Even the most innocuous data posted to a social media feed can be married up with other publicly available information to provide online criminals the tools they need to exploit members of the military or general public, an Army special agent said.
Special Agent Deric Palmer, program manager for the Digital Personal Protection Program, part of the Major Cybercrime Unit at the U.S. Army Criminal Investigation Command, explained how those who aren't careful or aren't paying attention can unwittingly provide scammers and other online criminals all the information they need to exploit them.
Social media accounts, Palmer said, serve as fertile ground for digging up the kinds of information that can be used to impersonate someone, steal identities or break into other online accounts, such as banking or insurance.
A Facebook page, for example, might contain current and past physical addresses where a person has lived, phone numbers, email addresses, names of pets, significant events such as birthdays and anniversaries, hobbies and other interests. Just browsing a Facebook page, Palmer said, he can figure out your favorite music, books, TV shows, political and religious leanings.
All that, he said, serves as "an attack vector" that an unscrupulous person can use to communicate with users further and gain their trust. Additional communications can bring out even more details that might later be used to break into online accounts or exploit users in other ways. Some social media users, Palmer added, even volunteer critical information that could be used to access their online financial accounts that they'd never divulge if they were asked by a stranger.
Some online memes, he noted, pose as games that get users to volunteer information that, coupled with other easily obtainable information, can be used to exploit them. A quick search online reveals a simple graphic meme that purportedly allows users to choose "your new cat name" and then post the results, along with the meme itself, on their own social media feed.
For the "cat name" meme, users would use the last digit of their phone number as a selector for any of nine name prefixes, their zodiac sign to choose from a list of 12 middle names, and their favorite color to choose from a list of eight potential last names.
A user might end up with "Count Sassy Pants" as a silly name for their cat. When they post that on their social media feed, along with the meme image itself, would-be criminals will know their phone number ends in 8, they were born in either August or September, and that their favorite color is yellow. Coupled with data already on their social media feed, and with data that can be obtained from data brokers, the information makes it easier to exploit users, Palmer explained.
Military personnel also are candidates to be impersonated online — malicious users might opt to use imagery of real-world service members available online to exploit other users. The U.S. military is one of the most trusted institutions in the nation, and online criminals, Palmer said, take advantage of that.
"The U.S. military is viewed as a prestigious club. ... It's an indicator of prestige," Palmer said. "It's instant respect. If I can pretend to be a U.S. general, unwitting people will respect me immediately."
With that respect, he said, a criminal can exploit other users while pretending to be a member of the U.S. military. Palmer's advice to service members: don't post your picture in uniform with the name tape visible. "It immediately makes you a target," the special agent said.
Palmer offered some tips to avoid being scammed:
- Immediate red flag! Be suspicious if you are asked for money or a wire transfer to pay for a purported service member's transportation, medical bills, communication fees or marriage-processing charges.
- Be suspicious if the person with whom you are corresponding wants you to mail anything to a foreign country. Be aware that military members at any duty location or in a combat zone have access to mail, cyber cafes, Skype and other means of communicating with their families, and they have access to medical and dental treatment. The military will ensure that family members are notified should a service member be injured.
- Insist on a "proof of life." The scammers will not video chat with you, because they know you will catch them in their lie.
- Trust your instincts! If it seems too good to be true, it probably is.
The special agent also provided eight points for better security online, and to make users less likely to be victimized by online criminals:
- Permanently close old, unused accounts.
- Enable two-factor authentication on any platform that allows it.
- Use strong passwords, and use different passwords for every account.
- On social media, accept friend requests selectively.
- Configure the strongest privacy settings for each social media account.
- Think before you post.
- Limit use of third-party applications on social media applications, read the license agreement, and be sure you know exactly what those applications want to be able to access.
- Change answers to security questions, and use false answers so that online criminals can't use information they gather online to gain access to your accounts.
Editor’s Note: U.S. Sailors and Marines can report suspicious online activity to the Naval Criminal Investigative Service; NCIS also offers tips about staying safe online: https://www.ncis.navy.mil/