7 Hidden Social Media Cyber-Risks for Enterprises
Leaning on social media to amplify your company's brand? Here's a look at the emerging cybersecurity risks that can arise from TikTok, LinkedIn, Twitter, and other platforms.
October 27, 2022
![Social media risks Social media risks](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt26bd3300fb12c29a/64f15c56f7744d06c8e748dc/socialrisks-golibtolibov-AdobeStock.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Source: golibtolibov via Adobe Stock
Whether they use it to amplify the brand, recruit new employees, advertise new products, or even sell directly to consumers, corporate brands love social media.
According to recent figures, brand advertising on social media is up by 53% in the last year, and that's not accounting for further investments that brands are making in developing and distributing content. They're pushing viral videos, funny memes, podcasts, written material, and more to increase engagement with their customers.
And brands are doing it across not only the old reliable social networks like Facebook and Twitter, but also emerging platforms like TikTok.
In fact, according to another recent study, in 2022 marketers are expanding their horizons, with their increased content investments focused on areas like live streaming, long-form and short-form video content, virtual reality and augmented reality content, experimental content, and live audio chat rooms. The top platforms they're focused on most for increasing spending are now TikTok, Instagram, YouTube, and LinkedIn.
With the broadening of these social-media marketing strategies comes more risk. Whether an organization uses social media to amplify its brand, or its executives and employees leverage social channels to bolster their professional and personal brands, these platforms are a breeding ground for a wide range of cyberattacks and scams, including attacks that exploit artificial intelligence, deepfakes, and biometric data.
Cybercriminals, fraudsters, spies, and activists work around the clock to take advantage of the attack surface that enterprise use of social media creates. Here are seven avenues that organizations may overlook when they double down on their social media investments.
A new study from Trend Micro details how sharing high-resolution photos and videos can pose a long-term threat to individuals (and enterprise executives), namely by providing raw material for attacks on biometric authentication.
"Unfortunately, by sharing personal media content in high resolution, we also unintentionally expose sensitive biometric patterns," the report explains, detailing that a high-definition video or image can reveal facial, iris, or fingerprint details that could potentially be used to spoof facial recognition or fingerprint scanners. Similarly, exposed audio could be used to defeat voice-recognition biometrics.
"One of the problems with biometric data is that, unlike a password, once it is exposed, it is nearly impossible to change. How can we get a new iris pattern or fingerprint?" the report explains. "These are lifelong 'passwords,' and once exposed to the public, an attacker can use them five or even 10 years from now."
In the same vein of video and audio being mined for biometrics, the steady stream of social content from corporate executives can also be used to build convincing voice clones and deepfake videos.
Deepfakes built from scraped and doctored social content can serve a range of criminal ends. With cheap and free AI tools for producing synthetic content more available than ever, the FBI says it expects malicious actors of all types to increasingly leverage deepfakes in their attacks. In a report last year, the FBI warned that cybercriminals and foreign governments will lean on deepfakes to bolster their capabilities.
"We anticipate malicious cyber-actors will use these techniques broadly across their cyber operations — likely as an extension of existing spearphishing and social engineering campaigns, but with more severe and widespread impact due to the sophistication level of the synthetic media used," the FBI wrote.
The volume and depth of personal and business information that people share on social media make social networks a fruitful hunting ground for anyone actively or passively doing reconnaissance.
This includes a mix of foreign state actors, corporate spies, and everyday fraudsters hoping to boost their social engineering ploys.
They can learn a lot about high-profile executives or corporate activities just from what companies and their people publicly share on their profiles, including who they regularly do business with, their travel habits, and who they interact with most within their organization. Spies can do even more damage if they connect with their targets through fake profiles.
A recent warning from the UK government says that spies are using malicious profiles on "an industrial scale" to pump well-placed professionals for information.
According to analysis released by the Identity Theft Resource Center (ITRC) last month, social media account takeovers have skyrocketed in the past year, increasing by more than 1,000%. Attackers are going after any social account they can hijack, but corporate accounts are particularly juicy, as they can be used in lucrative frauds or to embarrass the brand.
For example, just last week the cryptocurrency exchange Gate.io had its Twitter account taken over by scammers, who used the opportunity to promote a phishing scheme. Big brands are not immune: several years ago, McDonald's Twitter account was taken over by activists who pushed out a political tweet attacking President Donald Trump. Twitter itself suffered a well-known breach in 2020 in which attackers used internal tools to hijack high-profile accounts and push a cryptocurrency scam.
Combining the techniques already described, including deepfakes, social media reconnaissance, and account takeover, attackers can turn corporate and executive social media into the ultimate toolkit for business email compromise (BEC).
BEC attacks are all about creating a convincing impersonation of a high-placed individual in order to persuade someone in an organization to make a costly mistake: transferring large sums of cash at the behest of the impersonator, who claims there is an official business reason to do so. Social media provides all the cues and clues attackers need to add a veneer of trustworthiness to their BEC ploys.
For example, attackers are now using deepfakes to steal money through very sophisticated BEC attacks. There are already high-profile examples, including a 2019 case in which a deepfake of the voice of a German parent company's chief executive was used in a call to the head of its UK subsidiary, requesting an urgent transfer of funds to a supposed supplier.
With so much recruiting and hiring activity occurring on and around the LinkedIn platform, it should come as little surprise to cybersecurity veterans that the bad guys are sniffing around for a way to exploit this activity.
This summer the FBI Internet Crime Complaint Center (IC3) warned of an increase in criminals gaming the online interview process for remote-work positions. The fraudsters are using a combination of deepfake video, stolen personally identifiable information (PII), and other tactics to impersonate applicants.
The motivations behind these attacks are still hazy, but some security experts speculate that this could become an avenue for attackers to place themselves as trusted insiders within an organization in order to carry out sophisticated scams and espionage.
Heavy use of social media channels within an organization — both through corporate accounts and the private accounts of employees — to conduct professional communication opens up a whole world of compliance risks for enterprises.
Organizations can run afoul of the US Securities and Exchange Commission (SEC) "quiet period" regulations before an IPO via inopportune posts by marketers; they could fail to retain social media posts that are considered official business communications in highly regulated environments; or they could run up against a number of privacy or confidentiality rules.
One example this year of how costly these risks can be: the SEC and the Commodity Futures Trading Commission (CFTC) announced huge fines, upwards of $125 million in one case, against financial institutions whose employees used channels like WhatsApp to conduct business communications. The banks, it turned out, were not retaining those messages as required.