Social media channels such as Facebook, Twitter, Instagram and YouTube have emerged as attractive gateways for cybercriminals. Other platforms are also becoming hotbeds for hacking, such as social news sites like Reddit and review sites like TripAdvisor and Yelp. Close to home in Florida, the Pentagon learned the perils of social media exposure when the Twitter and YouTube feeds of the U.S. Central Command in Tampa were breached by apparent sympathizers of an Islamic State militant group.
What makes social media platforms so desirable? One easy answer, according to Chief Privacy Officer (CPO) magazine, is that “these sites make it very easy to share and pass on just about anything – and that includes malware.” On average, social media platforms have 20% more methods for scamming consumers than other internet sites; techniques like advertisements, sharing buttons and plug-ins. In addition, most people have hundreds to thousands of connections on social media making it very convenient to distribute malware to a wide audience with few negative consequences. Additionally, the same type of human error that causes people to click on links sent to them in emails is exponentially greater on social media platforms because people are more likely to consider themselves among friends.
Hacking social networks requires very little technical skill. Bad actors simply use the information available on personal profiles to win a complete stranger's trust. “Cybercriminals exploit the personal details we share online to trick or impersonate us—piecing together every photo we post, location we check into, person we tag, or pet photo we upload to build an understanding of their targets,” explains Fast Company, a business magazine that focuses on technology and business. “The social engineering scams they create are designed to entice people to download malware, send money, share personal information, or disclose log-in details.”
Examples of how hackers use social media to commit cybercrimes include:
- Identity theft – Scammers use information and photos easily found online to create fake Twitter, Facebook and LinkedIn accounts, and then use these fake social media profiles to scam others out of money or to tarnish your firm’s reputation.
- Malware – Social media is an effective way to distribute malware because the links, messages and posts come from a trusted source like a client, co-worker or friend. Chief Privacy Officer (CPO) magazine reports nearly 1 in 5 organizations worldwide are now infected by malware distributed by social media platforms.
- Social phishing – Fun fact: 85% of people posting puppy photos on social media are trying to scam you. Much like the more traditional phishing attacks that use email or malicious websites to solicit personal information by posing as a trustworthy organization, social media phishing uses platforms like Facebook or Twitter to steal personal data or gain control of a person’s social media account. One example is a post that offers free vouchers and giveaways by clicking on a link that goes to a malicious website.
- Data exploitation – Think about the information on social media platforms that could give hints to your frequently used passwords. While it’s considered a best practice to avoid using things like your child’s first name or birthday, many people still do so – and hackers know it. Think twice before taking that quiz that asks your mother’s maiden name or what high school you went to.
Social media hacking happens more often than you think, according to Dr. Aaron Brantly, director of the Tech4Humanity Lab at Virginia Tech who studies the impact of technology on the human condition. “The numbers are very hard to come by on almost all social media platforms because they keep those very close to their chest,” he said. The motivation is usually financial or malicious.
The scope of social media scams is limited only by the imagination of the cybercriminals and once your account is hacked, there’s not much you can do about it. Your best defense is a good offense. Here are some ways to protect your firm from social media hackers:
- Know how your firm uses social media – Understanding which platforms your firm benefits from most can help determine the ones you need to secure. This protects not only your firm but also those who visit your pages and profiles.
- Train employees on best practices for social media use – Educating new employees about your firm’s cybersecurity policies should be a standard component of the onboarding process and reinforced with constant training updates for all staff. This includes social media security training and making sure employees are aware of how important it is to the overall security of your firm. Kevin Mitnick, considered the world's most famous hacker, has often said the best security you can have is trained employees who are on their toes with security top of mind.
- Create an effective password policy – Passwords have been called “the keys to the digital kingdom.” The strongest passwords are those that are eight or more characters long; contain a combination of upper and lower case letters, numbers and symbols; and use made-up phrases. Do not use common words or personal information like the name of a family member or pet.
- The AICPA’s Director of IT Security Strategy recommends changing passwords at least once per year and having unique passwords for each website and application. Other tips include using two-factor authentication as an extra layer of protection and logging out of websites and devices when you are finished using them.
- Employ strong security solution – The right security solution can protect your firm’s accounts and network from attacks like malware, phishing campaigns, malicious URLs and other evolving threats.
There are a reported 4.62 billion social media users today and 22% have fallen victim to a security-related incident. Many are businesses that use some combination of social media for recruiting, marketing and customer service purposes. Others could be your employees who use personal social media accounts on business devices and transmit posts, videos, and messages over your network. Now, more than ever, CPA firms should assess their cybersecurity risk from social media and take steps to mitigate it, from auditing social media use and deploying a cyber secure IT infrastructure to ongoing employee training.
As an endorsed program of the FICPA, Coaxis offers special member pricing for its CPA program package. To learn more, visit www.coaxiscloud.com/ficpa or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or [email protected].