How Hacker's Use Social Media For Social Engineering Attacks

Social media has now become a gold mine of easily-accessible information for online crime, packed with sensitive and (what should be) personal data - providing the perfect ingredients for social engineering attacks.Close up of iPhone 6 with colourful background

It's quite easy to picture a sort of Swordfish-esque hacking scenario when picturing cyber crime in action. But, in contrast to an intense and fast-paced Hollywood blockbuster scene, cyber criminals can now get all they need simply by visiting your social media accounts. Not quite as entertaining, eh?

Well, although this sort of scenario doesn't sound half as thrilling, digging into the repercussions of over-sharing on your social media accounts will certainly liven things up a bit. That's because social media has now become a gold mine of easily-accessible information for online crime, packed with sensitive and (what should be) personal data. In other words, bad employee social media habits mean that we're dishing out the needed ingredients for a successful social engineering attack - and on an almost daily basis.

What is social engineering?

Social engineering is the art of manipulating people so they will part ways with their confidential information - with anything from passwords to banking details in their line of scope. It's normal to think that this sort of thing wouldn't happen to us or our business, or even thinking that we're immune to falling for a scam, but 60% of employees in the workplace were victims of social engineering in 2016.

When individuals are targeted, they can be easily tricked into giving away their private information, making a legitimate-looking transfer, or even handing over access to their computer. Criminals use social engineering tactics as it is a lot easier for them to manipulate people into gaining their trust, rather than trying to hack into their software.

Oversharing personal information on social media

You may have heard that Facebook have the ability to create a virtual profile of us simply by keeping track of the things we do, like and say when using their social platform. Although not in as much depth, cyber criminals can do the same.

Even details such as where you have been or an upcoming work trip can have any effect on social engineering. The best example of attacks that apply this publicly available information to online scams is with the business email compromise (BEC) technique (otherwise know as email account compromise (EAC)).

A BEC attack tends to target a high-ranking employee or one who has access to wire transfer payments. The target is found via their social media where the attacker also has accessed to a host of valuable information - then comes the social engineering attack used to gain access or gain further information.

In many cases, the attacker will impersonate either a c-level exec or a trusted figure, such as a supplier or solicitor, via a phishing email. Cyber criminals can even use this technique to build further relationships and establish trust with their target.

How can social media affect your company?

It can be quite difficult for a business to manage company security and employee social media security. Some business may choose to have strict social media policies in place about can and can't be shared on social media.  

It's all well and good having a policy but are your employees actually abiding by the policy as well as understanding how oversharing could result in a social engineering attack on the business or even the individual.

The problem with social media is people have a tendency to overshare,  this however, only opens up many opportunities for a social engineer to conduct an attack. The more information they have on you the better. If you give them enough "fuel" to start a fire, then there is a higher chance of the succeeding. 

Here are the top things your employees need to avoid sharing on social media:

  • Location

  • Job role

  • work email address

  • Credentials

  • Screenshot of conversations 

  • phone numbers and addresses

  • Your financial status  

How to avoid social engineering attacks

Educating employees on the social engineering risks of over-sharing on social media is the key to preventing a loss of financial or personal information. Of course, it's difficult to encourage employees to completely avoid sharing sensitive information on social media, but raising security awareness on what your company deems unacceptable to share, along with how this information can be used to target the business, is a good starting point.


Free 2019 Information Security Awareness and GDPR Posters

It's also important to focus on educating end users to spot the tell-tale signs of social engineering (our blog on "the 4 social engineering scams your employees are falling for" is great for an initial insight into the main threats!). One important detail to mention, however, is that simply explaining the basics of employee phishing and social engineering is not enough, as there are no clear metrics for whether or not people are actually taking these messages on board.

The answer to this problem?... Phish your end users!

Phishing your employees is a great way of educating your end users on real-world phishing scams. Try our phishing simulation service (for free) to see exactly how this works.

What Should You Do To Avoid Social Engineering Attacks?

Finally, you should always be aware of what you and your employee's out on to social media. according to Norton by Symantec " there have been several instances in which security breaches were made in large institutions because of a social engineering scam primarily curated through social media." 

It's crucial to continue to educate your end-users on a regular basis, training once a year will simply not cut it. Security awareness training should consist of a variety of topics and not just the common attacks such as phishing and ransomware, after all social engineering is the most used tactics when it comes to cyber attacks. 

Read More In Our 2020 Guide to Security Awareness

                                                   Try usecure For Free →