As an IT professional, you’ve got a sixth sense about scams that kicks in on social media. That’s why it’s probably frustrating to see your family and friends on social media posting funny memes with crazy questions. It’s all in fun, and we learn interesting things about each other from the seemingly innocuous questions.
However, you know that these questions or challenges are often developed and planted by hackers and bad actors who are trying to steal credentials and login information. Most people think they won’t fall prey to such scams. But there is something lulling about social media. You’re at home, relaxed, reading about your friends and submitting to peer pressure when you see people answering fun questions. You don’t care that the entity posting the question is anonymous, faceless, and strange. Answering those questions is sort of like hitting the buzzer on Family Feud—you just want to hit the button and blurt out an answer as fast as you can!
Some of the most effective questions are designed for:
- Stealing your identity
- Draining your bank account
- Compromising your credit card
- Borrowing money against your home
Because you care about your friends and family, you may want to share this article with them. Otherwise, no matter how many times you tell them not to answer these silly questions on social media, someone you know or care about is going to participate.
Don’t Play Along! Tips on Spotting Social Media Phishing
Here are a few examples of the questions or challenges that you should NEVER ANSWER on Facebook:
- What was your first car? Was it a cruiser or a loser?
- Your exotic dancer name is the last thing you ate plus your mother’s maiden name.
- Can you remember your first dog’s name?
- Teachers are the best! Did a certain teacher make a difference in your life?
- Do you remember your high school mascot?
- Some couples meet in strange places. Where did you meet your significant other?
- What was the first concert you attended?
Notice some of these questions challenge your memory skills. These are particularly attractive to people who love quizzes and memory games. People also like recognizing a loved one or sharing a bad experience with their first car. The questions are meant to be fun, engaging, and ripe for social sharing.
The hackers know what they are doing. These questions are social engineering attempts to gather and harvest answers to the security questions that most online accounts require. Recall that when you forget your password, your security questions might be about your first car, your mother’s maiden name, the first concert you attended, etc. Hackers not only use this information to break into your accounts, but they also buy and sell it on the dark web, a part of the internet that is like Google for the bad guys, who love taking advantage of people who like to talk about themselves.
Here are some ways to avoid revealing such sensitive information.
- If you set up security questions, create a set of fake answers. That way, when you do blurt something out on social media, it’s not connected to your online accounts. Store your answers securely so you don’t forget them.
- Use a password manager and multi-factor authentication (MFA). Password managers store all your passwords so that you never have to remember them (or click on “I forgot my password”), and MFA adds an extra layer of authentication, such as a code sent to your phone, before a login completes. That way, even if a hacker knows your security questions and tries to reset your password, they will be stopped by the phone authentication step.
- Don’t answer personal questions on social media, no matter how tempting. Better to be safe than sorry.
- Don’t use the same user credentials at work (username and password) as you do on your personal devices. That way, if someone hacks into your personal accounts, they won’t also have access to your work accounts—and vice versa. As an employer, you can also implement credential monitoring that shows your employees which of their credentials are on the dark web. If those credentials belong to your company domain, the employees need to change them immediately. Take advantage of dark web monitoring as a great teaching moment to instruct employees about the importance of creating totally different personal and company credentials.
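The first tip above, fake security-question answers kept in a password manager, is easy to automate. The Python below is an added example and not code from the original article: it generates a random multi-word answer for each question, exports the set as JSON for a password-manager secure note, and checks a reset attempt the way a provider would (normalized, constant-time compare). The question prompts and the short word list are constructed placeholders; a real setup would use a large diceware-style list so each word adds more entropy.

```python
import json
import math
import secrets
import unicodedata

# Constructed prompts that mirror the quiz questions in the article
# (placeholders, not any particular provider's question list).
QUESTIONS = [
    "What was your first car?",
    "What is your mother's maiden name?",
    "What was your first dog's name?",
    "What was the first concert you attended?",
]

# Small constructed word list (32 words = 5 bits per word). A real
# deployment would use a much larger list for more entropy per word.
WORDS = [
    "anvil", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "onyx", "pebble",
    "quartz", "ravine", "saffron", "tundra", "umber", "velvet", "willow", "zephyr",
    "acorn", "bramble", "cinder", "delta", "echo", "fjord", "glacier", "hollow",
]


def fake_answer(words=WORDS, n_words=4):
    """Random answer with no connection to your real history, drawn with the
    CSPRNG in `secrets` rather than `random`."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def answer_entropy_bits(pool_size, n_words=4):
    """Entropy of an n_words answer drawn uniformly from pool_size words.
    Compare with a real answer blurted out on social media, which is 0 bits."""
    return n_words * math.log2(pool_size)


def build_vault(questions=QUESTIONS):
    """One fresh fake answer per question."""
    return {q: fake_answer() for q in questions}


def export_vault(vault):
    """JSON text suitable for pasting into a password manager's secure note."""
    return json.dumps(vault, indent=2)


def normalize(answer):
    """Mimic typical provider-side handling of security answers:
    Unicode NFKC, case-fold, trim and collapse whitespace."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def verify(vault, question, attempt):
    """Constant-time comparison of a reset attempt against the stored answer,
    so timing does not leak how much of the answer matched."""
    stored = normalize(vault[question]).encode()
    return secrets.compare_digest(stored, normalize(attempt).encode())


if __name__ == "__main__":
    vault = build_vault()
    print(export_vault(vault))
    first_car = QUESTIONS[0]
    # A real answer harvested from a "what was your first car?" post
    # (constructed value) no longer unlocks the account.
    print("harvested answer accepted:", verify(vault, first_car, "Honda Civic"))
    print("vault answer accepted:", verify(vault, first_car, vault[first_car]))
    print("bits with this list:", answer_entropy_bits(len(WORDS)))
```

The answers never need to be memorable, only retrievable, which is why they belong next to the account's password in the manager. Keep the MFA factor in mind too: a harvested answer plus a guessed password still fails if the reset flow also requires the second factor.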
Bad actors are seemingly always two steps ahead of everyone, but you can help employees protect themselves with the tips above. In the end, you’ll be doing them a great service while also helping protect your own organization.