With data from users of LinkedIn, Facebook, and other social media providers available online for criminals to buy, protecting your accounts and your data is more important than ever
News that data from over 500 million LinkedIn accounts is for sale on a hacker’s website makes many of us with social media profiles wonder what that means. Will our accounts be compromised by cyber criminals? Will we suddenly be targeted by a phishing attack? Will our messages, potentially containing everything from casual approaches for a reference to snarky remarks about corporate leadership, be leaked?
In the world of cybercrime, what sounds like fiction can rapidly become fact.
While the latest incident may involve data that has been scraped from the public parts of LinkedIn profiles, and possibly data from a security breach in 2012 where 164 million email addresses and passwords were exposed, the implications are still worrying.
Information such as user IDs, names, email addresses, phone numbers, professional titles, genders, and links to other social media profiles can do a lot of harm in the wrong hands, even if no private data is viewed or included.
The more information about you that is out there, the easier it is for criminals to leverage it, using the latest automation tools to pull it together.
In some ways, when you consider how a cyber criminal may use your publicly available personal data (piecing it together to craft targeted phishing emails, or guessing passwords to hijack your email account), the boundary between public and private is no longer the issue.
The business case for better social media security
For organisations, what an employee posts on their social media accounts, and how they manage account security, can have implications for the employer, as hackers may use compromised accounts to target a business.
The rise of remote working during the pandemic has changed the way many organisations have to think about security, moving from relying on protecting the outer ring of a network (with a firewall) to checking every user when they try to access any part of the network.
A cybercriminal mining the LinkedIn data can use the information to build up a picture of who does what in a company, and what they are interested in, and then target them with fraud and malware.
ENISA (the EU’s cybersecurity agency) reports up to 230,000 new strains of malware are detected around the world each day.
Organisations therefore need to keep security top of mind with employees, training and testing staff so they understand how to protect their data, and do not become the weakest link.
How to secure your data
While we might not be able to do much if a social media platform suffers a data breach due to issues with their systems or procedures, we can take control of the data we put out about ourselves.
The first step is to question whether you need or want to use a platform in the first place. If you decide to keep an account (or open an account) then check your privacy settings. Make sure you are not openly displaying information such as your date of birth (easily done if you show your birthday on an open profile). Do you want Facebook ‘friends’ to see your email or phone number via your account? Perhaps not, especially if your ‘friends’ are the sort of people who don’t take their security seriously and may end up having their accounts compromised.
How many times have you received a Facebook ‘friend’ request from someone who already has a Facebook profile? Does that person really have two profiles, or is the second one a fake account, cloned by a criminal wanting to access the data shown by real friends of the real person?
Tightening your privacy settings and removing information you are broadcasting may help prevent it being accessed by future data scrapes. However, what if your information is already packaged up for cyber criminals to use?
You can check if your information has been included in a known data breach using a site such as https://haveibeenpwned.com/ which will highlight known events.
It is then a good idea to change your passwords and set up multi-factor authentication (MFA) to protect your email and social media accounts.
Multi-factor authentication, or 2-step verification, means that each time you log in to an account from a different device, you will need to enter a code in addition to your password to access the account. This code may be sent by SMS to your mobile, or generated by an authentication app such as Google or Microsoft Authenticator, Duo Mobile, or Authy.
When you set up multi-factor authentication you will also receive backup codes, which you can print out and keep in a safe place in case you can’t access your device.
Multi-factor authentication is recommended for popular platforms such as LinkedIn, Instagram, Facebook, Gmail, Twitter, Amazon, PayPal, WhatsApp, eBay, and Snapchat.
However, it is worth remembering that no method is infallible. The latest Europol Internet Organised Crime Threat Assessment identifies ‘SIM swapping’ as a growing trend. This involves criminals hijacking a victim’s phone number by deactivating their SIM and swapping it with the number of someone in their criminal network. The criminals can then access a phone and take over accounts, changing passwords, sending messages to contacts, and stealing personal information or money.
This means that even with all the right protocols in place, we all need to remain vigilant, always thinking about the information we give, and the information we receive.
If you would like to speak to one of our experts to discuss your organisation's security strategy and how we can help address your business goals, please get in touch today. Email firstname.lastname@example.org and we can set up a call to understand your business needs.