C-suite executives are often highly visible on social media (especially if they have controversial opinions or are in the news). As such, they are likely to draw the attention of bad actors.
To protect your leadership team (and your company) from harm, you need to understand the different types of threats social media can pose, as well as the strategies your executives can use to reduce their physical and digital risks.
Here are the top threats executives face on each platform.
It’s easier for content to go viral on Twitter than on other social media platforms because a single tweet can reach tens of thousands of users, even if the original poster only has a few followers. This virality poses unique threats to executives.
Old tweets coming back to haunt you
Twitter is the platform where people are most likely to be denounced or “canceled” for what they tweet. This means that anyone who finds an executive’s old tweets offensive—even if he or she posted them as a teenager—can repost them in an attempt to ruin your executive’s reputation.
An example of old tweets coming back to haunt someone is:
- Away CEO Steph Korey—The Verge published an unflattering article about the luggage company’s cofounder and CEO, describing her as being an overly demanding boss. Within hours, the story went viral and made many Twitter users angry enough to start a campaign of online harassment against her. In response, Away’s board of directors quickly asked for her to step down and hired a replacement. Korey publicly apologized for her bad behavior as described in the Verge article and announced her resignation.
Another threat executives face on Twitter is doxxing—the publishing of someone’s personal information with the goal of motivating other people to contact the individual and harass him or her. Even though doxxing violates Twitter’s policies, it remains a serious problem.
Here’s an example of someone doxxing an executive on Twitter:
- CCO Randall Forbes—In 2020, musician Kanye West tweeted out the phone number of Forbes Magazine’s chief content officer, calling him a white supremacist and urging his followers to contact him. Although the tweet was only up for half an hour before Twitter removed it, the post garnered more than 17,000 retweets.
Former Twitter CEO Dick Costolo has publicly admitted that the platform has a harassment problem. According to Mr. Costolo, “We suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years.”
One example of executives being harassed on Twitter is:
- Ed Woodward—Angry fans criticized the Manchester United executive vice chairman on social media, calling him “cowardly” and “spineless.” This anger culminated in a mob attacking Woodward’s home with flares while chanting death threats. Twitter users captured the incident on video.
The biggest problem with Facebook is that the platform is designed to get people to share personal data, which thieves, scammers, and others can often leverage to harm your executives.
Fake friend invitations
According to Facebook, 16% of accounts on the platform are either duplicates or fakes. In some instances, bad actors create fake Facebook accounts and send friend requests to individuals to access the valuable, personal information that these people have limited to “friends only.” Cybercriminals then use this data to conduct a phishing attack or to scam the person who just friended them.
Here’s one example:
Family members inadvertently revealing your private info
According to Proofpoint’s 2020 State of the Phish report, cybercriminals targeted executives at 88% of businesses in 2019. If your executives’ families post their personal information on Facebook, attackers can use these details to manipulate your leadership team into doing what they want. Often, these attacks can lead to reputation-damaging data breaches or serious financial loss for the company.
Here’s one example:
- CEO of a Texas energy company—Scammers were able to convince the CEO’s assistant to pay a $3.2 million fake invoice by impersonating the CEO via email. To guarantee their success, the hackers used information about the CEO’s family on Facebook to gain the assistant’s trust.
Vacation pics leading to home invasion
It’s easier to rob an empty house than an occupied one. Because of this, nearly 80% of thieves scan Facebook and other social media posts for clues as to when people will be away from their homes.
So, if one of your executives posts real-time pictures or the itinerary of his or her European vacation on Facebook, then criminals will know when the executive’s house will be vacant and how long they can take to pack up that person’s valuables.
Some examples of this happening are:
- California family—After seeing Stacey Grant’s Facebook post about her family’s vacation, three men rented a U-Haul, drove to the empty house, and stole the family’s furniture, televisions, and other electronics. Luckily, they were spotted by a routine police patrol before they could get away.
- New Hampshire homeowners—After checking Facebook to find out which houses would be empty at a specific time, three burglars broke into 50 New Hampshire homes. They were able to steal $200,000 worth of goods and cash before the police arrested them.
Because LinkedIn is designed for professionals, many users view it as being more trustworthy than other social media platforms. Thieves and scammers know this and look for ways to take advantage of LinkedIn users’ gullibility.
Social engineering, which leverages human nature to trick an individual into doing something dangerous (like revealing private information or downloading malware), is one of the most popular cybercrime techniques. It’s also one of the most effective. In fact, phishing emails (the most popular social engineering vector) account for over 90% of all successful cyberattacks.
On LinkedIn, cybercriminals create fake accounts to access your business page and scrape information about your employees for use in phishing scams. This strategy is so popular that the platform has had to work overtime to delete the fake accounts. In the first half of 2019, for example, LinkedIn removed 21.6 million fake profiles.
Attackers also use these fake accounts to connect with your team members in order to access even more detailed personal information.
One example of someone carrying out a phishing attack via LinkedIn is:
- Anthem Health—Cybercriminals scraped personal details of high-level Anthem employees on LinkedIn to carry out phishing attacks that led to a data breach that exposed 80 million private records.
LinkedIn contains the names, user IDs, email addresses, job titles, work history, connections, and other personal data of 8.2 million C-suite executives. This makes the platform a ripe target for hackers seeking to access your leadership team’s personal accounts. In fact, databases of LinkedIn members are frequently discovered for sale online.
Even the most tech-savvy executives are vulnerable to hacking.
- Mark Zuckerberg—The hacker group OurMine found the Facebook CEO’s social media account credentials in a database of LinkedIn member data for sale on the web. They used his password “dadada” to briefly take over his Instagram, Twitter, and Pinterest accounts and send out taunting messages: “Hey @finkd we got access to your Twitter & Instagram & Pinterest, we are just testing your security, please dm (direct message) us.”
Executives with large numbers of Instagram followers are prime targets for scammers and hackers looking to manipulate them via a variety of social engineering scams.
Verified badge phishing scam
In this popular scam, hackers send emails to high-profile Instagram users, like your C-level executives, telling them they are qualified to apply for a blue “verified” badge, which would add prestige and credibility to their account. All they have to do to become “verified” is fill out a form that asks for their account information.
However, the online form only looks like an official Instagram site. In reality, hackers created it to trick people into sharing their valuable account credentials. Once your executive enters his or her email, username, password, and phone number, hackers can take over that person’s account and use it to scam or spam other users, or hold the account for ransom, demanding money or nude pictures.
One example of this kind of attack is:
- The owner of a photoshoot equipment rental company—This person received a phishing email that included an “Apply Now” button that, when clicked, opened a series of forms on the instagramforbusiness[.]info domain. After the entrepreneur unwittingly filled out the forms, hackers permanently locked the individual out of his/her Instagram account.
Just like on Facebook, fake accounts are rife on Instagram. Often bad actors copy the account of someone with a large following and then use it to ask followers for money or for their banking information. This scam not only harms the followers, but it also destroys the reputation of the original account owner.
Here is one example:
- Emma Heathcote-James—The owner of the Little Soap Company discovered that her business’s Instagram account was cloned when the scammers accidentally tagged her in one of the fake company page’s pictures. In the span of a day, the scammers contacted hundreds of Little Soap Company followers, telling them they had won a company contest. To claim their prize, the customers had to send the scammers their PayPal account information.
It can be tricky for executives to safely navigate through the various threats on these platforms because new threats are constantly emerging as social media continues to evolve. Therefore, it makes sense to include your leadership team’s social media activity in your executive protection plan.