim of fraud or identity theft.