SOCIAL MEDIA DRIVES JUST ABOUT everything in today’s society, from fashion trends to politics to pop culture. It’s absolutely staggering how many people across the world are using apps like Facebook, Twitter, Instagram, and LinkedIn. A recent survey by Sprout Social Inc. found that 68 percent of U.S. adults between the ages of eighteen to twenty-nine are using Facebook, which was expected to generate $21.57 billion in U.S. advertising revenue in 2018.
More than one million hours of video are viewed on Facebook every single day! Instagram has been growing rapidly, with about 60 percent of U.S. adults on the Internet using it, and Twitter is most popular among mobile users, with more than three hundred million users around the world. Social media has literally changed the way we communicate and document everything in our lives.
There’s no question about it: Social media is an amazing tool that can be used for both personal and professional purposes. However, if social media is used without understanding the risks, it can destroy a business, brand, or reputation. Am I saying you shouldn’t use social media? Absolutely not; I’m only saying you should use social media wisely and use the built-in security features to keep yourself safe.
Along with playing nice on the net and refraining from bullying and other bad behavior, we need to make sure we’re protecting ourselves from the bad guys lurking out there. If you still have doubts they’re there, I have a few Russian Facebook ads I’d like you to read. Believe me, social media is a prime target for cybercriminals, and they can do a lot of irreparable damage with surprisingly little effort.
Let me tell you about my friend Bill, who is the owner of a successful real estate company and a heavy user of social media, both personally and professionally. Bill and I have been friends for a long time, and I’ve given him a lot of tips about cybersecurity over the years. He still uses my advice today to keep his company’s information safe, which I hope gives him a strategic advantage over his competitors.
As a relocation-company owner, Bill stores a lot of sensitive information for his clients, and he knows how to keep it safe and secure. He uses social media every day to stay in touch with his customers, and he routinely provides them updates in the form of Facebook updates and tweets. Of course, he employs my strategy of using separate passphrases for his mission-critical accounts and multifactor authentication on his social media platforms. He’s way ahead of the game.
But nobody’s perfect, and let’s say, for example, that Bill’s company Facebook account is compromised. It happens to companies around the world every day. What if Bill received a spear-phished email from either an unknown or a known sender (someone he knows and trusts), and then he clicked a link he should have stayed away from? Imagine, when Bill clicked the link, the bad guys installed a keylogger and stole his password. With Bill’s username and password, the hackers could easily log in to his corporate Facebook account.
Most organizations wouldn’t be too concerned at this point, because their Facebook accounts certainly don’t contain any sensitive information about their clients, such as date of birth, place of birth, bank accounts, credit cards, or Social Security numbers. But what if the hacker didn’t even want that information? What if he was going after something much more important? What could possibly be more important? Trust. Corporate social media accounts are trusted platforms for clients, associates, and friends. And, if a bad guy is able to breach Bill’s corporate platform, he can start pretending to be Bill.
Still with me? Good. Now let’s assume the crook stole Bill’s identity and became an imposter. He then has the ability to craft a message from Bill’s Facebook account to all of his friends and clients, informing everyone that he has just landed a massive account that will take his company to new heights. Bill is so excited and grateful, the imposter tells them, and the only reason it happened was because of their overwhelming support and referrals. Bill wants to thank all of them by giving them a digital coupon for a free large cup of Starbucks coffee.
Bill’s friends and clients only have to click a link included in the message, and they’ll be directed to a website where they can either print the coupon or store it electronically on their smartphones. Bill’s friends and clients will probably believe the message is legitimate because he’s successful and always generous. Now, the first time I ran this scenario by Bill, I asked him how many of his friends and clients would probably click the link and claim their free coffee. He guessed that 80–90 percent of them would probably do it.
You can guess the bad news. Imposter Bill wasn’t interested in giving away free coffee. Instead, he probably set up a web server on a compromised computer somewhere overseas. If Bill’s friends and clients clicked the link, they would be taken to the bad guy’s web server, which would use a new strain of malware that isn’t easily recognized by an intrusion detection system (IDS). As I told you earlier, malware writers are creating more than one hundred thousand new strains every day, and intrusion detection systems can’t keep pace with the new strains until someone’s computer is infected and it’s reported.
Let’s say in Bill’s case that most of his friends are employed and they’re checking their Facebook accounts on company-owned computers as most U.S. workers do. When they click the link for the Starbucks coupon, they’ll immediately infect their corporate network with a computer virus, which can cause their employer grave damage. The infiltration might include the installation of a keystroke logger, which steals multiple usernames and passwords for email and bank accounts. Or maybe it’s ransomware, which will force their employer to pay tens of thousands of dollars to unlock the computers.
After going through each of these doomsday scenarios with Bill, I asked him, “How will your social media followers feel about you if you cause an outbreak of ransomware or malware at multiple corporations?” He guessed that no one would ever trust any email or social media message from him again, which would irreparably damage his company’s brand.
He finally admitted that he really needed to evaluate how his company used social media. I didn’t advise him to stop using social media as a business tool; it can be very beneficial. He only needed to prevent cybercrooks from accessing his social media. How might he do that? With multifactor or two-factor authentication, which we discussed in the previous chapter.
Again, two-factor authentication is free and easy to set up. So, open Facebook’s Security and Login page and find the options for two-factor authentication. You can choose to receive text messages on your cell phone or preferably an authentication app like Google Authenticator or Duo Mobile. Facebook even allows you to receive alerts if anyone logs in to your account from an untrusted device, and you can choose three to five friends who can send you a code or URL from Facebook when you’re locked out.
What if you don’t use Facebook for business and only use to it share family photographs and recipes for your killer brisket? Is having two-factor authentication really that big of a deal? Well, the big deal happens when Boris Badenov takes over your Facebook account and crafts a really nice message from you, providing your family and friends with a funny kitten video with a message like, “Here is something to brighten your day.” When two hundred of your closest friends and relatives receive the message and click the link, they’ll be redirected to a computer overseas that will install a keystroke logger to steal usernames and passwords. You might not have many friends left afterward. That’s the big deal!
At one point in my life, I swore I would never have a social media account; I just didn’t think it was worth the risk. About eighteen months before I was eligible to retire from the Federal Bureau of Investigation, however, I took the plunge and got a LinkedIn account. I was heading up to the FBI office in Toronto for a thirty-day detail, and I wanted to connect with two old friends who were both on LinkedIn. Once I registered, I reconnected with a lot of old colleagues and made new connections through Cyber Subject Matter Experts. So much for never getting on social media! But I really believed LinkedIn was less dangerous because it was essentially a networking app for business professionals. Who would bother hacking that, right? I had new people asking to connect with me all the time, and LinkedIn seemed pretty harmless.
Each time someone wants to connect with you on LinkedIn, you receive an email from LinkedIn with a link. In reality, it’s actually pretty easy for a bad guy to create a spoofed email from LinkedIn. What if the connection request was from someone you know? The email asks you to click a link to accept the person’s request, or you can see a brief profile of the person making the request. I hope I would stick to my rule of thumb, Think before you click. I hope I wouldn’t get caught up in the moment and accept the request from someone who I believed was an old friend or future business partner.
To be sure, I’ve created an overriding rule or internal policy to reduce my risk: I will only accept requests from connections within LinkedIn. That means I delete the email, open my web browser, type www.linkedin.com to be sure I’m going to the real site, find the request in my in-app updates and notifications, and then accept the request from within the service. Or, I do this with the official LinkedIn app on my phone. This way, I avoid clicking any links in emails, thereby reducing my risk of malware infection. Honestly, you should use the same rule in all your social media platforms.
I now have close to three thousand contacts on my LinkedIn account. I was regularly sending out messages to my followers on how to stay safe on the Internet and how to avoid becoming a victim of cybercrime. I owe it my followers, and you owe it to each of your followers and friends, to keep your social media accounts safe. If a bad guy gained access to my account, he could easily send out a post that appeared to come from me, and then he could direct them to click a link to read a great article I recommended. I know most of my followers would click that link. But, instead of seeing something informative, the bad guy would take them to a website loaded with malicious code, where they’d become infected with malware. Infecting all of my followers would destroy my credibility as a cybersecurity expert—not to mention my sense of self-worth. So, what did I do? I installed the 2FA. And I want you to do the same thing right now. Just click on Security Settings and follow the steps to implement two-factor authentication.
If you’re avid Twitter user—and I’ll admit that I’m not—it’s painless to set up two-factor authentication there too. With the number of professional athletes, actresses, and politicians who are being exposed for the not-so-nice tweets of their youth, protecting your account might be essential in maintaining your reputation. You don’t want a cybercriminal or a jilted lover taking over your account and tweeting photos or something obscene. Like Google and Facebook, you’ll have to enter both your password and a code that’s sent to your cell phone when you log in. The codes can be obtained via SMS texting or Google Authenticator, Duo Mobile, Authy, or a similar authentication app, which is much more secure.
One of my favorite things to do on LinkedIn is to read articles that are recommended by my peers. What do I have to do to read them? I have to click a link on LinkedIn. How do I know these links are safe? Well, I don’t. There’s no sure way of knowing whether it’s legitimate. But now that you know what can happen if you click on a link in an email, website, or social media, you hopefully know that it wouldn’t be a good idea for a space shuttle pilot or nuclear power plant operator to check email, surf the web, or engage in social media on his work computer. But each one of us does it multiple times a day on multiple computers and mobile devices. This is one of the main reasons why cybercrime is out of control and will continue to get worse until we change the way we use computers.