Today, nearly everyone’s computer has anti-virus software and most people have a basic understanding of email phishing threats. But that same diligence and protection is lacking on social media channels, the foundation of most people’s identity online.
This lack of security has made social media the target of cybercriminals and subsequently subject to massive data breaches, exposing valuable personal information.
Since these digital channels are outside network firewalls, we can’t rely on traditional security methods or IT teams – it is incumbent upon each of us to take ownership of protecting our digital identity. To help get started, we have some basic tips for ensuring you’re not making your digital self vulnerable to leaks or criminals.
Don’t get too personal
Social media is used to share information with friends and family, but the more information you share about yourself (e.g., home address, travel plans, birthdays), the more a bad actor can learn about you and the more effectively they can target you, either directly through hacking or indirectly through social engineering. For example, birthdays and pet names, perhaps shared on Instagram, are the types of information that criminals can use to guess answers to security questions used in two-factor authentication or password resets.
Indirectly, bad actors can leverage your information to build a personalized attack, which tends to be more effective than a generic one. For example, last year North Korean hackers posed as a hiring company on LinkedIn, targeting mid-level employees at a Latin American bank, with promises of promotion and higher pay. These hackers tricked one such bank IT employee into conducting a job interview, during which time the employee was asked to download, install and run a file allegedly related to the recruitment process. The file contained malware that helped the North Koreans infiltrate the network connecting all of the country’s ATMs.
Say no to the unknown
People are inherently more trusting on social media – threats have only been reported in recent years. Do not accept friend or connection requests from someone you don’t know, even if you have people in common. A fake account might send you a friend request to build up its profile and dupe someone else into thinking it is a legitimate account. Or, it could send you a request to target you in a different attack, such as getting you to click on a phishing link. The safest option is to not accept connection requests from people you do not know.
Investigate and evaluate
In addition to not accepting requests from accounts you don’t know, take the time to go through your current followers across all accounts. Double-check current connections and friends and recent requests – you may have unknowingly accepted a request from someone who looked familiar but is unknown upon further inspection. An individual’s profile may look legitimate (e.g., you have multiple connections in common and the person claims to work for a company you know). Hackers use this tactic to masquerade as someone you should trust. The more mutual connections you have, the more difficult it is to detect whether the account is fake. Dig deeper before you click accept or even respond to a message to ensure it’s not fake.
Slide out of DMs
Unlike your email inbox, which more than likely has a fairly sophisticated spam filter, the direct message function on most social media apps is not protected and is, therefore, a great avenue for phishing attacks. It’s almost second nature to open a message on Twitter, Instagram or LinkedIn and click on a link. This is particularly dangerous because plenty of people don’t even know those are phishing attack vectors.
Hackers have gotten creative with the messages they send to entice people to click. For example, in June criminals were able to steal users’ credentials by sending a direct message via Instagram that promised “verified account” status by simply clicking a link. If you don’t know the person sending you the message, do not click or open it. Even if you know the person (or account), but the link they send looks suspicious, do not click on the link. When it comes to security, it’s better to err on the side of caution.
People often use the same email address and password for all of their social media accounts. But if your email account is breached or compromised in a data breach (think Equifax), hackers can use those credentials to compromise or take over all accounts tied to that email address. Ideally, set up a different email account that is just for social media. At a minimum, make sure to use a unique password for every single account, and if your email is compromised, be sure to change any passwords associated with that address (password managers make this easy).
As the President, CTO and Co-Founder of SafeGuard Cyber, Mr. Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform. He has rich experience in social media applications, internet commerce and IT serving the pharmaceutical, financial services, high-tech and government verticals. Mr. Freire has a BS in Civil Engineering, an MS in Management Information Systems and an MBA from the University of Virginia Darden School of Business, where he currently serves as a visiting executive lecturer.