By The PhishLabs Team | June 26, 2018
Each day the average person spends around 135 minutes on social media.
We know what you’re thinking. That’s a heck of a lot of time spent liking things, laughing at memes, and watching baby animal videos.
But it’s not all fun and games. In today’s world we are more connected than ever, and social media platforms encourage us to share what was once private information in a very public way. From geotagging your location to announcing your upcoming vacation, many of the updates we share every day include information threat actors can use to their advantage.
As a simple example, think about the typical “forgotten password” procedure offered by most online services. You’re given simple, supposedly personal questions to answer in order to prove your identity.
But what if the answers to those questions can easily be found on your social media profiles? Your mother’s maiden name, for instance, or the name of your pet. Or how about which street you grew up on, the year you graduated, or which preschool you attended?
For years consumers have been warned about divulging too much information on social media, because it’s so easy for criminals to use this information for the purposes of theft, identity crime, or extortion.
But it’s not just consumers who should be worried. Enterprises can be targeted using precisely the same techniques, with potentially catastrophic consequences. By collecting freely available information from corporate and employee social media accounts, threat actors are able to develop targeted, highly convincing spear phishing campaigns.
While threat actors have many other ways to collect information for spear phishing and BEC attacks, below are a few areas you should be specifically aware of before posting on social media:
What Threat Actors Look For on Social Media
It’s easy to imagine that personal security and organizational security are separate issues. In reality, they are not.
If a cybercriminal can trick an individual within your organization into taking an undesirable action, e.g., opening a malicious attachment, suddenly their personal security becomes a lot less personal. Information skimmed from an employee’s social media profile can easily be used to target them with sophisticated social engineering attacks while they’re at work.
For this reason (along with plenty of others), security awareness training for employees has become even more important over the past decade.
To get you started, here are some of the most dangerous things people share through social media without a second thought:
Personal information
Sharing personal information is encouraged by social media platforms, primarily because it makes it easier to serve you with relevant advertisements and sponsored content. Doesn’t seem so much fun, now, does it? Unfortunately, in addition to the constant stream of ads you’re no doubt already enjoying, sharing personal details like your address, date of birth, or even where you went to school will make you an easy target for criminals.
Action: When it comes to personal information, unless it’s a required field, leave it blank.
Your whereabouts, work, and family
It has become common practice for many people to share every tiny detail about their lives on social media: Where they work, what they do, when they’re on holiday, and even where their children go to school.
Anything that can help a threat actor pinpoint where you’ll be, what you do, or who you care about should at a minimum be posted with strong privacy settings. Remember, though, that privacy settings only limit the audience: it takes just one screenshot by a connection, or one compromised account in your network, to put the post in front of an attacker. Your upcoming flight details, for example, give away your departure and return dates, which is enough to tell anyone exactly how long you will be away.
Action: Selecting sensible privacy settings is a must, but ideally just don’t post anything you wouldn’t be comfortable telling a stranger.
Photos of your home, office, or vacation
If a criminal knows where you live and work, it’s that much easier for them to target you with convincing social engineering attacks. Even worse, photos of your home or office can reveal valuables, security flaws, and yet more fuel for targeted attacks. Equally, posting photos of your vacation while you’re away does little more than advertise your empty, unguarded home.
Action: It might seem paranoid, but not posting photos that make it obvious where your home or office is located is a sensible precaution.
Habits or routine
Do you always go to the gym at the same times? Are your kids or family away for long periods? If you overshare the details of your daily or weekly routine on social media you are creating a pattern that criminals can use to target you.
Action: This one is difficult, because for many people sharing their every move is part of a normal daily routine. At the very least, try not to make it too obvious when you’re away from your home or office. If you want to upload a photo of your vacation, do it after you come back from your trip.
Tips for Heightened Privacy and Security
While it’s important to exercise caution when sharing information and updates through corporate social media profiles, it’s employee activity that’s most likely to cause you security headaches. Training employees in social media security may seem a little “big brother,” but in reality the process will benefit individuals just as much as it will the organization.
Here are four of the most important lessons to impart to your employees:
Restrict Privacy Settings: Unless strong privacy settings are manually selected, almost anybody can view a social media user’s profile, updates, and personal details. Ideally, your employees should select the most stringent privacy settings available, so only trusted connections can view their content. Change your privacy settings from public to private to limit the audience and control who can see your posts, status updates, or check-ins.
Limit Your Network: Check that there are no suspicious people on your Facebook, Twitter, LinkedIn, or Instagram accounts. Add only people you know and trust to your network.
Avoid Geo-Tagging Posts: As we’ve already explained, geotagging of social posts makes it easy for criminals to locate individuals both at home and at work. Equally, it can help them identify when buildings are left empty. Worst of all, geotagging often happens automatically unless it’s manually switched off: smartphone cameras write GPS coordinates into each photo’s metadata by default, and while most major social networks strip that metadata on upload, a photo shared by email or a messaging app, or posted to a site that does not strip it, carries the coordinates with it. Teaching your employees about the potential ramifications of geotagging will help them make more informed decisions about the way they use social media.
Teach Your Team About Smart Social Media Use: Given the nature of social media, your brand simply can’t control everything that is posted. Talk to your team about the potential ramifications of oversharing and how they can protect themselves against them.
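The automatic geotagging described above is, for photos, the GPS sub-IFD that smartphone cameras write into a JPEG’s Exif metadata. As an added example that is not part of the PhishLabs post, the stdlib-only Python below shows what that tag looks like on the wire and how to check for it and strip it before a photo leaves your hands. The JPEG it parses is a constructed sample built by the same script (a bare container with no image data); the function names are this example’s own, while the tag numbers (0x8825 for the GPS IFD, 0x1 to 0x4 for the latitude and longitude fields) are the standard Exif ones.

```python
import struct

# Constructed sample format: a minimal JPEG container (SOI, Exif APP1, COM, EOI).
SOI, EOI, EXIF_HEADER = b"\xff\xd8", b"\xff\xd9", b"Exif\0\0"
TAG_GPS_IFD = 0x8825   # IFD0 entry holding the offset of the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x1, 0x2, 0x3, 0x4


def _segments(data):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI carries no length field
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                     # SOS: entropy-coded data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length    # length counts its own 2 bytes
        pos += 2 + length

def _exif_segments(data):
    """(start, end) of every APP1 segment whose payload is Exif/TIFF."""
    return [(s, e) for m, s, e in _segments(data)
            if m == 0xE1 and data[s + 4:s + 10] == EXIF_HEADER]

def _read_ifd(tiff, endian, offset):
    """{tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries

def _rationals(tiff, endian, count, field):
    off = struct.unpack(endian + "I", field)[0]   # RATIONALs never fit inline
    pairs = [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
             for i in range(count)]
    return [n / d if d else 0.0 for n, d in pairs]

def find_gps(data):
    """(lat, lon) in decimal degrees, or None if the JPEG carries no GPS tags."""
    segs = _exif_segments(data)
    if not segs:
        return None
    start, end = segs[0]
    tiff = data[start + 10:end]                   # TIFF structure after "Exif\0\0"
    endian = "<" if tiff[:2] == b"II" else ">"    # "II" little, "MM" big endian
    ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0])
    if any(t not in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    coords = []
    for ref_tag, val_tag in ((TAG_LAT_REF, TAG_LAT), (TAG_LON_REF, TAG_LON)):
        d, m, s = _rationals(tiff, endian, gps[val_tag][1], gps[val_tag][2])
        deg = d + m / 60.0 + s / 3600.0           # degrees, minutes, seconds
        coords.append(-deg if gps[ref_tag][2][:1] in (b"S", b"W") else deg)
    return tuple(coords)

def strip_exif(data):
    """Copy of the JPEG with every Exif APP1 segment (and so the GPS IFD) removed."""
    out, last = bytearray(), 0
    for start, end in _exif_segments(data):
        out += data[last:start]
        last = end
    out += data[last:]                            # everything after the last Exif segment
    return bytes(out)

def _dms(value):
    """abs(decimal degrees) -> [(deg, 1), (min, 1), (sec*10000, 10000)] as cameras store it."""
    d, rest = divmod(abs(value) * 3600, 3600)     # rest = seconds within the degree
    m, s = divmod(rest, 60)
    return [(int(d), 1), (int(m), 1), (int(round(s * 10000)), 10000)]

def build_geotagged_jpeg(lat, lon, comment=b"constructed sample, no image data"):
    """Build the constructed sample: a little-endian TIFF with IFD0 -> GPS IFD."""
    gps_off = 8 + (2 + 12 + 4)                    # GPS IFD follows the 1-entry IFD0
    lat_off = gps_off + (2 + 4 * 12 + 4)          # RATIONAL arrays follow the GPS IFD
    tiff = b"II" + struct.pack("<HI", 42, 8)      # header: byte order, magic, IFD0 offset
    tiff += struct.pack("<HHHII", 1, TAG_GPS_IFD, 4, 1, gps_off) + b"\0" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", TAG_LAT_REF, 2, 2) + (b"S" if lat < 0 else b"N") + b"\0" * 3
    tiff += struct.pack("<HHII", TAG_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", TAG_LON_REF, 2, 2) + (b"W" if lon < 0 else b"E") + b"\0" * 3
    tiff += struct.pack("<HHII", TAG_LON, 5, 3, lat_off + 24) + b"\0" * 4
    for num, den in _dms(lat) + _dms(lon):
        tiff += struct.pack("<II", num, den)
    exif = EXIF_HEADER + tiff
    return (SOI + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
            + b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment + EOI)
```

Calling `find_gps(build_geotagged_jpeg(48.8584, -73.9857))` returns the coordinates back to within rounding, and `find_gps(strip_exif(...))` returns `None`. Dropping the whole APP1 segment, rather than editing individual tags, is the safe choice: the GPS IFD is only one of several location clues Exif can carry, and the segment is not needed to display the image.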
Unfortunately, while these tips can certainly help you mitigate the threat posed by social media, it’s inevitable that some information about your organization and its employees will be available to criminals through social media. This is why, no matter what else you do, security training for employees is an essential component of any cybersecurity strategy.