Another National Cyber Security Awareness Month is upon us, and although I have recently wished for its demise through better automated protections, there are some things that cannot be automated. One such area of manual interaction is the social networks we use. Unless you are a celebrity with a public relations team behind your every post, you are probably updating your social networks yourself. A tip I would share is to be sensitive to the nexus between your personal and professional lives on social media. For example, a credential-theft scam recently circulated on LinkedIn (the social engineer's goldmine). The message was sent under the auspices of the recipient's most recent employer and contained a malicious link (which I have removed in the accompanying picture):
You are probably thinking, "No one would fall for such an obvious scam." I would agree that in the context of a phishing e-mail most people would not be fooled, and most spam filters would probably catch such an obvious fraud. However, when it is sent from your LinkedIn account to all of your LinkedIn contacts, alongside your official LinkedIn photo and job title, the scam takes on an entirely fresh and convincing complexion. It has a ring of authority.

One person who fell for this scam did not report it to anyone. When asked why, the response was a somewhat snarky "well, it is my personal account, so it's no one else's business." Such a statement would be true for many social networks. Many Twitter users include "views are my own" or a similar disclaimer in the bio section of their profile. LinkedIn, however, is where one's personal life collides with one's professional life. LinkedIn's mission is to be the "professional" network, so when you communicate via that network, whether intentionally or through a compromised account, you are indirectly representing your employer. It is not only a personal communication in the strict sense of the word.

From a cybersecurity perspective, this means that if your LinkedIn account is compromised, you should notify your employer, because the damage may extend to the corporation's reputation. Respect the nexus.

Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.