Why Your Facebook Account Is a Target for Hackers, and How to Protect It

Posted on Thursday, September 5, 2019

According to recent research from Hiscox, 55 per cent of UK firms reported a cyber-attack so far this year, which is an increase from 40 per cent in 2018. Despite the fact that the number of cyber-attack victims is increasing, close to three-quarters of the firms surveyed by Hiscox admitted being under-prepared for a cyber-attack.


It isn’t large companies being targeted either; it is small to mid-size companies, which are generally are less equipped to recognise and prevent cyber-attacks than large businesses. It is more worth a cyber-criminal’s time to target multiple small businesses with fewer defence mechanisms in an effort to gain to steal £5,000 from each than it is to target one large business for £50,000 considering that large business is likely more difficult to breach.


These days, the same window that helps businesses become more visible and gain more clients is the same window that cyber-criminals are trying to enter: Facebook. Read on to learn how to keep that window open just enough to earn a profit while keeping out unwanted visitors.


Why Facebook Is the Perfect Tool for Cyber-Criminals


When a cyber-criminal is scoping out businesses to target, Facebook is one of the first places they will look. It isn’t just the business page the hackers will target either; it is also the personal pages of you and your employees.


Think about it, unless your privacy settings are secure (and the settings of your employees), a cyber-criminal has access to a variety of information about who works at your business, what job titles they have there and, therefore, which employees may have access to sensitive information. The criminal then knows who to target and sometimes even their phone number or email address.


Unless your account is marked private and visible to friends only, anyone in the world could potentially view the information you provide on your profile. This includes your photos, your interests, the events you attend, who you’re friends with and even the names of your kids and pets.



How Cyber-Criminals Use Facebook to Get What They Want


Let’s say you’re a small business owner. A cyber-criminal can use Companies House to look up your most recent financial statement and determine whether you’d make a good target. If the criminal thinks it is worth their time, they can look up your directors and officers. They can then use your company website or other social media sources like LinkedIn to see who has access to your business’ finances or data, and then target those individuals.


Now let’s say the cyber-criminal has learned that your chief financial officer’s name is Robert. Robert and his wife Sonia play tennis at the local club every Saturday with another couple, Carl and Debra, and they sometimes post about it on Facebook. The cyber-criminal creates this email with an email address that looks like it could be from Carl. He sends it to Robert’s work email address.


Subject: Is this your racket?

Hi Robert, I think you forgot this at the club Saturday. Is it yours? (See picture in attachment.) I hope you and Sonia are well.


Carl Robert is using his work computer when he first opens his email on Monday and doesn’t think twice before clicking on the attachment, which isn’t a photo. Instead it is a type of malware that encrypts your business’ data, makes it unreadable, and demands a ransom so Robert (and you) can get the data back. In the meantime, it may also be monitoring your keystrokes for passwords and user names.


These types of attacks are called phishing, and they’re typically successful due to their personal nature. And companies that don’t train their employees on preventing cyber-attacks know this all too well.


Phishing Is Hard to Recognise Without Training


Many employees assume that a phishing email will be obvious and never think it could happen to them. Many are highly convincing and well-researched. For example, a hacker may find an email address of a business, employee or company that is likely to communicate with your employees regularly. They may then create an email address that only differs by one letter or an extra space. No one would realize it unless they scrutinised every email that was sent to them.


Although some cyber-criminals send only certain employees phishing emails with specific information and details (commonly found on Facebook) others are more general and sent to all employees in the company, just waiting for one of them to be naïve enough to click on it.


You May Not Know Who Your Friends and Followers Really Are


If you think that you’ve protected your personal information on Facebook as well as you can, and that only your true ‘friends’ can access your information, think again. Anyone can impersonate someone if they try hard enough.


For example, you may receive a friend request from an employee who you weren’t previously friends with and think nothing of hitting ‘Accept Friend Request’ because there is a picture of her and it seems legitimate. But behind that photo could be a cyber-criminal who simply did some research as to who you ‘might’ be friends with, and who you might be likely to accept a friend request from.


All they had to do was visit your company page on LinkedIn and see who your employees are. Then they can choose a person to impersonate, go to their Facebook page and use their current profile picture to make a fake account. You may even already be ‘friends’ with this person but may have forgotten. Before you realise it is a fake profile, the cyber-criminal at the other end has access to information they have no right to. And that’s commonly how those phishing emails mentioned earlier start.



Take 3 Simple Steps to a Facebook Privacy Check-Up


If you haven’t already recently, make sure you visit your business’ Facebook page (as well as your personal page) for a privacy check-up, and encourage your employees to do the same. Start by going to your privacy settings and looking for a button that shows you how to do a ‘privacy check-up’. It will then show you the three basic privacy settings that all users should be aware of.


The first basic part of the check-up involves your Facebook posts. If it says that your posts are ‘public’, change them to ‘friends only’ or create a group with those friends you’re closest with, or your immediate family members. That way, even your approved ‘friend’ list (which may have unexpected visitors) won’t even be able to access your personal posts.


The second part of the Facebook privacy check-up involves the apps that you may have connected to your account. If an app has access to your account, the developer of that app may have access to all of the information on your profile. Making it a habit of granting access to apps is a big mistake, because you never know how trustworthy those app creators really are. In addition, those apps (even the trustworthy ones) can be hacked by a cyber-criminal. If a cyber-criminal has access to your information, they may start posting on your behalf without your knowledge, putting your friends at risk as well.


The third part of the initial privacy check-up involves your profile. By checking this section of your settings, you can see and change who has access to information like your email address, phone number, city of residence and date of birth. Make sure this information is visible to only you, as the people closest to you likely know this information anyway, so there is no reason to make it public to the rest of the world.



Do a Deep Dive into Your Full Privacy Settings for Extra Protection


While doing the third step of the privacy check-up mentioned above, you may notice an ‘About’ section on your profile. This setting allows you to ‘see everything and check who you’re sharing it with’. It is smart to visit this occasionally so you can ensure it hasn’t inadvertently been made public. Here you can see where you’ve worked, where you went to uni, where you’ve lived, nicknames, life events, and other family members. If you’ve ever shared information like your favourite bands or quotes, it would be listed here too.


Remove or hide this information if you want to truly be secure. Not doing so can provide a plethora of useful information to a cyber-criminal who is trying to craft a phishing email with malware attached to it.


Below the ‘About’ section, you can do the same for other information, including your friends list. It is wise to make your friends list private so cyber-criminals can’t figure out who they should imitate in order to send you a phony friend request. After all, if they send you a phony friend request and you accept, you’ve then given them access to all the information you just made private. In order to make your friends list private, click on the pencil icon. It should say ‘Manage’ when you hover over it. If you click it again, ‘Edit privacy’ should appear, and you can change your friends list setting to private.


Determine Who Should Have Access to Your Photos


When it comes to editing the privacy of your photos, it can be cumbersome, unfortunately. It isn’t very easy to edit who can view your Facebook photos, including the photos that others have uploaded on their page and tagged you in. However, if you have changed your post visibility to ‘friends only’ or ‘only me’, that takes away half of the work. You still, however, have to worry about the photos uploaded by friends who have tagged you in them. Those photos need to be managed individually.


First, click the ‘Manage’ button. Then click ‘View Photos Hidden from Timeline’. You should then be taken to a page that shows all of your photos starting with the most recent. Look at the filters on the top of the page where you can then pull up all the photos that have been made visible. Just select ‘Shared with: See All’ and then ‘On Timeline: Hidden or Visible’ and you should be able to see all the photos of you that are out there on Facebook, whether on your account or someone else’s.


Next, you will need to go through every single one of those photos and change their visibility. If it was you who uploaded it, you can change who has access to it. But if someone else uploaded it, you’ll have to click on the photo and remove your tag. It is wise to also contact the poster to let them know to please not tag you in any photos due to privacy concerns.


The same process applies to ‘Check-ins’. If you don’t want the places you’ve check in to made public, you have to go to each ‘Check-in’ and delete it manually.


Lastly, you’ll want to consider removing access to any interests you’ve made public. To remove them from your Facebook profile, click on ‘Add TV Programmes/films/books’. Next, click the icon alongside the search feature that allows you to change the visibility to ‘Only Me’. Or simply remove them by clicking each one and simply selecting ‘Delete’.


No Amount of Security Matches Proper Training


Being aware of what you’ve made public and periodically checking your privacy settings is a vital way to avoid cyber-criminals. But even the best security settings can’t keep you safe.


Awareness is key, as you never know which of your friends may have been hacked, thus providing the hacker with any information you’ve made available to your friends list. That’s why it is so necessary to scrutinise any emails you’re not expecting, especially if they contain an attachment or ask you to click on a link.


If you’re a business owner, it is advisable to train your employees on these Facebook security practices as well. Then you can add additional help like DNS monitoring and cloud-based anti-virus monitoring. But in the end, security starts with you and your employees.


For an experienced, reliable and trustworthy IT security company that provides a broad spectrum of cyber security services, UK-based businesses can find everything they are looking for with Mustard IT. Contact us today to talk about what we can do for you.