Blog

Social Networking Sites: Security and Privacy Issues

Recent hacks involving several high-profile social networking accounts once again highlight the potential vulnerability of social media. The sheer volume of users and the information that gets posted on social media sites create plenty of opportunity for an attacker to use social engineering or other methods to gain access to the accounts of individuals and organizations. The more information you post, the more your security and privacy are at risk.

Precautions to Take
Below are some helpful tips regarding security and privacy while using social networking sites:
  • Ensure that any computer you use to connect to a social media site has proper security measures in place. Use and maintain anti-virus software, anti-spyware software, and a firewall.

  • Be cautious when clicking on links. If a link seems suspicious, or too good to be true, do not click on it, even if the link is on your most trusted friend’s page. Your friend’s account may have been hijacked or infected and is now spreading malware.

  • If you are going to request that your account be deleted, first remove all of the data. Request that the account be deleted, rather than deactivated.

  • Type the address of your social networking site directly into your browser or use your personal bookmarks. If you click a link to your site through email or another website, you might be entering your account name and password into a fake site where your personal information could be stolen.

  • Be cautious about installing applications. Some social networking sites provide the ability to add or install third-party applications, such as games. Keep in mind there is sometimes little or no quality control or review of these applications, and they may have full access to your account and the data you share. Malicious applications can use this access to interact with your friends on your behalf and to steal and misuse personal data. Only install applications that come from trusted, well-known sites. If you are no longer using an app, remove it. Also, please note that installing some applications may modify your security and privacy settings.

  • Use strong and unique passwords. Using the same password on all accounts increases the vulnerability of those accounts if one becomes compromised. Use different passwords for different accounts, and do not use the password you use to access your organization’s network on any personal sites you access.

  • Be careful whom you add as a “friend,” or what groups or pages you join. The more “friends” you have or groups/pages you join, the more people have access to your information.

  • Do not assume privacy on a social networking site. For both business and personal use, confidential information should not be shared. You should only post information you are comfortable disclosing to a complete stranger.

  • Use discretion before posting information or comments. Once information is posted online, it can potentially be viewed by anyone and may not be retractable afterwards. Keep in mind that content or communications on government-related social networking pages may be considered public records.

  • When posting pictures, delete the metadata, which includes the date and time the picture was taken.

  • Do not announce that you are on vacation or away for an extended period of time.

  • Configure privacy settings to allow only those people you trust to have access to the information you post and to your profile. Also, restrict the ability of others to post information to your page. The default settings for some sites may allow anyone to see your information or post information to your page.

  • Review a site’s privacy policy. Some sites may share information, such as email addresses or user preferences, with other parties. If a site’s privacy policy is vague or does not properly protect your information, do not use the site.
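The tip about deleting picture metadata before posting can be carried out without an image editor. The following is an added example, not code from the original post or from cybersecurity.sd.gov, showing the structure of the problem: a JPEG file is a sequence of marker segments, and the date, time, camera model and (often) GPS position live in the APP1 (Exif/XMP) and APP13 (IPTC) segments, which can simply be dropped while the JFIF header, tables and pixel data are copied through. The sample bytes are constructed to have the right segment layout and are not a decodable picture; the function names and the choice to strip only APP1 and APP13 are this example's own assumptions.

```python
import struct

SOS, EOI = 0xDA, 0xD9
# APP1 carries Exif (date/time, camera, often GPS) and XMP; APP13 carries IPTC/Photoshop data.
METADATA_MARKERS = {0xE1, 0xED}


def iter_segments(jpeg):
    """Yield (marker, start, end) byte ranges for each segment after the SOI marker.

    The final item covers everything from Start Of Scan (compressed pixel data)
    to the end of the file; that part is copied through untouched.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xFF:              # optional fill byte, skip it
            pos += 1
            continue
        if marker in (SOS, EOI):
            yield marker, pos, len(jpeg)
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length counts its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS/EOI marker found")


def has_metadata(jpeg):
    """True if any APP1 (Exif/XMP) or APP13 (IPTC) segment is present."""
    return any(m in METADATA_MARKERS for m, _, _ in iter_segments(jpeg))


def strip_metadata(jpeg):
    """Return a copy of the JPEG with all APP1 and APP13 segments removed."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if marker in METADATA_MARKERS:
            continue                    # drop the metadata block entirely
        out += jpeg[start:end]
    return bytes(out)


def _segment(marker, payload):
    """Build a segment: 0xFF, marker, 2-byte big-endian length (including itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (assumption): correct segment layout, but not a real photograph.
EXIF_SEGMENT = _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"2024:01:01 12:00:00")
IPTC_SEGMENT = _segment(0xED, b"Photoshop 3.0\x00constructed-iptc")
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # JFIF header, keep
    + EXIF_SEGMENT
    + _segment(0xDB, b"\x00" + bytes(64))                                 # quantisation table, keep
    + IPTC_SEGMENT
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"          # SOS header + scan data
    + b"\xff\xd9"                                                          # EOI
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("before:", has_metadata(SAMPLE_JPEG), len(SAMPLE_JPEG), "bytes")
    print("after: ", has_metadata(cleaned), len(cleaned), "bytes")
```

To clean a real file, read its bytes, pass them through strip_metadata, and write the result to a new file. PNG and HEIC store metadata differently and need their own handling, and some sites strip Exif on upload, but the page's advice is to remove it yourself rather than rely on that.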

Stay tuned to our blog for more on cyber security tips throughout the year. For additional information, please visit cybersecurity.sd.gov.

Gone Phishing

In the pre-Internet era, con men (short for confidence men) gained their victims’ confidence through deception in order to defraud them. The same principles are used today, only now with even greater efficiency through online scams.

One of the most prolific means of online scamming is phishing. When using email, it is difficult to know with certainty with whom you are communicating. Scammers exploit this uncertainty to pose as legitimate businesses, organizations, or individuals and gain the trust of users. If a scammer is able to gain a victim’s trust, they can leverage it to convince the victim to willingly give up information or click on malicious links or attachments.

To gain users’ trust, scammers make themselves look like legitimate businesses or organizations by spoofing the sender’s email address, creating a fake website with legitimate logos, and even providing phone numbers for a bogus customer service center operated by the scammers.

Two Common Types of Phishing Attacks

  1. Phishing scams are perhaps one of the best-known forms of email scam. This type of scam involves a scammer pretending to have a fortune that he or she cannot access without the help of someone trustworthy, which happens to be you! The scammers try to obtain the user’s financial information using an empty promise of sharing the wealth in exchange for their help.
  2. Spear-phishing is a targeted and personalized attack on a specific organization or individual. These attacks use information gathered about the target, together with sender email addresses that resemble those of the target’s acquaintances, to entice the user to either divulge sensitive information or download a malicious file. This often requires a lot of information gathering on the targets and has become one of the favored tricks used in cyber espionage.

If you are mindful of potential phishing traps and observant of the telltale signs of a scam, you can better defend against a phishing attack.

  • Be cautious about all communications you receive, including those purported to be from “trusted entities,” and be careful when clicking links contained within those messages. If in doubt, do not click.
  • Don’t respond to any spam-type e-mails.
  • Don’t send your personal information via email.
  • Don’t input your information in a pop-up; if you are interested in an offer that you see advertised in a pop-up ad, contact the retailer directly through its homepage, retail outlet or other legitimate contact methods.

Keep an eye out for these simple telltale signs of a phishing email:

  • The email has poor spelling or grammar.
  • For secure transactions, look for a lock icon in the browser’s address bar.
  • The use of threats or incredible offers is a common tactic that tries to elicit an emotional response to cloud the user’s judgment.
  • The URL does not match that of the legitimate site. Scammers cannot use the same URL associated with the legitimate websites, so they will tweak the address of their spoofed website so that at a quick glance it looks legitimate.
    • The URL may use a different domain name (e.g., .com vs .net)
    • The URL may use variations of the spelling of the actual address
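The two URL tricks listed above (a different top-level domain, and a near-miss spelling of the real name) are mechanical enough to check in code. The following is an added example, not code from the original post or from cybersecurity.sd.gov: it takes a link, extracts the host the browser would actually connect to, and compares the registered domain against a short allowlist of sites the user really uses. It also flags the related case where a trusted name is buried in the subdomain part of someone else's domain. The allowlist, the reserved example domains and the two-edit threshold are this example's assumptions; a production version would use the Public Suffix List instead of the "last two labels" shortcut. Note that a lock icon only tells you the connection is encrypted, not who is on the other end, so a host check like this is still worth doing.

```python
from urllib.parse import urlparse

# Constructed allowlist (assumption): the sites the user actually holds accounts with.
TRUSTED_DOMAINS = {"example.com", "mybank.example"}


def registered_domain(host):
    """Return the last two labels of a hostname ('login.example.com' -> 'example.com').

    Simplification: real code should consult the Public Suffix List so that
    multi-label suffixes such as 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def classify_link(url):
    """Classify a link's host against the allowlist.

    Returns 'trusted', 'lookalike-tld', 'lookalike-spelling',
    'trusted-name-as-subdomain' or 'unknown'.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    reg_label, _, reg_tld = reg.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_label, _, t_tld = trusted.rpartition(".")
        # Same name under a different top-level domain: example.com vs example.net
        if reg_label == t_label and reg_tld != t_tld:
            return "lookalike-tld"
        # A trusted name used as a subdomain of somebody else's domain:
        # secure.example.com.attacker.test really belongs to attacker.test
        if host != reg and ("." + trusted + ".") in ("." + host):
            return "trusted-name-as-subdomain"
        # Near-miss spelling of the name: exarnple.com, examp1e.com
        if reg_label != t_label and edit_distance(reg_label, t_label) <= 2:
            return "lookalike-spelling"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://login.example.com/reset", "https://example.net/reset",
                 "http://exarnple.com/login", "http://secure.example.com.attacker.test/login"):
        print(classify_link(link).ljust(26), link)
```

The allowlist approach deliberately classifies anything it does not recognise as "unknown" rather than "safe": the point of the check is to catch a link that is trying to look like a site you use, not to vouch for every other site on the Internet.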

Don’t trust a file based on its extension either; there are a variety of tricks to hide the true nature of a file. Lastly, make sure you have up-to-date anti-virus software installed, and enable its feature to scan attachments before downloading and saving them to your computer.
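One concrete way to act on "don't trust a file based on its extension" is to compare the name's extension with the file's leading bytes, which identify the real format. The following is an added example, not code from the original post or from cybersecurity.sd.gov; the signature table, the sample attachments and the verdict names are this example's own constructed assumptions, and the table covers only a handful of common formats.

```python
# Constructed table (assumption): leading "magic" bytes and the extensions they go with.
MAGIC_SIGNATURES = [
    (b"%PDF-", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}),   # Office documents are ZIP containers
    (b"MZ", {"exe", "dll", "scr"}),                     # Windows executables
]
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr"}


def sniff_type(data):
    """Return the set of extensions whose signature matches the leading bytes, or None."""
    for signature, extensions in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return extensions
    return None


def declared_extension(filename):
    """Extension the file name claims, lower-cased; '' if there is none."""
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def check_attachment(filename, data):
    """Compare what the name claims with what the content actually is.

    Returns 'match', 'executable-content', 'mismatch' or 'unknown-content'.
    """
    ext = declared_extension(filename)
    detected = sniff_type(data)
    if detected is None:
        return "unknown-content"        # not in the table; scan with anti-virus before opening
    if ext in detected:
        return "match"
    if detected & EXECUTABLE_EXTENSIONS:
        return "executable-content"     # a program, whatever the name says
    return "mismatch"


# Constructed sample attachments (assumption): a few bytes of each format, not real files.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%constructed",
    "invoice2.pdf": b"MZ\x90\x00constructed",
    "photo.jpg": b"\x89PNG\r\n\x1a\nconstructed",
    "report.docx": b"PK\x03\x04constructed",
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name.ljust(14), check_attachment(name, content))
```

Anything other than "match" is a reason to stop and verify with the sender through a channel you already trust; the check is cheap enough to run on every attachment before it is opened.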