The Eastern Cyber Resilience Centre (ECRC) is raising awareness among the region’s business community today (30 June) on World Social Media Day of the lengths cyber criminals are going to in order to sabotage and exploit victims through the likes of Instagram, Twitter and Facebook.
Figures from Action Fraud’s National Fraud Intelligence Bureau (NFIB) state that between 1 Jun 2020 and 1 Jun 2021, more than 70 organisations across the East of England reported social media or email hacking incidents, suffering losses in excess of £300k.
Detective Superintendent Paul Lopez, Director of The Eastern Cyber Resilience Centre, warns that while social media is a fantastic tool for businesses and organisations to connect with customers and wider audiences, it’s also a breeding ground for online intruders’ illicit methods of trickery.
“Data is the commodity of cyber criminals and social media carries this in abundance,” Paul explains. “This presents a vast number of opportunities for hackers to leverage publicly available information found on social accounts and use this to go as far as finding vulnerabilities in a company’s system and gaining illegal access to sensitive information.
“They will often send scam emails purporting to be a person in a trusted position and known to the recipient, such as the head of their organisation, with a request to send money to a client using a fake bank account. This is called social engineering and is more widely known as phishing - this type of crime is rife and affects individuals too.”
Social networking platforms are visual places and an innocent photo of the team’s return to the office could reveal much more. A document left on the table with details of a new contract is the kind of inadvertent compromise that can lead to a security breach.
Social platforms are also being used to lure people into traps using bogus accounts with no connection to legitimate businesses, where criminals post convincing offers such as half-price getaways as a way of extorting money, something Bridget Keevil, owner and managing director of Suffolk-based holiday booking agency Travel Stop, knows all too well.
“Last summer when lockdown restrictions were relaxed for the first time, we received a booking at each of our four shops across Suffolk in a very short space of time on the same day,” Bridget recalls.
“One of our team members instantly felt something was amiss and noticed the address details given were all within a mile of each store. With suspicions raised, my colleague went to one of the addresses and soon discovered the homeowner hadn’t made the bookings and there was nobody matching the name given living at the property. The holidays had been booked using fraudulent and stolen credit cards.”
Quick-thinking actions enabled Bridget and her team to cancel all the transactions and get in touch with the holiday resorts where the bookings had been made, and all four credit cards were refunded in full. However, one holidaymaker was already in Dubai and had to pay again when checking out. It’s not known who the other victims were or what happened subsequently.
Shortly afterwards, a chance phone call from the head of security at Travel Stop’s partner tour operator alerted Bridget to holiday scams on Instagram. “We believe an account had been created claiming to be a travel agency with half-price deals,” she continued.
“Unsuspecting people were then paying for a holiday and to make it seem legitimate, the criminal made bookings with us using the stolen and false card details. I’m so grateful that my colleague acted on her intuition – we would have lost £11,000 that day and with the travel industry already severely impacted by the pandemic, it would have been an utterly devastating blow.”
Paul recommends taking the following into consideration before engaging in social media activity:
Use strong and different passwords on all email and social media accounts and enable two-factor authentication (2FA). A verification code can be sent via an authenticator app to stop anyone else from gaining access
Be wary of any emails asking you to send money urgently or to click a link. If unsure about the legitimacy of it, ask the sender to confirm they sent it without giving away details of the content
Whether it’s for a work account or personal one, double check the contents of images you’re posting do not contain sensitive information in the background – such as a letter with your address or a bank card
If your personal account is open, consider setting it to private to reduce the risk of unwanted and undetected intrusion
Free core membership with the ECRC provides regular cyber threat news and updates, toolkits and hints and tips to keep business operations running as smoothly as possible.