While email has long been the favorite delivery vector for social engineering scams, criminals are just as likely to incorporate social media when targeting unsuspecting employees. Even if the scams themselves are perpetrated via email, social channels have become an integral part of the process for a reason that’s often overlooked by cybersecurity professionals.
That reason is research. Just as businesses use social media to gain valuable insights into their target audiences, bad actors use it to identify and learn more about potential targets. In fact, cybercrime is increasingly mimicking the practices of legitimate organizations to find, profile, and connect with high-value targets.
Putting on the Mask
Social engineering is all about the masquerade. Hackers pose as legitimate companies or individuals whom, in the case of targeted attacks, the victim knows personally. These are the most dangerous attacks, since they’re personalized and target specific victims, rather than being carried out en masse in the hope that one in a thousand recipients takes the bait.
Take LinkedIn, for example. Companies routinely use the platform to find potential employees, prospects, partners, investors, and other valuable connections. Attackers know this, which is why they’re doing exactly the same thing while under the guise of an honest operator. To that end, criminals often approach their victims in just the same way as companies connect with their customers. Impersonation is the name of the game, but it doesn’t stop there.
Building a Profile
Within the context of cybersecurity, oversharing is less about sharing inappropriate details on social media and more about creating a detailed public profile of oneself. In fact, this extends beyond the digital world, as in cases where burglars use social media to determine the whereabouts of the occupants of potential targets. Attackers use that information to form a detailed profile of the would-be victim before they launch the attack.
Cybercriminals are patient. They routinely trawl through social networks to identify high-potential targets before learning more about them through their public profiles. To that end, the more people post about themselves on social media, the easier they make things for criminals. Much like businesses create detailed audience personas, phishers develop extensive profiles of their targets.
Hackers will then use this information to establish trust with potential victims. After all, it’s far easier to dupe someone with an attack that demonstrates personal knowledge of the target. By contrast, the sort of phishing scams that end up in spam email folders rarely make any effort to personalize the attack. Often, they don’t even address the person by name. When someone reaches out to a would-be victim, while making it clear that they’re familiar with specifics like job roles and routines, there’s a far higher chance of success. Armed with a raft of detailed information gathered from social media profiles, scammers are much better positioned to masquerade as trusted individuals, such as employers or colleagues.
Ammunition for Hackers
Although social engineering attacks are often discussed in conversations about cybersecurity, they don’t necessarily need to have anything to do with technology. Social engineers rely entirely on exploiting human ignorance by duping victims into taking a desired action. Hackers, on the other hand, are primarily oriented toward the technology aspect, but the results are much the same.
One of the biggest areas of concern is that social media users routinely post historical information about themselves, such as birth dates, anniversaries, and the names of children and pets. Such information is rarely considered private, but having it out there in the public domain can present some serious vulnerabilities. Even those who prefer to keep a low profile on social media aren’t necessarily immune – hackers often launch surveys to capture such information instead.
What Can You Do to Protect Your Business?
Digital data is the world’s most valuable commodity. The entire business model of social media revolves around collecting data to sell on to advertisers. From the perspective of cybercrime, this presents a vast attack surface in which said data may be leveraged for nefarious ends. While well-meaning businesses and individuals use it as an opportunity for engagement, the criminal uses social media to plan and launch attacks with far-reaching consequences. While it’s hardly desirable from a business perspective to avoid social media altogether, there are some ways to use it safely:
Ensure you have full visibility into all brand channels, and into VIP accounts where necessary.
Enforce the principle of least privilege by ensuring that only employees who really need access to your branded social media accounts have access to them.
Train your employees so that they stay informed about the latest cybersecurity trends and threats, and are mindful about what they post on their own social media accounts.
Implement an overarching data-governance policy that makes clear what employees can and cannot post on social channels (including their own).
Above all, businesses need to educate their employees on the responsible use of social media, not only for the brand’s sake, but for theirs as well. People must be mindful about what they post on their social profiles and learn to be every bit as skeptical about interactions as they would be about a dubious email. Empowered by that knowledge, experience, and technology to manage digital risk, brands can finally start using social media without fear.
Download our latest whitepaper to learn more about protecting your brand’s social media accounts from malicious actors, today.