There's no denying that in the 20 or so years since its inception, social media has rapidly evolved to become one of the most popular online activities. But how private is the information we share online, and how can it be used against us by threat actors looking to commit fraud?
The annual Global Insurance Fraud Summit has identified the use of social media as a key trend shaping the evolution of insur-ance fraud. Investigators must acknowledge the crucial role that social media channels present as a source of data intelligence, says Dennis Toomey, global director for counter-fraud analytics and insurance solutions at BAE Systems. Conversely, consumers must also be educated on the dangers of putting their personal information online.
“Exploitation of social media and elec-tronic communication has contributed to a fundamental shift in how fraudsters operate,” Toomey says. “It’s also rapidly evolving. Criminals are adapting their activ-ities incredibly quickly, often more quickly than defences can be updated to tackle them. And it’s being used on a massive global scale. In the US, for instance, social engineering is used in a third of cyber breaches, with email compromises accounting for more than $1.2bn in victim losses.
”Broadly speaking, social media is creating new opportunities for fraud, particularly for investment fraud, says Peter Hazlewood, group financial crime risk director at Aviva. When it comes to social media, the common line of thought is that if you’re not paying for a product, then you are the product, but many people still aren’t highly aware of the dangers involved with sharing private infor-mation on a public platform.
“For professionals, you need to assume that your social media activity may come into your work life,” Hazlewood says. “Certainly, I always assume that the two things are inter-linked, and the way I conduct myself on social media is with the assumption that our chairman or CEO might see it.”
An area where directors and officers need to be very careful, he adds, is with sensitive information. There have been numerous cases in the past where corporate profes-sionals have gotten into trouble for putting sensitive information online, whether that’s price-sensitive information, disinforma-tion, misleading information or potentially offensive posts.
Faced with the spectre of this threat, says anti-fraud teams are rising to the challenge and are harnessing social media themselves to combat fraud – albeit with caution, as this approach carries its own risks. Many carriers around the globe use social media and open-source intelligence (OSINT) to investigate insurance fraud, although processes, sites and guidelines vary across the industry.
“Carriers have to exercise extreme caution when using this to investigate suspicious claims,” Toomey says. “The good news is that most carriers do, and also have standard operating procedures in place to make sure the investigators stay well within the compliance guidelines.”
Anti-fraud organisations such as Skopenow are now being used not only for fraud investigations, Douglas says, but also to try to calculate how exposed someone is when online.
Meanwhile, Hazlewood says there are several actions professionals can take to protect themselves and their data from fraudsters. First and foremost, he says, directors and officers should always assume that what they put online will be read widely, both within and outside their organisation.
This is especially relevant right now, he says, as information-harvesting fraud syndi-cates are increasingly posing as members of a credible organisation to connect with members of an executive team on LinkedIn. Once they’re in that network, they have access to a lot more information, and they can see what an executive is doing behind the firewall of their privacy settings. This, in turn, enables fraudsters to reshape their methodology to make themselves appear even more credible.
“One of the things that we do internally, especially in respect of our senior exec-utives, is provide training and advice on how to use social media responsibly and how to stay secure,” Hazlewood says. “And that’s certainly something that is good practice for corporates.”