Social phishing, the age-old pothole, is increasingly becoming a common incident that can have a serious impact on your digital footprint. Recent successful social phishing campaigns have drawn attention to the vulnerability of employees and to the need for preventive best practices.
With enterprise awareness of email scams rising, hackers are moving from duping unsuspecting employees into submitting details through email to much more sophisticated attacks. Social media is the new weapon of choice for cyber criminals: once an account is compromised, malware is deployed on the victim’s computer, potentially compromising the entire enterprise network.
Mashable’s social media spam study reported a 355% increase in social media spam in the first half of 2013. The source cites a study that analyzed 60 million pieces of content collected from social networking sites such as Twitter, LinkedIn, YouTube and Facebook. The results revealed that social media spam is growing at an unprecedented rate because attackers are moving to social networks instead of email.
Organizations are underestimating a threat that is clearly making information more available to attackers. By posting company information on social networking sites, employees are giving cyber criminals deep insight into internal operations and security vulnerabilities. Security Affairs cites a 2013 Norton report which found that in 25% of cases users share their social media credentials, and that one in three accept requests from unknown profiles.
With the number of employees using social media at work soaring each year, phishers get to cast a wide net: a phishing attack tailored to a single employee’s profile can effectively target the entire organization, meaning less work for the attacker and a better yield of corporate victims. It is therefore important for every organization to know how to prevent its employees from falling for social media phishing. Following these best practices will help significantly:
Implement two-step authentication
Even if employees use strong passwords, a weak link could allow a hacker to gain access by resetting the password. With two-step authentication, instead of just a password, employees also need their phone at hand to receive a notification containing a second code before the login succeeds.
This means that unless a hacker both knows the social account password and has access to the employee’s phone, they will not be able to gain access. Facebook, Twitter, LinkedIn and Google+ already support two-step authentication, and the option is also available for services that manage multiple accounts, such as Buffer and HootSuite. While it can be a hassle for employees to get used to entering a second code in addition to their password, it will have a big impact on the organization’s cyber security.
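The page does not say how the "second code" is produced; the following is an added example (not code from the original article or from any of the services named above) showing the most common mechanism, a time-based one-time password (RFC 4226 HOTP / RFC 6238 TOTP) that a phone app and the server both derive from a shared secret and the clock. The user record, salt, password and the RFC test-vector secret are constructed for the demo; a real secret is random and per user.

```python
import hashlib
import hmac
import struct


# RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically
# truncated to a 31-bit integer and reduced to the requested number of digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch,
# so the phone and the server compute the same code without any message exchange.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


# Accept the adjacent steps too (phone clock skew) and compare in constant time.
def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        # no early return: the same work is done whether or not a candidate matches
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            ok = True
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record. The TOTP secret is the RFC 6238 test-vector secret,
# used only so that the expected codes are known in advance.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery", SALT),
        "totp_secret": b"12345678901234567890",
    }
}


# Login succeeds only when the password AND the code currently on the phone are right.
def login(username: str, password: str, code: str, unix_time: int) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok  # both are always evaluated: no hint about which factor failed


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    phone_code = totp(secret, 59)  # what the employee's phone would display at t=59
    print("phone shows:", phone_code)
    print("password + phone code:", login("alice", "correct horse battery", phone_code, 59))
    print("stolen password only:", login("alice", "correct horse battery", "000000", 59))
```

The point the article makes is visible in the last two lines: a password that has been phished or reset is useless on its own, because the code changes every 30 seconds and can only be computed from a secret that never leaves the phone and the server.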
Limit posting permissions
Entrusting interns and entry-level employees with company social media accounts carries significant risk. A viable approach is to regulate employee access through limited permissions on social accounts.
For example, companies can use HootSuite to grant entry-level employees permission to draft messages, which are then placed in a queue for senior management approval before publishing. Limiting permissions ensures that all social activity complies with company standards and that illicit information doesn’t slip through. A centralized management system also allows password access to be restricted and – should a phishing attack happen – accounts to be revoked instantly.
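The draft-then-approve workflow above is a least-privilege design, and it can be modelled in a few dozen lines. This is an added example written for this page, not HootSuite's code or API: roles, actions, the post states and the user names are all constructed. It enforces three things the text asks for: a drafter cannot publish, nobody can approve their own post (separation of duties), and revoking a compromised account also voids anything that account had queued.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Role(Enum):
    DRAFTER = "drafter"    # interns and entry-level staff
    APPROVER = "approver"  # senior management
    ADMIN = "admin"        # account owner who manages access


class State(Enum):
    DRAFT = "draft"
    PENDING = "pending"
    PUBLISHED = "published"
    REJECTED = "rejected"


# Least privilege: each role gets only the actions its job requires.
PERMISSIONS = {
    Role.DRAFTER: {"draft", "submit"},
    Role.APPROVER: {"draft", "submit", "approve", "reject"},
    Role.ADMIN: {"draft", "submit", "approve", "reject", "grant", "revoke"},
}


@dataclass
class Post:
    post_id: int
    author: str
    text: str
    state: State = State.DRAFT
    reviewer: Optional[str] = None


class SocialAccountManager:
    def __init__(self, owner: str):
        self.roles: Dict[str, Role] = {owner: Role.ADMIN}  # absent user = no access
        self.posts: Dict[int, Post] = {}
        self.audit: List[Tuple[str, str, Optional[int]]] = []  # for incident review
        self._next_id = 1

    def _authorize(self, actor: str, action: str) -> None:
        role = self.roles.get(actor)
        if role is None or action not in PERMISSIONS[role]:
            self.audit.append((actor, "DENIED:" + action, None))
            raise PermissionError(f"{actor} may not {action}")

    def grant(self, actor: str, user: str, role: Role) -> None:
        self._authorize(actor, "grant")
        self.roles[user] = role
        self.audit.append((actor, f"grant:{role.value}:{user}", None))

    def draft(self, actor: str, text: str) -> int:
        self._authorize(actor, "draft")
        post = Post(self._next_id, actor, text)
        self.posts[post.post_id] = post
        self._next_id += 1
        self.audit.append((actor, "draft", post.post_id))
        return post.post_id

    def submit(self, actor: str, post_id: int) -> None:
        self._authorize(actor, "submit")
        post = self.posts[post_id]
        if post.author != actor or post.state is not State.DRAFT:
            raise ValueError("only the author may submit their own draft")
        post.state = State.PENDING
        self.audit.append((actor, "submit", post_id))

    def _review(self, actor: str, post_id: int, action: str, outcome: State) -> None:
        self._authorize(actor, action)
        post = self.posts[post_id]
        if post.state is not State.PENDING:
            raise ValueError("post is not awaiting approval")
        if post.author == actor:  # separation of duties
            raise PermissionError("cannot review your own post")
        post.state, post.reviewer = outcome, actor
        self.audit.append((actor, action, post_id))

    def approve(self, actor: str, post_id: int) -> None:
        self._review(actor, post_id, "approve", State.PUBLISHED)

    def reject(self, actor: str, post_id: int) -> None:
        self._review(actor, post_id, "reject", State.REJECTED)

    # Incident response: one call removes the user and voids their unpublished
    # posts, so nothing queued by a compromised account can still go public.
    def revoke(self, actor: str, user: str) -> List[int]:
        self._authorize(actor, "revoke")
        self.roles.pop(user, None)
        voided = []
        for post in self.posts.values():
            if post.author == user and post.state in (State.DRAFT, State.PENDING):
                post.state = State.REJECTED
                voided.append(post.post_id)
        self.audit.append((actor, f"revoke:{user}", None))
        return voided

    def published(self) -> List[str]:
        return [p.text for p in self.posts.values() if p.state is State.PUBLISHED]
```

Every denied action is written to the audit list before the exception is raised, which is what an incident responder wants to see after a phishing case: who tried to do what with the compromised login, and when access was cut.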
Educate employees on social phishing
It is crucial that companies educate their employees about the threat posed by their social media activity and take the necessary precautions. Employees should be educated about social media privacy settings, suspicious links and unsolicited connection requests.
For instance, employees can use privacy settings to hide work-related information from the public. Tools like LongURL can be used to expand a suspicious shortened link and evaluate whether it is legitimate. Furthermore, employees should be required to access social accounts only from up-to-date browsers.
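What an expander such as LongURL does is follow the redirect chain of a shortened link without opening the destination, so the real target can be judged before anyone clicks. The example below is added here and is not LongURL's code; it replaces the network lookups with a constructed redirect table (all hosts use reserved documentation names and the TEST-NET-3 range) and then applies the checks an awareness session would teach: a redirect loop, a downgrade to plain HTTP, a bare IP address, a punycode host, and a trusted company name embedded inside an unrelated domain.

```python
import ipaddress
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed redirect table standing in for the Location headers a real
# expander would fetch, so the example runs entirely offline.
REDIRECTS: Dict[str, str] = {
    "https://sho.rt/a1": "https://example.com/quarterly-report",
    "https://sho.rt/b2": "https://sho.rt/b2-again",
    "https://sho.rt/b2-again": "http://example.com.login-check.example/",
    "https://sho.rt/c3": "https://sho.rt/c3",                # points at itself
    "https://sho.rt/d4": "https://203.0.113.9/update",      # bare IP (TEST-NET-3)
    "https://sho.rt/e5": "https://xn--exmple-cua.com/",     # constructed punycode host
}


def expand(url: str,
           resolve: Callable[[str], Optional[str]] = REDIRECTS.get,
           max_hops: int = 10) -> List[str]:
    """Follow redirects without fetching any page body; return every URL seen."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:          # no further redirect: this is the destination
            break
        chain.append(nxt)
        if nxt in chain[:-1]:    # already visited: stop, evaluate() flags the loop
            break
    return chain


def is_trusted(host: str, trusted: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def evaluate(chain: List[str], trusted: set) -> List[str]:
    """Return human-readable findings for the expanded chain; empty means nothing suspicious."""
    findings = []
    if len(set(chain)) < len(chain):
        findings.append("redirect loop")
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    if final.scheme != "https":
        findings.append("final URL is not HTTPS")
    try:
        ipaddress.ip_address(host)
        findings.append("final host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("final host uses punycode (possible homoglyph)")
    if not is_trusted(host, trusted):
        findings.append("final host is not on the trusted list")
        for d in trusted:
            if d in host:  # e.g. example.com.login-check.example
                findings.append(f"trusted name '{d}' embedded in untrusted host")
    return findings


if __name__ == "__main__":
    TRUSTED = {"example.com"}  # the organisation's own domains, constructed
    for short in sorted(REDIRECTS):
        chain = expand(short)
        print(short, "->", chain[-1])
        for finding in evaluate(chain, TRUSTED) or ["looks fine"]:
            print("   ", finding)
```

The trusted list is the piece an organisation has to supply: with its own domains on it, the "embedded trusted name" check catches the most common social-phishing trick, a familiar brand name placed in the left-hand part of a hostname that actually belongs to someone else.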
It’s never possible to fully control social media activity, but a combination of these best practices can dramatically reduce the possibility of phishing attacks.