This week, techies and non-techies alike scrambled to learn the ins and outs of what transpired between Facebook and Cambridge Analytica, a political firm hired by the Trump campaign that acquired access to private data on millions of Facebook users. The discovery sparked significant questioning about how Facebook protects the information of its more than two billion users. And while most of the outrage has been targeted at consumer privacy, this breach of trust also poses a longer-term threat to any business whose employees or customers use Facebook and other social media sites – or to put it more concisely, almost every business.
Facebook and other social networks allow us the freedom to share everything we want about ourselves, with whomever we want, for free. They do this for free not out of the kindness of their hearts, but so they can have access to all the data that we share. They can profitably sell that data to organizations and brands who want to deliver highly targeted marketing to those most likely to buy their products. If a vendor wants to market Alabama Crimson Tide 2018 National Football Championship memorabilia, it’s far more cost effective to only show ads to “Alabama alumni” who have shown an interest in “sports” or “football”, and live in the “Southeast United States”, than it is to run a banner ad campaign across multiple sites, hoping to hit those same fans. The data collected by social media sites makes this type of directed, efficient marketing possible.
Facebook may easily be the most powerful tool available to effectively target users in the cyber-world, and is available to anyone willing to pay. This is great news for marketers, but, unfortunately, even better news for fraudsters. So, what exactly happens when this tool is put in the hands of criminals?
Highly Targeted Advertising - for Criminals
Say a fraudster is looking for an employee of Company X, in order to target them with a spear phishing campaign. As bait, the criminal can create an ad to run on a social media platform for what appears to be a perfectly legitimate product or service. But instead, the ad will lead to a website that infects the target’s system with malware, most likely without the target realizing that they have visited a malicious site.
But how is the specific target located? To start, the criminal knows where Company X is headquartered, and therefore will set the ad to run only within a 10-mile radius of their offices. Further, the criminal knows that Company X works within a very specific industry, and therefore sets the ad to target only users whose interests overlap with the company’s product line. Finally, the fraudster wants to hit an employee in some position of seniority within the company, and so will aim the ad at working men and women over the age of 25, but under 65. From there the granularity continues.
All of this can be done at a very low cost. So, with an investment of a few hundred dollars on this ad campaign, even if the criminal only gets one hit, he or she will have infected a computer that allows for access to the entire organization of Company X. The hacker gets a great ROI, Company X faces a plethora of digital security threats. This kind of highly specific, granular targeting is being enabled by all the data we willingly provide on social media, and it’s becoming apparent that allowing the platforms to police it themselves isn’t working.
Data in the Wrong Hands
In addition, what happens when criminals can not only advertise on the platform, but can also access that entire database of information about a subset of people? The latest turn in the Facebook saga suggests that the same data accessed by Cambridge Analytica is now being bought and sold on the deep web, making it more likely that criminals can now target those users not just through social media platforms, but in other ways as well. Imagine how detailed a phishing campaign can get when fraudsters know the name of the company you work for, the names and titles of 20 of your closest colleagues, the conference you’re all attending this week, and your favorite brand of alcohol. Suddenly, a phishing email looks a lot more like a trusted email from a close friend or colleague. A user is much more likely to forgive little typos or strange wording, and trust a seemingly known sender when they ask for what seems like a reasonable business request - transfer this money, register for this webinar, click here to see your expense report, and so on. These requests can lead to either an immediate loss of dollars (such as the case of a BEC scam in which money transfers are requested), or to a potentially much larger breach for an organization, which now has more employees falling victim to phishing attacks. The same profile data that was used to so successfully target employees of Company X with advertisements can now be turned into something much riskier for the companies they work for.
We expect much of the consumer uproar over the recent Facebook breach to die down shortly. For enterprises and other organizations, the threat of these mega data platforms, and what criminals can do with that highly targeted data, is only going to grow over time.
For more unique perspectives on today’s fraud landscape, take a look at this video.