Socially Engineered Security Risks Series
For the next five weeks, we will move away from endpoint and pharmacy technology security and focus on methods attackers can use to access your pharmacy systems, banking, email, and social media accounts.
For this week’s post, our Head of Delivery and Cyber Security, David Carroll, has a story to share about a recent security incident that one of his friends experienced. He has asked for permission to share this story in the hope that it encourages you to review the security settings on your personal and business social media accounts. David also shares some advice on how to protect your accounts so you can avoid the situation described here.
Compromised While Watching the Footy
My good friend, let’s call her Astana, reached out to me for help; her Facebook account had been compromised and then suspended by Facebook. When she tried to log in, she was greeted with a message saying that her posts had violated the “Community Standards”. It appeared from the messages that someone had logged onto her account and posted child sexual exploitation images. She was horrified, scared, and panicked as not only was this her personal account, but her business and the local soccer club were also associated with her account and suspended.
Astana explained that she was at home on a Friday night watching her favourite football team on the TV. At the time, there were discussions about the rugby league having a “mental health week”, and thinking it was a great idea, she clicked on a Facebook post promoting support of the week by signing a change.org petition. She didn’t realise this was not an actual petition, and when prompted for her Facebook credentials, she typed them in. As it was late in the evening, it wasn’t until the next day she logged in and received the disturbing alerts.
The Motive For The Attack
The actual target of the scam was Astana’s business Facebook account. The threat actors used her access to the business account to purchase several hundred dollars’ worth of Facebook advertising, which allowed them to promote their own products or services on Facebook.
Fortunately for Astana, she could reverse the transactions via her PayPal account once she reported the account breach to Facebook.
Also fortunate was that Astana used different passwords for her other social media accounts and email. There have been other reported circumstances with much more severe outcomes.
Threat Actors Don’t Care About How Their Actions Impact You
The incident has impacted Astana’s personal life, business, and community activities. Getting back into her account has been an ordeal. As with many online services, you cannot speak directly to a human to explain the situation and resolve it on the spot. To get back into your accounts, you will need to log a complaint, provide evidence that you are the valid account holder, and wait weeks for it to be reviewed.
Consider that your customers may observe your account compromise and see the posts made by the threat actors. Especially when your account is linked to your business and your professional reputation, the impact will be more significant than just getting back into your account.
How to Avoid These Types of Scams
Use a password manager
Using a password manager ensures that each of your online accounts has a unique, long password. A password manager will help you create a long and complex password for every account and remembers it for you.
You can install the password manager on your iPad or Android device, and it will sync your passwords to a secure cloud store, so you always have them when you need them. With newer devices, you can also use your face or thumbprint to log into your password manager. We recommend Microsoft Autofill as a free option that covers passwords and MFA in a single application.
Use Two-Factor (2FA) / Multi-Factor Authentication (MFA)
Once MFA is enabled on your Facebook, email, banking, and business systems, you can feel safer knowing that you have prevented everyone but the most determined threat actors from getting access to your accounts.
While it may be challenging to set up and get used to, you should persist. Even if your username and password are stolen because you clicked on a phishing link, the attackers will not be able to log in without your MFA token. We recently posted about this when we covered the Essential 8 controls.
Don’t click on suspicious links claiming to be from Meta/Facebook/Instagram
If you get a suspicious email or message, or see a post claiming to be from Facebook, don’t click any links or open any attachments. Sometimes these links can be difficult to identify. We will cover phishing, vishing, and other social media scams in the posts over the next few weeks.
If you are worried about the security of your pharmacy systems and want to know how you can improve your pharmacy security, speak to your Corum Customer Success Manager or contact us on 1300 669 865.
Links to help you get things set up
Setting up MFA on Instagram
Setting up MFA on Facebook
Get alerts about unrecognised logins to Facebook