There has never been a more perilous time to be an employee actively using social media in the UK. As we post more and more information about ourselves on sites such as LinkedIn and Facebook, scammers can increasingly find ways to steal not only our personal details, but also the company details of the organisations we work for. New threat vectors have been well and truly opened with the rise of social media and its interconnectedness with our professional lives. If you haven’t heard of phishing before, it’s the fraudulent practice of sending emails that would appear to be from a credible source, such as your bank, to entice individuals to reveal personal information such as credit card details and passwords. Phishers can now access and infiltrate our corporate networks by tailoring fake emails from ‘business associates’ which actually contain malicious links and malware. The days of simple scams are in decline and every employee in the UK needs to be aware of the increasingly sophisticated ways that phishers can target us. Following these simple tips will help every employee to spot and avoid phishing scams in 2014:
1) Less is more
Social media sites such as LinkedIn are great resources to promote yourself, network with like-minded professionals and detail all of your career achievements to date. But how much professional information should you really be posting about yourself online? A simple way to prevent your identity from being stolen is to limit the amount of personal detail you share. If you are in a position of high importance, it is probably best to avoid mentioning the names of colleagues you have worked with on LinkedIn, for example. You could also seriously consider whether it is absolutely necessary to post your real name online. If new contacts in your network genuinely need to get in touch with you, you can simply introduce yourself via a private email.
2) Be selective
Think carefully about who you are adding to your corporate network. This is important in two instances. Firstly, you may think you know who you are adding, but how are you to know that you are not connecting with a fake account? It is always a safer bet to get in touch with a contact personally via email. Secondly, and more simply, phishers can easily identify your connections if they are targeting you personally. You don’t want to be in danger of offering a veritable buffet of targets to motivated hackers.
3) Be careful what you ‘Like’
Phishing scammers are finding more sophisticated ways to trick us. Many phishing scammers can now create fake Facebook ‘Like’ buttons on websites. A pop-up then appears and you are asked to log in via Facebook, only this is not Facebook but a site controlled by the phishers. To avoid this, log in to Facebook directly to ‘Like’ an article.
4) Be wary of hyperlinks
If phishers do happen to hack into your social media accounts they can use them as a platform to send links containing malicious software to all of your contacts. As they have access to your previous messages and conversations, they can then generate more realistic looking emails, even containing your own wording. This can be avoided by not only regularly updating your passwords, but also by getting in touch with people privately via email or direct message to minimise the risk of your network receiving malicious links.
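The two tips above (a login pop-up that is not really Facebook, and a hyperlink whose visible text does not match where it actually leads) both come down to checking the host a URL really points at. The following is an added example, not code from the article or from Thales UK; the set of trusted Facebook hosts and the sample URLs are constructed for illustration, and the function names are this example's own. It shows why an exact host match matters: a host such as `www.facebook.com.login-check.example` contains the brand name but is not Facebook.

```python
import re
from urllib.parse import urlparse

# Hosts treated as the genuine login endpoints for a service. Constructed for
# this example; a real deployment would maintain its own allow-list.
TRUSTED_LOGIN_HOSTS = {
    "facebook": {"www.facebook.com", "facebook.com", "m.facebook.com"},
}

# Matches visible link text that itself looks like a host or URL, e.g.
# "www.mybank.example" or "https://www.facebook.com/page". Plain words such
# as "Click here" do not match and therefore make no claim about a host.
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").lower()


def is_trusted_login_host(service, url):
    """True only if the URL's host is exactly one of the service's known hosts.

    Subdomain tricks such as 'www.facebook.com.example.net' fail this check
    because the whole host must match, not merely start with the brand name.
    """
    return host_of(url) in TRUSTED_LOGIN_HOSTS.get(service, set())


def check_login_prompt(service, url):
    """Return a list of reasons a login pop-up URL is suspicious (empty if none)."""
    reasons = []
    host = host_of(url)
    if urlparse(url.strip()).scheme != "https":
        reasons.append("not https")
    if not is_trusted_login_host(service, url):
        if service in host:
            reasons.append(f"host {host!r} merely contains the brand name")
        else:
            reasons.append(f"host {host!r} is not a known {service} host")
    return reasons


def link_text_host_mismatch(displayed_text, href):
    """True when the visible link text names one host but the href goes elsewhere."""
    match = HOST_LIKE.match(displayed_text.strip())
    if not match:
        return False  # text like "Click here" carries no host claim to compare
    return match.group(1).lower() != host_of(href)


if __name__ == "__main__":
    # Constructed sample prompts and links, not real phishing data.
    samples = [
        "https://www.facebook.com/login",
        "https://www.facebook.com.login-check.example/login",
        "http://facebook.com/login",
    ]
    for url in samples:
        print(url, "->", check_login_prompt("facebook", url) or "ok")
    print(link_text_host_mismatch("www.mybank.example",
                                  "https://secure-login.example/x"))
```

The check is deliberately strict: a host is accepted only if it is exactly on the list, because "looks like it contains facebook.com" is precisely the impression a lookalike host is built to give.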
5) Remember, your data spreads…
A key point to bear in mind is that even if individual websites restrict what is published, there are now aggregation sites which gather data from multiple sites. If you publish data on multiple sites, someone sooner or later will connect the proverbial dots. Again, be vigilant and think carefully about posting the same information about yourself on multiple social media platforms.
6) The new threat: ‘Spear phishing’. Educate yourself
One way to beat the phishing scammers is to stay one step ahead of the game and to be aware of new, emerging threats. ‘Spear phishing’ is the latest trend that poses a threat to your professional profiles and social media accounts. ‘Spear phishing’ works by generating a dossier on the individual, with the intention of compromising their specific IT equipment or account. This is where social media becomes a great tool for the phishing scammers. Phishers now prepare their attacks using “Open Source Intelligence Collection”, a term that describes hackers or nation-state sponsored adversaries gathering as much information as possible from the internet and other openly available sources before the attack is launched. Given the scale of the threat that phishers now pose to our companies, employees must take every measure to ensure that personal, corporate and professional information is not posted widely online. If in doubt, leave a direct message or suspicious email alone. If someone legitimate wants to contact you, they’ll get back to you.
You’ll notice that a common thread has been weaving its way through all of the above tips: minimise the amount of information you post about yourself on social media. It sounds obvious, but employees are still not doing enough to lessen their online profiling. The chance to promote yourself and network online is great, but this shouldn’t be at the risk of your personal identity being stolen, or even your colleagues finding themselves at the receiving end of a phishing scam. Always remember there are cyber criminals and state-sponsored attackers who are prepared to exploit the data you are voluntarily uploading to social media to attack you and your employer. Social media is the ultimate weapon for phishing hackers, and this is not going to change any time soon.
Peter Armstrong, director of cyber security, Thales UK
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.