Another day and more requests to follow, friend, join, match, network, or connect with someone on any of the multitudes of social or professional apps. It is so nice to feel so wanted, right? I will validate it for you: you are important, you are special, no doubt about it, and people rightly want to be associated with you [no sarcasm was used in the previous statement, I really believe what I'm saying]. Your family, friends, and work colleagues are all probably a part of one or more of your social/professional networks, and those lists are growing as you continue to meet new people and get reacquainted with long-lost friends and family. That is so awesome; it is the good in these social apps, in my opinion. Now, I can hear that little voice in your head, it is saying:
"Ok, this is strange, Rob never just writes an affirming message about what I do all the time, there has to be a catch... where is he going with this?"
I'm glad you are listening to that little voice in your head; it's correct. While I am affirming all those positives I mentioned, I do want you to be aware of some of the pitfalls (personal and professional). First, personal: everything you share becomes available to anyone who has access to your posts, comments, etc. [and depending on the setup, friends of friends can see it too]. While that would seem ok, please think about the additional things you may really be telling people. For example, how many times have you seen a post with pictures of someone you know on a beach, "enjoying the surf with my family!" as the caption, tagging their location in the Bahamas or somewhere else? A lot, I'll bet. You know what that tells me when I see them? Hmm, they are not home or at work. So, if I were a criminal, I would guess their home was a good target to rob, their work account is not being used so it could be a good target for a cyber-attack at their company, and their credit cards have been approved for international charges [and those are the ones I would look for, for purchase on the dark web].
There is more. As a professional, someone who works for a company that works with the US Government, I'll bet you didn't realize you are very important to a lot more people than you know. Bad actors of all kinds use the socials as an avenue to gain access to you, ISHPI, and ultimately the US Government. They use them to learn about you (things to connect with you on to start a conversation), your interests ["... I love underwater basket weaving too, sure, let's connect!"], the people you know ["... hi, I see you know Barbara too, Barb and I go way back, she speaks highly of you, let's connect"], and where you work and what you do ["... Hi, I'm a finance manager for a government contractor too, would love to share experiences and help each other, let's connect!"]. Each of these approaches is very likely to happen with someone who really just wants to connect for friendly reasons, but bad actors use the same tactics to build information about you that they can exploit, even to the point where they use that information to try and recruit you to do something you thought you would never do. For example, and this is an example that I was told by our DCSA counterintelligence agent recently:
A BD person at a govcon company was targeted. The bad actor had infiltrated their socials and was monitoring what was happening and what they were doing. It seems there were some issues that required a significant outlay of money (they saw them complaining on socials about the issue, and how it was a bad time, funds were real short, don't know how we can do X or Y). Knowing where they worked, what they did, and with an online relationship already started, the bad actor offered to meet up and "commiserate and brainstorm solutions" with them. It turned out they were one of many nation-state bad actors who were looking for any kind of foothold and inside information on specific government agencies this person's company worked for. The bad actor ended up recruiting the person to provide desired information to them (harmless "common knowledge" type stuff in the beginning, they thought), for a significant amount of money that helped them out of their financial issue. Then the requests for more and more sensitive data came.
They were compromised, and it all started with the socials.
So, I leave you with this: I'm not telling you to not share and be yourself on socials, I'm just asking you to:
- Please don't connect with people you don't know and can't vouch for, at least as being a real person (and not a bot there just to scrape your social data for analysis);
- Think about what you are posting, and WHEN you post it. Don't tell all your followers you're going away for 2 weeks; tell only those closest to you, those who need to know, and post those vaca pics when you get home;
- As with most things, verify and validate statements being made. Just because I tell you your friend and I know each other well doesn't mean we do; I might have just seen their name in your following list. Ask your friend if they actually know me before blindly accepting my request to connect!
Newsletter by: Rob Collings, ISHPI's VP of Cybersecurity | CISO
September 1, 2023