Social media, while fun to use, can present a variety of new threats posed by cybercriminals. For example, when people use a social media website, they do not know how vulnerable the website is to security breaches. Furthermore, there is the problem of social engineering, a term used when someone is trying to fraudulently acquire confidential personal information from a user. Another problem is that social media websites also allow users to run third-party applications, such as games, and provide tools to personalize their page, and these features have vulnerabilities of their own. There are a variety of threats, but most that are perpetrated through social media fall into one of two types: identity theft and malware.

Mitigating the Risk of Identity Theft
Identity theft is a crime that may affect a single individual or a group as large as hundreds of thousands of people at one time. The damage may be as little as the loss of a hundred dollars (usually borne by financial institutions, in the case of stolen credit or debit cards) or hundreds of thousands of dollars in the case of fraudulently opened bank, credit, or even mortgage accounts, with further losses from the legal work that must be done by both financial institutions and individuals to achieve resolution and restitution. To mitigate this risk, it is essential to understand how identity theft is perpetrated. Identity theft can occur by information scraping via social media websites and social media applications; social engineering; phishing; and spoofing.

Mitigating the Risk of Malware
Malware is short for “malicious software,” and covers a range of threats, including viruses, worms, trojans, bots, and other harmful code. Hackers develop malware for a number of reasons. Some malware is designed to attack the system in which it is installed; other forms are intended to take over their host system to launch an attack on a third party; and yet other applications are written not to cause any damage to the system, but to enable the creators to steal data residing on that system.

Whatever the goal of the malware, there are steps that end users can take to mitigate the risk of malware. The point of attack determines the best countermeasures. The three most common sources for malware are e-mail attachments; websites, including social media websites; and unsecured data storage devices, such as thumb drives.


Understanding the Risk
People put an astounding amount of personal information online: a phone number on one website, a picture on another, a birthdate on a third, an address on a fourth, and so on. What they fail to realize is that this information can be harvested or “scraped” from many websites and compiled into a single, comprehensive portrait of the user. This information can then be used by cybercriminals either to commit identity fraud or to sell to organizations who will commit identity fraud.

Why Social Media are Vulnerable
Social media websites are especially tempting targets for information scraping. There are two ways that this can happen. The first way is simply through accessing a person’s information page. Often, people will divulge information through a social media website, and then relax their privacy controls. Thankfully, this is easy to correct.

Social media websites also allow users to personalize their pages and to run third-party applications such as games. However, this grants the application access to all of a user’s personal information, irrespective of any privacy setting made in the social media website (Thomas et al., 2010). The vast majority of these applications only need basic personal details of a user. Furthermore, anyone can write an application and so some applications will have no security controls. Worse still, an application could have been developed by a cybercriminal.

Risk Mitigation Activities
End users can help mitigate the risk of information scraping by creating and then following prudent social media guidelines. Though the specifics will be different for each user, the guiding principle is the same: don’t put any more personally identifiable information (PII) online than is strictly necessary.

You should:

  • Set privacy settings to their maximum, so that only trusted sources have access to personally identifiable information.

  • Review all changes to the privacy policies of frequently visited websites, including social media websites.

  • Carefully review the permissions requested by social media applications, including games and other add-ons requested by friends.

  • Never divulge more personal information than absolutely necessary on any website. Personally identifiable information includes:

      • Tagged photos

      • A social security number (even a partial number)

      • Full name

      • Full date of birth

      • Schools attended

      • Work address (and phone number)

      • Family photos

      • The names of children and family members

      • Home address (and phone number)

      • Places regularly visited

      • Dates and details of future outings and vacations, and other times that the user will be away from home


Understanding the Risk
Social engineering is a method used by hackers to acquire confidential personal information through fraud. Sometimes the hacker will contact the victim directly and try to solicit personal information over the phone, through a web-based application like e-mail, or through a social media website. Another tactic is for a hacker to contact a third party, like a relative, an office administrator, executive assistant, or someone else you work with. The hacker may ask for personally identifiable information such as birthdates, home or work addresses, or other data.

Why Social Media are Vulnerable
We all must recognize that connecting with people online poses privacy and security risks. One form of social engineering occurs when a cybercriminal on a social media website tries to befriend others. The intention is to build up trust so that confidential private information can be more easily extracted. The cybercriminal can create a fake Facebook profile or a bogus Twitter account.

On social media websites there are difficulties in establishing the authenticity of a person’s identity when communicating with them, and in determining the accuracy of posts. Social media providers may be ineffective at detecting compromised accounts and subsequently restoring them. Another cybercriminal ploy is to try to befriend someone by claiming to have something in common; the cybercriminal may then contact the person through e-mail, over a social media website, or even on the telephone.

Risk Mitigation Activities
Social engineering relies primarily on person-to-person contact, bypassing many technical security measures. Because of the focus on individuals, the precautions fall mainly to end users. You should never reveal personally identifiable information (PII)—whether through e-mail, a social media website, or even a phone conversation—unless certain of the recipient’s credentials.


Understanding the Risk
When social engineering is done via e-mail or social media website, it is referred to as phishing. The messages could be sent indiscriminately, or target an individual or a specific group. In the latter case, the practice is referred to as spear phishing. When the individual or group is a powerful one, the term whaling is used.

Phishing using social media messages raises additional security concerns, as these messages are not subjected to the checks performed by e-mail systems. Many web browsers do, however, have a phishing filter in them. The filter helps detect suspicious websites by comparing a website against a list of known rogue websites, and by checking to see whether a website fits the profile of a phishing website.

Why Social Media are Vulnerable
A message is more likely to be taken seriously if it contains information about the receiver. This information could be publicly available, as on a social media website, or it could be stolen.

The more the message is tailored to the receiver, the easier it is to pass through systems that filter out spam and messages with virus links or attachments, as the messages do not fit the pattern of typical rogue communication. There are also many scams, such as an e-mail asking for money because the presumed sender (a trusted person whose e-mail has been hacked) is stranded somewhere.

Risk Mitigation Activities
Phishing can be countered both through technological and behavioral approaches.

By users

Social Media Websites

  • Join only those social media websites with explicit and strong privacy policies. Not all social media websites’ privacy policies fully protect users’ personally identifiable information. Several social networking websites allow non-registered individuals to view a profile, and others share users’ e-mail addresses and preference information with third parties.

Account Settings

  • Frequently check the available privacy options to ensure that personal information is private.

  • Use the “How others see you” tool on the ReclaimPrivacy.org website to check that the privacy settings are functioning as expected. (ReclaimPrivacy.org provides a tool that can be used to inspect a user’s Facebook privacy settings, and give warnings about settings which make the user’s information public.)

  • When available, configure privacy settings so that only trusted individuals have access to posted information. Restrict the number of people who can post information on a personal page.

  • Use a setting that limits access to account data to protect it from an undesirable audience, and limit access to your profile to family members, friends, teammates, or personal acquaintances.

Personal Information

  • Publish only the information necessary to maintain communication with other social media users.

  • Ask “what personal information about me do I wish to be available online?” (Once information is online, it is no longer private. Individually, personal facts can seem to pose no security risk; collectively, these personal facts constitute an individual profile.)

  • Consider the type of information to be posted. For example, do not publish credit card numbers, financial account numbers, or confidential workplace information. Even birthdate information, coupled with a zip code, is often enough to identify someone.

  • Remember the importance of personal privacy, whether creating profile information or posting information on a social networking website.

  • Use only private messages (if available) to send personal or sensitive data to responsible persons. Sending sensitive data through social networking websites is not advisable, however, as it is not possible to be sure of the security protection on these websites.

  • Post only general information that you are comfortable sharing with any social networking website member.

  • Do not divulge certain information pertaining to plans, hopes, and goals. This information is often used by social engineering schemes.

  • When uploading a photo, remember to take advantage of security measures that prevent others from copying and making use of the photo. (Before downloading a picture, a user should have concern for the owner of the picture and seek permission to download it, where necessary.)

  • Do not publish private information about other people or the workplace.

  • Divide friends into different lists, such as “Family,” “Friends Outside of Work,” “Colleagues,” etc. (A different level of access can be given to each list.)

Building up a Relationship

  • Exercise caution when adding a previously unknown ‘friend’ or joining a new group or page.

  • Before admitting a new person behind a privacy wall, whether a friend-of-a-friend or someone suggested by the social media website, attempt to confirm details about this new person. Find out their relationship to another trusted friend, perform a web search for the person, or use some other way of finding out more about the person.

  • Be conscious of behavior while on a social networking website. Remember to go through the above steps in order to avoid any unpleasantness. (Getting to know people in a virtual environment has many hazards. Although it can be rewarding, such interaction also carries significant risk. The above steps only suggest ways of countering some threats and do not necessarily prevent threats from materializing.)

Screen Names
•  Choose a screen name (identifying online pseudonym) that does not reveal too much personal information.


Understanding the Risk
The term spoofing refers to the practice of developing a website that mirrors a trusted website, but can be used either for identity theft—typically by asking users to send login information for the duplicated website—or to install malware onto the user’s computer. Spoofing can be accomplished in two ways: first, by sending a link in an e-mail or social media message; second, by hacking a trusted website, changing its behavior in a way that most users would not notice.

E-mail spoofing. Clicking a link in a message could cause a malicious webpage that installs malware to be displayed. The webpage sends malicious script to the user’s browser. When this happens it is referred to as a drive-by download. It is possible to get a rough idea of where the link is taking a user by looking at the URL. Note that the link text that you see does not necessarily take you to that address. To see where the link is taking you, you have to position the mouse cursor over the link. Furthermore, there are services which will take a URL and rename it. This is particularly useful in Twitter posts, where the number of characters is limited. TinyURL and bit.ly are examples of URL shortening services. Developed to replace long URLs with short ones, they can also be used by malicious individuals to obscure the actual URL.

Website spoofing, including social media websites. Even if the website is a legitimate one, it may have been compromised with malicious scripts that will be downloaded to the user’s browser when the webpage is displayed.

Two examples are cross-site scripting (XSS) and cross-site request forgery. Cross-site request forgery is similar in operation to XSS in that it abuses the trust between the victim’s browser and a website, but it allows a hacker to send unauthorized requests, in the victim’s name, to the genuine website accessed by the victim.

Why Social Media are Vulnerable
The hyperlink that appears in a message may not necessarily lead to that address; it may redirect visitors to a fraudulent website that tricks users into revealing PII. Furthermore, it may take visitors either to a malicious website or a legitimate website that has been compromised. The fact that the initial URL is presented to visitors within the context of a trusted venue—whether e-mail or a social networking website—may add a false sense of legitimacy.

Risk Mitigation Activities

  • Do not click on unsolicited messages. Exercise the same caution with messages received via social networking as with unsolicited e-mails. Messages offering gifts are often fraudulent and may trick users into revealing personal information.

  • Think carefully before clicking on a link, particularly if it is a shortened URL. If the sender of the link is known, they could be asked to confirm that the link is a legitimate one. URL shortening services usually have a mechanism through which the full URL may be viewed before using it. For example, for TinyURL service, simply enter preview.tinyurl.com/LINKNAME.

  • Consider manually entering a URL rather than following a link.
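The two checks described above, looking at where a link really points before following it and previewing a shortened URL, can be automated over a message before anyone clicks. The script below is an added example written for this page, not code from the original guidance or from any vendor. It parses the links in a constructed HTML message, flags anchors whose visible text names one host while the href goes to another, flags links on a constructed stand-in for a browser filter’s known-rogue list, and, for TinyURL links, builds the preview.tinyurl.com/LINKNAME address the text mentions. The message, the rogue host and the list contents are all assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the URL-shortening services named in the guidance above.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}

# Constructed stand-in for the list of known rogue websites that a browser's
# phishing filter consults (hypothetical host; the ".invalid" TLD is reserved).
KNOWN_ROGUE_HOSTS = {"login-verify-example.invalid"}

# Constructed phishing-style message, as an e-mail client would render it.
SAMPLE_MESSAGE = """
<p>Your account needs attention. Please sign in at
<a href="http://login-verify-example.invalid/signin">https://www.mybank.example/</a>
or use <a href="http://tinyurl.com/abc123">this short link</a>.
Account help: <a href="https://www.mybank.example/help">www.mybank.example/help</a></p>
"""

# Visible link text that itself looks like a URL (scheme optional, at least one dot).
_URL_LIKE = re.compile(r"(?i)^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lowercase host of a URL; a scheme is assumed when the text has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def preview_url(href):
    """Preview address for a TinyURL link (preview.tinyurl.com/LINKNAME), else None."""
    if hostname(href) != "tinyurl.com":
        return None
    alias = urlparse(href if "://" in href else "http://" + href).path.lstrip("/")
    return "preview.tinyurl.com/" + alias


def assess_links(html):
    """Return one finding per link: where it really goes and why it is suspect."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = hostname(href)
        reasons = []
        if host in KNOWN_ROGUE_HOSTS:
            reasons.append("host is on the known-rogue list")
        # The text shown to the reader names a different site than the href.
        if _URL_LIKE.match(text) and hostname(text) != host:
            reasons.append(f"visible text shows {hostname(text)} but link goes to {host}")
        if host in SHORTENER_HOSTS:
            reasons.append("shortened URL hides the real destination")
        findings.append({"href": href, "text": text, "host": host,
                         "reasons": reasons, "preview": preview_url(href)})
    return findings


if __name__ == "__main__":
    for f in assess_links(SAMPLE_MESSAGE):
        status = "; ".join(f["reasons"]) or "no concerns"
        print(f"{f['text']!r} -> {f['host']}: {status}")
        if f["preview"]:
            print("   preview with:", f["preview"])
```

Running the script reports the first link as both mismatched and on the rogue list, the second as a shortened URL with its preview address, and the third as clean. A real deployment would replace the constructed rogue list with a maintained feed and extend the shortener list beyond the two services named here.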


Understanding the Risks
Files can be attached to an e-mail message. Similarly, files can be attached to social media messages, such as in Facebook. Attached files could be malware. Once again, the receiver is more likely to open the file if the filename is relevant to the receiver. For example, if an employee of the IBM Center for The Business of Government receives a message with an attachment that looks as though it has come from a co-worker, then the employee is more likely to open it.

Why Social Media are Vulnerable
A social media message can have a file attached to it and this could be infected.

Risk Mitigation Activities
Because many offices use e-mail to send files, it may not be feasible simply to ban the practice. Short of that fail-safe method to counter this threat, there are measures that end users, managers, and IT staff can take to mitigate this risk.

You should:

  • Watch out for messages which require guesswork by the user to determine the subject and sender of the e-mail.

  • Exercise caution in opening files attached to e-mails and social media messages.


Understanding the Risk
With the advent of interactive websites, hackers gained a way to install malware on a user’s computer through seemingly innocuous means—sometimes without the user even being aware that their machine was being infected at all. Using any one of a number of technologies—AJAX, Java, and DirectX are examples—and in combination with spoofing or social engineering, hackers can bypass security software and introduce malware.

Why Social Media are Vulnerable
Visitors to social media websites do not always know how vulnerable the website is to security breaches. Although a security standard has recently been developed for web application developers to adhere to, it is difficult to know if a particular website is adhering to it or not. The standard is the Application Security Verification Standard, developed by the Open Web Application Security Project. It specifies four levels of security control provision.

Risk Mitigation Activities
Threats from websites are emerging all the time, and it can be difficult for end users to keep abreast of all the dangerous websites. Even well-known websites can fall victim to hackers—in fact, the most popular websites are also the most tempting targets due to their large audience. End users can still play a part in reducing this risk.

You should:

  • Use a password that is at least 10 characters long and has a mixture of letters, numbers, and symbols. Use a different password for each website, so that if a cybercriminal discovers one password, the user’s identity at only one website is compromised.

  • Before creating a password, ask “what personal information is available about me online?” (The new password should not contain any of this information. When setting up a password, a website often asks the user to specify security questions and the answers to them. Do not select questions or answers containing personal information available online.)

  • Exercise caution when using third-party applications within social media websites.
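The password rules in the first two items above (at least 10 characters; letters, numbers and symbols; nothing that can be found about you online) can be turned into a check that runs before a password is chosen. The script below is an added example written for this page, not code from the original guidance. It expands a constructed, hypothetical public profile (names, a birthdate, a zip code, a school) into the fragments a password must not contain, including the usual digit orderings of a birthday, and reports every rule a candidate password breaks. The profile contents and the candidate passwords are made up for the example.

```python
import re
from datetime import date

MIN_LENGTH = 10  # minimum length stated in the guidance above

# Constructed example of what a user might find about themselves online
# (hypothetical profile; not real data).
PUBLIC_PROFILE = {
    "names": ["Jane Doe", "Max"],      # own name and, say, a child's or pet's name
    "birthdates": [date(1985, 7, 4)],
    "zip_codes": ["90210"],
    "schools": ["Springfield High"],
}


def personal_tokens(profile):
    """Expand a profile into lowercase fragments a password must not contain.

    A birthdate is expanded into the common digit orderings (YYYY, DDMM, MMDD,
    DDMMYYYY, MMDDYYYY, YYYYMMDD) because a password embedding any of them is
    guessable from a public birthday.
    """
    tokens = set()
    for field in ("names", "schools"):
        for value in profile.get(field, []):
            for part in re.split(r"\s+", value.lower()):
                if len(part) >= 3:  # ignore very short fragments such as "of"
                    tokens.add(part)
    for dob in profile.get("birthdates", []):
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            tokens.add(dob.strftime(fmt))
    tokens.update(profile.get("zip_codes", []))
    return tokens


def check_password(password, profile):
    """Return the list of rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letters")
    if not re.search(r"[0-9]", password):
        failures.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbols")
    lowered = password.lower()
    # Substring match, so "Jane1985!" is caught even though the name is capitalised.
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            failures.append(f"contains personal information: {token!r}")
    return failures


if __name__ == "__main__":
    for candidate in ("Jane1985!xyz", "Tr0ub4dor&3", "abc"):
        print(candidate, "->", check_password(candidate, PUBLIC_PROFILE) or "OK")
```

The check is deliberately local: the profile stays on the user’s machine and no password is sent anywhere. The same expansion of names and dates is also a useful filter for the answers to security questions, which the guidance says should not be recoverable from information available online.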
