Having covered the risks related to on-line social networking on several occasions, I'd like to outline my tips for using these services securely. In compiling this list, I tried to stay away from impractical recommendations, and did my best to base advice on actual occurrences, rather than theoretical threats:
- Ignore any links embedded in email messages that appear to come from a social networking service. Instead, connect to the site directly by typing its URL or using a bookmark. This will help avoid phishing-style incidents.
- Use HTTPS for as many interactions with the social networking site as possible. Many popular social networking sites, such as Twitter, Facebook and LinkedIn now use HTTPS by default. Other sites might require you to enable HTTPS in the settings/profile area. Alternatively, install a "force HTTPS" type browser extension.
- Review the list of apps and sites that you granted access to your social networking accounts. Deauthorize the services you no longer use; it is usually easy to authorize them again when the need arises.
- Don't include in your social networking communications potentially sensitive information about other people. For instance, some parents don't like revealing the names of their kids online. Understand and respect your friends’ privacy preferences.
- Be skeptical of job postings on social networking sites until you confirm that you're interacting with an official representative of the company where you'd be applying. Avoid responding to offers that sound too good to be true, such as high-paying work-from-home gigs.
- If a friend asks you for money using chat or messaging functionality of a social networking site, confirm that you're interacting with the person you know, rather than an impostor or a bot that compromised the account. This could be a variation of the stuck-in-London scam.
- Be careful clicking on links that use unusual URL-shortening services or those that promise to display shocking or embarrassing videos. If such links bring you to a site that doesn't feel right, close the browser tab without clicking any buttons on the page to avoid clickjacking attacks and other scams.
- Don't download any tools or software updates when prompted to do so after clicking a link you obtained from a social networking site. This could be an attempt to propagate malware.
- Don't use public social networking sites to discuss sensitive company matters, even if you believe you’re interacting with people working for the same company. You might be communicating with impostors or potentially broadcasting to the whole world.
- When sending private messages using a social networking site, assume that some day they may become public. The data might be revealed due to your own error or because the service provider may end up leaking the information inadvertently or through dubious practices.
- Use social networking services in a manner consistent with your employer's policies. When encountering a suspicious situation on a social networking site that may involve your employer’s data or computer systems, let your IT or security staff know.
While the tips above were focused on social networking services, standard Internet safety recommendations apply: Limit the reuse of passwords across sites; keep up with security practices; disable risky browser plugins that you rarely use (e.g., Java).
Like any of our actions that involve interacting with others, using social networking sites exposes us to risks of being scammed, infected or otherwise attacked. My hope is that the tips above provide practical recommendations that allow people and organizations to derive benefits from these communication mechanisms while keeping the risks at a manageable level.