This is a guest article written by Chris Thomson. The author’s views are entirely his own and may not reflect the views of IT Governance.
Cyber attacks are nothing new. The moment computers started becoming essential to our personal and professional lives, hackers were looking for ways to manipulate them and us for their own ends.
Social media has become just another way for scammers to target people and businesses, and according to the 2015 Information Security Breaches Survey, 13% of large organisations had a security or data breach relating to social networks in 2015.
The majority of cyber attacks through social media don’t rely on traditional hacking methods such as manipulating code. They are more personal, targeting the user rather than the computer. This is known as social engineering.
Types of social engineering
Social engineering exploits people’s trust and good nature, and scammers employ a range of tactics to do this.
- Phishing – This is probably the most common form of social engineering. It instils a sense of urgency or fear in someone so that they hand over personal data. Those ‘Nigerian Prince’ scams are a well-documented form of phishing.
- Baiting – Like phishing, but offers the promise of an item or goods in exchange for someone signing up to a service or providing certain information.
- Pretexting – Again, this is like phishing, but plays on people’s trust, creating a believable story in order to gain personal data. If you have ever received an email from someone pretending to be from your bank saying they need your password, that’s an example of pretexting.
- Quid pro quo – A literal offer of money or other form of bribery in exchange for personal data, such as passwords.
All of these are methods you might encounter via social media. For instance, this example of someone pretending to be a recruiter on LinkedIn is a classic form of pretexting and baiting.
Another example of pretexting has cropped up thanks to Twitter and the increasing number of corporate accounts using the platform for customer interaction. As reported on CNBC, hackers are taking to Twitter in order to impersonate real corporate accounts. They will jump in on customer complaints posing as the genuine company representative and ask for a user’s account details. This is very easy to fall prey to if you don’t know what to look out for.
Guarding against cyber attacks on social media
Here are some tips on how you, your colleagues and employees can guard against social engineering and cyber attacks on social networks.
Be aware of the threat
Awareness is half the battle with cyber security. Everyone in the business should be made aware of the different types of cyber attack and what they should do if they’ve been targeted. They should also know what to do if they think they’ve been successfully duped, as action will need to be taken as soon as possible. This may well involve some form of training on the matter.
And it’s not just big companies: 38% of small companies were victims of a security breach in 2015.
Have a social media policy
Make sure that all employees are aware of how they should and shouldn’t be using social media at work. This may mean restricting the use of personal social media accounts during work hours or having an approval process before anything is posted on a business social media account – whatever works best for your company.
Get hot on passwords
It’s usernames and passwords that many scammers are after, so make sure your business is diligent with all such information.
Passwords should be difficult to guess or work out, so avoid commonly used words or simple strings of numbers. In 2013, Facebook and Twitter hackers obtained millions of users’ passwords and discovered many were less than secure, with the most common password a simple ‘123456’.
Also be vigilant about password sharing. According to password management software company LastPass, 28% of people share social media passwords, and 74% do so verbally. The dangers of this are pretty self-explanatory. Beware of techniques such as shoulder surfing (literally people looking over your shoulder as you type passwords) and inference (guessing passwords based on things people know about you).
Check security and privacy settings
You’d be surprised how much someone can learn about you from your social media profiles, and this is where inference can occur. Scammers might be able to learn simple bits of information about you, whether that’s your date of birth, pet’s name or the name of your partner. All of this could be used to guess passwords or dupe a service provider into disclosing your details.
Always check your security and privacy settings on your social accounts and always know what other people can see about you.
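The advice above on guessable passwords and on inference from public profiles can be enforced at the moment a password is chosen. The Python below is an added example, not part of the original article; the function names, the short common-password list and the profile details used with it are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample of commonly used passwords; '123456' is the one the article cites.
COMMON = {"123456", "password", "qwerty", "letmein", "111111"}
# Undo common character substitutions (0 -> o, @ -> a, ...) before comparing words.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def normalise(text):
    """Lower-case, undo substitutions, then keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def date_tokens(d):
    """Digit strings people typically build from a date such as a birthday."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm, mm + dd, dd + mm + yy, mm + dd + yy,
            dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd}


def screen_password(password, profile_words=(), profile_dates=()):
    """Return the reasons to reject a password (an empty list means accepted).

    profile_words / profile_dates are details visible on the user's own
    social profiles, e.g. a pet's name, a partner's name, a date of birth.
    """
    reasons = []
    raw = re.sub(r"[^a-z0-9]", "", password.lower())  # digits kept as digits
    folded = normalise(password)                      # substitutions undone
    if folded in {normalise(c) for c in COMMON}:
        reasons.append("commonly used password")
    if raw.isdigit():
        reasons.append("digits only")
    for word in profile_words:
        token = normalise(word)
        # Ignore very short tokens to limit false positives.
        if len(token) >= 3 and token in folded:
            reasons.append(f"contains profile detail: {word}")
    for d in profile_dates:
        if any(t in raw for t in date_tokens(d)):
            reasons.append(f"contains profile date: {d.isoformat()}")
    return reasons
```

In a sign-up or password-change flow, a non-empty result would be shown to the user as the reason the password was refused.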
Move with the times
New social networks are cropping up all the time, so it’s important you keep on top of the various ways scammers might take advantage of you and your company. For example, Tony Anscombe, of antivirus experts AVG, explained in this article that wearables are likely to become more popular over the coming years, which represents yet another avenue for hackers and scammers to target people.
Vigilance is the key to protecting against social media cyber attacks. You can’t stop people trying to attack your company but you can reduce the chances of their attack being successful.