Protect Yourself and Your Organization Against The Weaponization of Social Media
ZeroFox recently hosted a webinar with CEO James Foster and author Peter Singer on his new book, Like War: The Weaponization of Social Media, which outlines a radical new paradigm for understanding and defending against the unprecedented threats of our connected world.
Modern businesses need to prepare and protect themselves against digital threats in our new social spaces that have hit everything from elections to corporate brands. Check out the webinar to learn about this new battlespace and how organizations can better protect their executives, brand and people. We’ve rounded up a few key takeaways from the webinar here. Think of it like the SparkNotes version.
Protect Yourself on Social Media
Social media offers new opportunities to engage and connect beyond your immediate network of friends and colleagues, but with this connectedness comes risk. It’s important to set protections in place before engaging on social media. The first step towards protecting yourself is to enable two-factor authentication for all accounts, especially those accessed by multiple people (that means you, marketing teams!). Use strong, unique passwords. Looking for creative password ideas? A password manager can help with this. The main goal of a password manager is to store all passwords in a single location and ensure they’re strong enough that a hacker cannot easily guess them. Next, go through your followers, friends, and contact lists and remove any accounts that you don’t recognize or that could be fraudulent. Finally, check to ensure you haven't been affected by a breach. If you do find that your email address has been involved in a breach, make sure to update the password associated with that account as soon as possible. Following these simple steps will help protect you against the misinformation, account hacking, scams, and fraud present on social media.
A great example of the need for both two-factor authentication and strong passwords is a work email linked to private accounts with weak recovery. With only an email address, the ZeroFox team was able to access an individual’s full Apple ID and account.
After clicking “Forgot password,” you are asked to verify your birthday. With a simple Google search, an individual’s birthday can be found pretty easily.
Once the birthday was identified, next came the security question: what is my dog’s name?
Through a simple social media search, the team was able to identify an Instagram post of the individual’s dog, with a caption that included the dog’s name.
And just like that, the team was able to change the Apple ID password and gain full access to the account.
The use of work emails to authenticate private accounts is considered bad practice, as it creates issues with user offboarding and can make it easier for attackers to target the individual. In this case, Apple also allows passwords to be reset by answering security questions. The security questions chosen were weak and would allow an attacker to gain access to the user’s account.
Protect Your Executives and Employees on Social Media
Here at ZeroFox we are often asked, “What are your social media security best practices?” The ZeroFox team wrote a blog on 7 Social Media Security Best Practices with detailed suggestions, but to highlight a few: start by training staff at all levels on social media security. Marketing teams need to take ownership of their accounts and monitor for impersonators. Recently we have found more impersonating accounts than ever before. If you aren’t sure what an impersonating account is, we created a quiz, “Find the Fake,” that will educate you and your staff on what to look for.
It’s important to address the threats facing the people of your organization head on, especially when it comes to executives. CEOs and other high-profile members of your staff are largely responsible for defining culture and brand, so it’s important that their social media presence reflects the image you want to convey to the market. If no action is taken to protect staff and executives against impersonations and other social media-based attacks, this can lead to reputation damage, reduction in brand loyalty, and loss of customer and employee trust. Organizations should make an effort to protect executives from fraudulent profiles in order to protect not only the individual, but the entire business.
Protect Your Business & Brand on Social Media
The first step to protecting your organization on social media is to know what you are up against. Stay up to date on the latest social media scams and tactics by following the local news accounts. Take action at the first sign of potentially malicious or offensive content that could damage your brand. Work with the network or a protection solution to request offensive content and accounts be hidden, blocked or removed. Marketing and InfoSec teams need to work together to create robust security settings for brand accounts. While Marketing traditionally owns these accounts, with new security risks at play on social media, it’s important to create an open dialogue between these teams. Not staying on top of the latest social media scams can lead to revenue loss, brand reputation damage, and information leakage.
Some key tactics and terms to remember:
- Social engineering: Social engineering – the art of hacking human beings – is an age-old threat. But the meteoric rise of online social media usage has led to a new security challenge: social media engineering.
- Phishing, malware and spoofed domains: Phishing and spoofed domains are a tried-and-true tactic used by cybercriminals. Bad actors target your customers on social media with phishing links to sites impersonating your brand in the hopes of receiving account credentials, financial information and PII.
- Impersonating accounts: Bad actors create social media profiles that look exactly like your organization, an internal department or executive in order to abuse the visual trust social media users (in this case, your customers) often exhibit.
- Social spearphishing: An email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information.
Protecting yourself, your employees and your entire business from these and other risks explained above is critical for engaging securely in the age of social media.
Learn More
Social media and digital channels have changed the way we engage with businesses, brands, and each other. Beware and create a plan of action to address the risks on social media. Don’t wait until an attack occurs to protect yourself, your employees, and your business; put protections in place today. Listen to the recording here.