This document provides a guide to wise social media habits with tips from A to Z. It warns that many social media users are unaware of vulnerabilities and risks like accepting friend requests from strangers, oversharing personal information that could help criminals or fraudsters, and using weak passwords. The summary cautions users to be aware of security and privacy issues and carefully consider what they post and share online.
1. The A to Z of Safe Social Media
Our simple guide to wise Social Media habits
Not for resale
Written by Mark Johnson | Illustrated by Corinne Blandin | Foreword by Lord Toby Harris | Produced by The Risk Management Group, 2012
2. Foreword
Businesses and other organisations are increasingly being encouraged to use social media both for marketing purposes and for better internal communications. At the same time, many organisations worry about exactly what they are doing on social media and whether they are posting messages that might damage the brand. All this is made more complicated as people increasingly use their own devices for work purposes (whether this is sanctioned/encouraged by their employers or not).
Yet social media are also used by those who are malevolent to attack firms and individuals, not only by planting malware but also through social engineering to effect identity and data theft.
Most of us do not know enough about the risks or are blind to the threats that may affect us: a recent Legal & General survey found that a significant percentage of users are happy to "friend" total strangers online without a second thought.
Awareness and common sense are the best and simplest form of security and this "A to Z Guide" is an excellent starting point for everyone - from senior managers to the newest joiner.
Lord Toby Harris
Produced by The Risk Management Group 2012
Copyright Mark Johnson & Corinne Blandin, 2012
3. Introduction
Early in 2012 we were asked to support the efforts of UK financial services firm Legal & General in the production of their Digital Criminal 2012: Cybersafety Report. This report, which can be downloaded here, focused on consumer risks arising from poor social media habits. The results of the survey were alarming:
• 91% of the Facebook users surveyed had received friend requests from strangers
• 51% of those users admitted having accepted such requests
• 56% of users also discuss evening and holiday plans ‘wall-to-wall’
Our own tests, using a network of fake Facebook, Twitter and LinkedIn profiles, demonstrated that many of our fake profiles were able to gather up to 150 friends within a few weeks. One fake profile amassed a staggering 79 friends in under 12 hours, simply by using a pretty picture. Many of these new ‘friends’ were willing to share personal data with our fake personas.
The risks for business and consumers arising from poor social media habits are very real, with fraud, identity theft and the exposure of corporate data being only the tip of the iceberg. The second in our series of free A-to-Z Guides is designed to raise awareness and to suggest commonsense security measures for social media activities carried out by the average person in the home and at places of work.
Mark Johnson
4. A is for… Awareness
Sanity Check Number One: Do you really know all of your online ‘friends’?
Relatively few social media users are aware of just how many vulnerabilities these services can have.
The failure of some leading social media sites to introduce effective validation of users’ identities means that fake accounts are very easy to set up and use.
Social media users sometimes have no idea who they are really connected to and this can lead to them giving out information that could be used by fraudsters, burglars and other criminals.
5. B is for… Bragging
Sanity Check Number Two: Do you ever post comments online about your income or possessions, or photos displaying them?
‘Face bragging’, or showing off online about your material wealth, could make you a target for criminals.
Reformed burglar Michael Fraser has spoken frequently of the ways in which today’s burglars, fraudsters and con artists are using social media sites as a source of target data. (See the Legal & General report.)
Posting photos of your car, house or jewellery, or comments about your income, bonuses and other assets might win you a few new ‘friends’, but it could also win you some unwelcome visitors.
6. C is for… Checking
Sanity Check Number Three: Have you ever accepted a friend request from a stranger just because you liked their picture?
The average Facebook user has 140 Facebook friends and in one survey, 95% of users admitted having accepted friend requests from total strangers.
Often, a friend request is accepted because the person making it appears attractive to the user, or because they are already a ‘friend of an online friend’.
Many of us fail to check before accepting such requests, to establish whether the friend who appears to link us would actually recommend this new person, or whether they even know them.
7. D is for… Deleting
Sanity Check Number Four: Have you deleted any old posts that, in retrospect, you probably should not have made?
What you post online could, in theory, stay online forever. However, you do have some control and if you delete your old social media posts there is a reasonable chance that they will be difficult or impossible for others to retrieve.
It may be as simple as a former relationship you’d rather hide from your new love, or a silly comment that could affect you professionally years later. Whatever it is, it’s always a good idea to:
• have a trawl through your old posts
• do a bit of house cleaning
But your best bet is to avoid saying anything silly in the first place!
8. E is for… Email
Sanity Check Number Five: Is your email address shown in your public profile?
When you first sign up for many social media sites, your email address is requested of you and it may even be displayed in your public profile.
Not only that, but your email address often becomes your user name for the service because many social media sites take shortcuts around more sensible security measures.
Having your email address in your public profile exposes you to SPAM as well as harassment. It will also give a fraudster the first half of your logon information and thus help them to take over your account.
9. F is for… Fraud
Sanity Check Number Six: Have you ever disclosed information in an online profile that a fraudster could use, such as your date of birth?
Online fraud is a growing problem. As more and more services go online we can expect fraud levels to rise even further.
Many fraudsters who once searched through rubbish bins for discarded bank statements now browse social media sites for personal data.
Most of us are oblivious to this risk and our online posts and profiles often contain a wealth of information that a clever fraudster could use.
Always limit what you post and what your profile discloses about you.
10. G is for… Geography
Sanity Check Number Seven: Do you ever post information about your geographic locations, past, present or future?
Some social media sites are moving users towards a geographic paradigm. This can involve putting your posts and images on a timeline and inviting you to add more information, such as the geographic location you were in.
Why would you want to put that online? Your real friends probably know where you were anyway and you wouldn’t want to tell strangers these facts about you, would you?
After all, your movements in the past might serve as clues to your likely movements in the future.
11. H is for… Home
Sanity Check Number Eight: Have you ever publicly posted your home address online?
The Legal & General Digital Criminal report also revealed that 4% of Facebook users surveyed had included their home address in their public profile.
This is not only a matter of concern for those users, it also affects any partners and children they may have.
Posting your home address next to your real name in any online public forum is a big no-no, as is posting someone else’s address details.
Keep the real world and the online world separate.
12. I is for… Images
Sanity Check Number Nine: Are you careful about what types of image you post?
The posting of images online has become commonplace, often without the consent of those depicted. Several services are driving this trend.
The problem is that even if you are careful about what images you post, anyone else can post images of you without your knowledge. You should be particularly wary about posting images of your children.
One tool you can use is to set up notifications any time you are ‘tagged’ in a post or image, if the social media service you are using supports that.
13. J is for… Joining
Sanity Check Number Ten: Do you only enter the minimum profile information required to get an account?
You are likely to make most personal security mistakes in social media on the day you first join a site. After all, it’s exciting to sign up and you are looking forward to connecting to old friends, loved ones or new-found contacts.
Social media sites want to collect as much information about you as they can – they might use this for marketing purposes and your data is often their main asset. They will encourage you to complete your profile, providing all manner of personal data.
You should only provide the bare minimum of data required to obtain service. Why would you provide more?
14. K is for… Keystrokes
Sanity Check Number Eleven: Do you blindly follow links suggested by online friends?
Did you know that there are forms of Spyware out there (software that can monitor your activities) that can capture every one of your keystrokes?
The type of Spyware that records your keystrokes is known as a ‘Key logger’. This kind of Spyware may send a record of each of your keystrokes to someone else.
Social media sites are one route used to get Spyware onto your system. For example, a ‘friend’ might suggest that you click on a link. Then, while you watch a video, Spyware may also be downloaded and installed on your machine.
15. L is for… Liking
Sanity Check Number Twelve: Have you ever ‘friended’ someone because they ‘liked’ your posts or photos?
Clever online fraudsters and con-artists make good use of the like button to attract prospective targets. It works like this:
• A fraudster will persuade someone to accept their friend request, perhaps by using an attractive photo.
• The fraudster will browse that person’s pages and click the ‘Like’ button under posts or images of their friends.
• Some of those friends will be curious about the person who liked their post or image. They might actually invite the fraudster to be their friend.
The fraudster can thus attract ‘friends’ who may never even realise that they have been targeted.
16. M is for… Malware
Sanity Check Number Thirteen: Do you auto-update the anti-virus software installed on ALL of your devices?
Malware is malicious software that can do more than just steal data – it can harm your system or turn your machine into part of a ‘Botnet’:
• Botnets are networks of infected devices
• they are controlled remotely by a hacker
• the largest known contains 12 million PCs
• 25% of all PCs may be infected
Malware can be accidentally downloaded by following links to infected sites.
Other examples of Malware are Viruses, Trojans and Worms. Any of these can wreak havoc on your PC, laptop, mobile smart phone or tablet.
17. N is for… Names
Sanity Check Number Fourteen: If you are a younger user, do you use a nickname online?
There are many instances in which using our real names online is our only option. Setting up a social media account for professional networking is one example.
However, if you are going to link to social contacts via a social media site then using your full name might be more of a risk.
This is especially true for younger users and until site providers fix their weak security and identity verification systems, we suggest never using your whole real name if you are a young user.
18. O is for… Old accounts
Sanity Check Number Fifteen: Have you deactivated any old social media and email accounts you no longer use?
Social media sites come and go and today’s giants will most likely become tomorrow’s forgotten dinosaurs. This has happened in the past and many of us have old social media accounts that we haven’t used for years - we may even have forgotten their existence.
Dormant social media accounts are a gold mine for fraudsters because they can take them over and use them without us ever noticing.
A hacked account might:
• reveal information about you
• be used to fool your friends into disclosing their data
19. P is for… Password
Sanity Check Number Sixteen: Are your passwords difficult to crack?
If your email address is the same as your login name then a strong password is essential as a hacker or fraudster may already know 50% of your login information.
Having your account taken over, denying you access and exposing you to fraud or reputational harm, is an identity theft experience you don’t want to have.
• Use strong passwords
• Use 7 or 9 characters
• Use a mix of letters, numbers and cases
• Avoid using real words, dates & places
Keep your password secret!
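As an added illustration of the password rules listed above (this checker is not part of the original guide), the following Python function flags a candidate password that breaks them. The small wordlist, the numeric date shapes it looks for, and the reading of the guide’s "7 or 9 characters" as a minimum of seven are assumptions made for the example; a real deployment would load a full dictionary and place-name list.

```python
import re

# Constructed mini wordlist (real words and place names) standing in for a proper
# dictionary; it exists only so the example runs offline.
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "monday",
                "london", "cambridge", "dragon", "football"}

# Assumption for this example: the guide's "7 or 9 characters" read as a minimum of 7.
MIN_LENGTH = 7

# Year-like values (1900-2099) and numeric date shapes such as 01/06/1985 or 010685.
YEAR_RE = re.compile(r"(?:19|20)\d{2}")
DATE_RE = re.compile(
    r"\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}"   # 01/06/85, 1.6.1985, 01-06-1985
    r"|(?<!\d)\d{6}(?!\d)"                 # 010685
    r"|(?<!\d)\d{8}(?!\d)"                 # 01061985
)


def password_problems(password, wordlist=COMMON_WORDS):
    """Return the list of guide rules the password breaks; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "a mix of letters, numbers and cases"
    if not any(c.islower() for c in password):
        problems.append("no lower-case letters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    # "avoid using real words, dates & places": case-insensitive substring check
    lowered = password.lower()
    for word in sorted(wordlist):
        if word in lowered:
            problems.append(f"contains the real word or place '{word}'")
    if YEAR_RE.search(password) or DATE_RE.search(password):
        problems.append("contains a year or date")
    return problems


def is_strong(password, wordlist=COMMON_WORDS):
    """True when no rule is broken."""
    return not password_problems(password, wordlist)


if __name__ == "__main__":
    # Constructed sample candidates, weakest first.
    for candidate in ["password", "Summer2012!", "London01/06/85", "xK9#vq2Lp"]:
        found = password_problems(candidate)
        print(f"{candidate!r}: {'OK' if not found else '; '.join(found)}")
```

The substring match is deliberately strict: a password built around a dictionary word or a place name fails even when digits and punctuation are appended, which is the habit the guide warns against.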
20. Q is for… Questions
Sanity Check Number Seventeen: Do you refuse to answer personal questions from those ‘friends’ you are not 100% sure of?
If you do stumble across a fake online profile, you might become suspicious. Fakers are generally out there to trawl for personal data and the questions they ask you are often a little unusual.
Examples we have seen include:
• “What’s your email address?”
• “When’s your birthday?”
• “Where are you now?”
• “Can you suggest me to your friends?”
You can see a video about what it’s like to have your identity stolen here.
21. R is for… Recommendations
Sanity Check Number Eighteen: Do you accept friend recommendations from online friends you don’t know well?
Social media fraudsters sometimes set up one fake profile in order to recommend other faked profiles to people. The first profile is never used for fraud or to collect data – only the recommended profiles do that.
This approach allows the fraudster to create the impression of an innocent network of friends where, in fact, there is only one person - the fraudster.
This may lead innocent users to trust the recommended fake profiles on the basis that they are ‘friends of a friend’.
22. S is for… Silence
Sanity Check Number Nineteen: Do you have links to social media ‘friends’ who never seem to be online?
A common sign of a faked online account is silence.
As explained, a fraudster will have multiple motives for connecting with people and while some connections exist for the purpose of targeting or harvesting data, others are designed simply to build up a convincing contact base.
Once you are a part of such a fake network, the fraudster might not have a reason to continue talking to you.
23. T is for… Tetris
Sanity Check Number Twenty: Are you investing too much of your time and money in online games?
Tetris is only one example of a popular online game that can be very addictive. Game addiction is a growing problem worldwide. Addiction clinics have even been set up in some countries.
Some online games also access your social media profile and other data. This data may be stored by the game provider.
It has been alleged that in some games you may actually be competing against automated ‘Bots’ and not against real people as you might have assumed.
Many games demand payment from you if you want to continue playing once you have become hooked.
24. U is for… Un-friending
Sanity Check Number Twenty-one: Do you ‘un-friend’ contacts you are unsure about?
Did you know that you can often ‘un-friend’ a social media contact at any time?
If you are suspicious about any of your online contacts, don’t be shy:
• ask questions to validate who they are
• check with your real life friends
• un-friend anyone you have doubts about
25. V is for… Virus
Sanity Check Number Twenty-two: Is your anti-virus software set to automatically download and install updates?
Some viruses have been specifically built to target social media users.
The LilyJade Virus is the most recent (2012) virus seen that specifically targets social media users of sites like Facebook. The first iteration of LilyJade used infected PCs to send out Spam messages about teen pop star Justin Bieber.
You can read more about LilyJade here.
26. W is for… Worldwide web
Sanity Check Number Twenty-three: Do you realise that anything you post in public may have a worldwide audience?
Unless you secure them, your pages can be public places. Anything you post there might be read by others, whether friends or not.
Strangers can sometimes post on your page as well, potentially saying anything they choose about you or your friends.
There have been many cases of online bullying that exploit this loophole. One of the most serious involved a convicted Internet Troll named Sean Duffy. He posted offensive comments on the tribute pages of teenagers who had committed suicide. You can read about the Duffy case here.
27. X is for… Xtra careful
Sanity Check Number Twenty-four: Do you keep your personal and business security in mind when using social media?
The bottom line when it comes to using any social media site safely is personal awareness of the risks as well as the benefits.
We use several sites ourselves and we think the positive aspects of the technology are truly amazing.
However, because we work in the risk arena, we also see numerous cases of security breaches, personal data loss, fraud and harassment via social media.
Be aware, be extra careful and stay safe online.
28. Y is for… Youngsters
Sanity Check Number Twenty-five: If you are responsible for children, are you managing and monitoring their social media and other online activities effectively?
Younger users often have a more advanced understanding of how to exploit the features of new technologies, but without necessarily being able to comprehend the risks.
As parents or simply as adults, we all share a responsibility to inculcate safe practices and to set a good example, whether for our children, guardians, younger siblings or other relatives.
Our A to Z of Safe Children Online provides specific advice for keeping children safe online. It can also be downloaded free of charge here.
29. Z is for… Zoning
Sanity Check Number Twenty-six: Do you use different social media tools to create separate types of social media Zone?
A simple but effective mechanism for operating safely online is to ‘zone’ your activities. For example, you could use:
• Facebook for social friendships
• LinkedIn for business relationships
• Twitter for general broadcasts to the world
• Blogs for more considered opinion
• A website for corporate statements
• Email for official correspondence
• Instant messaging for team use
You should choose your own approach, but having clearly defined zones can really enhance your personal and professional security.
30. About the authors
The writer, Mark Johnson, is a prominent thinker and speaker on emerging communications security, online and social media risks. He is the author of Demystifying Communications Risk, to be published by Gower Publishing in late 2012, as well as numerous industry training guides and papers. Mark is currently working on his second book which addresses the subjects of Cyber Security and Digital Intelligence.
The illustrator, Corinne Blandin (www.corinneblandin.com), is a teacher, demonstrator and artist, born in France and now living in Cambridgeshire, England. She works extensively with children and has produced illustrations for teaching materials now in use by a leading private school in Cambridge. This is Corinne’s second set of illustrations in the A to Z series, her first being used in The A to Z Guide to Safe Children Online.
Read, enjoy and stay safe online!
Cambridge, 2012
31. About The Risk Management Group
TRMG delivers consultancy, training and product design services in the area of high technology risks. Our main areas of focus are financial fraud risks, telecoms fraud control, cyber security, digital intelligence, revenue assurance, and the control of money laundering, cyber-laundering and terrorist financing online.
TRMG Services
• Risk assessments and business case reviews
• Business process design & re-engineering
• Software solution design, project management & acceptance testing
TRMG Training Courses
• Introduction to Cyber Security
• Communications Fraud Control (Introductory through to Advanced)
• Crime Investigations (Introductory through to Advanced)
• Digital Intelligence and Internet Investigations (Introductory through to Advanced)
• Telecom Revenue Assurance (Introductory through to Advanced)
• Social Media Risk Awareness (Workshop)
Contacting TRMG
Email: info@trmg.biz
Web: www.trmg.biz
Blog: http://theriskmanagementgroup.blogspot.com/
Phone: +44 1223 257 723
32. About this work
This work has been sponsored and published online by The Risk Management Group (TRMG)
Compass House, Vision Park
Chivers Way, Histon
Cambridge CB24 9AD
United Kingdom
www.trmg.biz
All rights reserved. This Guideline is provided free of charge subject to the condition that it may be reproduced and distributed freely and without restriction but that it may not be resold or used for any commercial purpose without the written agreement of the publishers.
Disclaimer
In creating this Guideline every effort has been made to offer the most current, correct, and clearly expressed information possible. Nevertheless, inadvertent errors in information may occur. In particular, the authors and the Publisher all disclaim any responsibility for any errors contained within the Guideline or in any related communications, web pages or other printed or online resources. The information and data included in the Guideline have been gathered from a variety of sources and are subject to change without notice. The authors make no warranties or representations whatsoever regarding the quality, content, completeness, suitability, adequacy, sequence, accuracy, or timeliness of such information and data.