How to keep businesses safe on social media

The inadvertent release of business information through social media use is a hazard, but companies can take steps to head it off.
IMAGE BY MIRAGEC/GETTY IMAGES

Facebook, WhatsApp, X (formerly Twitter), Snapchat, Instagram: They’re not just places to idle away discretionary bits of time; they’re important platforms businesses can use to reach and engage with consumers and investors.

But interactions on social media networks also provide fertile ground for fraudulent schemes to take root, said Keith Elliott, president and CEO of Canada-based Reed Research Investigations Limited, which conducts global investigations, surveillance, due diligence, and research for corporate, legal, and insurance industry clients.

Haven’t thought about this? You should, said Elliott, who is also a private investigator with more than three decades of experience. In an interview he talked about the risks social media poses to finance departments.

“If you’re not concerned, then you need to sit up and take notice,” Elliott said. Social media is “like a train ripping down the tracks uncontrolled, and we don’t know what we’re signing up for”.

Here is Elliott’s advice on how to try to impede that runaway train and prevent fraud from taking root through social media platforms.

Outline the rules

No corporate official wants to be notified that an employee used a company X or Facebook account to prematurely reveal a product launch or inadvertently clicked on a bit of malware that went on to infect corporate networks.

That’s why having strong and well-understood corporate policies that outline how a person should be handling corporate accounts can help, Elliott said. These should be part of a media policy that is developed and distributed to all employees, and training should be provided. Policies can include not divulging information about products that are being worked on or giving away specific details that could be used by hackers to infiltrate networks.

“If you put in proper procedures, policies, [and] educate and train, then your risks are nominal,” Elliott said. If you don’t, “then you choose how high of an appetite of risk you want to have, because the sky’s the limit”.

Don’t expect a policy alone to protect you, though. Make sure there is training and continual reinforcement about what is and isn’t appropriate to share and how to protect login information and other sensitive information.

Don’t give valuable business information away

Make sure you and the people in your company aren’t divulging too much information about the company’s inner workings.

That’s especially relevant for those who work in finance departments, given that sophisticated social engineering schemes can help hackers search for small pieces of information about individuals from various online forums — their family makeup, travel plans, even hobbies. That information can be used to impersonate the individual and use compromised emails to infiltrate networks or divert invoice payments to the accounts of cyberthieves.

“You do need to control what they’re saying about their work, their clients, the brand, their activities,” Elliott said. “There needs to be a clear message with respect to what is acceptable in those capacities.”

Also be aware of how your company’s information could be used by competitors or others doing market research or deep-level analytics. Posting information through official business channels, or through less official ones such as employees’ LinkedIn posts, could offer competitors blueprints of your company’s plans and challenges. Ensure that the policy distributed to staff is clear about what is and isn’t appropriate to share publicly.

There’s also no taking back information once it’s out there. This creates privacy concerns, especially when you’ve signed or authorised a terms-of-agreement contract. Whether you know it or not, that enables social media companies to use your data any way they’d like.

“Your privacy ends the second you use the product,” he said, meaning that once you send information out into the world, you lose control of it.

Educate and be aware

The best way to protect yourself and your company is to be aware of how you’re interacting online and to make sure your staff are likewise aware of the risks out there.

Send out messages and provide training that emphasises that clicking on links that come across social media can be dangerous. Train staff — especially those in key finance positions — to use discretion and judgement and to “think before you click”, Elliott said.

The risks include malware, with sophisticated hackers looking to trick unsuspecting employees into clicking on suspect links or downloading programs laden with files or coding that could in turn infect networks and give hackers an inside look at operations. Other schemes may be attempts to get staff to give out valuable financial information such as bank account numbers or even passwords to access sensitive information.

“We just click, click, click because we’re in a society of clickers,” Elliott said. “But you need to pause and wait a few seconds and hold that thought and not necessarily click.”

That pause, after all, is what can keep online fraud at bay.


Sarah Ovaska is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.

