Social Media Crime Is A Threat To Business

According to a report by the University of Surrey, commissioned by IT security firm Bromium, cyber criminals are currently generating at least $3.25bn in revenue every year through their aggressive exploitation of social media. 

The sheer number of social media users around the world means that platforms such as Facebook, Twitter and LinkedIn are proving to be golden opportunities for cyber criminals. In the US alone, there was a 300-fold increase in the number of reports of social media-related cyber-crime during the 2015-17 period, while the UK has seen similar crimes quadruple between 2013-18.

The University of Surrey report, entitled Social Media Platforms and the Cybercrime Economy, revealed that four of the five top websites hosting the most cryptocurrency mining code are social media platforms, sites that are also known to contain up to 20% more methods for potential malware transfer than ecommerce, media or culture-focused websites.

These stats make for some very somber reading, and it's no surprise that, over the last five years, 1.3 billion social media users have had their data compromised. Yet this isn't simply an issue for individuals scrolling through Facebook at home - social media-related cyber-crime is having a big effect on businesses both large and small.

The Effect on Business
"One in eight enterprises have been breached through social media, so it's certainly something businesses should be taking seriously," says Dr Mike McGuire, senior lecturer in Criminology at University of Surrey, and author of the report. One of the main weak spots is employees themselves. Research has shown that staff can spend more than three hours a week browsing social media channels at work, and almost 80% of employees will use social media in the office without any regard for company policy.

Staff using social media at work, or on company devices, are unwittingly introducing risk to the business, creating backdoors into corporate networks for savvy cyber criminals. This can lead to a draining of IT resources, accelerating the deterioration of critical assets and theft of customer data or company IP, which in turn can cause a drop in reputation and revenue, as well as opening businesses up to regulatory fines.

In addition, companies themselves are becoming more reliant on social media, with many using them as an important marketing tool, if not their sole business platform.

"Think about how impacted business is by the use of social media. Over 70% of businesses now have Facebook accounts and almost as many are on Twitter," McGuire points out.

Methods of Attack
Cyber criminals are using a variety of approaches to exploit social media platforms, including social media phishing, where cyber criminals create fake pages to harvest user data. Malware can be delivered via updates or shares, adverts, plug-ins and apps, messages and videos, many of which are powering the spread of crypto-jacking software, code which can force a machine to use its processing power to mine for crypto-currency.

"Facebook Messenger has been instrumental in spreading crypto-mining strains like Digimine, but another example we found was on YouTube, where users clicked on ads, unwittingly enabling crypto-mining malware to execute on their devices. For businesses, this type of malware can be very costly," McGuire notes.

Cyber criminals also simply take advantage of the information users freely share on their social media channels, as Professor Kevin Curran, a senior member of the IEEE and a professor of cyber security at Ulster University explains to IT Pro.

"Doxing is the most common way cyber criminals exploit social media platforms," he says. "This is the hacking term for the Internet-based practice of researching identifiable information about an individual or organisation. It can be conducted on public databases and increasingly on social media websites. 

It's with this information that hackers can potentially embarrass, harass, or even blackmail employees in an attempt to retrieve information relating to a company.

"There are some specialised search tools for this technique but the most popular method is to simply conduct searches on search engines such as Google or Bing. The other popular method is to trawl through social media sites like Facebook, Twitter and LinkedIn, which can offer quite detailed private information such as photos, family connections, place of employment, email address and phone numbers."

Another example of a method cyber criminals have also found to be very successful is the exploitation of LinkedIn's 'confirm that you know this person' feature. Fake emails, almost indistinguishable from the real thing, redirect users to sites where malware is automatically downloaded onto their machine. McGuire's report noted that up to 68% of LinkedIn users who receive such emails have clicked on these links.

Recent research by Proofpoint found that hackers are also exploiting the LinkedIn's job search tool, which hackers masquerade as employees from a staffing company equipped with offers of employment. These fake offers are often highly sophisticated in their design and come with fake websites and campaign material, all of which will contain malware.

"Psychological research has found that social media users are a little more open to suggestion and have a greater sense of trust, following leads perhaps a more cynical person might not," says McGuire. "This means they're much more open to phishing attacks; clicking on links and doing the things we all know are bad in terms of malware hygiene."

Safeguarding against Social Media Cyber Crime
It's important to note that banning social media sites from the workplace isn't a sure way of dealing with the threat. An employee will find ways around such restrictions, an act which itself could create even further backdoors into a company's network and yet more headaches for an IT team. What's more, social media is a valuable tool for businesses, and so easy access is not only preferable, it can be essential to its day to day operations.

"Many companies need to have access to social media as this is where they're customers are. I think they're stuck between a rock and a hard place as social media is an important business tool, they can't just ban these networks."

Cyber security experts say that robust cyber security defences are key, and that companies should take advantage of everything from technology to training. Ensure two-factor authentication (2FA) is in place, for example, as passwords can be easily stolen and used in phishing scams.

"The simplest way of mitigating this is to create a company-wide policy to implement 2FA on every account and then implement this for everyone," suggests Jake Moore, cyber security specialist at ESET.

"Offering a password manager with a generator can also make employees update their personal security."

"One of the most effective ways of reducing the harm that social media-enabled attacks can cause is through the use of application isolation within layered defences," adds Ian Pratt, Bromium's president.

"Isolating social media pages within secure micro-VMs ensures that even if a user clicks on an infected app, or other malware, it is contained and the hacker has nowhere to go, nothing to steal and no way to persist - rendering it harmless. However, he adds that some attacks will appear genuine enough to persuade users to act, "so there is a need to educate users too, to ensure employees don't fall victim to such scams".

ITPro

You Might Also Read:

Facebook Is Hosting Multiple Cybercrime Marketplaces:

 

 

« Nasty Phishing Scam Targets Instagram
Easy Cyber Knowledge: Ch.1 Internet History »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TitanFile

TitanFile

TitanFile is an award-winning, easy and secure way for professionals to communicate without having to worry about security and privacy.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

Axis Capital

Axis Capital

AXIS Insurance’s Professional Lines Division is a leading underwriter of technology/cyber coverage and other specialty products around the globe.

MonsterCloud

MonsterCloud

MonsterCloud is a leader in managed cyber security services. Our cyber security team constantly monitors and protects businesses from cyber threats.

ThreatAware

ThreatAware

Total visibility of your business cybersecurity. Monitoring, management and compliance for your cybersecurity tools, people and processes from one easy to use dashboard.

IAR Systems

IAR Systems

IAR Systems are a frontrunner in a changing industry, and a future-proof software supplier enabling the IoT.

Snode Technologies

Snode Technologies

Snode's Guardian cybersecurity platform uses AI and machine learning to monitor, detect and proactively respond to all threats on every device within your network.

Appgate

Appgate

Appgate is the secure access company. We empower how people work and connect by providing solutions purpose-built on Zero Trust security principles.

Hudson Cybertec

Hudson Cybertec

Hudson Cybertec are an internationally recognized Subject Matter Expert for cyber security in the Industrial Automation & Control Systems (IACS) domain.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

Policy Monitor

Policy Monitor

Policy Monitor is a cyber security company founded by experts with extensive experience in operational and risk management.

Nexer

Nexer

Nexer is a modern tech company with expertise in strategy, technology and communication with a strong vision.

SydeLabs

SydeLabs

At SydeLabs, our mission is to ensure the comprehensive security of your AI systems.

PayPal Ventures

PayPal Ventures

PayPal Ventures invests in companies at the forefront of innovation in fintech, payments, commerce enablement, artificial intelligence, blockchain and cryptocurrency, regulatory and cyber technology.

Inroad Technologies

Inroad Technologies

Inroad Technologies provide IT services that help keep your business computers, servers and networks secure and trouble-free.

Umbrella Cyber

Umbrella Cyber

Umbrella Cyber specialises in Cyber Essentials and Cyber Essentials Plus Certification and penetration testing.