Use of social media is pervasive, invasive, consuming, and immensely entertaining. It can also be a useful business tool on an individual and a business level. We are all also aware — or should be by now — that posts are immutable, widely accessible, and permanent (or near-permanent). Imprudent, hasty or downright offensive posts are at best embarrassing; they may also lead to a host of horrors, including reputational damage, client loss, employment sanctions, and social ostracism (or at least Unfriending).
Add over-sharing to the list of risky behaviors. We have previously warned of the danger of disclosing your physical absence through certain Out of Office voicemail or email messages and daily Facebook posts of the wonders of your overseas vacation. Less obvious, but maybe more risky, is the opening that over-sharing posts provide to scammers. The National Cyber Security Centre (NCSC) disclosed a case study in which a law firm employee was convinced to pay a fraudulent invoice — despite policies and procedures in place to prevent such scams — in response to a spear phishing email from a partner’s spoofed email account. The partner had unnecessarily posted on social media the details of an upcoming business trip overseas, including flight information, meeting plans, and even weather forecasts. Cyber criminals who search for just such postings then used that information to target the firm with what would then seem to be a legitimate business expense request.
Similarly, the NCSC reported another successful spear phishing attack where the targeted email requested payment of a fraudulent invoice referencing the business’s installation of a new accounting system. The criminals learned of the software conversion because an employee had mentioned in a Facebook post that the accounting team was tied up installing and training on the new system.
Even the most innocuous social media posting can be business intelligence to cyber thieves whose only job is to search for exploitable information. Chat if you choose, but keep your cards close to your chest.
Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.