If it happened to Mark Zuckerberg, it can happen to anyone.
In June of 2016, hackers briefly took control of Zuckerberg’s personal Twitter and Pinterest accounts. Using a password they’d obtained from a LinkedIn security breach – which Zuckerberg had re-used on the other networks – they gained access, and then posted messages boasting of their success.
Facebook itself has also fallen victim to cybercrime. From 2013 to 2015 the social media giant transferred tens of millions of dollars into bank accounts belonging to a Lithuanian swindler who had forged email addresses and invoices in order to trick Facebook employees into sending him payments that they believed were going to a major Asian manufacturer of computer parts.
Both incidents were enabled by online impersonation – also called e-personation – which happens when someone takes advantage of the relative anonymity offered by digital communications to masquerade as another with the intent of causing harm or perpetrating fraud. In Zuckerberg’s case, the hackers pretended to be Zuckerberg himself in order to show off their hacking prowess – and mock his incompetence. In the Facebook scam, the criminal forged email addresses, invoices and corporate logos to divert payments from the supplier into their own accounts.
For Zuckerberg personally, and for Facebook as a company, the consequences of e-personation weren’t severe. Zuckerberg’s hacked Twitter and Pinterest accounts were mostly unused, his access was quickly restored, and his primary Facebook account was unaffected. So he lost face briefly, but little else. Facebook maintains that they were able to recover “the bulk of the funds” stolen from their company after the hacker’s arrest and the start of extradition proceedings.
The outcome can be very different for small to medium-sized businesses victimized by digital fraud, however. Not only do these companies generally have fewer resources available to prevent or combat security breaches, but they’re often less able to survive the business disruptions or financial losses that accompany them.
And the consequences of victimhood might be even more serious for you – both as an individual and as a marketer.
With Opportunity Comes Risk
E-personation scams grow and thrive on a diet of publicly available information. The more facts scammers are able to gather about potential victims, the more likely targeted phishing or fraudulent email campaigns are to succeed.
As the largest social media network in existence today, and the most widely used by advertisers, Facebook has become a virtual paradise for identity thieves, who see it as a perfect “hunting ground” for stalking potential victims and gathering intimate details about their lives and finances. As Facebook’s total user base has increased in size, the number of users with illegitimate or malicious intentions has grown as well. One report states that as many as 600,000 individual accounts may be compromised daily. Another survey found that among social media networks, Facebook is trusted least by its users.
This is especially important to you if you’re among the more than 250,000 social media marketers who use Facebook on a daily basis for professional purposes. Because all Facebook Pages (business accounts) must be maintained and administered by users with personal Profiles (individual accounts), you’re essentially mandated to use an individual asset (your private Facebook account) at work.
You probably think quite often about how to protect yourself online, but you may not have considered how your job might be putting others – your family, friends, and acquaintances – at risk. But by publicizing their relationship with you (and your employer) you might well be making them into targets.
So what can marketers do to protect themselves, their networks, and their employers on Facebook? Here are some simple tips:
Apply current best practices to keep your personal Profile safe
Any business Page on Facebook is only as secure as the Profiles that administer it. To protect your employer – as well as yourself – configure yours correctly. Facebook recommends that you use two-factor authentication to protect your login details, and it’s a good idea to set up email alerts to keep you informed whenever your account is accessed from a new device. Choose a strong password, change it regularly, and refrain from sharing it with others. Facebook itself offers additional guidelines on its Security Page.
The benefits of following these guidelines are more than worth the time you’ll spend reviewing them. Make sure your company’s Page has the right administrators, and that these admins have the right privileges. Because Page security depends upon the security of the Profiles that administer it, and because all admins are humans who make occasional mistakes, it’s wise to have as few administrators as possible. Do designate at least two, so that someone’s available to step in should the primary administrator’s account ever be compromised. But you don’t keep a large number of people in this role.
Periodically review the list of privileges granted to writers, editors, advertisers, consultants and others within your company (Facebook calls these Roles). Delete any users who have become inactive and limit everyone’s access to the minimum level necessary.
Don’t publish Page content using administrators’ personal profile names.
By default, postings on a Page will appear under the company’s name, not the name of the individual who created it (though other administrators will see the Profile responsible for posting the content, this information will not be visible to others). Keep this setting intact, and ensure that all other administrators are posting under the company’s name as well. Not only does this unify your messaging and keep you on-brand, but it also prevents you from becoming a target of scammers seeking specifics about your company. Such information can be used to make phishing attempts look more believable and authentic.
Carefully weigh the pros and cons of identifying Team Members on your Page and their Profiles.
One of the ways that social media engagement can benefit your company is by making your brand more personal. Using your real name and photograph online can help building your customers’ trust. And identifying in-house subject matter experts (SMEs) as team members can help you showcase the intellectual capital that your company possesses.
However, Facebook is often used by criminals trying to map individuals onto the roles they fill within their organizations. These maps are then employed to create highly targeted and specific fraudulent email campaigns like the one that victimized Facebook itself. Before identifying anyone as a Team Member on your Page, ask yourself: what objective does this identification accomplish? What are the risks? People in some industries (such as cybersecurity) are more likely to be targeted, as are those in certain departments (accounting, payroll). Identify Team Members only in ways that are limited and strategic.
Regularly audit the information that’s available about you and your company online
You probably google yourself from time to time. It’s natural to be curious about what others might be saying about you online. But this natural curiosity can also help to keep you safe. One of the most common Facebook scams involves setting up a fake profile under a name that’s almost identical to yours, complete with a photograph copied via screen shot, and then using the fake account to request money from people in your network. It’s also common to see falsified Pages on Facebook, ones with no connection to the legitimate brand or real company they appear to be advertising. Sometimes scammers use these Pages to promote fake contests or sell counterfeit products. Other times they’re merely intended to defame the real brand. In any case, you should report any fake Profiles or Pages you come across to Facebook immediately.
Hold appropriate professional boundaries.
Don’t blog or post about your employer outside of the workplace without a clear goal and express permission. Maintain a clear separation of roles, and avoid promoting your employer to your personal network.
Cooperate and create strong relationships with members of your company’s IT department.
They can provide quick and reliable answers to your most pressing security questions. What policies and procedures does your organization have in place to deal with online fraud? Is there a process for remotely deleting data from personal devices that have been lost or stolen? What endpoint security software is currently being used in your company, and how often is it changed or updated?
These might seem like technical questions, but getting good answers involves building relationships. Years ago, IT departments and marketing departments were widely separated within organizational structures, but today’s marketers depend heavily on data analytics and computing-driven insights, and can only benefit by drawing closer to IT professionals. Not only can forging these alliances help you stay safe, but it can also enable you to take better advantage of the tools at your disposal.
Help create a culture of openness and transparency.
Companies have long lamented that social media causes their employees to waste huge amounts of time at work, but when it’s your job to be present on social media regularly and for extended periods, the game has changed. Nonetheless many marketing professionals may still feel embarrassed or ashamed to admit that they’ve clicked on an infected link or installed a questionable app. All human beings make mistakes, and even the most professionally accomplished social media manager has been distracted or careless at some point. A culture of honesty and open communications can help prevent the spread of malware by allowing security personnel to combat infections soon after they occur.
Good habits can go a long way when it comes to defending against online fraud, and organizations with carefully designed policies and procedures are less likely to be at risk. Start talking and thinking about privacy and security now, and you’ll be doing your part to keep cybercriminals from gaining a dangerous foothold in your company.
Dawn Blizard, PhD, was trained as an English professor and seasoned as a technical editor before becoming a freelance copywriter and content creator. She helps research-driven B2B companies educate their target audiences in the digital space with standout white papers, blog and feature articles, website copy and more.