Social networking risks: Connect with extreme caution

Social networking continues to grow as professionals across industries seek to connect with others in their field. However, not all connections are beneficial – and merely connecting may unknowingly cause business risk or lead to information-gathering requests that threaten financial institutions’ security.

Causes for suspicion

Over the last few months, I have seen an uptick in suspicious social networking connection requests, receiving over 170 in eight weeks from profiles with identical or like-appearing images but similar names, companies, occupations, educational backgrounds and locations worldwide, which I have continued to reject. The profiles, and the people represented, are clearly bogus – with fabricated backgrounds, education, experience and more. Requests from these profiles come with a variety of information and network security risks, including intellectual property theft, industrial espionage, theft of trade secrets, proprietary data theft, customer data loss, compromised network credentials and a risk of reputational damage, financial losses and legal liabilities.

Recently, my feed included a post from a trusted government intelligence specialist acquaintance about the prevalence of these dubious profiles, and how social networking platforms are a “honeypot” for foreign government intelligence gathering. Bad actors from various countries troll social networking platforms to glean information or data for profit. Before dismissing this as the stuff of spy novels and believing “no foreign government would be interested in me or my financial institution,” note that both the FBI and numerous foreign intelligence agencies, like MI5, have warned about the prevalence of information and intelligence gathering practices on social networking sites such as LinkedIn.

Still skeptical? Consider the following news headlines:

  • “LinkedIn is a ‘gold mine’ for foreign spies digging for corporate and government secrets.”
  • “Fake LinkedIn profiles being used by foreign spies – MI5.”
  • “MI5 warns of spies using LinkedIn to trick staff into spilling secrets.”

However, this practice is not limited to the activity of foreign governments and their intelligence agencies. Domestic competitive intelligence firms specialize in gathering proprietary business information, intellectual property, sensitive customer data, business methodologies, risk mitigation strategies, operational agendas, roadmaps and project information. They employ various open-source information-gathering techniques for clients interested in gaining a competitive advantage.

One of these data collection techniques involves using social networking tools to exploit people’s interest in personal and professional networking to advance their careers. The endgame is to gain inside information about them or their organizations, either voluntarily or for compensation. Many people underestimate the value of these little bits of information about them or their organizations. However, when combined with other details gathered by information professionals, the data collected tells a very compelling and substantive story.

Awareness and vigilance

To combat connection-related risks from external entities, financial institutions must establish specific employee social networking policies. Your overarching policy should include the dos and don’ts of social networking – delineating what employees should not share, including confidential data and proprietary organizational information. Beyond internal policies, educational initiatives will empower employees to identify, understand and defend against malicious connections and information-gathering requests on social networking platforms, along with the accompanying social engineering tactics.

Social media risk management should be part of your annual training and compliance programs delivered to all employees, requiring their yearly attestation. During these trainings, encourage employees to always pause before accepting an invitation to connect – taking a moment to scrutinize the profile and consider the sender’s motivations. Provide examples of fake profiles and the kinds of information they may pursue. Some telltale signs of suspicious profiles include:

  • Newly established or incomplete profiles
  • Errors, misspellings and typos
  • Things that don’t make sense – e.g., a cosmetics industry supervisor yesterday, VP of Financial Services today
  • Unclear job titles and limited role descriptions
  • Profile pictures that appear to be stock photographs or used across multiple profiles
  • No apparent relation to your field and occupation
  • Absence of a personalized message (or of one that makes sense) accompanying the request
  • No endorsements or group memberships
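To make the checklist above usable for a security team that triages requests employees report, here is an added example script (not from the article or from PSCU) that scores a constructed batch of connection requests against these signs, including the reuse of one profile picture across several senders that the author describes; the field names, the 90-day "new profile" cut-off and the reject/review thresholds are assumptions.

```python
from collections import Counter
OUR_INDUSTRY = "financial services"
VAGUE_TITLES = {"consultant", "manager", "executive", "professional"}
SENIOR_PREFIXES = ("vp", "vice president", "chief", "director")

def flags_for(req, photo_counts):
    """Telltale signs from the article that one request shows; photo_counts = picture hash -> uses in the batch."""
    flags = []
    if req["account_age_days"] < 90 or not req["profile_complete"]:
        flags.append("new or incomplete profile")
    if req["typo_count"] > 0:
        flags.append("errors and typos")
    if req["previous_industry"] not in ("", req["industry"]) and req["title"].lower().startswith(SENIOR_PREFIXES):
        flags.append("career history that does not make sense")
    if req["title"].lower() in VAGUE_TITLES:
        flags.append("unclear job title")
    if photo_counts[req["photo_hash"]] > 1:
        flags.append("profile picture shared with other requests")
    if req["industry"] != OUR_INDUSTRY:
        flags.append("no relation to our field")
    if not req["message"].strip():
        flags.append("no personalized message")
    if req["endorsements"] == 0 and req["groups"] == 0:
        flags.append("no endorsements or group memberships")
    return flags

def triage(requests):
    """Map each sender name to (verdict, flags). Thresholds are assumed, not from the article."""
    photo_counts = Counter(r["photo_hash"] for r in requests)  # picture reuse is only visible batch-wide
    result = {}
    for r in requests:
        flags = flags_for(r, photo_counts)
        verdict = "reject" if len(flags) >= 4 else "review" if len(flags) >= 2 else "accept"
        result[r["name"]] = (verdict, flags)
    return result

def request(name, title, industry, previous_industry, account_age_days, profile_complete,
            photo_hash, endorsements, groups, message, typo_count):
    """Build one request record from the parameters; every value is constructed for this example."""
    return dict(locals())
# Constructed batch: two look-alike profiles reusing one picture hash, plus one plausible peer.
SAMPLE = [
    request("A. Smith", "VP Financial Services", OUR_INDUSTRY, "cosmetics", 20, False, "img-7f3a", 0, 0, "", 2),
    request("A. Smyth", "Consultant", OUR_INDUSTRY, "", 35, True, "img-7f3a", 0, 0, "", 0),
    request("J. Doe", "Fraud Analyst", OUR_INDUSTRY, OUR_INDUSTRY, 2400, True, "img-c91d", 37, 5, "We met at the fraud summit.", 0),
]

if __name__ == "__main__":
    for name, (verdict, flags) in triage(SAMPLE).items():
        print(f"{name}: {verdict} ({', '.join(flags) or 'no flags'})")
```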

A proactive approach

As the old saying goes, “An ounce of prevention is worth a pound of cure.” Talk to your employees about why it’s important for them to consider who they are connecting with on professional social media platforms, what the potential risk ramifications to the business are, and why they should conduct a bit of due diligence on any connection requests before they simply hit the “accept” button. Things are very seldom what they appear.

It is also important to specify what business or proprietary information your employees are, or are not, allowed to share or discuss with external individuals with whom they may have connected via social networking platforms. Monitor emerging risks and provide ongoing employee education as the tactics of foreign intelligence agencies and competitive intelligence firms evolve. Adopting a proactive approach to the risks posed by networking threats is significantly better than trying to reactively address the damage caused by fraudulent activity.

Contact the author: PSCU/Co-op Solutions

Dan Draz

Dan Draz is the Vice President, Risk Program Management at PSCU. Via the Enhanced Fraud suite of solutions that he oversees, his team provides “concierge-level,” anti-fraud, risk mitigation and member ... Web: pscu.com