In early 2017, a Russian spearphishing operation ensnared more than 10,000 U.S. Department of Defense employees. According to TIME, the perpetrators sent each victim a personalized social media message with a link to seemingly innocuous content, such as sports highlights or an Academy Awards recap.
The link’s payload was anything but innocuous. When clicked, it delivered a devastatingly effective malware program that commandeered victims’ devices, co-opting them for some unknown purpose.
Given the victims’ occupations and security clearances, this was no typical security breach, and its full ramifications may not yet be known. Nevertheless, it’s a clear example of the sophistication of black hat cybercriminals and malicious state actors – and a sobering reminder that we all have a lot to lose from careless social media use, even if we don’t know state secrets.
Here’s a closer look at the most common risks for everyday social media users and some straightforward tips to stay safe in the digital public square.
Top Social Media Risks for Everyday Users
Some of these risks involve attempted or successful account compromise. Others involve the theft of personal information or credentials not directly related to the social media accounts in question. Still others aim to harass account holders without compromising their accounts or stealing personal information.
1. Identity Theft
Like email and e-commerce, social media is a common medium for identity theft. Scammers looking to steal sensitive information such as usernames, passwords, account numbers, and personal identification numbers use tactics including:
- Posing As Authorized Representatives. Attackers may impersonate trusted individuals or organizations and request sensitive information. This tactic is commonly known as phishing, and its less-adept practitioners are no doubt clogging your email spam folder as you read this.
- Direct-Messaging Business or Employment Proposals. This is the social media version of the “Nigerian prince” email scam: the offer of a too-good-to-be-true windfall or can’t-lose business opportunity that – surprise, surprise – won’t end well for you.
- Spoofing Post Authorization Requests. Executed properly, this is a convincing strategy. It alerts you that someone in your network has tagged you in a post or photo, perhaps of a salacious nature, and requests your approval before the content goes live. Once you’ve entered your social media login credentials, it’s too late.
Identity thieves are endlessly creative, so don’t assume that every attempt to steal your personal information or credentials via social media will look like these scenarios. When in doubt, don’t engage.
Pro tip: Identity Guard is a great way to help monitor your credit. For a small monthly fee, they will use IBM Watson Artificial Intelligence to process billions of pieces of information, alerting you when a potential threat exists. They will monitor your social security number, credit card numbers, bank accounts, health insurance number and more to help you protect your identity, monitoring it on the dark web.
Malicious actors can impersonate, or “spoof,” your social media persona without gaining control over your accounts. Sophisticated, persistent impersonation efforts are known as “social engineering” campaigns, as they condition people and organizations in your network to accept you as the legitimate source of information you didn’t create or authorize. Because impersonation campaigns require more effort than other scams, they’re usually targeted at specific individuals or organizations.
Impersonation campaigns involve the creation of a fake account that resembles the victim’s, complete with a generic public domain photo of the account owner and a near-identical handle, typically with a single character missing, added, or changed.
A long-running impersonation campaign may include weeks or months of “incubation,” during which the impostor account posts non-objectionable content and steadily gains followers. This is often followed by an active period, during which the impostor account’s behavior is intended to discredit or embarrass the victim. Impostor accounts may also spread malicious links, malware, or both. (More on those below.)
All social media platforms take countermeasures against transparent impersonation attempts, but the problem is overwhelming on some networks. Twitter’s fake account problem is particularly egregious, though not all false Twitter accounts are impostors. Millions of false accounts are either automated bots built to amplify content created by other accounts or human-controlled troll accounts created to harass other users or spread fake news.
3. Account Capture
“Captured” accounts are legitimate accounts that are taken over by attackers, who may gain control by:
- Tricking the victim into clicking a malicious direct-message link
- Hacking the victim’s account through the network itself or a third party, often as part of a larger hack
- Guessing the victim’s password
- Skimming login credentials from another compromised location, such as a hacked Google account
Captured accounts are often conscripted into botnets used to spread malicious links or objectionable material. My own social media accounts have been on the receiving end of vast amounts of poorly devised, highly objectionable botnet appeals, usually of a pornographic nature.
Capture attacks may also target specific users. Such targeted attacks may have personal motivations, such as revenge. When the victim is well-known, attackers may have notoriety or specific political goals in mind.
“Malware” is an umbrella term for malicious programs that infiltrate victims’ devices and do the attackers’ bidding. It includes:
- Viruses. Like biological viruses, computer viruses infect “clean” programs on the host device and self-replicate, corrupting the infected program in the process. Viruses are difficult to mitigate; the most common remedy is deleting the infected program.
- Worms. Worms “burrow” into the host device without overt action by the system owner. They spread like wildfire, sometimes traversing the globe in a matter of hours.
- Ransomware. This increasingly common malware variety encrypts the host system’s files, locking out the rightful user until the victim pays a cryptocurrency ransom. Though ransomware attacks are costly for the unprepared, a full system backup to the cloud or an external storage device is a sufficient solution in most cases.
- Trojans. Trojans mimic legitimate apps, tricking system owners into infecting their own devices. The most devious trojans masquerade as anti-malware or “file cleaning” apps that supposedly improve system performance.
- Spyware. Spyware lurks in the shadows of apparently healthy systems, quietly monitoring user activity. One of the more common and potentially destructive spyware functions is keystroke logging, which provides total visibility of any information entered by the user, including passwords and personal identification numbers.
Doxxing is the act of publicly “outing” someone, usually by publishing private information about them or their activities. It’s often used as a form of retribution or revenge – in other words, to get even with or punish a rival. Doxxing is non-consensual and often, but not always, occurs without the victim’s specific knowledge.
Though doxxing isn’t always targeted and often affects more than one person at a time, it’s generally purposeful. For instance, The New York Times reports that doxxing is increasingly common among ideological antagonists. While you may believe outing adherents of violent, racist ideologies is beneficial, collateral damage can occur, as illustrated by a New York Times report on an Arkansas professor wrongly identified as a participant in the neo-Nazi march on Charlottesville, Virginia, in August 2017.
6. Harassment & Cyberbullying
Online harassment and cyberbullying take many forms and degrees, from easily ignored trolling to violent, specific threats against life and property.
Harassment and cyberbullying are especially concerning for minors and their parents. According to the U.S. Department of Education’s 2015 School Crime Supplement to the National Crime Victimization Survey, about one in five students reported some form of bullying during the survey period. The Centers for Disease Control’s 2017 Youth Risk Behavior Surveillance System found that about 15% of high school students experienced cyberbullying during the survey period. Sadly, persistent, pointed harassment is a common contributing factor in self-harm and suicide among young people and some adults.
Examples of social media harassment and cyberbullying include:
- Spreading Rumors or Innuendo. Even if the content is accurate or credible, persistently spreading derogatory information about a non-public individual without that individual’s consent constitutes harassment. The same goes for unfounded rumors and innuendo. This can occur with or without the target’s knowledge.
- Posting Compromising Content. The most egregious example of this is “revenge porn,” the non-consensual posting or sharing of explicit content not meant for public dissemination, often by a former intimate partner. Revenge porn is illegal in most states, even when the victim is of age and the content was created with their consent. Other examples include pictures or videos of individuals in ethically or legally compromising positions, such as passed out drunk or consuming illegal drugs.
- Impersonating the Victim. Harassment isn’t always the intent of impersonation or social engineering campaigns, but it’s common enough to warrant mention. Impersonating a harassment victim is an effective way to discredit them before friends, acquaintances, colleagues, and potential employers.
- Spamming Private Messages or Public Mentions. Though the line between socially acceptable communication and harassment is blurry, it becomes a clear problem when the aggressor fails to heed the target’s clear and repeated pleas to stop. Such harassment can occur publicly in the target’s public profile or mentions, privately via direct messages visible only to the aggressor and target, or both.
- Sharing Violent or Disturbing Content. The unsolicited sharing of violent or disturbing content constitutes harassment, even if it isn’t explicitly threatening. Common types of objectionable content include cartoon violence or pornography, but it’s up to the recipient to determine the line between objectionable and permissible content.
- Making Specific Threats. Specific, targeted threats of violence or humiliation are always unacceptable and may expose the aggressor to civil claims or criminal charges.
Tips to Stay Safe on Social Media
These tips to strengthen your social media security are ones any social media user can follow; you don’t need to be an expert. Upfront and ongoing costs are noted where relevant.
1. Practice Impeccable Password Hygiene
Your password is your first line of defense against hackers looking to compromise your account. Make sure it’s a sound deterrent. Follow these password hygiene tips to thwart automated password-guessing programs and those who know you well enough to deduce probable passwords.
- Never Reuse Passwords. Every account you own, no matter how trivial or infrequently you use it, should have its own password, period. If hackers compromise an account secured with a common password, every account secured with that password is at risk.
- Change Your Passwords Frequently. Change your passwords at least every month, even if you have no reason to suspect anything unusual. There’s often a lag between the theft of login credentials and the compromise or takeover of the accounts they secure.
- Use Complex, Nonsensical Passwords. Make your passwords as random and complicated as possible. Avoid English words and grammar and include random strings of letters, numbers, and special characters.
- Avoid Easy-to-Guess Passwords. This rules out “Password1” and all its variants, but also personalized passwords that someone who knows you – or has access to the public parts of your social media profiles – could guess. For instance, avoid incorporating the names of your kids, parents, siblings, pets, hometown, alma mater, or employer.
- Use a Random Password Generator. Randomly generated passwords pass the “complex,” “nonsensical,” and “not personalized” tests. If you’re worried about these apps’ security, use them to generate a starting string, then modify the characters before setting the password. Some browsers have built-in password generators, and your device may have one pre-installed.
- Store Passwords Securely. Remembering all your passwords is the hardest part. Write them all down by hand, or type them up on a device not connected to the Internet, and store them in a safe location in your home or office. Don’t save your password document to your hard drive or the cloud.
- Consider a Reputable Password Manager. Many people swear by password managers, or secure apps that safely store account passwords so you don’t have to commit them to memory. Password managers are undeniably convenient, and the most reputable among them are generally secure. But no password manager is perfect, and some are downright sketchy. Carefully weigh your options and pore over third-party reviews before committing to one. One of our favorites is 1Password.com. Expect to pay anywhere from $10 to $40 for a premium program.
2. Use Two-Factor Authentication
Use two-factor authentication (2FA) as an added account security measure whenever possible, even if it’s not the default on the site you’re logging into. Accounts protected by two-factor authentication require two separate credentials for access, not including the username. The first factor is usually, but not always, a secret password. The second is commonly a unique numeric or character code delivered via SMS (text messaging), email, telephone call, or other means to an account controlled by the authorized user.
Choose SMS as the vector for your second factor, rather than email, because your cell phone is less likely to be compromised than your email account.
3. Use a Separate “Burner” Email for Social Media Accounts
You might already use a burner email address to collect marketing promotions and other low-priority communications. It’s wise to also set up an entirely separate burner account solely for your social media activity and check it a few times per week. Unless you turn off notifications entirely, your activity will generate a high volume of alerts you’ll no doubt be eager to compartmentalize, anyway.
More importantly, a burner email keeps your social media personas separate from your real-world persona. This is crucial for account security purposes and – if you want to remain semi- or fully anonymous on social media – for privacy purposes as well.
4. Secure Mobile Devices With Social Media Apps
When you get a new phone, immediately download all the social media apps you plan to use regularly if they aren’t pre-installed. This avoids the need to log out of each account at every activity session’s conclusion. The alternative – setting your mobile browser to remember your login credentials – weakens your security.
5. Update to the Latest App Versions ASAP
The longer you put off version updates, the likelier you are to forget about them entirely. When your social media app prompts you to upgrade, do so as soon as possible. New app versions typically have security patches that address vulnerabilities discovered since the last version’s release.
6. Understand What Information You Can and Can’t Control
Each social media platform has its own relationship with the concept of privacy. It’s up to you to learn what that relationship looks like and know how much you can do to shape it.
Finally, review the limits of each platform’s ability to control information flows. Many Facebook users are surprised to learn that even private or semi-public photos may appear in search engines’ image indexes. If you don’t want an image or written post to appear on the Internet, don’t post it at all.
7. Restrict Post Visibility
Every social platform has different visibility protocols. On Facebook, you have the option to make your content:
- Visible within your friend network only
- Visible to friends and friends of friends
- Visible to all users
Twitter lets users “protect” their tweets, rendering their posts invisible to non-followers. Instagram has a similar setting.
Choose a post visibility setting with which you and your loved ones are comfortable. If you want to share content and photos without having them associated with your real-life persona, consider creating a second, anonymous account on social platforms that allow this. Twitter and Instagram both do, as does Snapchat. Networks populated by anonymous accounts are like members-only clubs where users can be more honest with themselves and others, and where the rules of social media etiquette aren’t so stringent. Some low-key social platforms exist for specific purposes; check out The Guardian’s deep dive into the world of “Finstagram” for a good example.
8. Limit or Disable Location Sharing
Location sharing has countless legitimate uses, such as alerting friends that you’re a fan of the new coffee shop you frequent, putting a pin in a novel experience for posterity, or making a humblebrag about the international vacation you’re enjoying.
If you’re using social media in a professional capacity, you might use location sharing to advertise your presence at a trade show, build buzz for a presentation you’re about to give, or highlight the charitable work you’re doing in the community.
That said, location sharing is at odds with privacy. If you’re not eager to let people know where you are at any given moment, then disable location sharing in every social media account and decline to specify where you’re posting from when prompted. For added protection, disable non-social location sharing too; WIRED has a primer on how to thwart Google’s under-the-radar location tracking.
9. Omit Personal Details From Your Profiles
Treat every social media profile or “about me” page as optional. If you want to reveal your home city or neighborhood, your high school or college alma mater, your employer, or your birthday, go right ahead. But don’t feel obligated to; “everyone else is doing it” is irrelevant.
10. Vet All Friend & Follow Requests
Not everyone who wants to make friends on social media has pure intentions. Set the bar high by requiring prospective friends and followers to seek your permission on platforms that allow this. For instance, Instagram’s default setting is “open follows,” meaning anyone can follow your account, but that’s easy enough to change.
Get in the habit of vetting every friend or follow request, even when the requester seems familiar. Look at their profile and public-facing content. Do you recognize their photo? Do they appear to be posting legitimate content, rather than generic photos pulled from the public domain or vague updates that say little about who they are? Does the message accompanying their request to connect make sense, or is it clearly cut and pasted from a template?
It goes without saying that you’re less likely to be spammed, harassed, or scammed by social media users you know and trust. But the mere act of vetting your followers won’t prevent your exposure entirely, particularly on platforms that allow non-followers to communicate with public users. For increased protection, up your account’s privacy settings and dial down your content’s visibility.
11. Be Wary of Friend & Follow Suggestions
Approach your social media platform’s friend and follower suggestions with the same skepticism as you would friend and follow requests. Remember, whatever you’re trying to get out of your social media experience, those running the platforms you’re using probably don’t share those goals. They have shareholders and boards of directors to please, so they’ll do whatever it takes to boost their metrics. It doesn’t matter to them whether the connections they suggest have any value. That’s up to you to determine.
12. Watch for Fake or Compromised Accounts
While careful vetting should weed out demonstrably fake or compromised accounts, well-designed deception can get around this. Accounts can also change for the worse after you’ve connected with them.
I run into this problem a lot on LinkedIn. Since LinkedIn doesn’t have many transparently fake or spammy accounts, I’m pretty credulous about accepting connection requests and suggestions. I’ve come to regret that credulity when new connections I don’t know very well, or at all, in real life direct-message me unsolicited sales pitches or work requests.
It’s an issue on Twitter too. I had “open” direct messages at one point, meaning any Twitter user could send me a private message. Dozens of spam messages later, that’s no longer the case, but I still get weird, unsolicited messages from bots and trolls too frequently for comfort.
13. Block or Mute Liberally
The best way to deal with bots and trolls is to silence them. Learn how to do this effectively on every social platform you use. Twitter and Facebook have “block” functions that render you invisible to antagonists. Twitter also has a “mute” button that silences tweets from specific accounts without notifying the account owners. They can hassle you all they want but to no avail.
Blocking and muting are effective ways to tamp down harassment without unintentionally escalating the situation. However, they’re not appropriate once threats turn pointed and specific or you have reason to believe you or your loved ones may be in danger. Report persistent social media harassment, and any credible threats directed at you or your loved ones, to the social media platform’s customer care team and local or federal law enforcement authorities.
14. Avoid Posting Sensitive Information
Never respond to social media requests for your Social Security number, driver’s license number, or financial account numbers, no matter how trustworthy the requesting party seems.
Most reputable organizations state outright that they don’t ask for such information by email or social media message. If they do need your sensitive information for any reason, they’ll typically ask you to log into your account rather than respond directly to a request. Report social media accounts that ask for personal information to the appropriate quality assurance team, as there’s a high likelihood they’re a scam.
15. Don’t Reveal Detailed Information About Your Daily Routine or Travel Patterns
Don’t over-document your daily routine or out-of-town travel in real time. The more information you provide about your movements, the easier it is for malicious parties to take advantage. Examples of information you probably shouldn’t share include:
- Your home address or the name of your apartment building
- Your online purchase patterns or when you’re expecting a package
- Where and when you work
- Planned travel dates and destinations
- Child and pet care arrangements
16. Manually Log Out After Every Session
Get in the habit of logging out of your social media accounts after every activity session. Logging out reduces your exposure to unwitting account compromise. For example, if you use an insecure wireless network while logged into your social media accounts, those accounts may be exposed to hacking or capture without your knowledge.
17. Don’t Let Others Post to Your Accounts
Don’t give out your social media passwords, even to trusted friends and family members. You might make an exception here for a romantic partner, though you’ll need to change any shared passwords if the relationship goes south.
The reasoning here is twofold. First, keeping your passwords to yourself dramatically reduces the risk they’ll be revealed, inadvertently or intentionally, to the world. Second, even when they have the best intentions, authorized account users are not you. Their questionable judgment reflects on you when they post from your account.
The same goes for employees or contractors authorized to post to your social media accounts. If you can’t avoid giving your social media manager or virtual assistant access to your personal or corporate social accounts, it’s on you to clearly establish posting standards and regularly review the content they share.
18. Don’t Click Unsolicited Links
Never click unsolicited links, even when you know the sender. Remember, the Department of Defense spearphishing debacle began with seemingly innocuous links that passed as legitimate.
19. Vet Apps That Require Profile Permissions or Personal Information
Vet all third-party apps that request social media profile permissions or login information to function properly, and consider declining such requests. The list of well-known apps that haven’t been compromised is shorter than the list of apps that have, so it’s important to be aware of the chances that a third-party app could become a medium for the compromise of your social media accounts. This goes for your favorite third-party apps as well as the many little-used apps gathering dust on your hard drive.
20. Avoid Quizzes & Games
Fun as they are, social media quizzes and games may reveal more personal or behavioral information than players are willing to reveal, sometimes with stupefying consequences. According to Politico Europe, now-defunct U.K. data firm Cambridge Analytica used internal and third-party personality quizzes to gather data about tens of millions of Facebook users worldwide, then used its findings to create behavioral archetypes for British and American voters.
Though users voluntarily participated in these quizzes, U.K. authorities have accused Cambridge Analytica of collecting user data without permission and using it in violation of users’ privacy expectations. It’s not clear how widespread this practice is, but it’s a reminder that there’s often more to silly social media quizzes than meets the eye.
21. Don’t Log In on Public Wi-Fi Networks or Computers
Avoid public Wi-Fi networks and devices, such as computers in hotel business centers, whenever possible. If you must log into social media accounts on public networks or devices, use a virtual private network (VPN) to encrypt the information you send and receive during the session.
Use neutral, credible resources to differentiate the many VPNs on the market today –CNET’s roundup is very good, for instance – and download the VPN that appears to best fit your needs. Top-shelf VPNs typically cost anywhere from $3 to $10 per month, but the expense is well worth the protection and peace of mind.
22. Use Strict Parental Controls
Use age-appropriate parental controls to restrict or deny your kids’ social media access. Some social media apps come with built-in controls; for instance, Facebook Messenger has a “sleep time” feature that lets parent set permissible use times. For a more comprehensive approach to parental controls, consider a reputable third-party app like FamilyTime, which costs $45 per year.
23. Think Twice Before Posting Personal Photos
The only sure way to maintain your anonymity on social media is not to use social media in the first place. Absent that, you can set a high standard for your posts and err on the side of not posting at all.
This is especially important for photos, which may appear in search engine indexes even with aggressive privacy controls. Don’t post anything you wouldn’t want your employer, colleagues, or clients to see.
24. Limit Social Sign-Ins
Countless third-party apps, from music suites like Spotify to publishing platforms like Medium, allow users to sign in and stay signed in through their social media accounts, most often Facebook. While this is convenient, it’s also insecure. One of the scariest aspects of Facebook’s 2018 hack was the compromise of a slew of third-party app accounts that the affected users had linked to their Facebook accounts. Using a unique password for every third-party app is worth the trouble.
Social media is, on balance, a positive influence in my life. I use Facebook to keep up with old friends and distant relations with whom I’d almost certainly lose touch otherwise. I rely on Instagram for inspiration and comic relief. Twitter satisfies my appetite for news and insight from varied sources. LinkedIn lends my professional activities credibility and keeps me in touch with influential people whose opinions and counsel I value.
Still, I recognize that it’s impossible to discount social media’s ills, both its safety and security threats and its insidious influence on society and public discourse. I’ll leave it to smarter people to grapple with the latter, so for now, all I’ll say is: Stay safe out there.
Have you ever been the victim of identity theft or other malicious activity on social media? What happened?