Don’t Accept Candy (or Social Media Connections) From Strangers

Connecting to strangers on social media isn’t really networking. Worse, it opens you up to other risks.

October 24, 2023

My regular readers know that I’m not just a career expert, but also a cybersecurity expert. Every so often those two worlds intersect because we need a little more safety and privacy in our careers.

I’ve long advocated not connecting to strangers on the internet. Your rolodex (those under forty can see what that is here) is not the same as your network; unfortunately, most people confuse the two. But here’s a stronger reason to be wary of online strangers: espionage.

Years ago, intelligence agencies would create dossiers on their targets. While they would generally target high-profile government workers, agencies would sometimes select more pedestrian targets because they could be the first link in a chain to a higher-profile end goal. For most of the twentieth century this was a time-consuming and painstaking task. Social media opened the floodgates as everyone laid bare all sorts of information such agencies would want to know (not to mention what advertisers and corporations want to know). If you think I’m being hyperbolic, see how many people at the CIA or NSA have profiles on social media.

In the article referenced above the head of MI5 (the UK version of the FBI) warned, “More than 20,000 people in the UK have now been approached covertly online by Chinese spies.” They weren’t targeting James Bond and the Prime Minister, but you and me. China is engaging en masse in industrial espionage. (I know of additional attempts along these lines that I can’t get into detail about.)

You might be thinking, “surely my company doesn’t have anything they’d want.” You’d be surprised. Even if you’re right, maybe your spouse’s company does (and remember that your spouse shares a network with you; if they can compromise your laptop, they can probably get to your spouse’s). Maybe it’s your friend who is the ultimate target. A common social engineering technique is to befriend the friend of the target. Online it can be easier, since people often see that an online profile has many friends in common with them and then simply add the stranger.

Even if you are certain that neither you nor the people you know have any industrial secrets foreign operatives want, I can assure you there is something you have that other people want: money. The article above was about active spying by the Chinese government. It says nothing about all the online fraud and security breaches. It’s no longer Nigerian princes and lottery winners, but social engineering attacks to trick your company into paying for false invoices. Think you and your company won’t fall for it? Google, Facebook, and other big companies fell for it to the tune of $100M—and that was just from one guy ten years ago. Today’s cybercriminals are much more sophisticated.

Consider this line of attack. A stranger sends you a connection request online. You don’t know him, but he’s in sales at some major corporation. Seems like it couldn’t hurt to know him. Maybe there are a few initial messages; maybe the account has a few status posts. It’s all fake, but you can’t know that. A few years later he sends you a message asking you to look at something, maybe to get your feedback, or he’s sending you an opportunity for your business. Oops, it’s an infected file using a zero-day bug (meaning one your computer isn’t yet protected from). Now he’s in your system and all your data are belong to him.

These are the simpler approaches, but they can and will get more sophisticated. AI is just going to turn the threat up to 11. The time it takes to generate fake profiles, create fake posts, and have chats with you will go down. There are already “sleeper profiles” online; these are fake profiles being aged. It’s easy for a social media company to spot a profile that started yesterday and has no followers and no activity other than spamming others. These sleeper profiles have been around for years, have acquired followers, and have engaged in mock human-like activity, so they are harder to detect. With AI this number will grow tenfold or more.

If a stranger tries to connect with you, run away and find a grownup. Sorry, wrong article. Don’t accept the request, run away and find an IT person. OK, that’s probably overkill, but seriously, you certainly should not accept the connection request without doing a little more due diligence. Ask yourself: do you think you’re ever going to need to be connected to this person? If so, can you connect then? After all, you can usually find a way to message someone you aren’t connected to, should you really need to get in touch with them. And on many platforms this person can always follow you without being connected to you.

In the US we moved from small towns where everyone knew each other and kept their doors unlocked to a world with more danger and more safety protocols needed. The same is true online. The world is full of strangers, and as the internet gets bigger (more people get on it) there are more dangerous people coming for you. AI and other tools will let bad actors target more people with less effort. Connections, in real life and online, are useful, but the vanity of having lots of connections (not followers, but connections) is starting to be overshadowed by the risks of being connected to lots of strangers. Let’s be careful out there.

By Mark A. Herschberg