Clicking “Like” on a Tweet, tagging yourself in a photo on Facebook; today, almost everyone has at least one form of social media account where information is shared openly within their immediate friend circle. But in reality, your information is shared far beyond your network and can easily be captured by social engineering criminals who are looking to exploit your privacy and security.
Twitter, LinkedIn, Facebook and Google are all popular platforms that people use to stay connected with one another in the world whether it be socially or professionally. But one reason why they became and continue to be popular is because they are free to users. And it is no secret that these platforms build revenue from advertisers looking to get users’ attention. But people often forget that when utilizing a free social media database such as these, that their personal information is sold to marketers, advertisers and the like. From the moment that an account is made, that company starts to build a profile on you. Not only do they often have your name, date of birth and demographic information, they are also slowly learning about you, your habits, and likes and dislikes based on your website activity. Each time you interact with your friends, like posts and make comments, that information is being stored and built upon so that they can then turn and sell your information.
This may or may not bother some people after all these companies have been very open about what they do with your information, and in the end, it is the user’s choice to hold accounts. But the real worry is where else is my private information going? It isn’t just going to the marketing firms. Cyber criminals have mastered the art of social engineering using social media and the information it gathers to learn about you as well.
Examples of social engineering are happening all the time. Often the information gathered by cyber criminals through social engineering techniques is quickly turned into a common tactic we all know as a phishing scam. Phishing would be far less convincing to victims of cyberattacks if criminals didn’t first dig deep into personal information and learn about the victim first.
Imagine that you’re on Facebook where you are tagged in several photos with your best friend Joe who lives in California. You receive a Facebook message from Joe that there has been a terrible fire at his house and he and his family have lost everything; he was hoping to borrow some money until they get back on their feet. Of course, you say ‘yes!’ to your best friend and send him money hoping that everything is alright. However, the reality is, that wasn’t Joe writing the message, but someone phishing you based on all of the information you have online. They can see your account and all of the connections you have with Joe; your correspondence back and forth over the years, photos you’re in together that date back to college, where you live, work and your interests. They can also see the same information about Joe and use his account against you.
Other examples have happened using LinkedIn pages where phishing emails are crafted using the information of a company executive to gain trust and start conversations with other employees in the company. Once the conversation has been established, employees won’t think otherwise and will comply with requests from executives, managers and other company decision-makers.
Staying cautious while operating on your social media platforms is always a good rule of thumb. Remember that even though you might think your information, pictures and interests are private, they aren’t. It is always wise to carefully evaluate what you’re giving out online and if it isn’t necessary to put certain information about yourself, don’t.
“Whenever something is free, you are the product.” – Twinstate Technologies CEO and Acting CISO, Devi Momot, CISSP®, GSLC®, GISP®
Originally published on 05/02/2017