Is Your CEO’s Social Media Presence Putting Your Company at Risk?

Social media is often a threat actor’s first stop, and no account is at more risk than a CEOs. Here’s how CEOs can protect their social media accounts and companies from cyber attacks.

Written by Gavin Quinn
Published on May. 29, 2024
hacker on a laptop browsing social media with social media icons overlay
Image: Shutterstock / Built In
Brand Studio Logo

Threat actors are increasingly pursuing social engineering and spear phishing attacks against executive team members and employees. To effectively exploit these individuals, their first stop is social media.

Put yourself in the shoes of a criminal. If you wanted to rob a bank, you wouldn’t start with the combination for the safe. You’d have to figure out who works at the bank, what kind of doors they have, what the floor plan looks like and so on. All of these things need to be mapped out to conduct a bank heist, and cybercriminals follow a similar process. Who are the soft targets, whose information is the most exposed and where can you gather the most intel on that target?

7 Social Media Cybersecurity Tips for CEOs

  1. Don’t share your geolocation. 
  2. Save vacation or travel posts for after you return. 
  3. Don’t share who you are with in real time.
  4. Don’t post images that contain potentially sensitive information, like a home address.
  5. Don’t overload personal bios with family member names, detailed history like high school attended or graduation date, especially when that information is listed on corporate leadership pages or company Wikipedia pages. 
  6. Ensure social media accounts are set to private in all categories, or as many as possible if you’re a public figure. 
  7. Check that Facebook, X (Twitter) and LinkedIn are set to be viewable by “Friends Only” and opt out of any data gathering sources.

 From the perspective of a cyber threat actor, you’d start by looking at the entirety of the social media landscape. What leadership is listed on the company homepage, what information is given on their LinkedIn, Facebook and X (Twitter) accounts? Executives need to be trained to be extremely conscious of what information about them is being shared online, because threat actors will uncover every ounce of intel they can to exploit them and their organization. 

 

How Hackers Take Advantage of Executive Social Media Accounts

The first phase in any hacker’s strategy is information gathering. Seemingly harmless information that many users share regularly, including birthdate, family member and pet names, recent activities and locations (check-ins, travel plans), professional connections and colleagues and company information (recent projects, services) can all be used against a target executive. 

Using this personal information, hackers can craft hyper-focused tactics to exploit the executive and the organization at large. A few examples of the types of attacks and vulnerabilities that can result include: 

  • Personal information exposure: Personal details can be leveraged in security questions for password resets, or pretexting in social engineering attacks
  • Reputational damage: Controversial or negative posts can damage a founder’s, and by extension the company’s, reputation. Competitors, disgruntled employees and malicious actors can use the information to tarnish the brand
  • Targeting: News of a large series B investment round can queue a targeted attack because there is likely money on the table to be stolen.
  • Physical security risks: Revealing location and travel plans, or daily routines, can all expose a founder and their family to stalking and physical attacks or harassment

Here is a brief scenario of how a threat actor created a successful attack from information gathered from an executive’s social media page:

Step 1: Information Gathering 

A hacker begins by researching the founder’s social media profiles. They gather the following information:

  • Personal details: Birthdate, family members and pets’ names.
  • Recent activities and locations: Check-ins and travel plans.
  • Professional connections and colleagues
  • Company information: Products, services and recent projects.

Step 2: Crafting a Phishing Email 

Using the gathered information, the hacker crafts a highly personalized phishing email. Here’s an example:

  • The founder recently posted about attending a conference in New York and mentioned meeting an important client named Jane.
  • The hacker creates a fake email from “Jane” using a fake email address similar to the client’s company domain.
  • The email includes an attachment labeled “Proposals.docx,” which actually contains malware designed to compromise the founder’s computer and gain access to sensitive company data.

Step 3: Exploitation

The founder, recognizing Jane’s name and recalling the recent meeting, opens the attachment without suspicion. The malware is executed, giving the hacker remote access to the founder’s device. The hacker now has access to sensitive information, including company emails, documents and possibly credentials for other systems.

Step 4: Further Exploitation

With access to the founder’s device, the hacker can further infiltrate the company’s network, potentially installing ransomware, stealing intellectual property or compromising other key systems. The hacker can also use the founder’s email account to send additional phishing emails to other employees or business contacts, spreading the attack.

More on CybersecurityUnpatched Software Is a Huge Cybersecurity Risk. Here’s How to Address It.

 

Social Media Best Practices for CEOs 

Learning when and how to post things, as well as considering who has access to those posts, is critical for the entire executive team and their families to understand. For instance, it’s fine to post a picture of your car; just be sure to blur out the license plate. If you’re on vacation, post those scenic images after you get home.

Learning how to manage privacy settings for each social account is equally important. Are executives’ social accounts set to “private” mode? Or do they have a completely public, open one? This setting depends on what kind of company they are in and what kind of brand management they’re trying to go after. Public figures are bound to offer more widespread access to their profiles, but the CEO of a local oil and gas company probably doesn’t need a big public presence on open social media. 

Executives must work with their security teams to learn safe social media practices and train their support system, too. Safe social media posting practices include: 

  1. Don’t share your geolocation. 
  2. Save vacation or travel posts for after you return. 
  3. Don’t share who you are with in real time.
  4. Don’t post images that contain potentially sensitive information, like a home address.
  5. Don’t overload personal bios with family member names, detailed history like high school attended or graduation date – especially when that information is listed on corporate leadership pages or company Wikipedia pages. 
  6. Ensure social media accounts are set to private in all categories, or as many as possible if you’re a public figure. 
  7. Check that Facebook, X (Twitter) and LinkedIn are set to be viewable by “Friends Only” and opt out of any data gathering sources.

Take advantage of resources already at your organization’s disposal. Most companies have tools that can be key in finding out what information is readily available online that an individual may not be aware of. Internal public relations or marketing teams often use media monitoring software, so use this to your advantage. This can be a great way to get a sense of what personal identifiable information might be sitting out in the open. You don’t need a multi-million-dollar platform to start tackling the issue. There are also many free tools to try. 

Finally, don’t make cybercriminals’ jobs easier. There is no silver bullet to combat threat actors, but a great place to start is making their lives harder if they’re trying to dig up any useful information. By reducing the digital footprints of executive members and their families, you’re making it harder for criminals to gather the intel they need to exploit the company. Every best practice and security measure adds another layer to your coverage. 

More on CybersecurityWhy Cybersecurity Needs to Be a Priority in SaaS Product Design

CEO Family Members Are Also a Cybersecurity Risk

One of the biggest challenges for security team members tasked with securing executive digital presence is their families’ online activities. It can be easy to track and monitor your primary executive and provide training on Do’s and Don’ts in the workplace. But if their teenage child is constantly posting pictures of their location, addresses, phone numbers and more, then the executive may as well have posted it themselves.

Seemingly innocent information is far from safe. It may be obvious to most people not to share the “biggies” of personally identifiable information (PII), like Social Security numbers, but seemingly innocent information that most of us don’t blink twice at sharing, like a phone number, email, vacation spot or address, can be equally detrimental. 

Cybercriminals are like most other people in this respect: They don’t intentionally make more work for themselves. So, if they have the choice between targeting a CEO whose whole life is on display and one who carefully restricts what they post and who can see their posts, they’ll pick the former. CEOs and other executives often don’t know the subtleties of staying safe online, so give them the training and support they need to do so. Sharing the above information is a good place to start.

Explore Job Matches.