Facebook says Ukrainian criminals used social media quizzes to get private information about users. This is not a surprise to anyone working in security. The same thing happened during the last election cycle, of course.
While your users are at home in the 'new normal,' they are juggling a lot. Social media use is way up, both because people are searching for news and because they are looking for connection to others.
That also makes them vulnerable to criminals looking to take advantage of the situation. Those crooks are either looking to get into the user’s accounts, into your corporate network now, or into your corporate network when that user's computer comes back to the office and reconnects to the corporate network.
This is a great time for social media security awareness training. And a good time to measure your WFH security risks. Read on for seven specific things your users shouldn’t do while working from home on social media.
Social Media Cybersecurity Risks Users Should Avoid
- Facebook Quizzes
Quizzes are all over Facebook: What does your eye color say about you? What kind of dog are you according to your zodiac sign? (Facebook says these were questions the criminals used) Which Harry Potter character are you? Most of the quizzes function and give users an answer but many take them to a questionable website and/or steal Facebook profile information. While it's true that some of these quizzes are safe and just for fun, it’s generally impossible for users to tell which ones are safe and which are malicious.
- 10 Things About You
As people try to connect during the stay-at-home order, they are answering cut-and-paste questionnaires from their friends. They usually start with something like “Tell me 10 things I don’t know about you” and go on to ask questions like: Who was your first love? Who was your favorite teacher? What was your first car?” Here's the problem: those are the exact same questions asked when you forget your password. So, be wary of posting the answers on social media.
- Posting Information about Your Passwords
People are posting all sorts of information about what’s going on at their homes with their children or with their pets. That’s fine, unless they use those same names as their passwords. We all love to see photos of Fido getting a new toy delivered... unless that user’s go-to password is Fido1sMyDog!
- Photos of the Home Work Station
At this point, people are pretty proud of their work from home stations. They have a new webcam, a makeshift desk, and maybe even a good microphone. But posting photos of that home work station might give criminals too much information. Can someone see the screen from a window? Are they giving away the brands and models of their IoT devices (which might or might not have exploitable vulnerabilities)?
- Clicking Questionable Links
There are a lot of questionable links on the internet. Users should be wary of sites they don’t recognize. While this is rudimentary advice, it’s a good reminder that the headline “New Pandemic Cure No One Is Talking About” likely leads to a malicious site. Not sure? Help users know what they are looking for by demonstrating how to use one's mouse to hover over hyperlinks to determine if a link is legitimate or not.
- Be Aware of What’s Public
Savvy users have changed their Facebook and Instagram profile settings to make them more private. But as soon as you post to a group or comment on someone’s post without strong privacy settings, folks outside your friend's group can see what you’re doing. And, other sites like Twitter and Reddit are not generally private.
- Friend Requests
“Hey, that’s weird, I just got a Facebook friend request from my Cousin Marsha. I thought I was already friends with her.” You are already “friends” with her, but you just got a friend request from someone who copied her profile information. Users should beware of this because no matter how good your privacy settings, if you accept a friend request from a criminal, they now have access to your profile information and friend list.
We hope these seven tips can help you help your users stay safe and stay aware.
For more security awareness training, here's CISO Mike Hamilton's top advice: Invite your interested employees to sign up for the Critical Insight Daily Blast email. With 20-30 news headlines delivered to the inbox Monday-Friday, readers get the latest cybersecurity news and learn new information along the way.