It’s easy to think of social media as a fun, informal space – somewhere we can relax and be ourselves. Even when used for business promotion, social media remains a place to engage with people, share information and ideas, and post newsworthy pictures. It’s partly because of the innocuous, cooperative nature of social media (and partly because we tend to trust our connections on the platforms as our friends) that social media platforms have become something of a hunting ground for cybercriminals.
Think about it: it’s not often that we hesitate to click on an interesting-looking post or direct message sent from one of our connections; why would we? Oftentimes, we’ll even entertain posts made by friends-of-friends – but how do we know these people don’t have ulterior motives? How do we know they are who they say they are?
Something else to consider: cybercriminals know that people at work tend to check their social media accounts from time to time throughout the day (many using company-owned PCs and mobile devices). Most organisations don’t mind the practice, so long as it happens at break-times. However, connecting with the wrong person, or clicking on a malicious file or link whilst at work, could cause problems for the entire office network. It’s not at all unheard of for cybercriminals to target specific companies through their employees – many of whom list their place of work in their bio or ‘about me’ section on social media. Furthermore, it often only takes one employee to connect to an unknown user for others to follow suit; after all, this person appears to know someone that you know.
Since awareness-training is a key element when it comes to mitigating the risk of a data breach, below we outline some of the top risks social media users should remain aware of.
Common Social Media Security Threats:
Phishing Scams
Phishing is a form of fraud meant to trick victims into divulging valuable, personal data. It works by cybercriminals impersonating someone they are not, such as a friend or an organisation, and convincing victims to share information. A common phishing tactic on social media is fake customer-service accounts asking users to “verify” their identity, or claiming users’ accounts are under attack and must be reset in some way. Of course, this always involves users sharing their login information with the criminal.
Another tactic to look out for on social media – as on any website – is the use of fake URLs/posts that redirect users to malicious websites. These sites may mirror very closely the login page of the user’s social media platform, or otherwise prompt for information in return for seeing the post the user originally clicked on.
In both these cases, people that re-use social media passwords for things like email accounts, work PCs, and online banking could find themselves in serious trouble if they fall for the con.
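The lookalike links described above can be screened before anyone clicks them. The following Python code is an added example, not part of the original article; the allow-list, the sample links and the names `classify_link` and `triage` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: domains accepted as genuine logins.
TRUSTED_DOMAINS = ("facebook.com", "linkedin.com", "twitter.com")
BRANDS = tuple(d.split(".")[0] for d in TRUSTED_DOMAINS)
# Digits commonly swapped for letters in lookalike names (0->o, 1->l, 3->e, 5->s).
CONFUSABLES = str.maketrans("0135", "oles")


def classify_link(url: str) -> str:
    """Return 'trusted', 'suspicious' (imitates a trusted platform or cannot
    be verified as one) or 'unknown' (unrelated to any trusted platform)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "suspicious"  # malformed authority: do not guess
    on_trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    # Genuine only if the real host is the platform's, over HTTPS, with no
    # "user@" prefix that could disguise the true destination.
    if on_trusted and parts.scheme == "https" and parts.username is None:
        return "trusted"
    if not host.isascii() or any(lab.startswith("xn--") for lab in host.split(".")):
        return "suspicious"  # internationalised name may render as another brand
    # What a reader sees before the path, with digit substitutions undone.
    visible = f"{parts.username or ''} {host}".lower().translate(CONFUSABLES)
    if any(brand in visible for brand in BRANDS):
        return "suspicious"  # platform name used outside its own domain
    return "unknown"


# Constructed sample links, as they might appear in posts or direct messages.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "https://facebook.com.account-verify.example/login",
    "https://facebook.com@login.example/reset",
    "https://faceb00k-support.example/verify",
    "https://f\u0430cebook.example/login",  # Cyrillic 'a' in place of Latin 'a'
    "http://www.linkedin.com/login",
    "https://news.example.org/story",
]


def triage(links):
    """Map each link to its classification."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

A plain-HTTP link to a genuine platform host is also reported as suspicious here, because a login page reached that way is not protected in transit.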
Malware
Malware, also known as malicious software, is a program or file that is in some way harmful. It includes the likes of spyware, Trojan horses, and other computer viruses. Most online threats come in the form of malware and, unfortunately, the easily accessible nature of social media means it’s something of a gateway for it.
Malicious links may take users to legitimate (but infected) websites, or else to entirely fake-yet-legitimate-looking websites that prompt for or surreptitiously begin malware downloads. Indeed, Mark Bermingham, Director of global B2B marketing at Kaspersky Lab, recently told PCWorld.com to expect an increase in waterhole attacks stemming from social media use. The goal of a waterhole attack is to infect the unsuspecting user’s computer with malware and, in this way, access the user’s workplace computer network.
Users should also be wary of clicking on unsolicited links and file attachments sent in direct messages, and those left in comments sections of (usually) popular posts.
Cloning / Impersonation
Different from hacking or hijacking, cloning is a technique used by cybercriminals to copy a person’s social media profile page. This is particularly easy to instigate if a person’s page information is set to public. Photos, date of birth, place of work, etc. can all be copied across to the faux-profile, which is then used to send new friend requests to those on the victim’s friends list. In all probability, at least a couple of these friends will accept the request, thinking it comes from the person they know.
Once the scammer has enough ‘friends’ to establish an air of legitimacy, they are likely to send scam messages or malware in the name of their victim in the hopes their friends or colleagues will trustingly click on it. They might also use the victim’s friendship with people to harvest personal information, putting them at risk of identity theft.
Third-Party Apps
We’re likely all guilty of using our social media profile to log into third-party apps; it’s just so much more convenient than dreaming up a new password for each application or account we wish to use. We don’t, however, consider the price of convenience all that often, which usually comes in the form of data. It’s down to the user to check what information the app is asking to access, and what they say they will do with it (i.e. are they asking for permission to sell/share it). If you find the possibility of giving strangers access to your personal data unsettling, it’s probably best not to link your account to third-party applications.
Mobile Devices
Using social media on mobile devices may not seem like a risky habit; after all, we all do it! But the danger here lies with the loss or theft of your device – be it a personal or work-owned one. Obviously, your device (especially if not password/fingerprint protected) is a virtual treasure-trove of information and auto-logged-in accounts (including payment apps and password managers), not to mention any confidential work/personal information recorded on the device. In the wrong hands, your mobile device could be used to victimise you and target your contact list.
Due to the risk of malware mentioned above, it’s also inadvisable to use work mobile devices to access personal social media accounts. Clicking on the wrong link could provide a backdoor into all sorts of company systems and databases. User beware.