Keep yourself and your social media safe from hacking and learn about the dangers it poses to your guiding activities and community.
Whether you’re running a social media profile for your unit, district or division, or simply have your own personal account, you won’t want it to be hacked and used by scammers.
If you’re on a social media platform, such as Facebook, you may have witnessed a page, possibly of a local business, getting taken over a scammer or hacker. Often this is done to hijack the followers and direct them to scams and fake products.
The dangers
Once a hacker has taken over your page or personal profile, they have full access to all of the private messages, as well as the ability to change cover photos, profile pictures, names, and post content.
For pages and business profiles, one of the first things they will do is remove you and any other existing admins. This stops you from regaining control and at that point you are at their mercy. Whilst there is hope that the social media platform will hand the page back to you, this is a long and difficult process which rarely ends well.
The security of your fellow guiding members will be threatened. Your hacked account allows scammers to impersonate you and seek to obtain private information or encourage members to reveal passwords, addresses, other sensitive details or otherwise trick them.
If you use the same password on different sites and services, and particularly if hackers have gained access to your email, nothing is safe. For a Girlguiding leader, this would also include your access to GO and, depending on your role, that could open up the details of members in your unit, district, division, county or beyond.
There is a very high risk of reputational damage. Scammers may choose to post whilst your profile or page is still using it’s original name, as existing followers might take more notice if they believe the post is a recommendation for a product or service.
Hackers could choose to watch silently in the background, reading your private communications without your knowledge.
How do they get in?
The most common way that hackers gain access to your email or social media is by using a technique called a phishing attack.
They will send you 1 or more messages whilst impersonating an authority of some kind. They might claim to be Facebook, or Instagram, Linked In, your email provider, or even your employer in the case of large organisations, asking you to fill out a form to verify something.
Often these messages have spelling mistakes or poor grammar. They might speak generally, or refer to departments or organisations that don’t exist. Whilst these are common red flags, carefully crafted attacks can look very genuine.
Once you complete the form, you’ve basically handed over your password details. The keys to your social media, email or other online service. Hackers may target your email account or your social media accounts. And, with your password, they can just sign in as if they are legitimately you.
Another common technique is to encourage you to click or follow a link that results in malicious software being installed on your device. Once done, they hackers can watch your activity, recording your usage, passwords, private data and more.
Sometimes unscrupulous messages, by means of a pure coincidence, may be well timed or relate to something you have. If you’ve recently made a purchase, and the hackers message says ‘payment declined’, or if you are a subscriber of a popular service, for example. Always type websites in manually, or use your device’s favourites or bookmarks feature, to check payment or order statuses – never follow links in messages.
Staying safe
Device security
Keep your devices up to date with the latest fixes and software. Use the official update feature of your device to ensure it obtains and installs the latest releases of its operating system and apps.
Never install software which ultimately comes from an untrusted source. Particularly if this is at the request of someone over the phone or in a unsolicited message – even if it claims to be from someone you know. Your device may warn you if software or apps are unsigned or unverified because it could be malicious.
Avoid ignoring warnings from your device about unsafe links or websites that you have tried to access. Always decline downloads of files that you did not request.
Two-factor security
Enable two-factor security (2FA) for your accounts, when available. This means you will receive a text, or email, or a notification on another device, when a new sign-in attempt is made. This gives you an opportunity to prevent someone using your password.
Do not authorise a sign-in attempt that you did not make (or know to be genuine).
Never provide the code to a stranger, even if they ask for it.
Change your password immediately if you receive an unsolicited notification.
Never follow a link in an email or message claiming to be a 2FA notification. It could be fake. Type the website address in manually, or use your devices favourites or bookmarks feature.
Avoiding trickery
Never follow links in emails to sign-in to a website. Type the website in, or use your devices Favourites or Bookmarks feature to return to websites.
Stop and think! Often hackers and scammers will use urgency or try to panic you, so that you let your guard down. Always assume that the message or telephone call is a scam. Never reveal any personal, financial or password information, ever. It doesn’t matter how real it looks.
Often they will claim that you must verify yourself, your page, your email, otherwise it will be shut down. Never follow links.
Be careful what you reveal over the phone. Scammers will ask a lot of questions, potentially disguising these as security checks, but they will know nothing about you (or even the real answers to those questions). Don’t do all the talking.
Leave the message, end the call. Make it wait and speak to someone you truly know and trust.
No one is protecting you by asking for your password, or requesting you transfer money. Only scammers do this.
Limit your exposure
The more admins a page or group has, or users authorised with admin level access to something, the more opportunities for hackers to trick someone and break in.
Keep the number of admins you have to an absolute minimum. Remove admin access from individuals when it is not appropriate for their role or duties.
For a page or public profile, 2 admins are recommended to ensure access is not lost as a result of a volunteer leaving or no longer being available. For a group you may need 1 or more, depending on how many members you have, and the workload.
There is no need to give everyone in your leadership team full level admin access if they don’t need it.
Act in the interest of security first and foremost. Never award admin level access as an indicator of importance or appreciation. Move swiftly if you have reason to believe a fellow admin has been hacked. You can always reinstate the role once you are sure it is safe.
Abandoned profiles
Unused or old pages and profiles are still vulnerable to attack. There is also a risk that messages and enquiries are going unanswered.
Delete old Facebook groups that are no longer required. Remove the members, then you will be offered the option to delete it.
Monitor your mothballed public social media profiles for messages and to ensure they haven’t been hijacked. Consider deleting accounts for units and districts if they are not going to be used again.
If your division social media is not being maintained, within Girlguiding Kent East county please contact us to arrange for it to be placed into the care of county Marketing and Communication.