Social media platforms have become indispensable marketing tools. Companies use social media promotion to increase brand awareness, expand their reach, engage existing and potential clients and the media, and monitor industry news and trends. Company executives and employees use their personal accounts on Twitter, Facebook, and LinkedIn to post business updates. Marketing masterpieces have been written on how social media can propel a business to success.
There is a dark side to the use of social media, though, and marketing advisers and SEO gurus have yet to grasp the danger that lurks in its darker corners: social engineering.
Scammers that engage in social engineering (phishing, whaling, or CEO email scam) are the sophisticated kind. Instead of targeting the software/hardware component of any business infrastructure, phishers target the user. And where, if not in social media, do the scammers mine the treasures of the personal and business information that helps them build a detailed profile of the target?
Companies that post business-related information on social media may be making themselves vulnerable to cyber fraud.
A user is easier to hack than a machine, alas. Hackers use social engineering techniques to commit multimillion-dollar frauds all over the world. Brian Krebs quotes an FBI warning about a “dramatic” growth of “CEO fraud,” where hackers target a high-profile executive or send a message that appears to come from the “boss” requesting a wire transfer. According to the FBI, CEO fraud, aka whaling, cost companies more than $2.3 billion over the past three years.
Companies big and small are equally targeted. Some lose $25,000, others $2,500,000, depending on the company size and the sophistication of the attack. Notably, companies recognize the value of cybersecurity and invest in IT security solutions. This pushes hackers to target the user element ever more.
Social engineering includes, but is not limited to, links that spread malware and ransomware, phishing emails, social media private/direct messages, SMS, phone calls, and chat app messages.
They look legitimate, they read as legitimate, and they express “legitimate” requests.
These messages appear to come from business partners, affiliates and third-party contractors, banks, or company executives. In some cases, the email address resembles the email address of the person it claims to come from, but for a small detail (a letter, a number, a slash, etc.). In other cases, the phishing email IS coming from the legitimate email address of the person it claims to represent, because that email account has been hacked.
Phishing emails contain actual business information: names, usernames, passwords, addresses, bank accounts. One common type is the phishing email that targets an employee in the finance department and appears to come from a boss requesting a wire transfer. Another is an email from a partner asking to clear an invoice, but to send the payment to a different bank account.
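The two sender patterns described above (an address that differs from a trusted one by a single character, and a trusted display name paired with an unrelated address) can both be checked mechanically before a message reaches the finance inbox. The following is an added example, not code from the original post or from FortKnoxster; the trusted-contact directory, the homoglyph table and the sample From headers are constructed for illustration. It classifies a From header against known contacts using a homoglyph-normalised comparison and an edit-distance threshold on the domain, and deliberately reports an exact match as only "known", since the post notes that a legitimate address can itself be compromised.

```python
"""
Flag senders that resemble, but are not, known trusted contacts.
Added example; contacts, homoglyph table and sample headers are constructed.
"""
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> address.
TRUSTED_CONTACTS = {
    "Jane Doe": "jane.doe@example-corp.com",
    "Acme Billing": "billing@acme-supplier.example",
}

# Visual substitutions commonly used in lookalike domains (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Maximum edit distance at which a domain is treated as a lookalike.
MAX_DOMAIN_DISTANCE = 2


def levenshtein(a, b):
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(s):
    """Lower-case and collapse homoglyphs so 'exarnple' compares equal to 'example'."""
    s = s.lower()
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s


def classify_sender(from_header):
    """Return (verdict, matched_contact) for a raw From header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rsplit("@", 1)[1]

    trusted_by_addr = {a.lower(): n for n, a in TRUSTED_CONTACTS.items()}
    if addr in trusted_by_addr:
        # Exact match: known, but not proof the account is uncompromised.
        return ("known", trusted_by_addr[addr])

    for contact, taddr in TRUSTED_CONTACTS.items():
        tdomain = taddr.rsplit("@", 1)[1].lower()
        if domain == tdomain:
            # Right domain, unknown mailbox: verify out of band.
            return ("trusted-domain-unknown-sender", contact)
        if normalize(domain) == normalize(tdomain) or \
                levenshtein(domain, tdomain) <= MAX_DOMAIN_DISTANCE:
            return ("lookalike-domain", contact)

    for contact in TRUSTED_CONTACTS:
        if name and name.strip().lower() == contact.lower():
            # Familiar name on an unrelated address: classic display-name spoof.
            return ("display-name-impersonation", contact)

    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for header in [
        "Jane Doe <jane.doe@example-corp.com>",
        "Jane Doe <jane.doe@exarnple-corp.com>",
        "Jane Doe <janedoe1985@webmail.example>",
        "cfo@example-corp.com",
        "news@unrelated.example",
    ]:
        print(header, "->", classify_sender(header))
```

The edit-distance threshold is a tuning knob: two is tight enough to catch a dropped letter or a swapped character while keeping false positives low for domains of realistic length, but very short domains would need a stricter value. In practice the "known" verdict should only downgrade, never skip, the out-of-band confirmation that any payment-change request deserves.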
Hackers profile their targets by scrutinizing their social media profiles.
They target a company, then gather detailed intel from the company’s social media accounts and those of its employees. Of special interest are the accounts of personnel authorized to make financial transactions and, of late, CEOs.
Phishing messages will not come from a random person, but from people you trust or organizations you work with.
A part of the problem is that the current generation of employees has grown up or matured with the habit of over-sharing their personal and private data on social media. The same over-sharing issue persists when they take their work duties to social media. Offensive or reputation-damaging posts aside, your employees just might be spilling the beans about your corporate secrets in your social media. A slip of the tongue in a conversation, a selfie taken in front of an active desktop or with corporate paperwork in plain sight can be enough for a well-executed phishing attack.
However, it is the personal and private information your employees and executives share on social networks that allows hackers to make a detailed and accurate profile of the target.
This data helps hackers craft credible baits. In the end, it is the human they need to hack to perform a transaction. Not the system. Not your cybersecurity plan, with enabled end-to-end encryption, two-step authentication, top-notch IT team and a CSO.
The phishing messages appear legitimate because the hacker knows the names of the CEO and CFO and has hacked into their email accounts. Hackers scan the company’s press releases for information on acquisitions, partnerships and mergers to learn when many new people are joining. That is when phishing is most effective, because new staff do not yet know who is who in the company.
Social media enables hackers to conduct sophisticated reconnaissance on companies and their employees, and to bypass the company’s cybersecurity perimeter undetected.
Employees share, or make easily accessible, information about their physical location, digital identity, phone numbers, IP addresses, date and place of birth, marital status, family members, colleagues and peers, projects, business trip itineraries and schedules, and so much more. According to former FBI counterterrorism and counterintelligence operative Eric O’Neill, there are no hackers, only spies. The job of a hacker engaged in social engineering does resemble that of a meticulous profiler from “The Criminal Minds.”
Last but not least is the proliferating malware that gets downloaded onto corporate computers when employees click links in direct messages and posts without giving it a second thought.
Join FortKnoxster and start protecting your online privacy.
Visit our Facebook page and Twitter page for more inspiration.