Why Facebook is a Hacker’s Best Friend, Why and How to Secure Your Account

March 3rd, 2017 - Category - IT Security, Security

Over 70% of businesses have been targeted by cyber attacks and two thirds of large UK businesses were hit by a cyber breach in 2016. But it’s not just big businesses who are at risk. 66% of small businesses in the UK have been victims of cyber crime, costing the UK economy over £5 BILLION.

Small and medium sized businesses are being targeted more than big businesses because they're more likely to pay ransoms to retrieve company data, and because attacks are more likely to succeed where staff have had less cyber security training and are less likely to be protected by cyber defences.

It’s more lucrative, and easier, for cyber criminals to target 20 small businesses and successfully steal £10,000 from 10 of them, than it is to target one large business and steal £100,000.

If you want to give yourself the best chance of NOT becoming one of the above statistics, you should download our easy to read, “geek free” guide containing 65 tips to stay cyber secure. Click the button below to get it.


Continue below for why you should secure your Facebook account and how to go about doing it:

Why Facebook is a First Class Tool for Cyber Criminals Targeting YOUR Business

Facebook is one of the first places a cyber criminal will look if they've decided they want to target your business, therefore it's vitally important you review your privacy settings and take steps to keep your account secure. 

If you own a business, or you're someone a cyber criminal might think would have access to sensitive company data or access to financial accounts, they will very likely try to research you on Facebook and other social media sites before attempting to strike.

They will ultimately try to get you to click on a link or attachment in an email that will install malware once you do. This malware could be ransomware like CryptoLocker, which will encrypt all of your files so they're unreadable unless you pay a ransom to get the decryption key. Alternatively, it could be malware which allows the cyber criminals to covertly monitor your communications or keystrokes, including login details.

Cyber Criminals use Personalised Emails to Trick You - and All the Information Needed to Personalise them is Online

Imagine you own Company XYZ. All a cyber criminal has to do is look up Company XYZ on Companies House, look at the latest financial statement (to determine if the company is a good target or not) and then look at the listed directors and officers. Further research can be done on the company website, or on LinkedIn, to determine who might hold the crucial keys to data or money that the cyber criminal wants.

The major tool in the cyber criminal's arsenal that will eventually gain them the access they desire is very likely going to be a phishing email.

TAKE NOTE: Phishing Emails Won't Be Obvious!

Expecting these emails to be obvious when they arrive is a huge mistake that will probably mean you become a victim. Some still are, but many are incredibly convincing, almost indistinguishable from authentic or innocent emails. 

Some criminals still send generalised phishing emails, casting their nets very wide by sending the same email to thousands of recipients and hoping to snare a few people who click.

The ones we are more concerned with, however, are sent to a single individual and are designed to snare that one person. They do this by being very tailored: the content is written specifically for that person, about things that person is interested in. But first, the sender must research their victim. That often starts on Facebook.

Want Cyber Criminals to See Pictures of Your Kids?

If you've never paid any attention to your Facebook privacy settings, anyone in the world could potentially view your profile and any of the information on it. They can see your pictures, see your posts, see who you're friends with. They can see absolutely everything on your Facebook page that you yourself can see. Depending on your settings, they may be able to see your email address and phone number. They can also see your interests. You might think this is harmless, but it's not.

A person with complete access to view all of your Facebook information could find out your kids' names, see pictures of them, see that you like to go cycling on weekends, and so on.

Imagine you're a business owner called Bill who plays golf with his friend John on the weekends. Your wife's name is Kari, and you have two kids. A cyber criminal could find all that out on Facebook, and then send you an email like this:


Sender: "[email protected]"

Subject: Did you forget this?

"Hi Bill - you left this (see attached) at the course on Sunday. Hope Kari and the kids are well.

John"

Of course, it's not really from John; it's from a made-up email address, which anyone can set up easily. There's no picture attached, and downloading the attachment will install malware which either encrypts your data and demands a ransom, sits in the background monitoring you, or feeds data back to the attacker.

This kind of email phishing is very likely to be successful because it is so personal. Therefore, we should all limit the amount of information that is available to people on Facebook and other websites so it's harder to personalise emails.
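As an added illustration (not part of the original post), the following Python check applies the post's own red flags to a constructed copy of the "John" email: a familiar name on an address you have never corresponded with, a risky attachment type, and wording that lures you into opening it. The address book and the sender domain are hypothetical.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the "John" email in the post; the sender domain is a placeholder.
SAMPLE_EMAIL = """\
From: John <john@golf-buddy.invalid>
Subject: Did you forget this?
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bill - you left this (see attached) at the course on Sunday. Hope Kari and the kids are well.

John
--b1
Content-Type: application/zip; name="photo.zip"
Content-Disposition: attachment; filename="photo.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Hypothetical address book: the address Bill has actually used for John.
KNOWN_CONTACTS = {"john": {"john.smith@golfclub.invalid"}}
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".docm", ".html")
LURE_PHRASES = ("see attached", "did you forget", "open the attachment")


def phishing_red_flags(raw, contacts=KNOWN_CONTACTS):
    """Return the red flags found in one raw email (RFC 5322 text)."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    flags = []
    # A familiar first name on an address you have never corresponded with is the classic spoof sign.
    known = contacts.get(display.split()[0].lower()) if display else None
    if known is not None and addr.lower() not in known:
        flags.append("known name, unknown address: " + addr)
    # Attachment types that can run code or carry a dropper.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append("risky attachment: " + name)
    # Wording that tries to make you open the attachment out of curiosity.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        flags.append("curiosity lure: " + ", ".join(hits))
    return flags
```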

Your "Friends" May not Really be Your Friends

You may think this won't happen to you if you already know that only your friends can see your information on Facebook, but that's not a sure-fire way to be safe either. Cyber criminals get round that tactic rather easily.

All they have to do is view your friends list, or figure out who you "might" be friends with (i.e. look up other people on your company website, people who listed you as their employer on LinkedIn etc.). If they can't get a picture of that person straight from Facebook, they only need to find one somewhere else (your company website and LinkedIn are good places to look). Once they have a picture they can create a fake Facebook profile impersonating that person, and send you a friend request. Once you accept, your new "friend" can likely see the same things you allow your mother to see.

Even if you're already friends with this person, you're only likely to hesitate for a second thinking it a little strange, before accepting. If you ever receive a friend request from someone you're already friends with, it's highly recommended to be suspicious, and check with that person using another means of communication before accepting. It's a good idea to do this even if you weren't already friends with that person.

How to Secure Your Facebook Account by Doing a Privacy Check-Up

Now you know why it's important to ensure your Facebook account is secure, let's go over how to do it.

The first place you should go is this page on Facebook. 

This is where you can learn about privacy settings on Facebook, and at the bottom there's a button to take you to do a privacy checkup. This will walk you through the most basic of Facebook's privacy settings. There will be an option later to go over all of the detailed settings (which we'll cover in this post).

You can also reach it by clicking the padlock symbol in the upper right of any Facebook page that you are logged into. Once you're in, you will get a dropdown window presenting you with walkthroughs of your current settings relating to "Your Posts", "Your Apps" and "Your Profile".

The first section of the privacy checkup is to do with your posts on Facebook.

You want to change anything that says "public" to "friends" or "only me". You can also create a smaller group of friends who you know are definitely safe - like your immediate family. It's often a good idea to only share posts with this smaller group.


The second section is to do with apps that you have connected to your Facebook account. Don't skip over this section! Granting apps permission to access your account can allow them to access data on your profile. This is a concern for two reasons. One, you don't know if all of those apps can be trusted with your information, and two, apps can become hacked too. So if an app has access to your data or has the ability to post on your behalf, and it gets hacked by cyber criminals, now they have access to your data or can post on your behalf.

The "only me" in the screenshot above refers to who can see that you use this app, and who can see posts made by this app on your profile. These posts are usually things like "Robert just played Words with Friends and won" or "James just ran 4.9 miles with RunKeeper".

If there's anything here that you no longer use, just revoke its permissions by clicking the "X" next to it in the list.

The last section of the privacy checkup is probably the most important of all, your profile.

This is where you'll see what personal information like phone number, email address, date of birth, home town etc. is visible on Facebook. You'll want to make sure this is all only visible to you. The only people who would need this information about you most likely already know it.

In the screenshot below, I have blurred my own information.

Edit Your Full Privacy Settings

On the third step of the privacy check-up, you may notice that there is a helpful link to go to the "About" section of your profile to "see everything and check who you're sharing it with." I recommend you click on that and review all of your settings. When you get there, you'll see more of your "about" details like where you've worked and where you went to university and school. It will also show where you've lived, contact information, family members you've listed on Facebook, life events like when you were born, when you graduated and when you got married, and any other information you've added like favourite quotes, nicknames etc.

I recommend removing or hiding all of this because it's information that could be used in a tailored phishing email designed to get you to click and install malware.

It's not immediately obvious that you can edit this information on this page, so you might miss it. You need to click the menu on the left hand side to navigate the different sections, and click on the information itself to change its visibility or remove it.


Below the "About" section on this page, you'll be able to do the same for other information. I recommend you remove the ability for anyone on the internet to view your friends list. This way it will be harder for cyber criminals to work out who they should imitate when they send you a friend request - which would potentially give them access to the information you've just removed from public visibility.

To do this, click on the pencil icon that says "manage" when you hover over it. Then click again once "edit privacy" appears.

Managing Who Can See Photos of You

The next section is photos, but unfortunately this page does not allow you to easily edit who can view your pictures on Facebook, including pictures uploaded by others that you've been tagged in. The good news is, if you changed the visibility of "posts" to "friends", "only me" or a custom group of friends, then that should cover all pictures you uploaded yourself. It won't cover pictures of you uploaded by other people in which you've been tagged; you'll have to manage those individually.

Clicking on "manage" and then "view photos hidden from timeline" brings you to a page where you can see all of your photos in reverse chronological order. You can use the filters at the top to change which photos appear. If you select "Shared with: See All" and "On Timeline: Hidden or Visible" this will show all photos on Facebook of you.

You would now have to go through all photos one by one, and change the visibility of each one. If you uploaded it, you'll be able to change who can see it. If someone else uploaded it and tagged you, you'll have to click the link to go to the photo, and then remove the tag of yourself (which can be done by hovering over your name in the post, then clicking "remove tag" in the pop-up preview of your profile that appears.)


Check-ins also can't be removed easily. See this post for more information (and why you shouldn't always geotag or add a location to your posts). If you want to remove these, you'll have to edit every "checked in" post manually. Luckily, these aren't aggregated anywhere on the "about" section of your profile - so if you've hidden your posts from strangers, they won't be able to see places you've checked in either.

The last few sections deal with sports teams, books, films, TV programmes and other similar things you've added to your profile. To remove all of these, just click on the "Add TV Programmes/films/books" button, then click the icon beside the search bar to change visibility to "only me", or you can remove them all completely by clicking each one and selecting "delete".

Even with all the security settings enabled, you still need to be aware

That's all of the Facebook privacy settings - however, changing your account to maximum security alone isn't enough to keep you safe.

Even if you only show personal information to your friends on Facebook, and you pare your friends list down to the minimum, and you always make sure friend requests are genuine - you never know which one of your friends has had their account compromised since you accepted them. This would allow a stranger to use their account to view your private information.

It's therefore important to always look extremely closely at any unexpected emails you receive. If it contains a link or attachment, then the more it piques your curiosity, the less it should be trusted!

This short checklist of email security red flags may help you.

It's also important to note that all of this will only be effective at deterring cyber criminals who are looking for the lowest hanging fruit. Most will move on to easier targets once they realise you won't easily be phished. If a cyber criminal has a specific reason to keep targeting YOUR business, then this will likely not deter them and they'll keep trying.

It is therefore wise to use cyber security defences alongside best practices. Email security can filter out suspicious messages containing malicious attachments; DNS monitoring and cloud-based anti-virus can stop you from visiting suspicious domains (e.g. by clicking on a link) or downloading known malware in an attachment. In addition to these, a firewall that can scan encrypted traffic should be installed and all users should be trained on cyber security best practices.

Want more tips to secure your business?

We've put together a guide containing 65 short and actionable tips, or things you should avoid doing. All of it is in easy to follow language, contains no "geek speak" and will help you to stay safe and continue to keep cyber criminals away from your sensitive data!


Netstar IT Support

83 Clerkenwell Road
Clerkenwell
London
EC1R 5AR