Social media have become an important asset for organisations to use for communication and information. Despite the benefits these publicly available platforms bring, they can also become a huge attack surface and be used for malicious purposes such as misinformation, identity theft, theft of confidential information or fraud. Every organisation needs to make sure that all its social media accounts are secured correctly.

Social media threats

Cybercriminals take advantage of social media to launch attacks, as compromising a single account is enough to reach a great number of potential targets. Different types of attacks can be launched through social media, such as:

  • Social engineering: through manipulation or pressure, cybercriminals convince their victims to take action in order to reach a malicious goal such as stealing confidential information or wiring money.
  • Phishing: using emotions, everyday situations (e.g., the delivery of a package, a required password change, …) and pressure, cybercriminals put a lot of effort into convincing the victim to click on a specific link and then disclose confidential information or hand over money.
  • Identity theft: cybercriminals create a whole new account with accurate information and pictures to make people think it belongs to an existing organisation or person. They then use it to trick people into giving away personal or corporate information or into clicking on a malicious link that leads to leaked data, unauthorised access to resources or a malware installation.
  • Malware: by promoting malicious links on social media, cybercriminals are able to install malware on the device from which a person clicked the link. Through that malware, they can gain access to other devices and networks, steal confidential information and cause damage to the resources they were able to reach.

Best practices to protect social media accounts against those threats

1. Secure the access to your accounts

Social media accounts gather a lot of confidential information such as personal details, home addresses, phone numbers, etc., which are an attractive target for cybercriminals. Accounts thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters with a combination of upper and lower case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., password and PIN code, PIN code and a code received via text) to verify their identity before they are granted access to the resource they are trying to reach.
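The password rule stated above (at least 12 characters, with upper case, lower case, numbers and symbols) and the requirement that every account gets a different password can be turned into a simple self-audit. The following Python script is an added example and is not part of the original guidance; the account names and passwords in it are constructed sample data, and the reuse check is this example's own addition to the rule.

```python
import string

# Minimum length stated in the guidance above.
MIN_LENGTH = 12


def password_problems(password: str) -> list[str]:
    """Return the list of policy rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def reused_password_groups(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share the same password (groups of size > 1 only)."""
    groups: dict[str, list[str]] = {}
    for account, password in accounts.items():
        groups.setdefault(password, []).append(account)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Per-account list of problems; password reuse is reported on every account involved."""
    report = {name: password_problems(pw) for name, pw in accounts.items()}
    for group in reused_password_groups(accounts):
        for name in group:
            others = [other for other in group if other != name]
            report[name].append("same password as " + ", ".join(others))
    return report


# Constructed sample (not real credentials): one compliant unique password,
# one too short and without a symbol, and one password reused on two accounts.
SAMPLE_ACCOUNTS = {
    "linkedin": "Tr0ub4dor&3-Sunrise!",
    "twitter": "Summer2024",
    "facebook": "Winter2024!!",
    "instagram": "Winter2024!!",
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against your own list and fix every account that reports a problem; the reuse check matters because a single leaked password otherwise opens every account that shares it.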

2. Review your confidentiality parameters and restrict the visibility on your personal information

Usually, default settings let anyone see personal information and posts on social media. That visibility can be restricted by configuring it within the account, so that the owner controls what the public can or cannot see. Those settings should be checked regularly, as they can sometimes change without the user being alerted. In addition, some accounts can also be set to ‘private’ to reduce the visibility of the information and posts shared.

3. Pay attention to what you post and what others post

Social media offer a wide reach, and it is not always possible to fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as it could be used for malicious purposes. In addition, work-related posts should be written carefully, as they could harm the reputation of the organisation even when shared by a collaborator rather than from the organisation’s own account.

Besides that, all information shared online by others should be read and re-shared carefully. Anyone can post whatever they want online; there is no control in place to verify the veracity of the message shared. Cybercriminals use this to spread messages (e.g., fake news, promotions) that can have serious consequences. By sharing those yourself, you could be spreading harmful messages to your network.

Finally, whatever you are sharing or reposting online, make sure to respect the law. Don’t share anything that might go against our established laws such as content related to cyberbullying, paedophilia, comments inciting racism or violence, infringement of image rights, etc.

4. Watch out for people impersonating an organisation or a collaborator

Malicious people use social media to carry out scams by creating fake accounts or by using a hacked one to impersonate an organisation or a collaborator. They reach out to people from those accounts in order to steal confidential information and/or money. Money, pictures, videos or any type of sensitive information should never be shared online without first making sure the person behind the account is really who they claim to be.

5. Control third-party applications

Some applications request access to social media accounts to allow a faster login. Those requests should always be analysed carefully, and access should be granted only to the strictly necessary information. Also, even if using a social media account to log in to an application can seem handier, it should be used with care, as it gives the application access to a great deal of the information available on the account.

Applications should only be installed from official vendors or websites to avoid downloading a virus with them. As soon as an application is no longer needed or used, it should be uninstalled or the access initially granted to it should be revoked.

6. Avoid using public Wi-Fi and public computers

Public Wi-Fi or public computers are a handy solution, as people can access professional resources, browse websites or manage their social media almost anywhere. However, as the name indicates, they are public and everyone can use them, including scammers and criminals. If it is wrongly configured, a public Wi-Fi network or computer can be used to monitor the activities of the people connected to it and steal their information. Always prefer your organisation’s professional Wi-Fi network and professional devices to access professional resources.

How to regain access to a hacked account

If an account is sending messages or sharing posts without the owner’s knowledge, it has probably been hacked. In order to regain control of the account, the following steps can be taken:

  1. If the account is still accessible, immediately change the password of that account and all your others
  2. If the account is not accessible anymore, use the recovery options to try and gain access and change all your passwords
  3. Scan your device for viruses
  4. If bank or credit card details were stolen or if any suspicious activity is identified on your bank account, immediately contact Card Stop at +32 78 170 170 and inform the relevant institution (e.g., bank, credit card provider, …). If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.
  5. If work-related data was stolen, immediately inform your employer

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.