Are Your “Company Culture” Social Posts Weakening Corporate Security?
How Too-Detailed Posts on Social Media Can Give Attackers an Easy Win
Your company has likely shared team and culture updates on social media – it’s a great way to show your “human” side and connect with customers. But if one of those photos accidentally captures private or sensitive information, you’re giving attackers an easy way to breach your corporate security.
Social Media Has Always Been a Cybersecurity Risk
Using social media to showcase company culture and connect with customers is standard-issue. Statistics from various sources report about 94% of all businesses are using social media for marketing and driving revenue, with the most-used platforms being Facebook, Instagram, X, YouTube, Pinterest, and LinkedIn.
But it’s not just customers and brand evangelists who are engaging with companies on their social channels. Help Net Security has reported multiple times since 2024 that social media is growing in popularity among threat actors as a tool for social engineering and other cyber attacks.
Corporations are generally aware of the risks of using social media, and many provide employee training to help instill smart habits. Even so, attackers are savvy – and in some cases, they don’t have to work too hard to find information on social media that opens a figurative – or literal – door to company data.
Threat actors use social media for numerous common types of attacks, which include:
Social Engineering:
Through impersonation or emotional manipulation, attackers trick employees into compromising security or revealing sensitive information.
Phishing Attacks:
Attackers trick employees into clicking on fake links or attachments on social media and revealing sensitive information like passwords or financial details.
Malware:
Malicious software can be deployed via social media, infecting devices and systems and enabling attackers to breach data.
Data Breaches:
By hacking social media accounts, attackers can gain access to sensitive company information or user data, leading to identity theft and reputational damage.
Supply Chain Attacks:
Attackers can use social media to target corporate supply chains and exploit vulnerabilities in third-party vendors.
Brand Impersonation:
By creating fake social profiles that impersonate legitimate businesses, attackers can scam followers or steal information.
Inside Risks:
Employees can be negligent or have malicious intent, using social media to cause data leaks or breaches.
However, it’s not always that hard for an attacker to get what they need from a company’s social media presence.
In this article, we’re going to focus on a pretty simple way attackers can use social media to gain access to private company information – photos.
Be Careful What You’re Capturing
It’s nice to snap a photo of your team in the office, at an event, or engaged with a customer and post it to your social channels so people can see what you’re up to and who’s behind the business.
But posting these photos to the public is a double-edged sword. Take this example from a recent engagement we had with a client.
Stay Updated with Cybersecurity Insights
Case Study:
The $2 Million Social Media Heist That Exposed a Water Utility’s Weakest Link
As part of a physical security assessment for one of our water utility clients, we conducted reconnaissance that involved reviewing the company’s social media platforms. We typically look into social media for readily-available information about personnel or the physical premises that we can leverage for a red team attack; for example, an update that an employee is on vacation for a week.
In this case, we quickly identified a team photo posted to the company’s LinkedIn page in which security badges were clearly visible. Our team created a fraudulent badge using the photo and successfully gained access to multiple buildings, including an operations and maintenance lot that held a fleet of vehicles collectively worth more than $2 million – with the keys left inside.
This engagement proved two important points about the vulnerabilities social media presents:
- Attackers can use something as seemingly benign as a team photo to gain physical access to a company, putting potentially millions of dollars in resources and infrastructure at risk.
- Without proper physical or cyber security, any exploited weaknesses on social media can be successfully carried out either on-premise or on a company’s network, leading to much larger issues beyond a social media vulnerability.
There is a growing risk of social engineering in security breaches, and social media presents prime opportunities for attackers to get what they’re looking for.
Social Media is Fueling Social Engineering in Security Breaches
Phishing and other social engineering tactics prey on deep-rooted human emotions like anxiety, fear, a sense of urgency, and even familiarity or a desire to please. Because of the emotional hook, these tactics typically require very little effort to convince someone to take an action.
Read more: The Psychology of Social Engineering
Social media in particular makes social engineering more of an “easy win” for attackers because of how readily-available most information is through various posts on employee and corporate social accounts.
The list of ways attackers can get information without doing much more than giving your company a follow isn’t a short one.
Sharing personal and professional updates: Companies and employees frequently post personal news and updates like their vacations, favorite hobbies, new job roles, promotions, and team projects. This type of voluntary information clues attackers into:
- Names of colleagues and reporting structures
- Timing of travel or out-of-office windows
- Insider language to mimic legitimate internal communication
Posts about organizational structure: LinkedIn profiles, team bios, and company pages are often specific about who serves in what role at a company; i.e. “Thanks to our Account Manager Deborah for bringing in donuts today!” Attackers can use this information to:
- Impersonate senior staff in phishing or pretexting attacks
- Create convincing email spoofing campaigns
- Identify low-level employees to manipulate as entry points
Event announcements: Sharing your company’s attendance at conferences, trainings, or other events gives attackers information about:
- When employees will be out of the office (and depending on the post, exactly which employees)
- Relevant topics or causes to reference for fake event schedules or follow-up emails that seem legitimate because they are directly tied to a recent event
- Specific tools or platforms your company uses
Tech stack and vendor mentions: Often, companies or employees will share updates about new technology or partnerships; i.e. “Just launched Salesforce!” or “So excited to roll out Microsoft Edge!” But this information reveals:
- Your company’s tech stack, giving threat actors a potential attack vector to try
- Targets for credential harvesting (e.g., fake Microsoft login pages)
- Your third-party vendors, which can have their own vulnerabilities that allow access to your network
Office culture content: Birthday celebrations, team-building events, pet photos, or memes can seem harmless, but they can:
- Offer password clues (pet names, favorite sports teams, etc.)
- Lower employee defenses when interacting with a presumed “fan” of the company
- Reveal building layouts or badge access areas in photos – or the badges themselves!
Job postings and role descriptions: Using social media as a recruitment tool can be a great way to reach more people, but how and what you post can give attackers too many specifics, such as:
- Tools or security protocols your company is using
- Security gaps in your organization; i.e. “We’re hiring our first SOC analyst!” (e.g., “Hiring our first SOC analyst!” could signal immature security posture)
- Which individuals to target for internal access
Impersonation opportunities: Open profiles for your company’s employees allow attackers to:
- Clone or spoof employee profiles
- Create fake accounts that appear trustworthy
- Pose as a fake colleague, partner, or vendor to initiate contact with real employees
We know you’re probably thinking, “well it sounds like we can’t even have a company social media profile or allow our employees to post anything, either!”
Don’t worry – you don’t have to go off the grid and tank all of that hard-earned brand equity you’ve been building up on Instagram. Social media and company culture have been and always will be intertwined – the key is how you use it.
PROTECT YOUR ORGANIZATION AGAINST RISING VULNERABILITIES
Secure Social Media Use is All About Awareness
Protecting your company’s sensitive information from attackers is important, but tricky. Any cybersecurity training you conduct can feel like driving a new car off the lot – it loses value quickly as attackers grow more sophisticated.
Employee training is crucial – but it has to go hand-in-hand with some other social media best practices for security.
- Establish and enforce a clearly-defined social media use policy.
When companies don’t delineate what can and cannot be shared on social media, they run the risk of employees inadvertently leaking sensitive or exploitable information. And if there is no policy, leadership will have a hard time training or enforcing corrective behavior. Overall, a lack of usage policies gives attackers a wider door to step through.
- Ensure your company has a strong cybersecurity posture and response strategy.
If you do get breached via a social media vulnerability, ideally your strong internal and external cybersecurity program will detect abnormal behavior and stop an attacker in their tracks. Breaching your network or your physical premises through a successful social engineering scam on LinkedIn is one thing, but if you see it and stop it, you can keep posting your company updates – lesson learned.
- Deploy cybersecurity training to all employees – and test it often.
Employee cybersecurity education and training is critical, but there is an important followup – it needs to be put into action. If employees aren’t tested regularly on what they know, they’ll forget. People get busy and the rules of security awareness can fade into the background, making it easy for someone to absentmindedly click a link from an email that at first glance looks like it’s from their manager.
Keep cybersecurity education and training – especially for social engineering tactics – top-of-mind:
- Run fake phishing campaigns. Send out phishing emails to employees and monitor who takes the bait.
- Test identity validation. Call employees pretending to be a specific employee asking to change an account password and monitor who asks for a second form of identity validation, such as a video call or MFA.
- Focus on emotions. When conducting education and training, discuss the emotional manipulation inherent in social engineering scams so employees understand what it is and how to recognize it.
- Establish a review process for photos being posted to your company social media or by employees that are specific to your company’s activities. Make sure whoever is monitoring understands the parameters for what’s allowed and what is not.
Virtually everyone who uses social media – or connects to wifi, for that matter – understands there is inherent risk of compromise and attack. What matters most is how you choose to react to that understanding.
Our advice is, of course, not to wait until something happens. Be proactive – especially when your company’s data sensitive and private data is on the line, along with your reputation.
Talk to us about a managed security solution to help you respond to any security breach from a social media-generated attack. An MSSP can provide expert guidance on even the most complex aspects of your cybersecurity program.