The A to Z of Safe Social Media

Our simple guide to wise Social Media habits

Not for resale

Produced by The Risk Management Group, 2012. Written by Mark Johnson | Illustrated by Corinne Blandin | Foreword by Lord Toby Harris.

Foreword

Businesses and other organisations are increasingly being encouraged to use social media both for marketing purposes and for better internal communications. At the same time, many organisations worry about exactly what they are doing on social media and whether they are posting messages that might damage the brand. All this is made more complicated as people increasingly use their own devices for work purposes (whether this is sanctioned/encouraged by their employers or not). Yet social media are also used by those who are malevolent to attack firms and individuals, not only by planting malware but also through social engineering to effect identity and data theft. Most of us do not know enough about the risks or are blind to the threats that may affect us: a recent Legal & General survey found that a significant percentage of users are happy to "friend" total strangers online without a second thought. Awareness and common sense are the best and simplest form of security and this "A to Z Guide" is an excellent starting point for everyone - from senior managers to the newest joiner.

Lord Toby Harris

Produced by The Risk Management Group 2012

Copyright Mark Johnson & Corinne Blandin, 2012

Introduction

Early in 2012 we were asked to support the efforts of UK financial services firm Legal & General in the production of their Digital Criminal 2012: Cybersafety Report. This report, which can be downloaded here, focused on consumer risks arising from poor social media habits. The results of the survey were alarming:

• 91% of the Facebook users surveyed had received friend requests from strangers
• 51% of those users admitted having accepted such requests
• 56% of users also discuss evening and holiday plans ‘wall-to-wall’

Our own tests, using a network of fake Facebook, Twitter and LinkedIn profiles, demonstrated that many of our fake profiles were able to gather up to 150 friends within a few weeks. One fake profile amassed a staggering 79 friends in under 12 hours, simply by using a pretty picture. Many of these new ‘friends’ were willing to share personal data with our fake personas.

The risks for business and consumers arising from poor social media habits are very real, with fraud, identity theft and the exposure of corporate data being only the tip of the iceberg. The second in our series of free A-to-Z Guides is designed to raise awareness and to suggest common-sense security measures for social media activities carried out by the average person in the home and at places of work.

Mark Johnson

A is for… Awareness

Relatively few social media users are aware of just how many vulnerabilities these services can have. The failure of some leading social media sites to introduce effective validation of users’ identities means that fake accounts are very easy to set up and use. Social media users sometimes have no idea who they are really connected to and this can lead to them giving out information that could be used by fraudsters, burglars and other criminals.

Sanity Check Number One:

Do you really know all of your online ‘friends’?

B is for… Bragging

‘Face bragging’, or showing off online about your material wealth, could make you a target for criminals. Reformed burglar Michael Fraser has spoken frequently of the ways in which today’s burglars, fraudsters and con artists are using social media sites as a source of target data. (See the Legal & General report.) Posting photos of your car, house or jewellery, or comments about your income, bonuses and other assets might win you a few new ‘friends’, but it could also win you some unwelcome visitors.

Sanity Check Number Two:

Do you ever post comments online about your income or possessions, or photos displaying them?

C is for… Checking

The average Facebook user has 140 Facebook friends and in one survey, 95% of users admitted having accepted friend requests from total strangers. Often, a friend request is accepted because the person making it appears attractive to the user, or because they are already a ‘friend of an online friend’. Many of us fail to check before accepting such requests, to establish whether the friend who appears to link us would actually recommend this new person, or whether they even know them.

Sanity Check Number Three:

Have you ever accepted a friend request from a stranger just because you liked their picture?

D is for… Deleting

What you post online could, in theory, stay online forever. However, you do have some control and if you delete your old social media posts there is a reasonable chance that they will be difficult or impossible for others to retrieve. It may be as simple as a former relationship you’d rather hide from your new love, or a silly comment that could affect you professionally years later. Whatever it is, it’s always a good idea to:

• have a trawl through your old posts
• do a bit of house cleaning

But your best bet is to avoid saying anything silly in the first place!

Sanity Check Number Four:

Have you deleted any old posts that, in retrospect, you probably should not have made?

E is for… Email

When you first sign up for many social media sites, your email address is requested of you and it may even be displayed in your public profile. Not only that, but your email address often becomes your user name for the service because many social media sites take shortcuts around more sensible security measures. Having your email address in your public profile exposes you to SPAM as well as harassment. It will also give a fraudster the first half of your logon information and thus help them to take over your account.

Sanity Check Number Five:

Is your email address shown in your public profile?

F is for… Fraud

Online fraud is a growing problem. As more and more services go online we can expect fraud levels to rise even further. Many fraudsters who once searched through rubbish bins for discarded bank statements now browse social media sites for personal data. Most of us are oblivious to this risk and our online posts and profiles often contain a wealth of information that a clever fraudster could use.

Always limit what you post and what your profile discloses about you.

Sanity Check Number Six:

Have you ever disclosed information in an online profile that a fraudster could use, such as your date of birth?

G is for… Geography

Some social media sites are moving users towards a geographic paradigm. This can involve putting your posts and images on a timeline and inviting you to add more information, such as the geographic location you were in. Why would you want to put that online? Your real friends probably know where you were anyway and you wouldn’t want to tell strangers these facts about you, would you? After all, your movements in the past might serve as clues to your likely movements in the future.

Sanity Check Number Seven:

Do you ever post information about your geographic locations, past, present or future?

H is for… Home

The Legal & General Digital Criminal report also revealed that 4% of Facebook users surveyed had included their home address in their public profile. This is not only a matter of concern for those users, it also affects any partners and children they may have. Posting your home address next to your real name in any online public forum is a big no-no, as is posting someone else’s address details.

Keep the real world and the online world separate.

Sanity Check Number Eight:

Have you ever publicly posted your home address online?

I is for… Images

The posting of images online has become commonplace, often without the consent of those depicted. Several services are driving this trend. The problem is that even if you are careful about what images you post, anyone else can post images of you without your knowledge. You should be particularly wary about posting images of your children. One tool you can use is to set up notifications any time you are ‘tagged’ in a post or image, if the social media service you are using supports that.

Sanity Check Number Nine:

Are you careful about what types of image you post?

J is for… Joining

You are likely to make most personal security mistakes in social media on the day you first join a site. After all, it’s exciting to sign up and you are looking forward to connecting to old friends, loved ones or new-found contacts. Social media sites want to collect as much information about you as they can – they might use this for marketing purposes and your data is often their main asset. They will encourage you to complete your profile, providing all manner of personal data. You should only provide the bare minimum of data required to obtain service. Why would you provide more?

Sanity Check Number Ten:

Do you only enter the minimum profile information required to get an account?

K is for… Keystrokes

Did you know that there are forms of Spyware out there (software that can monitor your activities) that can capture every one of your keystrokes? The type of Spyware that records your keystrokes is known as a ‘Key logger’. This kind of Spyware may send a record of each of your keystrokes to someone else. Social media sites are one route used to get Spyware onto your system. For example, a ‘friend’ might suggest that you click on a link. Then, while you watch a video, Spyware may also be downloaded and installed on your machine.

Sanity Check Number Eleven:

Do you blindly follow links suggested by online friends?

L is for… Liking

Clever online fraudsters and con-artists make good use of the like button to attract prospective targets. It works like this:

• A fraudster will persuade someone to accept their friend request, perhaps by using an attractive photo.
• The fraudster will browse that person’s pages and click the ‘Like’ button under posts or images of their friends.
• Some of those friends will be curious about the person who liked their post or image. They might actually invite the fraudster to be their friend.

The fraudster can thus attract ‘friends’ who may never even realise that they have been targeted.

Sanity Check Number Twelve:

Have you ever ‘friended’ someone because they ‘liked’ your posts or photos?

M is for… Malware

Malware is malicious software that can do more than just steal data – it can harm your system or turn your machine into part of a ‘Botnet’:

• Botnets are networks of infected devices
• they are controlled remotely by a hacker
• the largest known contains 12 million PCs
• 25% of all PCs may be infected

Malware can be accidentally downloaded by following links to infected sites. Other examples of Malware are Viruses, Trojans and Worms. Any of these can wreak havoc on your PC, laptop, mobile smart phone or tablet.

Sanity Check Number Thirteen:

Do you auto-update the anti-virus software installed on ALL of your devices?

N is for… Names

There are many instances in which using our real names online is our only option. Setting up a social media account for professional networking is one example. However, if you are going to link to social contacts via a social media site then using your full name might be more of a risk. This is especially true for younger users and until site providers fix their weak security and identity verification systems, we suggest never using your whole real name if you are a young user.

Sanity Check Number Fourteen:

If you are a younger user, do you use a nickname online?

O is for… Old accounts

Social media sites come and go and today’s giants will most likely become tomorrow’s forgotten dinosaurs. This has happened in the past and many of us have old social media accounts that we haven’t used for years - we may even have forgotten their existence. Dormant social media accounts are a gold mine for fraudsters because they can take them over and use them without us ever noticing. A hacked account might:

• reveal information about you
• be used to fool your friends into disclosing their data

Sanity Check Number Fifteen:

Have you deactivated any old social media and email accounts you no longer use?

P is for… Password

If your email address is the same as your login name then a strong password is essential as a hacker or fraudster may already know 50% of your login information. Having your account taken over, denying you access and exposing you to fraud or reputational harm, is an identity theft experience you don’t want to have.

• Use strong passwords
• Use 7 or 9 characters
• Use a mix of letters, numbers and cases
• Avoid using real words, dates & places

Keep your password secret!

Sanity Check Number Sixteen:

Are your passwords difficult to crack?

Q is for… Questions

If you do stumble across a fake online profile, you might become suspicious. Fakers are generally out there to trawl for personal data and the questions they ask you are often a little unusual.

Examples we have seen include:

• “What’s your email address?”
• “When’s your birthday?”
• “Where are you now?”
• “Can you suggest me to your friends?”

You can see a video about what it’s like to have your identity stolen here.

Sanity Check Number Seventeen:

Do you refuse to answer personal questions from those ‘friends’ you are not 100% sure of?

R is for… Recommendations

Social media fraudsters sometimes set up one fake profile in order to recommend other faked profiles to people. The first profile is never used for fraud or to collect data – only the recommended profiles do that. This approach allows the fraudster to create the impression of an innocent network of friends where, in fact, there is only one person - the fraudster. This may lead innocent users to trust the recommended fake profiles on the basis that they are ‘friends of a friend’.

Sanity Check Number Eighteen:

Do you accept friend recommendations from online friends you don’t know well?

S is for… Silence

A common sign of a faked online account is silence.

As explained, a fraudster will have multiple motives for connecting with people and while some connections exist for the purpose of targeting or harvesting data, others are designed simply to build up a convincing contact base. Once you are a part of such a fake network, the fraudster might not have a reason to continue talking to you.

Sanity Check Number Nineteen:

Do you have links to social media ‘friends’ who never seem to be online?

T is for… Tetris

Tetris is only one example of a popular online game that can be very addictive. Game addiction is a growing problem worldwide. Addiction clinics have even been set up in some countries. Some online games also access your social media profile and other data. This data may be stored by the game provider. It has been alleged that in some games you may actually be competing against automated ‘Bots’ and not against real people as you might have assumed. Many games demand payment from you if you want to continue playing once you have become hooked.

Sanity Check Number Twenty:

Are you investing too much of your time and money in online games?

U is for… Un-friending

Did you know that you can often ‘un-friend’ a social media contact at any time?

If you are suspicious about any of your online contacts, don’t be shy:

• ask questions to validate who they are
• check with your real life friends
• un-friend anyone you have doubts about

Sanity Check Number Twenty-one:

Do you ‘un-friend’ contacts you are unsure about?

V is for… Virus

Some viruses have been specifically built to target social media users.

The LilyJade Virus is the most recent (2012) virus seen that specifically targets social media users of sites like Facebook. The first iteration of LilyJade used infected PCs to send out Spam messages about teen pop star Justin Bieber.

You can read more about LilyJade here.

Sanity Check Number Twenty-two:

Is your anti-virus software set to automatically download and install updates?

W is for… Worldwide web

Unless you secure them, your pages can be public places. Anything you post there might be read by others, whether friends or not. Strangers can sometimes post on your page as well, potentially saying anything they choose about you or your friends. There have been many cases of online bullying that exploit this loophole. One of the most serious involved a convicted Internet Troll named Sean Duffy. He posted offensive comments on the tribute pages of teenagers who had committed suicide. You can read about the Duffy case here.

Sanity Check Number Twenty-three:

Do you realise that anything you post in public may have a worldwide audience?

X is for… Xtra careful

The bottom line when it comes to using any social media site safely is personal awareness of the risks as well as the benefits. We use several sites ourselves and we think the positive aspects of the technology are truly amazing. However, because we work in the risk arena, we also see numerous cases of security breaches, personal data loss, fraud and harassment via social media.

Be aware, be extra careful and stay safe online.

Sanity Check Number Twenty-four:

Do you keep your personal and business security in mind when using social media?

Y is for… Youngsters

Younger users often have a more advanced understanding of how to exploit the features of new technologies, but without necessarily being able to comprehend the risks. As parents or simply as adults, we all share a responsibility to inculcate safe practices and to set a good example, whether for our children, guardians, younger siblings or other relatives. Our A to Z of Safe Children Online provides specific advice for keeping children safe online. It can also be downloaded free of charge here.

Sanity Check Number Twenty-five:

If you are responsible for children, are you managing and monitoring their social media and other online activities effectively?

Z is for… Zoning

A simple but effective mechanism for operating safely online is to ‘zone’ your activities. For example, you could use:

• Facebook for social friendships
• LinkedIn for business relationships
• Twitter for general broadcasts to the world
• Blogs for more considered opinion
• A website for corporate statements
• Email for official correspondence
• Instant messaging for team use

You should choose your own approach, but having clearly defined zones can really enhance your personal and professional security.

Sanity Check Number Twenty-six:

Do you use different social media tools to create separate types of social media Zone?

About the authors

The writer, Mark Johnson, is a prominent thinker and speaker on emerging communications security, online and social media risks. He is the author of Demystifying Communications Risk, to be published by Gower Publishing in late 2012, as well as numerous industry training guides and papers. Mark is currently working on his second book which addresses the subjects of Cyber Security and Digital Intelligence.

The illustrator, Corinne Blandin (www.corinneblandin.com), is a teacher, demonstrator and artist, born in France and now living in Cambridgeshire, England. She works extensively with children and has produced illustrations for teaching materials now in use by a leading private school in Cambridge. This is Corinne’s second set of illustrations in the A to Z series, her first being used in The A to Z Guide to Safe Children Online.

Read, enjoy and stay safe online!

Cambridge, 2012

About The Risk Management Group

TRMG delivers consultancy, training and product design services in the area of high technology risks. Our main areas of focus are financial fraud risks, telecoms fraud control, cyber security, digital intelligence, revenue assurance, and the control of money laundering, cyber-laundering and terrorist financing online.

TRMG Services

• Risk assessments and business case reviews
• Business process design & re-engineering
• Software solution design, project management & acceptance testing

TRMG Training Courses

• Introduction to Cyber Security
• Communications Fraud Control (Introductory through to Advanced)
• Crime Investigations (Introductory through to Advanced)
• Digital Intelligence and Internet Investigations (Introductory through to Advanced)
• Telecom Revenue Assurance (Introductory through to Advanced)
• Social Media Risk Awareness (Workshop)

Contacting TRMG

Email: info@trmg.biz
Web: www.trmg.biz
Blog: http://theriskmanagementgroup.blogspot.com/
Phone: +44 1223 257 723

About this work

This work has been sponsored and published online by The Risk Management Group (TRMG)
Compass House, Vision Park
Chivers Way, Histon
Cambridge CB24 9AD
United Kingdom

www.trmg.biz

All rights reserved. This Guideline is provided free of charge subject to the condition that it may be reproduced and distributed freely and without restriction but that it may not be resold or used for any commercial purpose without the written agreement of the publishers.

Disclaimer

In creating this Guideline every effort has been made to offer the most current, correct, and clearly expressed information possible. Nevertheless, inadvertent errors in information may occur. In particular, the authors and the Publisher all disclaim any responsibility for any errors contained within the Guideline or in any related communications, web pages or other printed or online resources. The information and data included in the Guideline have been gathered from a variety of sources and are subject to change without notice. The authors make no warranties or representations whatsoever regarding the quality, content, completeness, suitability, adequacy, sequence, accuracy, or timeliness of such information and data.

E-Brochure

This E-Brochure has been created by Unicorn Designers, www.unicorndesigners.co.uk
