5 Essential Cybersecurity & Privacy Tips for Building Your Personal Brand
The Internet is growing up. So are you. And you’re ready to get out there and break it. You’re going to be an influencer, a digital brand expert, a social media marketing guru. The first brand you’re going to build, you’ve decided, is yours.
Welcome to the fray.
Sowing Your Oats
You’re diving into an $8B market, chock full of people just like you who have decided to make being themselves (or whoever their sponsors pay them to be) their full-time gig. You’re voluntarily (and ambitiously) exposing yourself — or at least what the marketeers deem your most valuable parts to be — to the world (and perhaps the highest bidder?). There are over 1 billion users (potential fans!) on Instagram alone.
What could go wrong?
The opportunities are endless — both for you, and for social engineers (like me) that hack humans as targets of interest (and opportunity). Luckily for you, I’m one of the good guys, and I’m here to help you.
First, a story.
But Everyone’s Doing It…
A friend of mine — let’s call him Bob — decided to build his personal brand as an interior designer. He had spent years honing his skills as an enthusiast, decorating homes for his friends and family as a part-time hobby.
Feedback was very positive, and his work became all the rage amongst his circle, and their connections.
Bob was elated — and so were the peeps who got free decorating.
With much excitement, Bob announced that he would harness his gift, along with the power of social media and the Interwebs, to turn his hobby into a career and bring his designs to the (well-paying) masses.
Bob opened a GoDaddy account, bought a domain, created his Instagram, Twitter, and Snapchat profiles, and set to work. And he worked hard.
60 days into his adventure, Bob had 10 paying clients — more than he needed to earn gown-up money — and several thousand followers on his social channels.
Bob was elated — and so were the peeps who eventually hacked him and shut him down.
90 days into his adventure, Bob was out of business — or at least out of commission.
Bob was devastated. So were his clients. How could this have happened?
Bob’s downfall was due to a nasty combination of (not so skillful, but persistent) social engineering, and poor cybersecurity hygiene.
Let’s Get to Know Each Other First
Bob’s first Instagram posts were pictures of his most intimate design work — his own downtown apartment — and he blasted them out across all of his channels.
Among the likes, comments, and accolades — there was a “woman” who we’ll call Alice, who stated she and her husband were moving to Bob’s home city, and wanted to know what building he lived in to get such a killer view of the skyline she saw in the pictures.
Bob told Alice the name of the building and told her how great it was to live there. Among the continued small talk (online), she even convinced Bob to tell her the floor he lived on.
Bob’s online admirer asked if the building accepted pets. He told her it did, which was lucky for his cat, Morpheus.
And that’s how it started.
Bob’s new friend was able to keep the conversation going by bringing in small details that only a friend or colleague would know — in this case, she was asking about a design contest entry from an industry fair in Los Angeles that Bob had attended.
Alice obviously wasn’t there but found a photo online and used it to describe Bob’s work and how amazing it was — as if she had seen it in person and was in awe of such amazing talent. Certainly, he deserved better than an honorable mention.
Alice mentioned she’d be willing to have a chat with some of her connections in L.A. and possibly get Bob some meetings with higher profile clients.
She asked for a personal email address so she could send Bob some ideas, and said she’d connect with him on his other social accounts as well. She even mentioned meeting up for coffee when she and her husband got to town.
Bob was elated. And so was Alice, who now had everything she needed to launch her attack.
Your Tests Came Back Positive…
Bob was being doxed, a technique where a bad actor works a target to compile pieces of open source (publicly available) information, along with verification information from the targeted individual, to build a profile and do something bad (as bad actors often do).
In this instance, the bad actor (Alice) was verifying information she was able to find on Bob — and then she went to work.
Alice had the building, even the floor, where Bob lived. Bob told her himself. She easily searched online to reverse-engineer the address. Strike one.
Alice had Bob’s personal email address, which he gave her and she verified with a quick note and an even quicker reply. As you’ve probably already deduced, email addresses are also typically usernames — for almost everything. Strike two.
Morpheus, Bob’s cat? It’s a response for Bob’s “secret” security question — “What’s your favorite pet’s name?” — on his web hosting account (and a ton of other things). Strike three.
Bob’s not tech-savvy. Alice guessed that. She also guessed (cracked) the password for his email account using an online tool. Game over.
While Alice didn’t inflict direct financial damage — thankfully she didn’t get to Bob’s bank accounts or credit cards — she was able to take control of two of his social media accounts and his primary email.
Those thousands of followers? Gone (including Alice). Hours of work in selecting and posting photos and stories and comments? Trashed.
Rather than growing his budding business, Bob spent the next four months cleaning up and becoming hacker-free. But that’s for another article.
Sadly, this is a true (and all too common) story. But happily, Bob learned his lesson, and we can all learn from his mistakes.
Let’s Have the Talk.
Here are five essential steps to consider in securing your personal brand on social media. Don’t be like Bob.
#1. Go Hack Yourself.
Before you launch your world-changing online persona, conduct an audit of your current online footprint. It’s easy to get started — Google yourself and see what’s out there.
Sites like Spokeo, Manta, and others routinely post sensitive information including addresses, phone numbers, and in some cases even spouses, relatives, and business associates. In the security world, we call this OSINT — open source intelligence — and there’s plenty of it available.
Marriage and divorce records, census data and birth certificates, and in some cases more sensitive documents like tax returns, vehicle registration, and credit information are out there online for the picking.
Not only is this information useful for a potential bad actor, it can also be considered by people who are getting to know your brand. You don’t want your first impression to be your DUI arrest from 2001.
In subsequent articles, I’ll teach you how to get your information removed from these databases and lock down your publicly available persona.
#2. Now Clean Yourself Up.
Now it’s time to disinfect your online presence. Your entire digital footprint is in scope here.
In addition to restricting access to sensitive data, you should be reviewing what information is out there that you did intend for people to see. Those revealing spring break pics from Cabo? Take ’em down.
The mildly inappropriate meme about needing a beer before work that your best friend tagged you in? Consider removing the tag.
The nasty Yelp review you left for that nasty taco joint on 3rd Avenue? Delete it.
You see the trend here. Anything that could be used to compromise your brand is fair game for a bad actor, a competitor, or an investigator.
As mentioned in my previous article on social media privacy — be intentional with what you post, even if you think others will never see it.
#3. Be Discreet, and Always Use Protection.
This is where the good security hygiene comes in.
Don’t pass account numbers, financial information, personal data — or anything else that you’d consider sensitive — through email, text, or DM, even with people you trust. There are ways to exchange all of this information securely.
Don’t use weak or common passwords for your online social media accounts. Moreover, don’t use the same passwords between all of your platforms. If one password is compromised, a (proficient) bad actor will try all the sites with that same password.
Put a password or PIN on your phone/tablet, or even better, enable biometrics. Where possible, enable two-factor authentication on your individual social apps (Instagram, Facebook, Snapchat, etc.) to prevent unauthorized activity, particularly in a scenario where you ignored the first part of this recommendation and then lost your phone.
These are the big three. I could easily write a whole guide on this portion of the process. In fact, I think I will!
#4. Don’t Get Emotional.
As illustrated in our example, it’s very easy to build rapport, and even friendships, with connections you make online as you’re building your brand. It’s exciting to see these relationships develop as you get closer and increase interaction with your fans and admirers — and your haters. Don’t let emotion take over in these scenarios.
If an interaction seems overly friendly, makes you uncomfortable, or seems slightly suspicious, it probably is. A good social engineer who’s marked you as a target of opportunity will intentionally extend the building period of your online connection in order to divert that suspicion — so you should always do some recon of your own.
Who’s this person connected to that you know? Do they have other followers, or follow others in your market? Do they have profiles on other platforms? These are basic but effective verification steps that you can perform fairly easily.
This is another area where I could, and probably will, write a separate guide to help folks stay safe.
#5. Get Checked Regularly.
Monitor all of your platform profiles for strange activity or unauthorized access. Always review posts where you’re mentioned, tagged, or shared. You can usually control this particular feature in the social application’s settings.
Make it a habit to conduct a periodic review of your online footprint, to include public and private information on your social accounts — and stay consistent with your grooming.
Stay smart on how to get support on your various social various platforms if something goes bad. Technical support is usually just a live chat away and these teams will always prioritize potential security issues.
