Social engineering: how hackers are using your open information

Published on 06 November 2017

Tag. Like. Share. Post.

With social media, it’s now too easy to live a part of your life online.

While this may be good news for your online friends and the tech companies who want to sell you things, it’s also great news for hackers. Because, when used without caution, social media has the means to give criminals the arsenal they need to substantially magnify the effectiveness of their attacks.

Viral clicking

Employees are an important first line of defense against hacking. But they’re also the most vulnerable. While most employees know not to open suspicious emails, seemingly innocent links on social media are another story. Whether it’s discount vouchers, surveys with prizes if forwarded along, or fake recruiters asking for personal details on LinkedIn – people are often more trusting when clicking on links that appear to come from a friend. But once a link is clicked, it can quickly lead to malware being installed through the browser, revealing a user’s location, type of device and operating system – information which can be handy for launching future attacks.

Without proper privacy settings and vigilance, social media posts can be used to pursue socially engineered fraud, launch targeted phishing campaigns, or commit identity theft. And even when posts are set to private, it’s still possible to be compromised. For example, say a crook gets hold of your Head of Finance’s personal Facebook account by posing as a high school acquaintance. From there, they can see what nickname he or she goes by, and what interests he or she might have. The crook can use this information to guess their password and gain privileged access to other accounts.

Malicious attacks can also come in the form of bogus plugins. The Google Docs phishing scam in May this year fooled many Gmail users into handing over access to their email. And compromised third-party tools can lead to widespread damage. Earlier this year a number of prominent Twitter accounts, including Forbes and Amnesty International, were hacked to tweet Nazi-related messages after the Twitter analytics tool, Twitter Counter, was hacked.

There are also insight tools to consider. Today’s technology can scan an employee’s social media account to find out what their interests and tastes are. AI solutions can also scan an image to guess a person’s age and gender. And it doesn’t take a genius to figure out personal addresses through the electoral register and geotagged photos. Combined with the techniques above, these insights can be used to launch a highly personalized and sophisticated phishing scam.

Finally, there’s the old-school method of physical theft. By stealing someone’s phone, tablet or laptop, crooks have immediate access to social media profiles – unless adequate protections are put in place.

Why vigilance is the way forward

Large investments in password-centered online security tools won’t necessarily do the trick, especially if employees continue to click on dubious links. And banning social media altogether will cause more harm than good, given the likely cultural backlash and employees’ tendency to use social media anyway.

Going forward, the best defense is a hybrid one. Businesses must foster a security-conscious culture through continuous training and education. There must be a social media policy in place that ensures all checks and balances are made before any information is shared on the company’s social media. And employers must also look at making sure their security solutions have the means to scan and stop malicious attacks in real time.

Remember, it’s not just the big corporate enterprises or government bodies that are at risk. While they may be the ones we hear most about in the news, the fact is that businesses of all sizes can be affected. LinkedIn, Twitter and Facebook aren’t just harmless distractions. When used without discretion, they can lead to potentially disastrous results.

Businesses and individuals alike should be wary. Here are some tips everyone can use to protect themselves and their businesses.

  1. Update passwords regularly

Social media passwords should all be unique and routinely updated. Don’t stick these on a note. A password manager may help.

  2. Be careful when handing out credentials

Third-party sites should all be treated with caution. Regularly check what sites your social media is linked with.

  3. Exercise caution on public Wi-Fi

With BYOD, sensitive company information is accessed from personal devices on networks you don’t control, so anyone sharing that network could intercept it unless the right precautions are in place.

  4. Check privacy settings

Birthdays, family members and education can easily be found on social media and used to bypass security check questions in password recovery. Keep these hidden.

  5. Be vigilant

Check what your company is posting and make sure it can’t be used to socially engineer employees. A social media policy can help.

Download our whitepaper on Privileged Identity Theft for more information on protecting against hackers online.

by Balabit

Balabit, a One Identity business, is a leading provider of Privileged Access Management (PAM) and Log Management solutions. Founded in 2000, Balabit has a proven track record of helping businesses reduce the risk of data breaches associated with privileged accounts.
