Social Network of Information: How Threat Actors Take Advantage of Social Media

Updated: 12.01.2022

Social media platforms serve many important functions like connecting long-distance family members, reconnecting old friends, finding jobs, and more. However, because they store personal information such as birthdays, locations, and hobbies and encourage sharing it, the wrong person putting these pieces together can lead to harmful repercussions.

Social media companies hold millions of people’s personal information and it’s unclear exactly how they’re protecting it. They can collect this information to tailor ads to you, or sell the information to third-party companies (take a look at what Facebook thinks it knows about you).

Social media generally has two large areas of concern around data privacy:

  1. Social media companies track and store information: The average social media user doesn’t know what would happen if (and when) there’s a data breach. Organizations should have cybersecurity measures in place to prevent breaches but even companies with major investment in security are not immune to cyberattacks. 
  2. The normalization of sharing information about yourself: People voluntarily share personal information without fully understanding the risks, as this behavior has become commonly expected. Places you frequent, family members’ names, pictures/mentions of local establishments, and past jobs can be more than enough data points for threat actors to gain an understanding of your life and habits. 

It’s relatively widely accepted that social media poses data privacy risks and people want greater data protection (79% of Americans are concerned with the way companies use their data). But the individual social media user typically does not actively care about adjusting their habits, which isn’t necessarily their fault. The burden to protect their information should largely fall on the social media companies. 

In recent years, governments in some regions of the world have begun implementing regulations, like the European Union’s General Data Protection Regulation and the U.S. state of California’s California Consumer Privacy Act. However, these laws are playing “catch up” to the ways social media companies conduct business.

On the other hand, it could be easy to say that people who are worried about privacy simply shouldn’t have social media at all. However, in a world that is increasingly connected by technology, this can be difficult to practice.

Strangers (and Malicious Actors) May Be Closer Than You Think…

According to Facebook, each person with an account on the platform is connected to another Facebook user by an average of three and a half other people (3.57 degrees of separation to be exact). There is the perspective that it’s powerful to know how closely the world is connected. However, the dark side of this is that a threat actor could be much closer than expected.

Tagged Photos

Information that you might feel comfortable sharing to your network of friends may actually be available to Facebook users you are not aware of. For example, if you tag a friend in a photo, depending on their privacy settings, the friend’s whole network of friends can see that picture and understand there is a relationship between you and that friend. They could also see any other information associated with that photo, for example if you tag a location, or have a descriptive caption. 

Sharing that You’re Away 

Posting fun vacation photos or checking in to a location while traveling can be exciting, and some businesses even give discounts to people who check in to their venue. However, these real-time updates of your whereabouts can also let people know that you’re away from your home, and leave it vulnerable to a burglary. 

According to a Léger survey, 29% of Canadians who are active on social media say they post about their vacation plans before or during the trip. 

Because most smartphones record where a photo was taken through geotagging, the geotag can share the specific location even if the photo itself is not revealing on its own.

Ruby Gonzalez, Communications Director at NordVPN, states, “Although it’s fun to post vacation photos and let everyone know you’re having a cocktail on a sunny beach, that sends a clear signal to burglars that your home is empty.”

Threat actors (or anyone online) can gather a lot of information from someone by piecing together different posts and profile information. 

Spear Phishing and Publicly Available Data

Even a relatively small amount of personal information, which people have come to treat as normal to publicize online, can lead to elaborate phishing attacks. Malicious actors can piece this information together for spear phishing attacks that impersonate relatives, coworkers, and more.

Data Breaches and Spear Phishing

Threat actors stole personal data of 530 million Facebook users across 106 countries in 2019 and made it publicly available in 2021, and there have been previous breaches too. The data included profile information like phone numbers, full names, locations, and more. Though it didn’t include financial information, threat actors can work with this data to scam these victims. Non-financial information can still be used to crack account security questions or establish legitimacy in a scam attempt.

Though outside the realm of social media, data breaches at any company can have similar consequences. One of the largest data breaches of this year involved the Australian telecommunications company Optus. After a threat actor stole and posted 10,000 customer records, other malicious actors took advantage of this breach by sending spear phishing texts to try to scam $2,000 AUD from the victims.

LinkedIn and Spear Phishing

LinkedIn is a platform that encourages users to share as much information as possible, since being active on LinkedIn may be relevant to someone’s job or helpful for a job seeker.

This can be a risk factor, as employees who update their position and company can end up as targets of spear phishing. New employees in particular, who may not yet know to be wary of falsely urgent communication from coworkers and company leaders, can be the main targets for threat actors.

To someone who is not the target of a spear phishing attempt, the texts or emails could seem to clearly be scams, but it could be easy for the person receiving the communication to fall into the trap.

How to Become More Cyber Secure on Social Media

Though social media may be more in the personal realm than the professional one, here are some things that you, as a cybersecurity professional, can train your organization’s employees on:

  • Understand that social media can bring immense benefits by connecting people with others, but that sharing more information online carries risks. Vacation photos are not as popular to share on LinkedIn, but when announcing work events like conferences, make sure that employees secure their houses before leaving to travel.
  • Social engineering and spear phishing attempts are becoming more sophisticated. Have a healthy sense of wariness. 
  • Nurture a culture of coworkers checking with each other on any suspicious communications, and for company leaders to notify employees about any necessary processes that require downloading files or clicking on links from email.


Yuzuka

Senior Content Manager

Author Description: Yuzuka developed her copywriting skills through several years of content marketing and coaching + editing writing for students, journalists, C-suite leaders, local government officials, peers, and more. As Flare’s Senior Content Marketing Manager, Akasaka engages cybersecurity professionals by creating and promoting interesting content about Flare’s capabilities and original cybersecurity research.