BERLIN -- One thing became clear during a presentation on cybersecurity and payments fraud at the latest meeting of the Payments Innovation Alliance—social media is a fraudster’s most powerful tool.
Denyette DePierro, vice president and senior counsel for the American Bankers Association, advised the group to consider the amount of information that people put out there on Facebook, Instagram, Twitter, etc., often unprotected and easily accessible. “Your dog’s name might not be public record, but I bet if I search social media, I can find out your dog’s name, the age of your oldest child or your niece’s middle name,” she said. This is significant because many people use information like this in passwords, thinking no one else knows it. But it’s often easily available on social channels.
Furthermore, there’s a reason why business email compromise (BEC) scams occur when your CEO, CFO or CISO is on vacation. “I guarantee you, he’s posting pictures on social media of his vacation in Aruba,” DePierro said. “We’ve seen a lot of that. The reason they’ll be able to send an email requesting an immediate $10,000 wire transfer that is so well-crafted, that knows your dog’s name, that knows that you have the kids in Paris for the summer, is because they got it from social channels.”
She urged attendees to change their settings on Facebook to “anything that isn’t public.” Fraudsters aren’t just following a bank’s or a corporate’s official social media accounts—they’re following their employees, their primary customers—anyone who could be a liability by giving them information about the way the company operates.
Bank and corporate employees will also often unwittingly post about things that could compromise security, such as a joke about an armored car showing up for a pick-up. “That just gave me a whole lot of information about what’s going on at the bank,” DePierro said. “We’ve even seen one instance where social media contributed to a physical security breach. Somebody at a bank posted about waiting for a plumber to fix the executive bathroom. One plumber called, and two showed up. That is the kind of thing that can happen, if you aren’t aware of how information will be used.”
Added DePierro: “You have to think a little bit like a criminal, unfortunately, in order to make sure that the content that you’re pushing out isn’t going to cause a physical breach, a cybersecurity breach, or some other risk or harm to your company or your customers.”
Even your friends list on Facebook can open the door for cybercriminals. Angel Grant, CISSP, director of RSA, Fraud & Risk Intelligence, warned attendees about the dangers of having 5,000 friends. If a hacker can get into your Facebook account, they can share a malicious link with your friends. “They can leverage your Facebook population,” she said. “The more friends you have, the more valuable you are as a target. So I recommend you all defriend people when you get home.”
Additionally, fraudsters have found a new use for social media—selling credit card information. Ironically, the Dark Web has gotten too risky for many carders, so they’ve taken to selling card numbers on social media. “There are over 500 groups doing this on social media—whether it be Facebook, Twitter, WhatsApp, etc.,” Grant said. “And this is globally; we looked at all the international social networks—500 groups, and about 300,000 users. In the past six months, it’s grown over 300 percent a month and it keeps on growing.”