Is social media placing your personal privacy or your small business at risk?

Mark Pribish offers guidance on minimizing risks of social media

Some critics of social media say our addiction to apps in general and social media (in particular) open ourselves up to privacy risks. My question to app and social media users is, “When was the last time you read the terms and conditions or adjusted the privacy settings of your app or social media accounts?”

While apps and social media offer convenience, entertainment, and networking opportunities — cyber thieves and ID-theft criminals are leveraging social networks and apps to do their dirty work.

According to the second quarter 2022 Brand Phishing Report from Check Point Research, which “highlights the brands that were most frequently imitated by cybercriminals in their attempts to steal individuals’ personally identifiable information (PII) or payment credentials over the quarter,” LinkedIn remains the most impersonated brand by phishing campaigns.¹

As most know, LinkedIn is not only a social media site but also the world’s leading professional networking site. Hackers have imitated brands in business sectors such as social media (LinkedIn), technology (Microsoft), shipping/courier services (DHL), and online shopping (Amazon) and highlights the ongoing risks facing users of trusted business platforms.

I have listed below from the Check Point Research Brand Phishing Report the top-ranked brands by their overall appearance in brand phishing attempts.²

1. LinkedIn (45%)
2. Microsoft (13%)
3. DHL (12%)
4. Amazon (9%)
5. Apple (3%)
6. Adidas (2%)
7. Google (1%)
8. Netflix (1%)
9. Adobe (1%)
10. HSBC (1%)

These imitation phishing scams of leading brands are effective and lucrative for cyber thieves and ID-theft criminals because both consumers and business executives are more likely to click on a well-known name/brand.

But sometimes it’s more than just the hacker you must worry about. Consumers and business executives need to know that apps and social media can track your search engine history, purchasing habits, geographical location, and even investigate your files and contact list — all without your knowledge and sometimes without your permission.

For example, when you install an app, most apps will require you to “accept” their terms and conditions — but did you read and really understand the type of information that is being collected and the kind of privacy threats you now are exposed to?

How bad can these “privacy threats” be? Just imagine an app vendor or third-party marketer collecting and selling your smartphone’s unique device ID, phone’s location, phone number, your age, gender, likes, dislikes, search engine habits, emails, usernames, and more to data brokers. And then imagine how these data brokers collect, analyze, and package your most sensitive personal information in a unique profile and sell it over and over again — without your knowledge.

But it gets worse as The Federal Bureau of Investigation (FBI) released its Internet Crime Complaint Center (IC3) 2021 Internet Crime Report and accompanying 2021 State Reports last March.³ The FBI reported 847,376 complaints of suspected Internet crime in 2021, a 7% increase from 2020 that resulted in losses exceeding $6.9 billion. This is happening even though small and big businesses along with state and Federal governments spend billions of dollars to fight daily cybersecurity attacks.

Microsoft is an example of a large and sophisticated technology company with annual revenue of $168 billion that spends about $2 billion annually to respond to current and future cybersecurity challenges and threats. At the same time, hackers focusing on Microsoft vulnerabilities have successfully beached Microsoft 4 times, creating four significant data breach incidents that have exposed customer data and placed clients at risk during the last 12 months.⁴

In addition, the FBI Internet Crime Report stated that of the more than 30 crime types reported, the top three cybercrimes were phishing scams, non-payment/non-delivery scams, and personal data breach, closely followed by identity theft and extortion.

The reality is that small- and mid-sized businesses such as dental and medical practices are viewed as easy targets because of limited resources and poor information security best practices.

The fact is that cyber thieves and ID theft criminals love the trail we leave on social media. Specific to individual consumers and small business employees, here are my five tips to help you minimize your social media privacy risks:

1. Limit and/or eliminate sharing your personal information online.
2. Increase your privacy awareness by reviewing and adjusting your privacy settings.
3. Be aware that some apps reset your privacy settings during major upgrades.
4. Learn more about how your personal information is used and for what purposes.
5. Consider using “privacy assistant or automation software” to help keep your privacy preferences current.

Specific to small (and big) businesses, no one company can ever prevent itself from ever experiencing a data breach event — especially with how apps and social media can place a small business at risk. Some of the most notable data breaches in 2021 and 2022 include CNA, Experian, Facebook, GEICO, Instagram, LinkedIn, Marriott, Microsoft, Tesla, and Twitter.

The irony to these data breaches is that these businesses pride themselves on safeguarding PII, and these businesses have more financial and information technology resources than most other business. Yet they still cannot prevent a data breach event from happening.

The reality of data breaches is that they occur almost every day — whether it is an accidental release (which is a polite phrase for carelessness or incompetence) or malicious intent (with the insider threat a common focal point, although the media heavily focuses on IT and hacking events).

The Verizon 2021 Data Breach Investigations Report can help both consumers and small businesses be proactive in mitigating their exposure to identity theft and data breaches. Last year’s Data Breach Investigations Report (DBIR) highlights the reality of data breaches that can support a cyber-risk management strategy for all businesses in general but small business in particular, including these findings.⁵

• Social engineering is the most successful attack.
• 85% of breaches involved a human element.
• Older vulnerabilities that haven’t been patched are being exploited by attackers.
• Credentials remain one of the most sought-after data types, followed by personal information.
• Employees continue to make mistakes that cause incidents and breaches.
• Business email compromises were the second most common form of social engineering.
• Most social engineering incidents were discovered

This year’s 2022 Verizon Data Breach Investigations Report highlights “the importance of building a culture of cybersecurity vigilance,” including these findings.⁶

• There are four key paths leading to your estate: credentials, phishing, exploiting vulnerabilities, and botnets.
• All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of
• This year ransomware has continued its upward trend with an almost 13% rise — an increase as big as the past 5 years combined.
• The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing, or simply an error, people continue to play a large part in incidents and breaches alike.
• Error continues to be a dominant trend, and the fallibility of employees should not be discounted.

Whether you are an individual consumer, employee, or a small business owner, you need to be aware that social media can place your personal privacy and/or small business at risk. Be aware of the latest social engineering trends including apps and social media where hackers imitate leading business brands.

As for receiving links of well-known brands on social media, my recommendation on receiving notifications from LinkedIn, Facebook, or any other social media is to ignore the links or attachments. If a social media notification is legitimate, you will receive it again, and then you can go to the social media network login page to retrieve it directly.