Social media security might not be the most exciting part of your social marketing strategy. But it could be the part that saves your business from a critical security breach or major business loss.
Whether you’re a one-person shop or an organization with a large social team, you need to understand the best ways to mitigate the risks of social media so you can better focus on reaping the rewards.
Bonus: Get a free, customizable social media policy template to quickly and easily create guidelines for your company and employees.
Social media security refers to strategies businesses and individuals can use to protect their social accounts from threats like hacking, phishing, and malware.
In this section, we cover:
- Phishing attacks and scams
- Imposter accounts
- Malware attacks and hacks
- Vulnerable third-party apps
- Password theft
- Privacy settings and data security
- Unsecured mobile devices
Phishing scams are some of the most common social media cyber security risks. In a phishing scam, the goal is to get you or your employees to hand over passwords, banking details, or other sensitive information.
One common phishing scam involves fake coupons for big-name brands like Costco, Starbucks, and Bath & Body Works. This is especially popular on Facebook. To claim the coupon, you have to hand over personal information like your address and birth date.
Some scammers are bolder, asking for banking information and passwords for a coupon processing fee.
Romance scams are another common social media security problem: 40% of those who fall victim to this type of scam say it started on social media. The FTC reports that for users aged 18-29, sextortion scams originating on Instagram and Snapchat were of particular concern in 2022.
For Americans aged 20 to 39, social media is the most common contact method for scammers.
Source: Federal Trade Commission
It’s relatively easy for an imposter to create a social media account that looks like it belongs to your company. This is one reason why it’s so valuable to get verified on social networks.
LinkedIn’s latest transparency report notes that they took action on 21.9 million fake accounts in just six months. The majority of those accounts (95.3%) were blocked automatically at registration. But more than 190,000 fake accounts were only addressed once members reported them.
Source: LinkedIn Community Report
Meanwhile, Facebook took action on 1.3 billion fake accounts between October and December 2022. The social media platform estimates that 4-5% of monthly active users are fake accounts.
Source: Meta Community Standards Enforcement Report
Impostor accounts can target your customers, employees, or prospective hires. When your connections are tricked into handing over confidential information, it’s your reputation that suffers. Imposter accounts may also try to con employees into handing over login credentials for corporate systems.
Another type of imposter scam targets brands hoping to work with influencers. In this scam, someone impersonating a social media personality with a high following reaches out and asks for free product.
Working with real influencers can be a valuable marketing strategy. But it’s important to verify that you’re dealing with the real person.
In one of the more embarrassing recent social media cyber security incidents, the personal Twitter account of the U.S. Ambassador at Large for Cyberspace & Digital Policy was hacked in February:
My account has been hacked. Perils of the job…
— Nate Fick (@ncfick) February 5, 2023
If hackers gain access to your social media accounts, they can cause enormous brand reputation damage. If they manage to install malware, there is even greater risk.
In 2022, the “Ducktail” campaign was found to target employees on LinkedIn, then convince them to open an attachment containing malware. The malware used browser cookies to hijack the target’s Facebook Business accounts.
Locking down your own social accounts is great. But hackers may still be able to gain access to your secure social media through vulnerabilities in connected third-party apps
Instagram specifically warns about third-party apps that claim to provide likes or followers:
“If you give these apps your login information, whether with an access token or by giving them your username and password, they can gain complete access to your account. They can see your personal messages, find information about your friends, and potentially post spam or other harmful content on your profile. This puts your security, and the security of your friends, at risk.”
Those social media quizzes that ask about your first car might seem like harmless fun. But online social media challenges and quizzes are a common method for gathering password information or gaining personal details that are often used as forgotten password clues.
By completing them, employees can accidentally create social media security issues.
Don’t answer another online quiz question until you read this: https://t.co/AWI9p5UqcJ
— FTC (@FTC) February 6, 2023
People seem to be well aware of the potential privacy risks of using social media. Overall trust in social networks’ ability to protect privacy and data has been shrinking in recent years. In particular, TikTok has recently been in the news as governments around the world restrict access to the platform on official equipment based on data security concerns.
Those concerns, of course, don’t stop people from using their favorite social channels. The number of active social media users grew 4.2% in 2022 to 4.74 billion people.
Make sure you – and your team – understand the privacy policies and settings for both your personal and business accounts. You should provide privacy guidelines for employees who use their personal social accounts at work.
Mobile devices account for more than half the time we spend online. Social media apps make it easy to access your social media accounts with just one tap.
That’s great as long as your phone stays in your own hands. But if your phone, or an employee’s phone, is lost or stolen, one-tap access makes it easy for a thief to access social accounts. Then they can post to your account, or even message your connections with phishing or malware attacks.
Protecting the device with a password, fingerprint, or face verification helps, but a surprising number of mobile users still leave their phones unlocked.
Source: iProov Digital Identity Report
A social media policy is a set of guidelines that outline how your business and your employees should use social media responsibly.
This will help protect you not only from social media and cyber security threats, but from bad PR or legal trouble as well.
At minimum, the security section of your social media policy should include:
- Rules related to personal social media use on business equipment
- Social media activities to avoid, like quizzes that ask for personal information
- Which departments or team members are responsible for each social media account
- Guidelines on how to create an effective password and how often to change passwords
- Expectations for keeping software and devices updated
- How to identify and avoid scams, attacks, and other security threats
- Who to notify and how to respond if a social media security concern arises
For more details, check out our step-by-step guide to creating a social media policy. It includes loads of examples from different industries.
Two-factor authentication is not foolproof, but it does provide a powerful extra layer of security for your social media accounts. You don’t have to take our word for how important this is – Instagram head Adam Mosseri reminds his followers every month.
Phone? Account? You get it… 😄
🔒 Profile → Settings → Security → Two-factor authentication 🔒 pic.twitter.com/DEaIClhYIb
— Adam Mosseri (@mosseri) March 1, 2023
Even the best social media policy won’t protect your organization if your employees don’t follow it. Of course, your policy should be easy to understand. But training will give employees the chance to engage, ask questions, and get a sense of how important it is to follow.
These training sessions are also an opportunity to review the latest threats on social. You can talk about whether there are any sections of the policy that need updating.
It’s not all doom and gloom. Social media training also equips your team to use social tools effectively. When employees understand best practices, they feel confident using social media for their work. They’re then well-equipped to use social media safely for both personal and professional purposes.
Limiting access to your social accounts is the best way to keep them secure. You might be focused on threats coming from outside your organization. But employees are a significant source of data breaches.
You may have whole teams of people working on social media messaging, post creation, or customer service. But that certainly doesn’t mean that everyone needs to know the passwords to your social accounts.
It’s critical to have a system in place that allows you to revoke access to accounts when someone leaves your organization or changes roles. Learn more about how this works in the Tools section below.
Not everyone who works on your social accounts needs the ability to post. It’s an important defensive strategy to limit the number of people who can post on your accounts. Think carefully about who needs posting ability and why.
You can use Hootsuite to give employees or contractors the ability to draft messages. Then, they’re all set to post at the press of a button. Leave that last button press to a trusted person on your team.
Assigning a key person as the eyes and ears of your social presence can go a long way towards mitigating risks. This person should:
- own your social media policy
- monitor your brand’s social presence
- determine who has publishing access
- be a key player in the development of your social media marketing strategy
This person will likely be a senior player on your marketing team. But they should maintain a good relationship with your company’s IT department to ensure marketing and IT work together to mitigate risk.
This is the person team members should turn to if they ever make a mistake on social that might expose the company to risk of any kind. This way the company can initiate the appropriate response.
Keep an eye on all of your social channels. That includes the ones you use every day as well as the ones you’ve registered but never used at all.
Assign someone to check that all the posts on your accounts are legitimate. Cross-referencing your posts against your content calendar is a great place to start.
Follow up on anything unexpected. Even if a post seems legitimate, it’s worth digging into if it strays from your content plan. It may be simple human error. Or, it may be a sign that someone has gained access to your accounts and is testing the water before posting something more malicious.
Use your social media monitoring plan to watch for:
- imposter accounts
- inappropriate mentions of your brand by employees
- inappropriate mentions of your brand by anyone else associated with the company
- negative conversations about your brand
You can learn how to monitor all the conversations and accounts relevant to your brand in our complete guide to social media listening. And check out the Tools section below for information on resources that can help.
Social media security threats are constantly changing. Hackers are always coming up with new strategies, and new scams and viruses can emerge at any time.
Regular audits of your social media security measures will help keep you ahead of the bad actors.
At least once a quarter, be sure to review:
- Social network privacy settings. Social media companies routinely update their privacy settings. This can impact your account. For example, a social network might update its privacy settings to give you more precise control over how your data is used.
- Access and publishing privileges. Check who has access to your social media management platform and social accounts. Update as needed. Make sure all former employees have had their access revoked. Check for anyone who’s changed roles and no longer needs the same level of access.
- Recent social media security threats. Maintain a good relationship with your company’s IT team to improve your social media security awareness. They can keep you informed of any new social media security risks. And keep an eye on the news—big hacks and major new threats will be reported in mainstream news outlets.
- Your social media policy. This policy should evolve over time. As new networks gain popularity, security best practices change and new threats emerge. A quarterly review will make sure this document remains useful and helps to keep your social accounts safe.
No matter how close an eye you keep on your social channels, you can’t monitor them 24 hours a day—but software can. Here are some of our favorite social media security tools.
With a social media management platform like Hootsuite, team members never need to know the login information for any social network account. You can control access and permission, so each person gets only the access they need.
If someone leaves the company, you can disable their account without having to change all your social media passwords.
Hootsuite is also an effective social monitoring tool that keeps you ahead of threats. By monitoring social networks for mentions of your brand and keywords, you’ll know right away when suspicious conversations about your brand emerge.
Say people are sharing phony coupons, or an imposter account starts tweeting in your name. You’ll see that activity in your streams and can take action before your customers get scammed.
Hootsuite is also FedRamp authorized and Cyber Essentials compliant. Learn more about our risk management program and information security policies.
ZeroFOX is a cybersecurity platform that provides automated alerts of:
- dangerous, threatening, or offensive social content targeting your brand
- malicious links posted on your social accounts
- scams targeting your business and customers
- fraudulent accounts impersonating your brand
It also helps protect against hacking and phishing attacks.
Why are spam comments a security risk? They’re visible on your profiles and may entice legitimate followers or employees to click through to scam sites. You’ll have to deal with the fallout, even though you did not directly share the spam.
BrandFort can detect spam comments in multiple languages and hide them automatically.
The top 5 social media security threats are:
- Phishing attacks and scams
- Imposter accounts
- Malware attacks and hacks
- Vulnerable third-party apps
- Password theft
The best ways to improve security on social media are to limit account access and use two-factor authentication.
Hootsuite’s permissions, security, and archiving tools will ensure the safety of all your social profiles—from a single dashboard. See it in action today.