Especially around the holidays, social networking is a fun way stay connected to friends and family and keep in touch with people you rarely see in person.  However, according to the FTC, reports of e-commerce fraud have skyrocketed. Nearly 25% of these reports include a social media hook and 94% of these reports mentioned Facebook or Instagram.  The message is clear: be careful while you are on social media platforms.

In a recent UC presentation, Rosa Smothers, Senior Vice President of
Cyber Operations at KnowBe4, explained that according to Robert Cialdini’s, Professor of Psychology and Marketing at the University of Arizona, “Within the context of Information Security, Social Engineering uses people’s natural sociability to conduct malicious attacks against them in the real world or in cyber space.”  He explains that people should look out for communications using the following tactics:

• Rapport/Physical Appearance: Pretending to be like you and/or have things in common with you. Don’t forget your information may be readily available on your social networking sites.
• Reciprocity: Sending you a gift knowing that most people will feel obligated to give something back. Beware free gifts!
• Commitment and Consistency: Getting you to perform a small task in the hope that you will perform it again without as much scrutiny.  Be very careful with “introductory offers.”
• Conformity: Making you think that everyone else has already taken the action. Don’t be a lemming!
• Authority: Pretending to be your boss or someone with extensive expertise. If an email from anyone, especially your boss, asking you to do something you wouldn’t normally do, question it!
• Scarcity: Pretending you will miss out on a wonderful opportunity if you don’t act quickly. Never act quickly! Slow down and scrutinize all communications.

As a healthcare organization, protecting patient privacy is paramount and there are rules that everyone must follow:

• Never share any patient information or patient photos on social networking sites
• Never post a personal opinion in a way where it might be confused with the official position of UCSF
• Never use the UCSF brand identity on any personal blog or social networking profile
• Never post any information that is proprietary to UCSF

You can further protect yourself and UCSF by adhering to the following practices:

• Don’t give to charities who ask for money on social networking sites. If you plan to give to charities during the holiday season, note that most reputable charities do not ask for money online or over the phone.
• Don’t post anything confidential or potentially embarrassing about yourself. Remember: once posted, always posted. Even if you immediately delete a post, it can still appear or be retrieved.
• Be selective with friend requests and make sure your friends respect your privacy. Criminals can piece together your personal information to guess your passwords, answer password-reset challenge questions, hijack your account, or try to steal your identity.
• Use high security settings on all social networking sites. Look for headings such as "Edit My Profile", "Settings", or "Account Details” and check drop-down menus for detailed privacy settings. If you’re not sure how to do this for a particular site, use a search engine to learn how.
• Use multi-factor authentication, if available. Even if your credentials are compromised, your data would still be safe. According to a recent FBI presentation for the University of California, currently 99.99% of compromised accounts did not have multi-factor authentication.
• Use and maintain anti-virus software and a firewall. Protect yourself against viruses and malware that may steal or modify the data on your own computer and leave you vulnerable to data breaches.
• Install apps and other software from trusted sites only. And keep the software updated once it’s installed.
• Use long and strong passwords or passphrases for your social media accounts. Use a short sentence that’s easy to remember but hard to guess. We recommend at least 12 characters from 3 of 4 categories (uppercase, lowercase, numbers, symbols).
• Use a separate password for each of your social media accounts. If the bad guys get your user ID and password for one of your accounts, they cannot also compromise your other accounts.
• Understand there are risks in using networks you don't control, like public wi-fi. Make sure the site you are accessing uses an encrypted connection by looking for https vs http and heed any warnings you get from your browser. Change advanced sharing settings and turn off file and printer sharing.
• Disable GPS and do not post information about your whereabouts. If the bad guys know you’re on vacation in Europe, they’re more likely to rob you.
• Review credit card and bank account statements to check for unauthorized charges. It’s best to do this as soon as you receive your statements. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
• Log in to your social networking sites frequently to make sure they have not been hacked. This is especially important if you use a particular site infrequently.
• Check to see if your email or phone number have been part of a data breach or your password is in common use. You can check this at the site Have I Been Pwned?.
• Get rid of accounts that are not in use. If an account is closed, it is much less likely to be hacked.

Take the Safe and Secure Social Networking Quiz. Everyone who passes the quiz wins one entry in a drawing for one of six $50 Amazon gift cards.

Additional Information

Rosa Summer’s 10/4/22 Social Engineering Webinar for UC

Manage Your UCSF Password

FBI: Internet Social Networking Risks

National Security Agency | Keeping Safe on Social Media

Cialdini’s 6 Principles of Persuasion: A Simple Summary

FTC: How to Recover Your Email or Social Media Account

Have I Been Pwned?