Oversharing on social media can elevate your risk of fraud
Social media is great for staying in touch with friends, following the news, or being part of an online community. And, of course, there’s always the cat videos. It also may have even helped you find this very article.
Unfortunately, there are people out there who don’t spend time on social media to post about their couch for sale or share pictures from their daughter’s birthday party. Instead, these people view social media as an opportunity to steal. They use the information they gather from other people’s social media profiles to do something that security experts refer to as “spear phishing” — sending emails that appear to be from a trustworthy source, often tailored specifically to the recipient so that it seems to be safe.
For example, let’s say you post a picture of you dropping off your kids for their first day of school, and the name of the school is visible in the image, or is shown in the image’s geotag. A hacker could then reach out to you with an email that appears to be from one of the school’s principals, saying there’s an issue with your child’s registration, with a link to a website where you can provide the needed information. It would be all too easy to click on that link — which then loads malware onto your computer. If you do it from a work laptop, you’ve just created a security risk for the entire company.
“Most of us don’t think about social media profiles as being a point of vulnerability, but they absolutely can be,” says Chris Garcia, a manager of corporate investigations in Commerce Bank’s Enterprise Fraud division. “It’s best to be extra cautious about what total strangers can see about your personal life through your social posts.”
One of the strongest safeguards you can put in place is also one of the easiest: set your profiles to be private, so that only people you’re connected with can see what you post. Unfortunately, this is a step many people don’t take; a report from security company Tessian found that 55% of Facebook profiles and 67% of Instagram profiles are public. “That just makes it too easy for people to build a profile of you really quickly,” says Garcia.
While you’re changing your profiles to private, Garcia adds, you should consider making another change to the way your name is listed. “If you have children who are old enough to have their own online presence and financial accounts, don’t list your maiden name on your profiles,” he says. “One of the most common security questions on many websites is asking your mother’s maiden name. A thief who can look up your maiden name on social media is one step closer to accessing your kids’ accounts.”
You may also want to think about changing your profile picture. If you use the same profile picture on multiple social media services, it’s easier for hackers to know that they’re connected to the same person, which can give them even more information about you. The best kind of profile picture, says Garcia, is one that doesn’t show you or anyone you know. “It’s a good concept, because your picture might reveal things like your marital status, whether you have children and the stage of life you’re in,” he says.
It’s also important to never post any pictures of your workspace online — particularly if any monitors can be seen in the image. “Pictures of your workspace can reveal all kinds of things,” Garcia says. “They can show what software you’re using, which can help hackers target their attacks. It can also reveal your level of seniority, coworkers’ names and contact information, or even sensitive information about your employer. It’s especially bad if you have passwords on sticky notes attached to your monitor – which, by the way, you should never do.”
On a similar note, make sure your employee ID badge, if you have one, is never showing in a public photo; it can help a hacker create a fake one that looks very real.
One final note about keeping your workplace safe: never use your work email on your social media accounts — not even ones used for professional purposes, like LinkedIn. Even when using a personal email, be sure to keep it hidden so nobody can look it up. “Intertwining personal profiles with your work email could open you to more targeted phishing emails coming to your work email, where a hacker hopes to infiltrate your employer’s network,” says Garcia. “You also may inadvertently end up compromising sensitive work information.”
Avoid taking any “fun” online quizzes as well, Garcia notes. “Some of them may seem innocent, but they can be tailored to make you reveal information that’s often used in security questions,” he says. “Do enough of those quizzes and you may give a thief enough information to guess their way into your accounts.”
Finally, Garcia says, be sure that everyone in your friends list is actually someone you know. “Don’t blindly accept all inbound friend requests. Make sure it’s a real profile. Sometimes a fake account may use the same name as someone on your friends list, so do what you can to validate any requests before accepting them. And if you’ve never reviewed your friends list, go through it and clear out anyone you don’t recognize.”
Garcia is careful to note that none of these safety tips is intended to dissuade anyone from using social media in the first place, particularly if you have some safeguards against fraud in place — such as Commerce’s Suspicious Text Alerts feature, available through its online banking services. “You can use social media and stay connected with your friends and online communities,” he says. “Just be smart about it.”