The greatest threats to the enterprise are often those that use social engineering to extract information or data from employees. For threat actors, this tactic rarely requires any technical know-how, so the barrier to entry is low.

To make matters worse, the rapid rise in social media use lowers this barrier even further. Regardless of whether your enterprise has rules in place to limit social media use, you can’t stop employees from using social media 24/7. As threat actors continue to leverage social media attacks as a launchpad to infiltrate enterprise networks, what are some defensive tactics organizations should be aware of?

Before we get into specifics, it’s critical for the enterprise to recognize that as social media use increases, the threat of attacks carried out via social media escalates as well.

Understanding Attackers’ Social Media Tactics

The first thing organizations should be concerned about is the ease with which a bad actor can target employees through social media.

“It’s not that difficult with a little bit of information going in,” said Paul Bischoff, privacy advocate at Comparitech.com. According to Bischoff, a threat actor only needs to know the name of one person who lists a target employer in his or her profile.

If it’s a big company, the attacker may not even need to know a specific person’s name — they can simply take a guess at common names. Now that the threat actor has their target, they have several options. One is to try hacking the account, possibly by using passwords leaked in data breaches at other companies. Or, they can attempt to establish contact with the target and use a phishing attack to get the information they need, such as getting access to a business email account. They could even try to add the mark as a friend or hack an existing friend’s account to impersonate them and communicate with the original target.

Using social media can help threat actors evaluate their targets both inside and outside of the workplace. People share a lot of personal information on social media, which often includes valuable nuggets of data about their work life. While the ubiquity of social media is relatively new on the technology timeline, social engineering is a scheme as old as time.

In our hypothetical hacking situation, if access to the employee’s accounts is compromised, the next step for the attacker can be to infiltrate the target’s corporate network. Depending on the network, the starting point is often getting access to business email, according to Bischoff.

“If a hacker manages to break into someone’s email, they can wreak havoc,” Bischoff added. “Not only are they privy to existing emails, but they can write new ones. Furthermore, an email account is often where two-factor authentication PINs, password reset links and other sensitive account information is sent for all sorts of online accounts.”

Once the threat actor logs in to a victim’s email account, they can buy themselves time by taking steps to lock the target out by changing the password and/or recovery email address. Because these problems can take a while to resolve, attackers typically have some leeway to work their way up the food chain, impersonating victims and sending convincing phishing emails to others in the company.
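The lockout step described above (a fresh login followed quickly by a password or recovery-address change) is also one of the more detectable moments of an account takeover. The following is an added example, not code from the article or from Comparitech, that scans mailbox audit events for exactly that sequence. The event schema, the `KNOWN_IPS` baseline and the sample events are all constructed assumptions for illustration; a real deployment would read the provider's actual audit log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data). Each record is one
# mailbox action: a login or a change to an account-security setting.
EVENTS = [
    {"ts": "2023-03-01T09:02:11", "user": "alice", "action": "login", "ip": "203.0.113.5"},
    {"ts": "2023-03-01T09:04:40", "user": "alice", "action": "recovery_email_changed", "ip": "203.0.113.5"},
    {"ts": "2023-03-01T09:05:02", "user": "alice", "action": "password_changed", "ip": "203.0.113.5"},
    {"ts": "2023-03-01T10:15:00", "user": "bob", "action": "login", "ip": "198.51.100.7"},
    {"ts": "2023-03-02T08:00:00", "user": "bob", "action": "password_changed", "ip": "198.51.100.7"},
]

# Assumed per-user baseline of source addresses seen in normal use.
KNOWN_IPS = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.7"}}

# Actions an attacker uses to lock the real owner out or keep persistence.
TAKEOVER_ACTIONS = {"password_changed", "recovery_email_changed", "forwarding_rule_added"}


def find_takeover_indicators(events, known_ips, window=timedelta(minutes=30)):
    """Return alerts for takeover-style changes made shortly after a login
    from an address not in the user's baseline."""
    alerts = []
    last_new_login = {}  # user -> (timestamp, ip) of most recent unfamiliar login
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] == "login":
            if ev["ip"] not in known_ips.get(user, set()):
                last_new_login[user] = (ts, ev["ip"])
            continue
        if ev["action"] in TAKEOVER_ACTIONS and user in last_new_login:
            login_ts, ip = last_new_login[user]
            elapsed = ts - login_ts
            if elapsed <= window:
                alerts.append({
                    "user": user,
                    "action": ev["action"],
                    "source_ip": ip,
                    "minutes_after_login": round(elapsed.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_indicators(EVENTS, KNOWN_IPS):
        print(alert)
```

Run as-is, the script flags both of alice's changes (made within minutes of a login from an address outside her baseline) and stays quiet for bob, whose password change came from a familiar address a day later. The window and baseline are the tuning knobs: a short window catches the rapid lockout pattern the text describes, while the baseline keeps ordinary self-service password changes from paging anyone.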

Exploring Some Simple Prevention Techniques

One prolific method that threat actors use as a stepping stone to access sensitive corporate data is profile cloning, in which fake Facebook (or Instagram or another social network) profiles are created by using duplicate photos and relevant data stolen from a targeted user’s real social media profile.

“Facebook cloning can be used to establish contact with the target by impersonating an acquaintance,” said Bischoff. “The hacker might even clone an existing friend’s profile — would you notice if someone who didn’t post much on Facebook added you as a friend a second time? Facebook mitigates this by showing how many mutual friends you have with anyone who sends you a friend request, but not everyone pays attention or cares.”

To thwart these types of attacks, Bischoff advised employees to not post an employer on their social media profiles. If they must, instead of selecting from the drop-down list of existing employers that appears when you start typing, they can “create” a new employer. This prevents the employee from showing up on the threat actor’s list when they target that specific company.

Additionally, as security experts have mentioned repeatedly, it’s critical to educate employees on common phishing tactics and even consider testing this in real-time with practice phishing emails. With 27 percent of users failing a phishing test, according to a 2018 study, we must continue educating and testing teams across the organization and providing role-based education and awareness sessions. Finally, Bischoff suggested establishing rules that require a second form of identity verification to share certain information.

“For example, if someone requests a password to use the office VPN, that person should also verify the request in person or by phone, and be sure not to use a phone number listed in the email,” Bischoff said.

Stand United to Fend Off Emerging Social Media Attacks

I’m not suggesting that you dictate how and when your employees use social media — a fool’s errand if there ever was one. Especially in this bring-your-own-device (BYOD) era, social media use, even at work, is only going to keep rising. I distinctly recall the arduous task of trying to monitor social media use in the early days of Facebook, and can’t imagine how difficult it would be for IT decision-makers today.

The lure of social media is too much to fight against. Instead of pushing back, we need to work with what we’ve got and do our best to educate employees about potential social media attacks. Make employees part of the process instead of restricting their online behaviors, and arm them with knowledge that can help them become a layer in the organization’s security shield.

“A chain is only as strong as its weakest link,” said Bischoff. It’s all about strengthening the links.
