Top Five Social Media Security Risks

Four people holding up colorful social media icon signs against a brick wall.

January 27, 2021 | Karolinn Fiscaletti

Reviewing these vulnerabilities can ensure your data is safe and sound.

Even before the isolation of the pandemic left us searching for more digital forms of connection, social media sites were extremely popular.

Studies show that around 70% of Americans use social media, so even if your organization doesn’t run any accounts under your district name, chances are that many of your employees have personal accounts on platforms like Facebook and YouTube (the first and second most popular of such platforms, according to the data).

Regardless of whether social media is a component of your district’s day-to-day operations, it’s definitely worth reviewing the below risks to ensure that your data is as safe as possible.

Sharing Sensitive Information

There are several ways that information may be shared on social media. Seemingly benign activities such as polls or surveys can be used by hackers to obtain personal information. In this type of attack, a bot or hacker will publish a survey that asks about the user’s favorite teacher or childhood pet. The intent is to obtain the answers to the user’s account security questions in order to hack the account or sell the credentials on the dark web.

What’s more, an employee’s own posts may be used to the same end. The more information employees post publicly on social media, the more material hackers have to work with.

While it’s unreasonable to expect employees not to make social media posts at all, it’s good to keep them informed of the types of information that are most often targeted, including the names of family members, birthdays, phone numbers, addresses, etc. – basically anything that qualifies as sensitive or personally identifiable information.

Phishing Attacks

Phishing is another tactic that hackers use to obtain information from unsuspecting users. While many people may think of phishing strictly in terms of email messages (a popular medium for phishers), another tactic is for a hacker to create a fake account and send connection requests to their targeted victims.

This is sometimes accomplished using bots. Once a connection request is approved, the hacker or their profile bot can begin directly messaging the victim through the platform, as opposed to sending emails.

For example, in 2017, Russian hackers gained access to a Pentagon official’s computer simply by exchanging messages with the official’s wife on Twitter.

The Twitter message contained malware disguised as a link to a vacation package – used specifically in response to a conversation the unsuspecting Twitter user had been having with her friends regarding their summer plans.

Once she clicked the link, the malware gained access to her computer and allowed the hackers to get from her computer to her shared network, and from her shared network to her spouse’s computer.

Third-party Applications

In addition to malicious attacks like phishing, data may be compromised due to neglect.

While even social media giants like Facebook are sometimes directly breached, it’s far more likely that a breach will occur via a third-party application (i.e., all of those apps and games that ask for permission to access your data when you use them in conjunction with Facebook or Instagram).

This is because third-party applications are developed by smaller companies that may struggle to meet security standards, or may flout such standards altogether.

Case in point: last September, 235 million records containing personal information such as usernames, contact information, and account statistics from profiles across Instagram, YouTube, and TikTok were released in a massive data breach.

The culprit was a third-party social media data broker called Deep Social. Both Facebook and Instagram banned Deep Social for repeatedly violating terms of service, but that ban came too late to stop the breach.

Profile Hacks

If hackers do access your organization’s profile or the profile of a trusted employee, they can do irreparable damage. This damage can range from ruining your brand’s reputation to using the account to spread malware and collect massive amounts of data.

For instance, in January and February of last year, a hacker collective gained access to the official @Facebook Twitter account, and to 15 NFL team accounts across Twitter, Facebook, and Instagram.

While no financial losses happened as a result, these account owners had to work to re-establish trust and brand reputation with their followers.

In 2019, hackers posed as University of Cambridge researchers on LinkedIn. After they had gained the trust of oil and gas professionals, they sent a link to a file that contained malware used to collect login credentials and other protected information.

Untrained Employees

By far, the greatest risk to your organization’s social media security is a lack of training for employees, regardless of whether your district runs social media accounts under your organization’s name.

Most of the tactics used to obtain information from users involve tricking or scamming them. The more informed and aware your employees are, the better equipped they will be to prevent a serious data breach.

Consider the following tips:

Establish a comprehensive social media policy. Don’t just focus on the typical topics (political stances, public vs. private posting, speaking on behalf of the organization, etc.); instead, provide ample direction around information security. Make sure that all employees are familiar with this policy and that it is distributed and posted for quick reference.
Limit access to your organization’s social media accounts. If possible, appoint one or two fully trained employees to run social media for your organization.
Partner with your communications team to establish a posting approval process for posts made to your organization’s accounts.
Review which third-party applications have access to your accounts. Do not grant permission to applications that aren’t known and trusted.
Regularly check privacy settings.
Use a unique password for every account, and regularly change your passwords.
Use multi-factor authentication whenever possible.
Don’t accept friend requests from people you don’t know.
Don’t click suspicious links.
Don’t share sensitive information.

Additional Resources

The CSD Pool provides several valuable programs and services to help our members improve their information security. Turn to our article on cloud information security on pages 10-11 for a list of resources, or contact us at info@csdpool.org for more information.

Website Accessibility Statement

Colorado Special Districts Property and Liability Pool (the "District") is committed to ensuring that its services are accessible to all members of the public. As part of this commitment, the District strives to provide an accessible website compatible with the Web Content Accessibility Guidelines (WCAG) version 2.1, AA, and commercial screen reading software. Features of the website are created to allow individuals with vision and other impairments to understand and use the website to the same degree as someone without disabilities.

If you need any special assistance or accommodations:

Contact our compliance support team via telephone at: (888) 765-1970

Ongoing Compliance Information

Compliance Coordinator

The District has designated a Compliance Coordinator for website disability-related accommodations. The Compliance Coordinator has received training in website accessibility and updates the site in accordance with those best practices and requirements.

Compliance Procedures

The District is working to ensure all website content complies with the Americans with Disabilities Act and controlling State laws. In an ongoing effort to continually improve and remediate accessibility issues, the website is regularly scanned to ensure ongoing compliance, and timely changes are made to any inaccessible content if found.

Accessible Documents Policy

The District is committed to providing all documents hosted on the website in an accessible format or making accessible alternatives available.

Linked Documents and Third Parties

Please note that this site may link out to third-party websites that do not have accessible content. This site may also include documents provided by third parties. While we cannot control the accessibility of content provided by third parties, we are happy to assist any member of the public with reading and accessing content on our site.

Report a Website Accessibility Issue

We are committed to your ability to access all content, and we will respond to all requests in a timely manner. If you need assistance or accommodations while accessing content on this website, please contact our Compliance Coordinator via the form below: