Showing posts with label social media.

Thursday, April 16, 2020

Social Engineering Facebook

Social Engineering

NOTE: Since being published, this article has been updated with new information. 

If you’re on social media, specifically Facebook, you’ve seen the 21st-century version of chain letters. Lately there have been lots of “challenges”, quizzes, and tagging of friends to encourage them to keep the challenge going. List every country you’ve been to, list every state you’ve been to, favorite movies, pictures of pets, pictures of your spouse and/or your parents, and the most current: your high school senior photo, under #Classof2020.

Who knows who starts these, but they catch on as cute or fun ways to pass the time on Facebook. They are also ways for social engineers to find out more than you want strangers to know. Using the short list above, with how many total strangers would you exchange that information? Probably not many. But most people don’t have very secure social media accounts. They are completely open to public view. Simple searches, most likely by the ones who started these challenges, can find the responses to hashtags, and bots can be used to mine the information. Then, using social engineering, the hacker can construct quite a profile on you.

As if your basic profile information isn’t enough, add that to answers from the above examples. Now, in addition to your name, age and/or exact date of birth, high school, university, and town, they can add photos and names of parents, spouses, pets, etc. For example, viewing the Facebook page of someone who completed some of the more popular quizzes, one could determine the following:
Jane Doe
Born January 1, 1973
Lives in Anywhere, Iowa
Went to Anywhere High School and Iowa State University, graduating in 1994
Not married
Christian 
Her parents are John and Jeanine (Pictures)
Loves dogs, especially her German Shepherd Rover (Picture)
Has visited 15 U.S. states and Paris, Rome, and London (Pictures)
Loves movies, specifically classic romances
Lots of pictures of Jane and Check-ins at her favorite places (with dates and times)
All of this information is more than enough to construct passwords, answers to security questions, or even more nefarious real-world activities.
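A self-audit for the exposure described above, as an added example that is not part of the original post: it reports which publicly posted facts a password or security answer is derived from, so the owner knows what to change. The profile values are the fictional Jane Doe facts from the list; the function names, the substitution table and the minimum token length are assumptions made for this sketch.

```python
import re
from datetime import date

# Constructed profile: the fictional "Jane Doe" facts listed in the post.
PUBLIC_FACTS = {
    "name": ["Jane", "Doe"],
    "parents": ["John", "Jeanine"],
    "pet": ["Rover"],
    "school": ["Anywhere", "Iowa State"],
    "places": ["Paris", "Rome", "London"],
}
BIRTHDATE = date(1973, 1, 1)
PUBLIC_YEARS = {"graduation": 1994}

# Common character swaps people use to "strengthen" a word (assumed table).
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_TOKEN_LEN = 4  # shorter tokens such as "Doe" match too many ordinary words


def letters_only(text):
    """Lower-case, undo common swaps, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SWAPS))


def digits_only(text):
    """Keep digits only, so 01/01/1973 and 01011973 compare equal."""
    return re.sub(r"\D", "", text)


def date_fragments(d):
    """Shortest digit runs that give a date away; longer forms contain them."""
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {f"{d.year:04d}", mm + dd, dd + mm}


def exposed_facts(secret):
    """Return the sorted categories of public facts found inside `secret`."""
    letters, digits = letters_only(secret), digits_only(secret)
    hits = set()
    for category, values in PUBLIC_FACTS.items():
        for value in values:
            token = letters_only(value)
            if len(token) >= MIN_TOKEN_LEN and token in letters:
                hits.add(category)
    if any(frag in digits for frag in date_fragments(BIRTHDATE)):
        hits.add("birthdate")
    for category, year in PUBLIC_YEARS.items():
        if str(year) in digits:
            hits.add(category)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed secrets to audit: two passwords and one security answer.
    for secret in ["R0ver!1973", "correct-horse-battery-staple",
                   "Anywhere High School"]:
        print(f"{secret!r}: {exposed_facts(secret) or 'no public facts found'}")
```

An empty result only means the secret is not built from the facts listed; it says nothing about its strength otherwise.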

Users feel comfortable within the confines of Facebook. As with other cons, these are perpetuated because of the element of trust. Trust that it came from a friend, so it must be OK. Or it’s only a harmless quiz about my favorite TV shows. Also, trust in the complacency that only your friends can see the responses. Once your friends start sharing, your information is exposed.

In addition to the cut and paste challenges, there are external links to quizzes. The links take you to a third-party site that runs the quiz and posts back to Facebook. Most have learned not to click on links in emails. Why would you click on a link within a Facebook post? Back to trust. A friend shared the post, so it must be safe.

Use social media wisely. Check your privacy settings. If you haven’t done so in a while, change your password. Think twice before participating in cut and paste challenges and quizzes. You don’t want to be the one making the familiar post: “Don’t accept any friend requests from me. I’ve been hacked!!”

April 27, 2020: The FBI issued a warning not to participate in social media quizzes. The quizzes are based on "something you know; something you have; and something you are", all of which can be used to social engineer passwords.
FBI bulletin: https://www.fbi.gov/contact-us/field-offices/pittsburgh/news/press-releases/fbi-pittsburgh-warns-popular-social-media-trends-can-lead-to-fraud

Read other posts about privacy

Monday, March 18, 2019

No Facebook?



On March 13, 2019, Facebook went down for over eight hours. Believe it or not, the world carried on. E-commerce didn’t crash and human social interaction continued. Facebook itself, however, could lose over 80 million dollars in revenue.

Facebook entered the scene in 2004. Since that time it has grown to be a company worth upwards of $500 billion with approximately 2.3 billion users worldwide. Along the way, it has either defeated or bought out rivals. Even the mighty Google is packing in its social media platform Google+. Even though Facebook has dominated the social media market, something better has to come along, right? How long can one company continue to dominate the market?

Losing interest?

Interest in Facebook may be waning. Nearly 3 million users were lost in 2018, many using SnapChat, YouTube, or Instagram (which is owned by FB). This is due in part to privacy issues that have been uncovered over the past several years. Early users of the platform were young adults. Facebook weathered a loss of users several years ago when “parents” started using Facebook for personal reasons and to keep tabs on their kids. But over the years users returned or were replaced by new, younger users.

Tech investor Jason Calacanis launched a contest in 2018 called the Openbook Challenge. Calacanis is offering teams $100,000 to build a billion-user social network that would replace Facebook. You can get updates on the project at the Open Book Challenge.

Will companies find another way?

Once Facebook exploded, businesses realized they had to get in on the social media game. There are 80 million small and medium business pages on Facebook in addition to large corporations. Companies use Facebook like individual users, keeping followers up to date on the latest happenings. Once Facebook allowed advertising, businesses could reach an even larger audience. When Facebook experiences outages, in addition to user dissatisfaction, it also causes revenue loss. Continued privacy issues and major outages will likely push personal and business users elsewhere.

Google and the other search engines offer myriad ways to highlight and advertise your business. Companies not taking advantage of these options now would certainly gravitate in that direction. Whatever eventually does replace Facebook probably would allow advertising and business pages, unless that replacement is truly a social media platform that disallows corporate infringement.

When Facebook does tank, the world will continue. We’ve made it through when companies and media outlets that have been providing services for over a hundred years have packed it in. We’ll get through without Facebook.

The statistics used were found through general Internet searches and featured in the blog post 41 Facebook Stats That Matter to Marketers in 2019.

Please share. See the blog archive for more small business topics.

Wednesday, March 15, 2017

Should social media rants get you fired?


Should an employee be fired because of social media rants? Some business experts feel that employees who sound off should be fired because they don’t uphold the character and face of the company. The National Labor Relations Board (NLRB) has heard these types of cases since 2010 and began issuing decisions in 2012. The NLRB usually sides with the employee, reasoning that the employee’s social media postings are protected activities under the National Labor Relations Act, specifically employee rights to organize and speak out against unfair labor conditions.

If the rants take place on company time, using company resources, the employee could be disciplined for infractions other than the actual posting. But when the postings occur outside of work, the line has been drawn between employee rights and violating policy.

Beyond firing someone for something you don’t like on social media is the policy prohibiting the rant. If the company doesn’t have a policy, then little action can be taken. Many businesses, especially small businesses, have no policy regarding social media. Employee handbooks and company policy need to be living documents. It seems like there is always a new topic to be covered. Social media policy is an extension of that organism. Although social media and employees going off on their employers are not new, the policies governing how businesses handle it are still evolving. And the NLRB helps draft those policies each time it offers a decision. Businesses have to stay abreast of the issues and the decisions being made.

Whether defending the honor of the company or getting rid of a bad employee, firing someone for his or her rants on social media can be a dicey situation, opening up the company as well as the person responsible for the firing to court action.

See our blog archive for other posts relating to social media policy issues:


Wednesday, July 6, 2016

Social media checks


Background checks used to be associated with financial institutions during applications for loans. Now they are performed during job applications, college admissions, even on dating sites. One of the most important parts of the background check is the character reference. References were historically performed by field investigators interviewing the person’s friends, neighbors, associates, coworkers, etc. This is still an integral part of checking someone’s references, but in today’s online-all-the-time society, social media is fast becoming the standard.

Who’s looking?

Private employers are. Social media checks are now on the checklist during candidate research. HR hiring surveys estimate that more than half of employers search an applicant’s social media during the hiring process. The New York Post reported on January 29, 2016, that at least 40% of college admissions officers report they check applicants’ Facebook pages and other social media when weighing who should get accepted. A third say they Google applicants. Even professional sport franchises do their due diligence when deciding on draft picks. As part of the vetting process, social media of potential draftees are reviewed. With the media attention on football players gone wild in recent years, franchises are doing everything they can to determine the character of the player they are drafting.

Now the federal government is getting into the game. Investigators will now be probing social media as part of background checks for security clearances. It seems far-fetched that federal investigators didn’t perform these checks in the past, but now it’s official. On May 13, 2016, Director of National Intelligence James Clapper signed a policy directive that allows investigators to collect publicly available social media information pertaining to the person whose background is being investigated. In a press release, Bill Evanina, Director of ODNI’s National Counterintelligence and Security Center stated, “We cannot afford to ignore this important open source in our effort to safeguard our secrets—and our nation’s security.” While federal investigators are prohibited from requiring or requesting applicants’ password information, they will be searching for publicly accessible accounts.

Privacy concerns

States and the Federal government have responded in a challenging effort to protect citizens’ privacy and rights. Twenty-three states have enacted laws that prevent employers from requesting passwords to personal accounts to either apply for or keep a job. Maryland was the first state to enact such a law, which took effect on October 1, 2012. Maryland’s law states that employers may not require employees or applicants to disclose a user name, password or other means of accessing a private Internet site or electronic account.

The Equal Opportunity Employment Commission (EEOC) and National Labor Relations Board (NLRB) regulate, monitor, and enforce employer misuse of social media during the hiring process. Since 2010, the NLRB has heard dozens of cases regarding employers infringing on employee rights through social media. Both the EEOC and the NLRB have issued guidance to employers regarding social media rights of employees.

Does your mother see your posts?

Whether you’re currently looking for a job or suddenly need a clearance, you never know when a situation will surface that requires a background check, which will now more than likely include social media checks. As we are seeing, the trend is spreading beyond dating sites to employers, college admissions, pretty much anyone who wants to know more about who you are. A picture truly is worth a thousand words.

Getting a lot of ambiguous rejections? Check your social media posts.
Even social media posts from years ago can haunt you. During the 2016 NFL draft, a potential first round pick had his Twitter account hacked. A years-old video showing him allegedly smoking marijuana with a bong hit the web. As this sorted out, draft round after round passed. He eventually was chosen in the thirteenth round, costing him millions.

Because of the anonymity of the Internet, the narcissist in us all, and the instantaneous culture we have, social media seems to be a window into our daily lives. Not only what cat videos we find hilarious or what we’re eating and where, but social media goes a long way in determining who we are, the character of the person doing the posts. Now one could argue that it’s not how they really are, that they use social media as an alter ego. But over time, patterns do develop and the onus appears to be on the account holder to justify the veracity of their posts and not the reviewer.

A good rule of thumb is: if you wouldn’t want your mother to see it, then don’t post it.

See our blog archive for other posts relating to social media:

Tuesday, March 22, 2016

What is your social media policy?

            
Hiring and maintaining quality employees is a difficult process. In addition, there is the challenge of keeping up with the ever-changing landscape of employment issues. In the last few years employers have had to navigate through several major adjustments, and some changes are ongoing. For example, the EEOC has published new guidelines on the use of criminal background checks. The “Ban the box” movement is rapidly spreading through State and local governments. If you are not familiar with the term “Ban the box”, it is the phrase used to describe the movement to have the question, “Have you ever been convicted of a crime”, removed from employment applications. (Have you ever been convicted of a crime? February 3, 2013) Maryland passed such a law, which took effect October 2013. In addition to rule changes, Federal authorities are monitoring employers’ actions for FCRA violations and National Labor Relations Act violations.
           
Researching social media

As technology changes, it affects the way we do business, not only in our daily commerce but also in the hiring process. Employees have always talked around the water cooler and outside of work in the privacy of their cliques, outside the earshot of company officials. With social media, employees have a broader base to which their complaints are heard and also are more open to discovery. Bosses are taking to the Internet to see what their employees are doing on social media. Human resource professionals are also using social media as part of their screening process. Hiring surveys have found that nearly 60% of interviewed HR professionals use social media as part of the applicant’s screening process. This is almost double the percentage from surveys conducted in 2012. In 2013, Federal labor bodies began hearing social media related cases and applying existing laws to the new medium for worker dissent: social media.
The Internet has made it very easy to check on employees, but whether you are hiring or checking on an employee you may want to resist the urge. If you are researching job applicants and decide to do some Internet research, you may learn details about the applicant that you don’t know from the application, and this could affect your hiring decision. If you learn something such as race, sexual orientation, illness, or pregnancy, and use that knowledge in your hiring decision, you may be in violation of the Civil Rights Act of 1964 and have trouble with the EEOC.
If you’re searching to see what employees are up to around the virtual water cooler and learn some disparaging information, you may be enticed to act. Some employers have retaliated against employees for social media postings, which brought the cases before the National Labor Relations Board (NLRB). As a result, the NLRB has ruled, in most cases, for the employee.
           
Federal law

Title 7 of the Civil Rights Act of 1964 prohibits employers from refusing to hire any individual, or otherwise to discriminate against any individual, with respect to compensation, terms, conditions, or privileges of employment, because of such individual’s race, color, religion, sex, or national origin.
The National Labor Relations Act, Section 7 states, “Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, and shall also have the right to refrain from any or all such activities.” Section 8(a)(1) forbids an employer “to interfere with, restrain, or coerce employees in the exercise of the rights guaranteed in section 7”.
When using social media searches, employers can easily let information they learn infiltrate the decision process. Even if they claim they haven’t used information illegally, it would be difficult to prove otherwise.
The NLRB ruled in 2013 that employees could use social media to…well…complain. As you read above, the NLRA protects employees’ rights to engage in concerted activities for the purpose of collective bargaining or other mutual aid or protection. When an employee is complaining on social media about the boss, or conditions, or hours, they have that right. Additionally, the NLRB has ruled that employees can use confidential company information, company logos, or photographs of company property. The basis of the rulings is the employee’s Section 7 rights to act in concert and share company information regarding their working conditions in such ways as leaflets, picketing, etc. in an electronic medium.
One of the first rulings for employees came on April 27, 2013. The NLRB, Administrative Law judge, ruled in favor of three employees fired as the result of postings on Facebook about their employer and work conditions. The Board ruled that the employees were engaging in a protected concerted activity. As a result, the employer must offer full reinstatement to the fired employees, make the employees whole for any loss of earnings or benefits, and remove any mention of the firings from the employees’ records. Case 20-CA-035511, 359 NLRB No. 96.
In our blog post, Enforcing company policy May 8, 2015, an NLRB decision is highlighted in which a company claimed violation of obscenity rules as the reason for firing an employee for a Facebook rant.

Enacting policy

Companies have responded to the growing phenomenon that is social media by enacting policies that control what their employees can and/or cannot post. The NLRB has ruled that companies cannot have policies that restrict the use of social media by employees, nor can acts of retaliation be taken against employees as a result of social media postings. Furthermore, employers cannot ask employees for passwords or retaliate against employees for failure to provide passwords.
Social media laws are also being enacted at the State level. In 2012, Maryland enacted the country’s first such law. The User Name and Password Privacy Protection and Exclusions law prohibits an employer from requesting or requiring an employee or applicant to disclose access information to their personal social media accounts.
So the question is: what is your social media policy? Is there one in place, and does it address management’s use as well as workers’? HR professionals can help draft your policy; always have any new policy or policy changes reviewed by an attorney.

Websites like Policy tool for Social Media can assist in drafting a policy. The site takes the user through a series of questions that results in a completed policy.




Friday, May 8, 2015

Enforcing company policy


The National Labor Relations Board ruled in favor of an employee fired because of a rant on Facebook against the employer. Perhaps more significantly, the company cited violation of its obscenity policies, which the NLRB disregarded because the policy was found to have been unenforced in past instances. This underscores the importance of enforcing policies regularly and fairly, not just when it is convenient for management.
The case
By a two-to-one vote, a three-member panel of the National Labor Relations Board upheld an administrative law judge’s findings that an employer unlawfully discharged an employee because of social media comments, including strong obscenities that were personally critical of a company manager. (Pier Sixty, LLC and Hernan Perez, et al, NLRB Cases No 02-CA-068612 and 02-CA-070797, March 31, 2015.) 
The company’s employees expressed interest in union representation, based in part on concerns that management treated them “disrespectfully and in an undignified manner.” Those efforts resulted in a successful organizing campaign, after which the Union was certified as the exclusive collective bargaining representative. Two days before that election, a long-term employee was working as a server at an event. During the cocktail service a company manager allegedly approached and, in a loud voice and in front of guests, addressed the employee and two other employees, using an unnecessarily harsh tone and waving his arms. Upset with the manager’s treatment, the employee took a break and, outside of the banquet facility, posted from his phone a message to his personal Facebook page. The message referred to the manager as a “NASTY M***** F***er” and a “LOSER!!!!,” stated “f*** his mother and his entire f***ing family,” and ended with “Vote YES for the UNION!!!!!!!” After being made aware of that posting, the company fired the employee for violation of its obscenity policy.
Decision
The panel determined the firing violated the NLRA because the Facebook post was deemed to be protected concerted activity. Although the company argued that the employee had violated company policy regarding obscene language, it was determined that since 2005, the company had issued only five written warnings to employees who had used obscene language, and had discharged no one on that basis. Further, it was found that the employee's use of obscene language in his posting was not “qualitatively different from profanity regularly tolerated by the company.” 

The NLRB first ruled on “Facebook firings” in October 2012. The NLRB has ruled that postings on social media regarding the way employees are treated or working conditions are protected concerted activities under the National Labor Relations Act. The company’s defense of policy violation in the aforementioned case did not stand up because the policy itself was overlooked.

Employee handbooks and rules are necessary for a safe and favorable workplace. However, when violations of policies are overlooked the workplace can become a dangerous and/or hostile environment. Additionally, employee morale tends to be low because of managerial indifference or inequitable enforcement of violations. When policies are enforced as a “CYA” measure, reviewing entities rarely rule for the company.

www.mazzellainvestigations.com/informationresources.html