Protecting Bank and Credit Union Twitter Accounts from Hacking
As banks and credit unions begin to adopt Twitter, Facebook and other social media tools into their mainstream marketing and customer service channels, hackers are discovering ways to lure bank and credit union employees into becoming unwitting accomplices in launching successful phishing attacks. I'll show you how a typical attack occurs and offer suggestions to avoid becoming a hacker accomplice.
Most new Twitter users rely on the Twitter.com website to manage their Twitter activity. Hackers especially like targeting users who use the website method of managing Twitter dialogue as this simplifies their attack. The hacker's steps usually follow a pattern similar to this:
- Identify a bank or credit union using Twitter.com to manage feeds
- Send a tweet to the financial institution like, "It looks like this page on your site was hacked."
- Include a shortened URL in the tweet that's a link to a dummy Twitter login page that looks just like the normal Twitter login page
- When a bank or credit union employee enters his info into the fake login page, the hacker captures it
- Armed with the Twitter login, the hacker then logs into the account and tweets on behalf of the bank
- The malicious tweets include shortened URL links to malicious phishing or malware sites
- Followers of the bank & credit union click the link and the damage ensues
So what can you do to protect your account?
Use an API-based Application for Managing Social Media
First, I recommend managing your social media posts with an application that makes use of the social media sites' APIs, such as Tweetdeck. With these applications, you rarely need to login to the primary website so you are less likely to accidentally divulge your credentials on a phishing site. You'll also find these applications more user-friendly and faster for managing your social media interactions, especially if you're using multiple channels.
Change Your Password Regularly
The old rule still applies even on seemingly harmless sites like Facebook and Twitter. Change your password regularly (once every 30 days) and always use complex passwords or pass phrases.
Be Aware of Your Surroundings - Check URLs
Whenever you're entering credentials on a website, make sure that you check the URL in your address bar to ensure that you are on the website that you think you're on. Since most URLs are shortened in Twitter, and Facebook can obscure URLs through their own redirection utility, it can difficult to tell whether the link is legitimate before you click it. When clicking a shortened URL it becomes even more important to check the URL after the page finishes loading. If you're unsure even after the page loads, then don't rely on the link you clicked, especially if it is a logon page. Instead open a new browser tab and manually type in the URL to the social media site you want to log into.
A better solution is to check URLs before you click them. There are add-ons available for Internet Explorer, Chrome, and Firefox to preview shortened URLs before you click them. Search for 'URL expander add-on or plugin' to find a tool to use.
Have insiders follow & become fans
While this won't necessarily a hacker from stealing your credentials, it can help to mitigate the damage if your account is compromised. Encourage other bank and credit union employees to follow your Twitter feed. While customers will still see any unauthorized tweets, quickly reacting and stopping further account abuse will go a long way toward damage control.
My account has already been hacked. Now what do I do?
If you've found this post because your account has already been hacked, then Twitter offers these tips and Facebook offers this guide for users whose accounts have been compromised.
Make sure also to notify your members and customers immediately and also delete any Tweets or posts the hackers made using your credentials.
Other Recent Blog Posts
Find this useful?
Want to receive our monthly tip to make your website easier to use and safer? No spam, just good advice. Signup!