Social media platforms are the success story of the century, certainly as far as numbers of users go. To give you an idea of the popularity of this type of software, here are some of those numbers:
- Facebook – 2.45 billion monthly active users[1]
- Twitter – 300 million monthly active users[2]
- Instagram – 1 billion monthly active users[3]
Popularity like this means that social media is like honey to a wasp where cybercrime is concerned. Fraudsters see social media users as a captive and trusting audience that can be manipulated into performing acts they would normally be more vigilant about. Social media has effectively built a platform, not just for sharing ideas and cat pictures, but as a playground for cybercrime.
Here, we look at some of the ways that your social presence is being used to commit cybercrime.
How Social Media is Used in Cybercrimes
In its report “Social Media Platforms and the Cybercrime Economy”[4], security vendor Bromium describes this conduit for cyber-attacks as “platform criminality”. The social media platforms that many of us love and use daily are a portal that opens new opportunities for cybercriminals to exploit. The nature of social media means data sharing is an inherent part of the apps. Trust is also a crucial part of the social media engine. These two things align to create a perfect cyber-storm.
The Bromium report explains how cyber-attacks are facilitated by social media platforms; it concludes:
- A “global distribution centre for malware”: The report explains that 20% of organizations have been infected by malware via social media.
- Specifically, the spread of cryptomining malware: Simply clicking on a YouTube advert could end in cryptomining malware infection.
- The boundary between the darknet and social media is blurring across social platforms, such as WhatsApp and Instagram, which are being used to promote and sell the tools of the hacker.
Social media is also a deep pool of personal data. People feel safe sharing personal details on social media platforms; a sense of safety is an important part of being on social media, which is designed to be used between friends and family. However, without due care, personal data such as your name, phone number, address, and even your location can be stolen and used for identity theft or the creation of synthetic identities.
How to improve your cybersecurity in your social media profiles
Social media is not all bad. It offers a way to keep in touch with family and friends and generally communicate. Professional versions of social media, such as LinkedIn, are an important way to keep up with industry intelligence. But using them safely requires some effort. Here are some ideas for using your social media accounts safely.
Privacy settings
Privacy has been in the news a lot over the last couple of years. Regulations such as the EU’s GDPR have resulted in privacy becoming mandated. In 2019, Facebook, one of the worst privacy violation offenders, ended up with a fine of $5 billion (approx. £3.9 billion) for the Cambridge Analytica debacle because Facebook sold user data without consent.[5] In another Facebook case, the company was accused of storing hundreds of millions of passwords in plain text, accessible by Facebook employees.[6]
When using social media, you should always ensure you are comfortable with the privacy settings on the platform. Each platform is different, but some general rules of thumb are:
- Do not overshare – avoid putting highly sensitive information on a social platform, especially those such as Twitter which are essentially public.
- Know the audience – some platforms allow you to set granular controls over who can see a post, e.g., only friends; use these settings wisely.
- Control your public profile – if the platform allows this, control who can view your account details.
- Control your data – do not place data such as your birthday or phone number on a platform that is public. Avoid sharing these types of data even in more private settings.
Some social media platforms are more insecure than others.
Twitter: This is essentially an open social platform. Your profile is either public or private; there is no granularity. Private profiles mean that only those who follow you can see your tweets. Twitter asks for your date of birth during profile setup. If you add it (this is optional) then the world can see it unless you set your profile to private.
Facebook: Because of privacy violations, Facebook has been forced to make changes to improve overall privacy on the platform. Groups can now be public, private, or private and hidden. The platform has also updated its “Privacy Check-up Tool” to help you decide if your privacy settings are robust enough.[7] Other privacy settings have been improved too.
LinkedIn: This professional social platform has good levels of privacy granularity. You can choose which degree of connection can see various profile settings, such as email address. There is even a level of control over who can see your last name.
Instagram: Owned by Facebook, this platform has suffered from inherent security vulnerabilities like its parent, putting data at risk. The platform has also been used as a way to recruit Money Mules.
Fake Accounts
One of the reasons that social media can be so useful to fraudsters is that, currently, it is fairly easy to set up a fake account. Facebook has recently had to delete 5.4 billion fake accounts across its platform.[8] Fake accounts are used to trick legitimate users, socially engineering them into clicking malicious links or even giving away sensitive information.
The fake account method can also be used to spoof a real user account, using photos of that person. The fraudster then posts offensive material in an attempt to extort money from the target.
Phishing on Social Media
As well as being a target for malicious account access via phishing emails and texts, social media is being increasingly used to deliver phishing. The combination of wide reach and elevated trust levels is making social media an attractive way for cybercriminals to use social engineering tricks against their targets.
Cybercrimes on social media include “Romance Scams” where a fake account is used to groom a victim, eventually tricking them into handing over money. Another scam type is the offer of free vouchers and giveaways. The fraudster provides a link in a post that goes to a malicious website.
Examples of Social Media Platforms and Privacy Settings
Below is a quick guide to some of the most well-known social media platforms and how to avoid becoming a victim of cybercrime when using one.
Before reading on, a general comment about all social media accounts. Most social platforms now offer second-factor authentication options, such as SMS text codes, to augment username and password when logging into an account – whenever available, always have this option set.
Facebook
Post privacy
Granularity in setting post privacy has improved a lot since the various Facebook privacy violation fines of the last few years. When you post to your Facebook page, you can set who can view the post, with options including public, specific friends, and only me.
For older posts that predate the new privacy options, you can retrospectively set restrictions too.[9]
Other privacy settings
Other settings such as “Who can see your friends list” and “Do you want search engines outside of Facebook to link to your profile?” can also be controlled.
IMPORTANT: Always remember to be careful about oversharing personal or sensitive data on social media platforms such as Facebook.
Twitter
Twitter is a platform that is designed to be much more public than other social media outlets. As such, you have either a public or a private account.
Public accounts
Public accounts are totally open. Potentially anyone searching could come across your tweets and read them.
You can set your ‘DMs’ (Direct Messages) to be available only to those who you follow by unchecking “Receive messages from anyone”.
Private accounts
You can use the setting:
“Only show your Tweets to people who follow you. If selected, you will need to approve each new follower.”
This effectively controls who can see your tweets.
General Privacy
There are several other privacy settings, including, under the section “Personalization and data”, an option to switch off sharing of your data with third parties.
Instagram
Instagram is much more of an on/off type of platform in terms of who can and cannot see your posts.
There is an option to set your account to “Private”. This means that only approved persons can see your Instagram posts. Otherwise, your account is public.
Story Sharing is an option that, if set to ‘allow’, permits anyone following you to share your Instagram Stories as messages.
IMPORTANT: Anyone can tag you in a photo unless you specifically block them. Alternatively, you can remove your name tag from an image by tapping the image and your name, and choosing “Remove me from post”.
YouTube
YouTube is a gateway to your watching habits, which are part of your behavioural privacy. On YouTube, you can make those habits private. There are two options to manage this: “Keep all my saved playlists private” and “Keep all my subscriptions private”.
Google uses your online browsing behaviour and YouTube watch history to send you targeted adverts. To control ad preferences and switch off targeting, you need to set this as an option in Google settings/Ad personalisation.[10]
Revealing personal details on YouTube
If you make your own videos that you post to YouTube, make sure you don’t reveal any sensitive or personal details in the video. Similarly, if you post comments on other people’s videos, don’t overshare personal data.
It is worth noting that across various social platforms, including Facebook and Instagram, Photo-Tagging can be hard to control or even know about. If you are tagged in a photo by someone else, you may not be able to control who subsequently shares that image, simply because you may not be aware of it.
The watchwords for preventing cybercrime on social media are:
Stay vigilant and don’t overshare.
Further Reading: Blogs Relating to Social Media and Cybercrime
Below we have linked to some further reading on the use of social media in cybercrimes.
- Advice on avoiding phishing on social media platforms: https://www.getsafeonline.org/social-networking/social-media-phishing/
- Use of Instagram for Money Mule recruitment: https://thedefenceworks.com/blog/breaking-scams-kicked-by-a-mule-the-social-media-scam/
- Cybercrime attacks and social media: https://blog.cyberint.com/social-media-a-heaven-for-cyber-criminals
- Trends in social media use and cybercrime: https://www.rsa.com/en-us/blog/2019-04/social-media-and-the-digital-transformation-of-cybercrime
[1] Facebook, Q3 2019, Results: https://s21.q4cdn.com/399680738/files/doc_financials/2019/q3/Q3-2019-Earnings-Presentation.pdf
[2] Statista: https://www.statista.com/statistics/282087/number-of-monthly-active-twitter-users/
[3] Instagram: https://about.instagram.com/about-us
[4] Bromium, Social Media Platforms and the Cybercrime Economy: https://www.bromium.com/wp-content/uploads/2019/02/Bromium-Web-of-Profit-Social-Platforms-Report.pdf
[5] FTC v. Facebook: https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions
[6] Krebs on Security: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
[7] Facebook Privacy Check-up Tool: https://about.fb.com/news/2020/01/privacy-checkup/
[8] CNN: https://edition.cnn.com/2019/11/13/tech/facebook-fake-accounts/index.html
[9] Facebook, older post privacy settings: https://www.facebook.com/help/236898969688346
[10] Google Ad Personalisation: https://adssettings.google.com/