Wednesday, 17 June 2026

Social Media Threats & Security


Social media offers an outlet for people to connect, share life experiences, pictures and video. But too much sharing or a lack of attention to impostors can lead to a compromise of business and personal accounts.

Attackers often use social media accounts during the reconnaissance phase of a social engineering or phishing attack. Social media gives attackers both a platform for impersonating trusted people and brands and the information they need to carry out follow-on attacks, including social engineering and phishing.

How Social Media Threats Happen

The methods an attacker uses depend on the platform being targeted. Facebook lets users restrict their images and comments to friends, so an attacker will often befriend the target's friends first, or send a friend request directly to the target, to gain access to their posts. Once the attacker is connected to several of the target's friends, the target is more likely to accept the request on the strength of the mutual connections.

LinkedIn is another common social media target. LinkedIn is built for business networking, so a user's network is typically filled with colleagues and other employees of the same organization. If an attacker is targeting a business, LinkedIn is an excellent place to harvest employee names, titles and the organization's email-address pattern for a phishing attack. A large enterprise could have hundreds of networked employees who list their employer and their title. An attacker can use this public information to pick out the employees who have access to financial information, private customer data or high-privilege network access.

Collecting information to steal data isn't the only reason to use social media for reconnaissance. The information posted on social media can also be used to recover passwords or to impersonate business users. Many online accounts let a user reset a password by answering a security question. With enough detail from social media posts, an attacker can guess those answers from what the target has posted about their own life.

Brand impersonation is another social media threat. With enough gathered information, an attacker can pose as a business's brand to trick users into sending money, divulging private information or handing over account credentials. Links sent from an impersonated brand account can also carry cross-site scripting (XSS) or cross-site request forgery (CSRF) payloads aimed at the brand's own web applications. These attacks can escalate into larger data breaches and compromise of business infrastructure.

What a Social Media Threat Looks Like

Because many social media platforms display user posts publicly, attackers can collect data silently, without the user's knowledge. Some attackers go further and contact targeted users or their friends to obtain information that is not public.

The way a social media threat is carried out by an attacker depends on their goals.

If an attacker is after a high-value payoff, targeting businesses is the quickest route to money. An attacker might first review LinkedIn for a list of possible targets. Targets can be a mix of senior employees and low-privilege users who could be tricked into sending corporate data, or who fall for a phishing attack that yields account credentials.

With a list of targets, an attacker then reviews each target's social media accounts for personal information. Personal information helps the attacker gain the target's trust in a social engineering attack. It can also be used to guess answers to security questions for an account takeover, or to get closer to a user with higher privileges. The names of pets, favorite sports teams and education history are all potential password components or answers to the questions used to verify identity during a password reset.
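To make concrete how a handful of public profile facts turn into a guess list, here is an added Python example (not code from the original page) that builds the first candidates an attacker would try for security-question answers and for passwords, and offers a defender-side check for whether a chosen secret is derivable from what the user has posted. The profile is constructed, not a real person, and the function names are assumptions for illustration.

```python
import itertools
import re
from datetime import date

# Constructed profile: the kind of facts a LinkedIn/Facebook reconnaissance
# pass yields. Not a real person.
PROFILE = {
    "first_name": "Priya",
    "last_name": "Sharma",
    "birth_year": 1990,
    "pets": ["Bruno"],
    "teams": ["Mumbai Indians"],
    "schools": ["St. Xavier's College"],
    "city": "Pune",
    "employer": "Acme Corp",
}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
COMMON_SUFFIXES = {"", "!", "123", "@123", "#1"}


def _values(profile, key):
    """Return the facts under `key` as a list, whether stored as one value or many."""
    v = profile.get(key, [])
    return v if isinstance(v, list) else [v]


def _words(profile):
    """Flatten every profile fact into lowercase alphanumeric tokens."""
    words = set()
    for key in profile:
        for v in _values(profile, key):
            words.update(w.lower() for w in re.findall(r"[A-Za-z0-9]+", str(v)))
    return sorted(words)


def security_answer_candidates(profile):
    """Guesses for 'first pet', 'favourite team', 'school' and 'home town'
    questions: each fact as posted, plus every single word of it."""
    cands = set()
    for key in ("pets", "teams", "schools", "city"):
        for v in _values(profile, key):
            cands.add(v.lower())
            cands.update(w.lower() for w in re.findall(r"[A-Za-z]+", v))
    return cands


def password_candidates(profile, max_year=None):
    """Password guesses from profile tokens: word / Word / leetspeak variants
    with common suffixes and years, plus two-token joins such as pet+team."""
    year_now = max_year or date.today().year
    years = {str(y) for y in range(year_now - 2, year_now + 1)}
    if "birth_year" in profile:
        by = str(profile["birth_year"])
        years.update({by, by[-2:]})
    suffixes = COMMON_SUFFIXES | years
    tokens = [w for w in _words(profile) if len(w) >= 3 and not w.isdigit()]
    out = set()
    for w in tokens:
        for base in {w, w.capitalize(), w.translate(LEET), w.capitalize().translate(LEET)}:
            out.update(base + s for s in suffixes)
    for a, b in itertools.permutations(tokens, 2):
        out.update({a + b, a.capitalize() + b.capitalize()})
    return out


def is_publicly_derivable(secret, profile, max_year=None):
    """Defender-side check: would this password or security answer appear in
    an attacker's first guess list built only from the public profile?"""
    s = secret.strip().lower()
    if s in security_answer_candidates(profile):
        return True
    return s in {c.lower() for c in password_candidates(profile, max_year)}


if __name__ == "__main__":
    for secret in ("Bruno1990", "Mumbai Indians", "Pun3!", "correct horse battery staple"):
        print(f"{secret!r}: derivable={is_publicly_derivable(secret, PROFILE)}")
    print("candidate passwords:", len(password_candidates(PROFILE)))
```

The point of the check is the size of the list: eight profile facts produce a few hundred password candidates and a dozen security-question answers, which is well within what an attacker can try by hand against a reset form before any lockout triggers. A secret that this function flags should be treated as already known.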

After the attacker collects all the data needed, the next step is to launch the attack. An attacker can use any of the following methods:

  • Social engineering. An attacker might call employees to trick them into sending private data, providing credentials or wiring the attacker money. In a more elaborate attack, the attacker pretends to be a senior executive to pressure the targeted user into transferring money to the attacker's account.
  • Phishing. An attacker may use the collected social media information to spoof the sender of an email message and trick users into clicking links or sending the attacker private data. A senior employee's address could be spoofed in a message instructing the recipient to send money, click a malicious link or reply with sensitive data.
  • Brand impersonation. Using the names of real brand employees, the attacker can trick customers into believing requests come from the legitimate brand, and so into divulging personal information or account credentials.
  • Site compromise and data theft. With enough information from social media, an attacker could write malware that specifically targets the business, or carry out an attack that yields internal network access from which data can be exfiltrated.
  • Spreading malware. As with brand impersonation, an attacker can register domains and build websites that claim to be the legitimate business and trick users into downloading malware or entering credentials.
  • Data breach. If an attacker obtains account credentials, the result can be a significant data breach of the organization.

Because there are many social media platforms, an attacker can carry out social engineering and phishing through a variety of methods; there is no "one size fits all" social media threat. But the basic reconnaissance and research using social media are the same in every case: any public information on personal and business social media accounts can be used in further attacks.

Ways to Prevent Social Media Threats

Most social media threats stem from employees publicly disclosing too much private and business information. These accounts are personal, so businesses cannot stop employees from having a social media presence, but they can educate them on how to protect their data and credentials.

Education is key to stopping social media threats. Individuals can educate themselves, but businesses must run training programs for every employee so that they can detect and avoid social engineering and phishing. The first step is educating users on the dangers of disclosing too much information to the public. Even social media accounts set to private can be used in an attack if the attacker gains access to the private feed. Users should never post private corporate information on their social media accounts, nor information that could be used in an account takeover.

Some organizations issue mobile devices and allow users to install social media apps. These companies should provide an acceptable use policy that sets out what users may post from company devices. It is also critical to protect these devices from malware so that company social media accounts are not hijacked through them. Remote wipe should be enabled so that a device can be erased if an employee loses it or it is stolen.

Some other educational points for employees include:

  • Use ad blockers on corporate devices. If ad blockers are not feasible, instruct employees to avoid clicking ads, especially pop-ups that tell users to download software in order to view content.
  • Employees should not share passwords, even within the same department.
  • Attackers rely on fear and urgency, and employees should recognize this tactic as suspicious. Any message or social media post that pressures an employee to act quickly should be treated as suspect and verified through a separate channel.
  • Don't accept friend requests from unknown people, even when the requester has several friends in common with you.
  • Avoid using social media sites on public Wi-Fi hotspots. Public Wi-Fi is a common place for attackers to snoop on traffic using man-in-the-middle (MitM) attacks.
  • Corporate passwords should be rotated on a schedule and immediately whenever compromise is suspected. Users should also be encouraged to change their private social media passwords and never reuse a corporate password on a social media site.

IT staff should have cybersecurity defences in place to help users avoid becoming victims. Email gateways can use filtering, including machine-learning classifiers, to catch suspicious messages carrying malicious links and attachments.

Suspicious messages can be quarantined and reviewed by administrators to determine whether the organization is being targeted. Browser isolation is another option for organizations that let users browse the internet. It allows users to browse freely but confines personal web activity to a protected container that blocks downloads, uploads and form fills, keeping threats out of the environment.
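The gateway checks described above can be stated concretely. The following is an added Python example, not code from the original page or from any product, that triages a raw email for the signs the phishing and social engineering bullets describe: a display name borrowed from a known executive on an external address, a message claiming the company's own domain without passing DMARC, a Reply-To steering replies elsewhere, and urgency language. It uses only the standard library. The company domain `example.com`, the `EXECUTIVES` directory and the three sample messages are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
# Constructed directory of staff an attacker would impersonate after a
# LinkedIn pass (display name -> real mailbox). Not real people.
EXECUTIVES = {"ravi mehta": "ravi.mehta@example.com"}
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|right away|within the hour|asap|wire|gift cards?)\b", re.I)

# Sample 1 (constructed): CFO display name on a free-mail account, Reply-To elsewhere.
SAMPLE_BEC = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailhost.invalid; dkim=none; dmarc=none header.from=mailhost.invalid
From: "Ravi Mehta" <ravi.mehta.cfo@mailhost.invalid>
Reply-To: payments-desk@other.invalid
To: accounts@example.com
Subject: Urgent wire transfer - need this done today

Hi, I am in a meeting and cannot talk. Please wire the vendor payment
immediately and reply with the confirmation. Ravi
"""

# Sample 2 (constructed): the real internal address spoofed; DMARC fails.
SAMPLE_SPOOF = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: "Ravi Mehta" <ravi.mehta@example.com>
To: accounts@example.com
Subject: Invoice attached

Please process the attached invoice at your convenience.
"""

# Sample 3 (constructed): legitimate internal mail that passes DMARC.
SAMPLE_CLEAN = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Ravi Mehta" <ravi.mehta@example.com>
To: accounts@example.com
Subject: Q3 numbers

Sending the Q3 summary for review.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_result(msg, method):
    """Pull 'method=result' (e.g. dmarc=fail) out of Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\b%s=(\w+)" % re.escape(method), hdr, re.I)
    return m.group(1).lower() if m else "none"


def triage(raw):
    """Return findings and a verdict (deliver / review / quarantine) for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    dmarc = _auth_result(msg, "dmarc")
    findings = []

    # 1. Display name belongs to a known executive but the address is external.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append("display_name_impersonation")
    # 2. Claims to be our own domain but did not pass DMARC: header spoof.
    if from_dom == COMPANY_DOMAIN and dmarc != "pass":
        findings.append("unauthenticated_internal_sender")
    # 3. Reply-To steers replies to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append("reply_to_mismatch")
    # 4. Pressure language typical of business email compromise lures.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency_language")

    if "display_name_impersonation" in findings or "unauthenticated_internal_sender" in findings:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"from": addr, "dmarc": dmarc, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("spoof", SAMPLE_SPOOF), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw))
```

Urgency wording on its own only earns a review, since legitimate mail is often urgent; the quarantine decision rests on the identity checks, which is why a DMARC policy on the company's own domain matters: without it, sample 2 would carry no authentication result to fail.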

Smartphone Security Guidelines & Mobile Phone Basics

Introduction to Mobile Phones

Mobile phones are portable electronic communication devices that enable users to make calls, send messages, and access digital services. Over time, mobile phones have evolved into smartphones, which combine communication with computing capabilities.

Features of Smartphones

  • Internet connectivity (4G/5G, Wi-Fi)
  • Multimedia capabilities (camera, audio, video)
  • Application support (apps for education, banking, social media)
  • Operating systems like Android and iOS
  • Sensors (GPS, fingerprint, face recognition)

Uses in Education and Society

  • E-learning platforms and digital classrooms
  • Communication (emails, messaging apps)
  • Access to information and research
  • Online banking and e-governance

Smartphone Security

Smartphone security refers to the protection of mobile devices from unauthorized access, malware, data theft, and cyber threats.

Common Security Threats

  • Malware and viruses
  • Phishing attacks (fake emails/SMS)
  • Data leakage and identity theft
  • Unauthorized app permissions
  • Public Wi-Fi risks

General Smartphone Security Guidelines

  • Use strong passwords or biometric authentication
  • Install apps only from trusted sources
  • Keep software and apps updated
  • Enable device encryption
  • Avoid using unsecured public Wi-Fi
  • Use antivirus/security apps
  • Backup data regularly
  • Turn off Bluetooth/NFC when not in use
  • Be cautious with links and attachments

Android Security

Android is an open-source mobile operating system developed by Google. Its openness and the diversity of devices running it make it widely used, but also more exposed to threats.

Key Security Features in Android

  • Google Play Protect: Scans apps on the device and in the Play Store for malware
  • App Sandbox: Runs each app under its own Linux user ID so that apps cannot read each other's data
  • Permission Control: Users grant or deny each app's access to sensitive data and hardware (location, contacts, camera, microphone)
  • Biometric Authentication: Fingerprint, face unlock
  • Encryption: File-based encryption protects stored data when the device is locked or powered off

Security Risks in Android

  • Installation of apps from unknown sources
  • Fragmentation (not all devices receive timely updates)
  • Malware from third-party app stores

Android Security Guidelines

  • Download apps only from Google Play Store
  • Disable installation from unknown sources
  • Regularly update OS and apps
  • Review app permissions carefully
  • Use screen lock and encryption
  • Install mobile security software

iOS Security

iOS is a mobile operating system developed by Apple Inc., known for its strong security and controlled ecosystem.

Key Security Features in iOS

  • App Store Review Process: Strict app screening before publication
  • Sandboxing: Apps cannot access other apps' data
  • Secure Enclave: Isolates biometric templates and cryptographic keys from the main processor
  • Regular Updates: Timely security patches delivered to all supported devices
  • End-to-End Encryption: iMessage and FaceTime traffic is end-to-end encrypted

Security Advantages of iOS

  • Closed ecosystem reduces malware risks
  • Faster updates across devices
  • Strong privacy controls

iOS Security Guidelines

  • Install apps only from the App Store
  • Keep iOS updated
  • Enable Face ID/Touch ID together with a passcode
  • Use Find My (formerly "Find My iPhone") to locate a lost device and erase it remotely
  • Avoid jailbreaking, which disables the code-signing and sandbox protections
  • Enable automatic updates and backups

RBI guidelines on digital payments and customer protection in unauthorized banking transactions & Payment and Settlement Systems Act, 2007

RBI has established comprehensive guidelines to enhance the security of digital payments and protect customers from unauthorized electronic banking transactions.

Digital Payment Security Controls:

In February 2021, the RBI issued the "Master Direction on Digital Payment Security Controls," applicable to Scheduled Commercial Banks, Small Finance Banks, Payment Banks and Credit Card-issuing Non-Banking Financial Companies (NBFCs). It mandates robust security controls across digital payment channels, including internet banking, mobile banking and card transactions. Key areas covered include:

  • Governance and Management of Security Risks: Establishing a structured approach to identify and manage security risks associated with digital payments.
  • Application Security Life Cycle (ASLC): Ensuring security is integrated throughout the development and deployment of payment applications.
  • Authentication Framework: Implementing strong authentication mechanisms to verify user identities.
  • Fraud Risk Management: Developing strategies to detect and mitigate fraudulent activities.
  • Customer Protection and Awareness: Educating customers about security practices and providing mechanisms for grievance redressal.

Customer Protection in Unauthorized Transactions (RBI circular of 6 July 2017, "Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions"):

Zero Liability: The customer bears no loss if the unauthorized transaction results from:

  • Contributory fraud, negligence or deficiency on the part of the bank, whether or not the customer reports the transaction.
  • A third-party breach where the fault lies neither with the bank nor with the customer, provided the customer notifies the bank within three working days of receiving the bank's communication about the transaction.

Limited Liability: If the loss is due to the customer's own negligence, such as sharing payment credentials, the customer bears the entire loss until the transaction is reported to the bank; any loss after reporting is borne by the bank. Where the fault lies elsewhere in the system and the customer reports within four to seven working days, the customer's liability per transaction is the lower of the transaction value and a cap that depends on the account type (for example, ₹5,000 for basic savings bank deposit accounts and ₹10,000 for other savings accounts). Reports made after seven working days are handled under the bank's board-approved policy.

Reporting and Resolution: Customers should report unauthorized transactions promptly, since their liability depends on how quickly the bank is told. On notification, the bank must credit (shadow reverse) the disputed amount to the customer's account within 10 working days, without waiting for the investigation to conclude, and the complaint must be resolved within 90 days.

Payment and Settlement Systems Act, 2007

The Payment and Settlement Systems Act, 2007 (PSS Act) was enacted to regulate and supervise payment systems in India. It ensures the integrity and reliability of India's payment systems, protecting both customers and providers, and promoting a stable digital payment ecosystem.

1.    Designated Authority (Section 3)

The Reserve Bank of India (RBI) is the designated authority for the regulation and supervision of payment and settlement systems in India, responsible for their safety and efficiency.

2.    Authorization of Payment Systems (Section 4)

No person other than the RBI may commence or operate a payment system in India except under an authorization issued by the RBI. Before granting authorization, the RBI considers factors such as the applicant's financial status, experience, the technical standards proposed and the need for the system.

3.    Revocation of Authorization (Section 8)

The RBI may revoke an authorization if the operator fails to comply with the Act or the conditions of authorization, or if its operations are judged harmful to the public interest or to the security of the payment system.

4.    Oversight and Inspection

The RBI may call for returns and information from, and enter and inspect, any authorized payment system to verify compliance with safety, security and operational standards.

5.    Rights and Duties of System Participants

Payment system participants must follow the standards and directions issued by the RBI, and the system must ensure prompt and secure settlement of transactions.

6.    Settlement Finality (Section 23)

Once a payment instruction has been settled, whether gross or through netting, the settlement is final and irrevocable. This protects participants from reversals after settlement, especially where a participant becomes insolvent.

7.    Protection for System Providers

A system provider acting in good faith within the scope of its authorization is protected from liability, shielding it from litigation over unintended errors.

Cyber Security Regulations in India: The Information Technology (IT) Act, 2000

Cyber law, also known as cybercrime law or Internet law, is the legal framework that governs activities and transactions in the digital world. It covers the legal principles, regulations and statutes that address the Internet, computers, networks and electronic information.

The General Assembly of the United Nations, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce prepared by the United Nations Commission on International Trade Law (UNCITRAL); the Indian Act follows that model.

The Information Technology Act, 2000 (IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on 17 October 2000.

·      It is the primary law in India dealing with cybercrime and electronic commerce.

·      It applies to the whole of India. If an offence involves a computer or network located in India, persons of other nationalities can also be prosecuted under it.

·      The original Act contained 94 sections, divided into 13 chapters and 4 schedules.

Chapters of the Information Technology Act, 2000

·      Chapter 1: Applicability of the Act and definitions of the terms used in it.

·      Chapter 2: Digital and electronic signatures.

·      Chapter 3: Electronic governance.

·      Chapter 4: Attribution, acknowledgement and despatch of electronic records.

·      Chapter 5: Secure electronic records and secure electronic signatures.

·      Chapter 6: Regulation of certifying authorities.

·      Chapter 7: Electronic signature certificates.

·      Chapter 8: Duties of subscribers.

·      Chapter 9: Penalties, compensation and adjudication.

·      Chapter 10: The Appellate Tribunal.

·      Chapter 11: Offences relating to computers and data, and their punishments.

·      Chapter 12: The circumstances in which intermediaries are not liable for an offence or breach of data privacy.

·      Chapter 13: Miscellaneous provisions, including the power of police officers and other officers to enter, search, etc., and offences by companies.

Objectives:

• The Act seeks to protect all transactions done through electronic means.

• E-commerce has reduced the paperwork used for communication. The Act gives legal protection to communication and the exchange of information through electronic means.

• It protects the digital signatures used for any mode of legal authentication.

• It regulates the activities of intermediaries by keeping a check on their powers.

• It defines various offences relating to the data privacy of citizens and so protects their data.

• It also regulates and protects the sensitive data stored by social media and other electronic intermediaries.

• It gives recognition to books of accounts kept in electronic form under the Reserve Bank of India Act, 1934.

 

Salient Features

• The Act gave legal sanction to digital signatures.

• It gave electronic documents admissibility in a court of law by amending the Indian Evidence Act, 1872.

• One of its objectives was to legalize electronic commerce.

• It provides a legal framework for electronic governance by recognizing electronic records and digital signatures. It also defines cybercrimes and prescribes penalties for them.

• It directed the creation of a Controller of Certifying Authorities to regulate the issuance of digital signature certificates, and established a Cyber Appellate Tribunal to resolve disputes arising under the Act.

• It amended various sections of the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 to bring them in line with the new technologies.

Offences and their punishments under IT Act, 2000