Personal social media may seem to be far removed from the workplace, but it’s become a major vulnerability for corporate networks. Cyber criminals are using company and staff social media accounts as a source of valuable information and easy access, says Tony Walt, co-founder and director at Port443.
Walt warns, “Even supposedly ‘non-sensitive’ personal and company information can be used for cyber crimes such as identity theft, impersonation and ransomware attacks. It potentially exposes employees’ work passwords and puts both them and their employers at risk.”
Identity theft
Says Walt, “Cyber criminals gather public corporate and personal information during the first stage of the cyber attack ‘kill chain’ – reconnaissance. They identify potential targets and their connections. Information staff share on social media provides a wealth of information that criminals can use against them.
“For instance, birthday wishes on your social media profile can help threat actors work out the first six digits of your South African ID number. Your social media profile also gives criminals clues about the seventh to tenth digits of your ID number (females 0000-4999 and males 5000-9999). The 11th digit of your ID number (0 or 1) can be deduced based on whether you’re a South African citizen or a permanent resident. Armed with your ID number, and public information about your children’s and pets’ names and favourite bands and hobbies, criminals can make educated guesses about your passwords and use this to hijack your email, online accounts and business system logins,” Walt continues.
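The guessable-password risk Walt describes can be screened for on the defender's side when a password is set. The Python below is an added example, not code from the article or from Port443; the profile values, names and passwords are constructed, and the helper names are my own.

```python
from datetime import date

# Constructed sample profile: the sort of detail the article says staff share publicly.
# (The first six digits of a South African ID number are the YYMMDD birth date,
# so the "%y%m%d" token below also covers that fragment.)
PUBLIC_PROFILE = {
    "birthday": date(1985, 7, 23),
    "names": ["Thabo", "Lerato", "Bruno"],       # children's and pet's names (constructed)
    "interests": ["Springboks", "Coldplay"],      # favourite team and band (constructed)
}

# Undo common letter-for-symbol substitutions: L3rat0 -> lerato, Thab0 -> thabo.
LEET = str.maketrans("@$!0134", "asiolea")


def derived_tokens(profile, min_len=4):
    """Strings an attacker could lift straight from the public profile."""
    tokens = set()
    b = profile["birthday"]
    for fmt in ("%Y%m%d", "%y%m%d", "%d%m%Y", "%d%m%y", "%d%m", "%m%d", "%Y"):
        tokens.add(b.strftime(fmt))
    for word in profile["names"] + profile["interests"]:
        tokens.add(word.lower())
    # Very short tokens (e.g. a two-digit year) would flag almost any password.
    return {t for t in tokens if len(t) >= min_len}


def profile_derived_fragments(password, profile=PUBLIC_PROFILE):
    """Return profile-derived fragments found in the password; an empty list means it passes.

    The raw lower-cased password is checked for date fragments and the de-leeted
    form for names, so both 'Thabo1985!' and 'L3rat0#2307' are caught.
    """
    raw = password.lower()
    deleet = raw.translate(LEET)
    return sorted(t for t in derived_tokens(profile) if t in raw or t in deleet)


if __name__ == "__main__":
    for pw in ("Thabo1985!", "L3rat0#2307", "Br-uno-230785", "correct-horse-battery"):
        hits = profile_derived_fragments(pw)
        print(f"{pw!r}: {'REJECT ' + str(hits) if hits else 'ok'}")
```

A real deployment would draw the profile fields from HR records the employee has consented to, and run the check alongside a breached-password list rather than instead of one.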
Insta phishing
“Your public posts can also support targeted phishing attacks. Say, for example, your profile says you’re head of finance at your organisation, and you share pictures of your family holiday. This arms cyber criminals with enough information to sound credible should they carry out a business email compromise (BEC) attack on a colleague,” he notes.
In a BEC attack, criminals impersonate legitimate employees, giving instructions to staff to transfer funds or download an attachment. In the example above, a cyber criminal might message a subordinate saying ‘I’m on holiday in Durban, but I forgot to pay this supplier before I left. Please transfer their payment to the following account’. The US FBI reports that BEC attacks have led to over $43 billion in losses since 2016.
Ransomware
If that isn’t bad enough, cyber criminals can also trick users into giving them access to their entire contacts lists, Walt says.
“Social media direct messages are increasingly used to send victims malware that locks them out of their accounts and sends legitimate-sounding messages to all of their contacts. Many small business owners who sell their goods and services through social media have fallen victim to ransomware attacks in this way,” he adds.
Information people reveal on social media also supports ‘vishing’ – voice phishing – scams, he warns.
Vishing
“For example, if you complain about your bank on social media, cyber criminals will be equipped with the information they need to call you, claiming to be from your bank’s customer service desk. They may know your ID number, address, and what problems you have experienced with your banking. Because it sounds so convincing, many people will be fooled and will part with critical information such as their bank card PIN number,” he states.
To reduce these risks, businesses take measures such as enforcing password updates, running regular training, and monitoring the devices and systems employees use.
“Humans are the weakest link in the cyber security chain, and could inadvertently expose their organisations to massive risk and losses,” says Walt. “This is why ongoing training and awareness programmes are essential. Many organisations also have phishing simulations to help staff recognise deceptive emails or phone calls.”
“Password hygiene – with strong, unique passwords and frequent updates – may be annoying for staff, but it’s very important to strengthen overall security,” Walt says. “It’s also crucial for staff to report incidents or suspicious emails, so that action can be taken immediately.”