By Staff Writer at LMG Security   /   Mar 20th, 2024

Protect Your Brand: 8 Social Media Security Awareness Tips to Combat Account Takeover Attacks

Social media has become an indispensable tool for organizations, providing a platform for engagement, marketing, and brand building. However, using social media drastically expands your organization’s attack surface. In fact, one survey found that organizations experience an average of 30 corporate social media account takeover attempts per year. Often overlooked by IT and security teams, social media accounts can give cyber attackers access to important company information as well as the ability to interact with your audience and damage your reputation. Just look at the recent turmoil when the Securities and Exchange Commission’s (SEC) X/Twitter account was hacked. The criminals announced that the SEC had approved Bitcoin ETFs, which caused a surge in bitcoin pricing, followed by a quick decline when the SEC announced the hack. But it’s not just government agencies that must worry. Also in January of 2024, the private security firm Mandiant had its X/Twitter account hacked, and the attack resulted in the theft of over $900,000 (we’ll share the details of how this happened later in this blog). As cyberattacks against corporate social media accounts increase in scale and severity, your organization must increase its social media security awareness and make it an integral part of your cybersecurity program. In this blog, we will discuss social media security as an emerging threat and its real-world impacts, and provide expert guidance on how to increase your organization’s social media security awareness.

Why Are Hackers Targeting Social Media Accounts?

From malicious advertising (“malvertising”) to SIM swapping and sophisticated phishing campaigns, unsecured social media accounts leave businesses vulnerable to data breaches, financial losses, and reputational damage. “It is extremely common for social media accounts to be left out of your organization’s cybersecurity program,” says Sherri Davidoff, CEO of LMG Security. IT and security teams often do not prioritize social media accounts as high-value cloud assets, resulting in a lack of essential security measures such as multifactor authentication (MFA), password hygiene, and consistent configuration reviews. These gaps in basic cybersecurity hygiene and oversight make social media accounts an easy target for cyber attackers.

Additionally, corporate social media accounts are valuable targets for threat actors. These accounts provide insight into your organization’s goals, employees, clients, and partners, which may be used in targeted phishing campaigns. Moreover, they provide access to a broad audience, making them an ideal platform for malvertising campaigns, financial scams, and corporate espionage. It’s time for your organization to implement social media security awareness policies: bring your social media accounts into your cloud security program and enforce the basic principles of cybersecurity hygiene on those accounts.

Impacts and Challenges of Social Media Attacks

Recovering from a social media attack is rarely straightforward and almost always very costly to your reputation and data. Total account takeovers can result in prolonged downtime, as organizations may struggle to regain access to their accounts. Every day that your organization’s account is compromised, your audience is exposed to brand impersonation attacks, potentially damaging your reputation and customer relationships. Organizations must also consider their regulatory obligations, reporting requirements, associated fees, and penalties for noncompliance.

No organization is immune to social media attacks. To illustrate how these attacks work, let’s take a deeper dive into the January attack on cybersecurity firm Mandiant’s X account. Mandiant was hacked as part of a coordinated cryptocurrency scheme that generated at least $900,000 in stolen funds. Since Mandiant did not have MFA enabled, the attackers easily gained access to the account by way of a simple brute-force password attack. Once inside, the hackers used the account to promote a phishing website that promised cryptocurrency tokens through an airdrop. The airdrop, however, was embedded with malware that drained victims’ wallets once they were connected. Mandiant stated that its failure to enforce MFA on the account was due to a change in X’s policy, which removed the option of SMS verification. This policy change, however, was published by X in February 2023, nearly a year before the incident. Had Mandiant conducted consistent configuration reviews, it almost certainly would have avoided this attack.

As more details were released on the SEC X/Twitter account attack, it was discovered that attackers used SIM swapping to compromise the account. SIM swapping involves fraudulently transferring a user’s phone number to a new SIM card controlled by an attacker, giving them the ability to reset passwords and bypass SMS-based MFA. The SEC has admitted that it did not have MFA enabled on its account at the time of the attack.

What can we learn from these attacks? Clearly, it’s time to add or revisit your social media security policies. Let’s look at the steps you should take to increase social media security awareness in your organization.

Social Media Security Awareness Policies Checklist

To mitigate the evolving threats posed by social media use, organizations should include social media security in their cybersecurity programs. Ensuring your social media security awareness training program and policies emphasize basic cybersecurity hygiene will reduce the risk of social media takeover attacks.

Here are some best practices to enhance your organization’s social media security:

  • Enforce phishing-resistant multifactor authentication on all accounts.
  • Ensure password strength and hygiene by using password managers.
  • Prioritize social media accounts as high-value cloud assets, and schedule regular cloud and social media configuration reviews.
  • Centrally manage all corporate social media accounts and regularly review who can access them.
  • Prioritize employee cybersecurity awareness training and education, and ensure that anyone connected with your social media takes social media security awareness training, including any third-party marketing agencies you may use.
  • Regularly check the devices linked to your account and remove any devices that you don’t recognize.
  • Limit the number of third-party apps that have access to your accounts, and frequently check and remove unnecessary access.
  • Routinely review your account recovery information to ensure it is current and goes to a regularly monitored address.

As you can see, adding social media security awareness training and policies to your organization’s cybersecurity program can reduce your risk of an embarrassing incident. Applying basic cybersecurity best practices to social media accounts can prevent costly reputational, financial, and legal damages. For help developing effective cloud security programs, implementing high-impact cybersecurity solutions, and increasing your organization’s social media security awareness, please contact us.

About the Author

LMG Security Staff Writer