Social media platforms are valuable for personal and business use - but fraudsters use them too. How can you best counter the risks?
Mia Ash was a 30-year-old, London-based photographer. Her social media platforms were populated with many friends and photos, and a detailed education and work history.
Through LinkedIn, Mia approached a male employee at a Middle East business with a query about photography. The pair began a wide-ranging discussion through LinkedIn and then Facebook.
When Mia later sent the man an email with an attachment for a survey, he opened it on his office network. The attachment tried to install malware.
Fortunately, the company's security systems blocked the installation. 'Mia' was found to be an elaborate fiction. Her creators had targeted employees of companies in specific sectors, aiming to infect their networks with spyware.1
Streaming service Vevo wasn't so lucky. When one of its employees was targeted via a LinkedIn contact, hackers obtained a mass of sensitive internal data and released it to the public.2
Besides their social uses, platforms such as LinkedIn offer huge benefits in networking and recruitment. But their reach and accessibility make them useful to fraudsters too.
Using fake profiles, criminals can gather a wealth of information about individuals' contacts and interests. Career profiles often include detail that can build a picture of a business. In the case of IT professionals, they might even outline the platforms and programs used.
One of the ways fraudsters use this data is to target likely victims using 'spear phishing', a more personalised version of the phishing scams that contain links designed to gather data such as bank details.
But even unsophisticated contacts can get results. Research in Germany found that around four in ten people clicked on a link in a Facebook message claiming to carry photos from a New Year party.3
The results were surprising, since most of the participants had said they were aware of the risks of unknown links. Their awareness was compromised by simple curiosity - and the fact that photos are commonly shared on social media.
“This is an old game, the confidence trick, played on new technology platforms,” says Professor Tim Watson, Director of the WMG Cyber Security Centre at the University of Warwick.
“A fraudster might be able to tell when someone is on holiday through their Instagram pictures - then call up a colleague and spin a story using personal knowledge gleaned from a Facebook profile.
“All of us are naïve, but there is now a dawning realisation about the way data can be harvested.”
The issue poses difficult policy questions for your business. Imposing strict rules on social media use and on what your employees should say online is probably unrealistic, and risks alienating staff.
You should, however, make staff aware of what is acceptable use of social media at work. The use of strong passwords, and ideally two-factor authentication, should also be universal to ensure basic business protection.
“It's a cultural issue rather than an IT one,” Prof Watson adds. “Explaining the risks to the business, getting people on side and showing them how they can help - without telling them what to do - is probably the most effective approach.”
1 Wired, July 2017 https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/
3 Friedrich-Alexander University https://www.fau.eu/2016/08/25/news/research/one-in-two-users-click-on-links-from-unknown-senders/