That cute photo of your fluffy Lagotto Romagnolo on Instagram. The TikTok video of your team finally back together in the office. An alma mater highlighted on your LinkedIn page.
Armed with all that publicly available intel, a cybercriminal can cobble together a profile of you—and use it in countless ways to break into your company’s network.
They might craft an email tailored to your interests (“Hello fellow dog lover!”) that gets you to click on a dubious link, inadvertently giving them access to the network, or insider details about service providers like your health-insurance company, so they can launch a ransomware attack. Or they might pretend to be you to trap somebody else at your business (“Hey, it’s Cindy’s birthday next week, click on this link to accept the invite to her party.”). And so on.
“About 60% of the information I need to craft a really good spear phish is found on Instagram alone,” says Rachel Tobac, chief executive officer of SocialProof Security, a hacker-led vulnerability-assessment and training firm. By scouring somebody’s social-media accounts, she says, “I can usually find everything I need within the first 30 minutes or so.”
It isn’t just things that you post, either. “Every ‘like’ you make on Facebook and heart you tap on Instagram can be aggregated together to paint a fairly clear picture of who you are and what you are into,” says Carrie Gardner, a cybersecurity engineer and leader of the Insider Risk Team at Carnegie Mellon University’s Software Engineering Institute.
The potential for attack is even greater given data breaches like the recent hacks at Facebook and LinkedIn, which exposed hundreds of millions of users’ personally identifiable information. Then there’s the fact that so much of this criminal snooping is done automatically: Hackers can use powerful AI and software tools to scan social-media accounts at incredible speeds looking for details.
“We can actually automate all that reconnaissance using AI, which criminals are increasingly doing at scale in hopes of finding a lucrative victim,” says Aaron Barr, chief technology officer of PiiQ Media, a social-media threat-intelligence and risk-analytics company.
We asked security experts what social-media users can do in terms of what they post online to keep from compromising their companies’ networks. Here is what they had to say.
This is a classic piece of advice for protecting your online security, but it bears repeating. Stop posting private information on public platforms—things like travel plans, personal interests, details about family members or specific news about a work product. All of that information can be used to gain your trust or deceive your co-workers. For instance, a hacker might find out personal histories from your social media, then send a phishing email that says things like: “I’m sorry about your parents’ passing. I feel like I remember you wore sweaters your Mom made at school.”
Even the smallest details, which malicious actors will certainly aggregate from more than one platform, may be unintentionally revealing. Take off your employee ID in photos so hackers can’t use yours as a model to create their own, says Ms. Tobac. Don’t tag images: geotags tell threat actors where you have recently been, which is just the sort of kernel needed to send a malware-embedded survey about last week’s hotel stay, and hashtags such as “#LifeAtCompany” let them search Twitter for intel on you or your business.
And in photos, “move a bit away from the workstation,” Ms. Tobac says: a screen in the frame easily reveals which software you’re using, so bad guys can customize phishing attempts. Also, she adds, “You’d be surprised how often I see a Post-it Note with a username and password hanging there. Then I’m in.”
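Geotags travel inside the photo file itself, in the Exif metadata that most phone cameras write, so the check and the fix can happen before a picture is ever uploaded. The following is an added example, not code from the article or from SocialProof Security: using only the Python standard library, it walks a JPEG's segment table, reports whether the Exif block points at a GPS sub-IFD, and returns a copy with the Exif block removed. The sample file it builds is a constructed fixture (a JPEG shell with real segment and Exif structure, not a viewable picture).

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825            # IFD0 entry that points at the GPS sub-IFD
SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1


def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for each JPEG segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (SOS, EOI):
            return                      # entropy-coded image data follows; leave it alone
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        start, end = pos, pos + 2 + length
        yield marker, data[pos + 4:end], start, end
        pos = end


def has_gps_ifd(exif_payload: bytes) -> bool:
    """True if the Exif APP1 payload's IFD0 contains a GPS sub-IFD pointer (tag 0x8825)."""
    if not exif_payload.startswith(EXIF_HEADER):
        return False
    tiff = exif_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order declared by the TIFF header
    if endian is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A or ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break                       # truncated IFD; stop rather than misread
        if struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def photo_has_geotag(jpeg: bytes) -> bool:
    """Does any Exif segment in this JPEG carry a GPS sub-IFD?"""
    return any(marker == APP1 and has_gps_ifd(payload)
               for marker, payload, _, _ in iter_segments(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment dropped; pixels are untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, payload, start, end in iter_segments(jpeg):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end                       # advance past skipped segments too
    out += jpeg[pos:]                   # SOS onward (scan data + EOI) copied verbatim
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed fixture: a minimal JPEG shell with an Exif APP1 block (not a decodable image)."""
    tiff = b"II" + struct.pack("<HI", 0x2A, 8)               # little-endian TIFF header, IFD0 at 8
    if with_gps:
        tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
        # GPS IFD at offset 26: one entry, GPSLatitudeRef = "N"
        tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    else:
        tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0110, 2, 4) + b"Cam\x00" + struct.pack("<I", 0)
    exif = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x11\x22"   # stand-in for scan data
    return b"\xff\xd8" + app1 + scan + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg(with_gps=True)
    print("geotag present:", photo_has_geotag(original))
    cleaned = strip_exif(original)
    print("geotag after strip:", photo_has_geotag(cleaned), "bytes saved:", len(original) - len(cleaned))
```

For a real file, `strip_exif(open("photo.jpg", "rb").read())` gives the bytes to write out. Two caveats: the example removes only the Exif APP1 segment, and location can also sit in XMP metadata or in a caption, so an exported copy should be checked as well; and while some platforms strip Exif on upload, email and messaging apps often pass the file through untouched, which is why stripping at the source is the dependable option.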
One of the easiest ways for hackers to do mischief in a company network is to compromise your email account to send phishing messages. And one of the easiest ways to stop these crooks is to make sure they don’t get your address in the first place.
That means using your work email for work only and never openly on your social-media profiles. In theory, this is easy: On sites like LinkedIn and Facebook, users can keep their emails invisible to anyone but themselves. But most people continue to make them public, thus leaving personal contact information open to data-mining firms or malicious actors.
The consequences can be alarming. Furnished with your email, an attacker can use spear phishing to infect other employees, exploit the company’s defense perimeter and potentially gain access to other employees—or spy on a company’s internal communications. In one common type of attack, called a payment-diversion-fraud scam, criminals get access to the email of an executive who approves invoices and then keep an eye on his or her message traffic, says Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, the research arm of the cybersecurity solutions firm Fortinet.
When a juicy invoice comes through, “they can change the wire-transfer instructions to go to an offshore account. And social media played a starring role in that,” he says.
Mr. Barr suggests that people have at least four email addresses—one for personal messages, one for work, one for spam and one just for social media—and, furthermore, that they never use their work email for anything else. (Of course, you shouldn’t use the same password for all of them, and you should change those passwords frequently—preferably adding multifactor authentication to make it even tougher for crooks.)
AI and powerful software programs can quickly search social-media accounts looking for profile-picture matches, as well as other common characteristics (username, friends, interests) across accounts, says Mr. Barr.
For instance, if someone uses the same profile picture on Instagram and Pinterest, the AI can tell that the accounts belong to the same person, even if the usernames are different. Hackers can then build up a huge trove of information about you to impersonate you more effectively to your co-workers.
Fortunately, there’s one simple line of defense: Whenever possible, don’t use photos of you or people you know in profile pictures.
“If your profile image is not a photo of your kids or your spouse or you, then it makes it difficult for an attacker to make a positive correlation across platforms,” says Mr. Barr.
It is completely normal and even expected to share intimate details through dating apps. So, users typically don’t consider what could happen should that information fall into the hands of malicious actors.
It is a good idea to limit your share group and do a gut-check to decide whether or not what you are posting today might be leveraged against you later—say, using blackmail to coerce you into releasing sensitive information, such as your work credentials.
Cyber attackers are patient and persistent, says SocialProof Security’s Ms. Tobac: “They might hold back, quietly continue to try to get more and more access, and wait months for the right time and attack.”
If you’ve posted anything that could come back to haunt you, take it down—though it’s best not to post it in the first place, since everything on the internet lives forever. And once you’ve made a connection, consider vetting your suitor through some online searches and then continuing the conversation over a different channel.
“The pictures we share, the descriptions we give, the conversations we have when we think it’s just the two of us…it’s worth thinking about when the right moment is to move all that over to a more secure place like Signal or even a phone call,” Ms. Gardner says.
Information you post on a job-search site can be valuable to criminals looking to get intel on you or a company. So, if you can get away with it, don’t do things like list a former employer or school by name, says Mr. Barr. “Unless I’m trying to find a job, I’m not sure it’s critical that people know I went to Old Dominion University, so I just make it generic and say ‘Major University,’ the years I attended, and my major.” Along with that, you should remove phone numbers and email addresses, while displaying skill sets and types of jobs you’ve held.
Should you be on a quest for a new gig, Mr. Barr suggests posting a fully loaded CV for a period, then taking it down once the job hunt is completed. What’s more, don’t send any information to people who ask for it unless you confirm their identity.
Mr. Manky advises job seekers to go through what is called a “zero-trust model.” That includes looking up the person who contacted you, going to their company website to make sure it is legitimate and that it links back to the correct domain, and trying not to fall prey to flattery.
“A cybercriminal will try to excite a candidate, saying that this is a perfect fit,” Mr. Manky says. “Oftentimes, the recruiter is pushy or a job is offered without an interview. Those are big red flags.”
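One way to make the "does it link back to the correct domain" step mechanical, as an added illustration (example code, not from the article, Mr. Manky or Fortinet): compare the sender address and any link in a recruiter's message against the company's real domain, and flag spellings that merely look like it. The trusted-domain list, the confusable-character table, the two-label notion of a registrable domain and the 0.85 similarity threshold are all assumptions chosen for the example.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed table of characters that are easy to mistake for one another in a domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
SIMILARITY_THRESHOLD = 0.85     # assumption: above this, treat as a probable lookalike


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (fine for .com/.org, wrong for co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Normalize a domain so visually similar spellings compare equal."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    d = d.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w").replace("-", "")


def sender_domain(address: str) -> str:
    if address.count("@") != 1:
        raise ValueError("malformed address: %r" % address)
    return registrable_domain(address.rsplit("@", 1)[1])


def classify_domain(domain: str, trusted_domains) -> str:
    """'trusted' (exact), 'lookalike' (visually close) or 'unknown' (unrelated)."""
    trusted = {registrable_domain(t) for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        tk = skeleton(t)
        if sk == tk or SequenceMatcher(None, sk, tk).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"


def classify_sender(address: str, trusted_domains) -> str:
    return classify_domain(sender_domain(address), trusted_domains)


def classify_link(url: str, trusted_domains) -> str:
    host = urlparse(url).hostname
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return classify_domain(registrable_domain(host), trusted_domains)


if __name__ == "__main__":
    trusted = ["example.com"]           # constructed: the company's real domain
    for addr in ["recruiter@example.com", "talent@exarnple.com", "hr@examp1e-hr.com", "someone@gmail.com"]:
        print(addr, "->", classify_sender(addr, trusted))
    print(classify_link("https://careers.example.com/apply", trusted))
    print(classify_link("http://example-com.careers-portal.net/", trusted))
```

"Lookalike" is the result that deserves the most attention: an unrelated domain is merely unverified, but a near-miss spelling of the company's own domain is a deliberate choice by whoever registered it.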
Likewise, not everyone who reaches out with a friend request or invite on social media is who they claim to be. The request may be coming from someone looking to worm into your professional network to pilfer trade secrets, disrupt your systems, steal your identity or just harm your public reputation or brand. That’s why it pays to do some due diligence on that person.
PiiQ’s Mr. Barr remembers doing a security test for a tech company’s chief technology officer. With a little homework, he figured out where the executive went to high school.
“Then I got onto Classmates.com, and I found one or two peers who didn’t have Facebook accounts,” Mr. Barr says. He posed as one of those high-school peers, created a fake account and sent the victim a friend request—which he accepted.
Mr. Barr then had access to every breadcrumb available on the CTO’s Facebook profile. All of that could help him gain enough intel and trust to launch a well-crafted spear-phishing attack.
“Vulnerabilities can come from anywhere,” says Mr. Barr. “Social media is still the Wild West.”