Cyber security: Social media and social engineering

Automated introduction: Welcome to the Australian Digital Health Agency podcast, supporting health professionals to realise a healthier future for Australians through connected healthcare.

Dr. Andrew Rochford (Facilitator): Hello and welcome to the Australian Digital Health Agency podcast. I'm Dr. Andrew Rochford and I will be your host for today. 
Before we begin, I'd like to acknowledge the traditional owners of the land on which we are broadcasting from and in which you are listening. I wish to acknowledge their continuing connection to land, sea and community and I pay my respects to them and to elders past, present, and emerging, and extend the respect to any Aboriginal and Torres Strait Islander peoples that are joining us today. 

Our podcast today continues in and around cyber security with a focus on social media and social engineering. My panel of experts joining us today to unpack this are: Donna Alexander, who is a cyber security professional with the Australian Digital Health Agency; Greg Gebhardt, who is the Senior Trainer for the eSafety Commissioner; and Shane Jackson, community pharmacist based in Tasmania, and the previous President of the Pharmaceutical Society of Australia. Thank you all for joining me. To kick things off I might go to you, Donna, to help us get started. How can social media be used by malicious actors?

Donna Alexander (Agency Cyber Security Professional): Thanks Andrew. Malicious actors use social media to find out as much about you as they can. They're particularly interested in people that work in healthcare because they're busy. They have access to really valuable information, information that cyber criminals could use to conduct a fraud or on-sell to other criminals to perhaps commit identity theft. Healthcare professionals may have access to someone's full name, date of birth, their address, along with their medical history. That can be sold on the dark web and for very high prices. One of the ways that we're seeing malicious actors use social media is a technique known as social engineering. And this is where they hop online, get as much information as they can about you, and then craft a message that they might send via email, or SMS, or they may even call the person. Hoping that they're a bit distracted and busy and mislead them into clicking on a link or providing information that seems benign but gives them intelligence which they could use to hack your account and then get into the system and get hold of that valuable personal information that you can access.

Dr. Andrew Rochford (Facilitator): Greg, can you help explain to me what spear phishing is, with a ‘PH’ not with an ‘F’, as a technique that's used in this area of social engineering?

Greg Gebhardt (Senior Trainer, eSafety Commission): Well, spear phishing is one of the social engineering techniques. It's quite sophisticated. Phishing is about getting information from people. When we hear the term phishing on the Internet, with again ‘PH’, what we're talking about is that people are being targeted generally in mass. Examples of that could be an email that comes out to maybe 1000 people pretending to be from a bank, but spear phishing seems to be targeted generally at an individual or a group, so there is a purpose to target that group. Now basically, when we talk about social engineering, we’ve used the word malicious actors before. It's really someone who may have a criminal intent to take the profile of someone else to commit a crime or to, in some cases, maybe even abuse or harass them.  And I think it’s important to understand when we talk about spear phishing and being targeted with social engineering is one, they could be using this technique to target you or your organisation. But they could also be getting your information or your organisation’s information and using that to target someone else. I think a lot of us have heard of some of the targeted scams around someone pretending to be from the NBN. Trying to sell you a product or upgrade your Internet access. While these people have selected people they are going to target, so the spear phishing is these people are in the areas where the NBN is about to come out, so they've been very carefully identified. And then the person will do a lot of research to take over the identity of someone from that organisation or they'll get into social media and try and get the information. And this can also be cases where someone is trying to get into a friendship group and target someone in that group with abuse or other issues that really cause concern for them. So very much about picking a victim, finding ways to get in and being very clever, so that you'll be successful in targeting that person.

Dr. Andrew Rochford (Facilitator): Shane, as a healthcare professional, how wary are you of the fact that obviously social media is a target point?

Shane Jackson (Director of the Australian Association of Consultant Pharmacy): Andrew, absolutely aware. Certainly, for myself and my staff, and especially over the last sort of 12 months, through the COVID-19 pandemic and an increase in electronic communications that are coming into any healthcare environment, including community pharmacy. You've got a heightened level of suspicion about any correspondence, and certainly the things that I tell my staff, are that if you can't absolutely satisfy yourself that the correspondence that's come into the pharmacy, whether it be email or whether it be communication via any other mechanism electronically. If you can't absolutely verify and satisfy yourself that that's a legitimate source of communication, then you should feed it up the chain in the context of the decision-making process. We've really tried to heighten the awareness and also explain the risks to the staff around those types of issues from an electronic communication perspective, the things that can go wrong, so that they understand the issues that might occur. And I think it's that understanding from a staff point of view, in any healthcare environment, that's really important. And that heightened suspicion level that people need to have. Because those individuals who are essentially trying to gain access to information are really relying on people to be less suspicious than we want them to be.

Dr. Andrew Rochford (Facilitator): Thanks Shane, so Donna there was a recent ASIO campaign known as “Think before your link”. Can you tell us more about that?

Donna Alexander (Agency Cyber Security Professional): Happy to talk about that, Andrew. The ASIO campaign is focused on Australians with access to sensitive information such as those working in healthcare, and what it does is it teaches people to think before they link with someone on social media. Malicious actors using professional networking sites to approach targets and mislead them into sharing sensitive information, unfortunately is becoming all too common. And very skilled cyber criminals are finding ways where they can leverage traits like being open on social media, such as on LinkedIn, about your professional work history and the different roles that you've had, the organisations you work for, give them clues about who to target to try and extract information that might be significant for essentially espionage purposes. Similar to other online scams, they might use a sense of urgency, an offer that seems maybe too good to be true, or even a little bit of flattery to get you to share sensitive information. Often these people claim to be from a recruitment agency, particularly if they're approaching you via LinkedIn. And they may say that they have a job, a role that may be of interest to you. It may be very highly paid and it's best to verify that, and one way that you can check that that actually may be a genuine offer that you don't want to miss out on is to ask them for other details or another way to contact them. Can you have a look at their website from the company that they're purporting to be from? Can you call them on a phone number, rather than chat to them via social media? This is what the campaign is about and if you hop online and have a look for it, you'll find that there is a range of information in there for organisations and for staff: guides, posters, wallet cards, brochures, already made, ready to go; and circulate around the organisation to raise awareness of this new threat.

Dr. Andrew Rochford (Facilitator): Thanks Donna. So now we have a better understanding of the fact that there's a connection between oversharing on social media and obviously the potential for it to be something that results in social engineering and a cyber-attack and one that sounds like it could potentially be very personal cyber-attack. I'd like each of you now to start offering some advice to our listeners on how to better protect themselves from these types of outcomes. Greg, do you mind starting?

Greg Gebhardt (Senior Trainer, eSafety Commission): I'm happy to start with that one and I think one of the key parts with social media is just understanding why you might get targeted in there. And again, the criminal activity that happens, as far as finding someone that you may be able to exploit, if you look at Facebook about 2.7 billion active monthly users, we look at WhatsApp 1.6 billion active users a month, Instagram 1 billion, Twitter 186 million. There's a lot of people in social media, so the reason why you're going to be targeting there is the pool of people that can be tricked or deceived is much, much greater. So, with that in mind, it's really important to think about your security and putting privacy in place and really encouraging people to think about having settings. So, it's friends only, not open to the public. When you do allow people to come in or you do invites knowing who they are and making good decisions about them. If you've got people in your social media accounts that you feel maybe they shouldn't be there or they're not serving any purpose, there's no communication, being comfortable about blocking or deleting them, and if something happens reporting them. All the social media companies have terms and conditions and community standards about behaviours online and they also have really clear instructions about how to block and delete in those areas, and I think it is about just making good decisions when you get online that you want to get the best out of social media, you want to be able to use it but you also want to safeguard yourself, your friends and family, and also your organisation that you're working in.

Dr. Andrew Rochford (Facilitator): Shane, do you have some advice that you could offer?

Shane Jackson (Director of the Australian Association of Consultant Pharmacy): Probably two parts. The 1st is reiterate Greg's comments around privacy settings. I think that's the first thing that people can do, is to make sure that they've got appropriate and adequate privacy settings for their personal information. Noting that without adequate privacy settings, then it's not just their friends that may be viewing what they're posting on their social media accounts, it might be extraordinarily broad. That's just to reiterate Greg's comments, the privacy settings. And I think the second point is, that when people are using social media in the context of their professional work environment and I'm thinking LinkedIn and Twitter here. That they really try and do that in the most professional way that they can. If they're sharing information from their workday or work life, that they're really critically evaluating how they do that. So, they're not exposing any patient information, work site information, those types of things. That they really say to themselves, is this necessary? Is it useful and have I done the right thing from a professional obligation point of view? In not only protecting themselves, but protecting the patients they care for and protecting the work site that they work in.

Dr. Andrew Rochford (Facilitator): Thanks, Shane. Donna?

Donna Alexander (Agency Cyber Security Professional): Thanks, Andrew. I think it's also important to make sure that when you're posting things online, you do a quick check before you let it go. Earlier I spoke about the ‘think before you link’ mantra. I'm going to give you another one that we use at the Agency all the time which is: think before you click. Think before you click post. So that you don't breach the privacy of your colleagues, your employer, or your patients. That means checking photos carefully as well as the content that you're posting to make sure that there's nothing sensitive in the background. There'd be nothing worse than putting up a photo and then discovering it's got some patient information or something about the organisation that you didn't intend to share. It's also important to make sure that you're not sharing anything that's defamatory in nature. There’ve actually been some recent cases where people making defamatory reviews of healthcare services have been taken to court and have been successful. And laws are changing around social media, both at the Commonwealth and at the state level, so it's good to be aware of that when you're using a social media platform as an individual or as a healthcare business. The other part of it is, there are some positives to using it for your business. And it is also something that could be prone to a cyber-attack. We recently saw that due to some of these laws changing, some of the platforms actually stopped people being able to see your social media presence. The same thing can happen in a cyber-attack. So, thinking about how that platform is part of your overarching incident management plan for cyber incidents as well as how you post things on it that protect your reputation and the reputation of the organisation you're representing, are all important parts of using social media in a safe way.

Dr. Andrew Rochford (Facilitator): Greg?

Greg Gebhardt (Senior Trainer, eSafety Commission): I just want to reinforce the point that Donna made around cyber abuse online and maybe someone being targeted. I'm pleased to say that currently, new legislation is going through, for the eSafety Commissioner to have stronger powers to be able to remove that content online. And certainly, we've got some really strong partnerships with the social media companies to help anyone in any organisation but especially at the health area, if you do have an issue online. But a couple of other things, I think is pretty important to be aware of what you put online. One thing is thinking about geolocation, so when you put photos or videos online, the default setting is often that they are geotagged, so someone would know the exact location where that photo or video was taken. And also thinking about two-factor authentication. I'm pleased to see that a lot of the social media companies now will send you a message if someone's trying to get into your account from a device that hasn't previously been used before. But that also comes with a bit of trust, because many of those two-factor authentications require you to give your personal phone number to a social media company. And I think one of the things that's important, is to think about how you're going to use the technology. How do you think that you're going to put your safety and safe measures in place? And are you comfortable putting that information sitting online? I know that there's a generation of young people that used the Myspace software before Facebook and probably have things left sitting online that they've forgotten the password to go and remove. So, it's not just what we put on now, it's the long-term impact of what we're putting onto the Internet.

Dr. Andrew Rochford (Facilitator): You all touched on it, but do you think it's important to reinforce that idea of, especially in the healthcare setting, how users separate professional and personal? Because it is a tricky world to navigate. Because, as Donna pointed out, there are the positives associated with it. There's also the negatives associated with it.

Do you think that's something, especially in the healthcare sector, that needs to be reinforced, really getting that that clear boundaries and understandings around those? Setting aside the personal information you're sharing, but just the nature of blurring those lines when you are working in the healthcare sector, Shane?

Shane Jackson (Director of the Australian Association of Consultant Pharmacy): Yeah, thanks for that question, Andrew. I think that’s really important. I think we all know that you if you're thinking about Facebook or any other sort of medium at the moment, there's a lot of groups that people might utilise to, I suppose, talk about their day or how their work life is. And I know for pharmacists, there's Facebook groups where a lot of people might post things that have they've had a struggle with in their day or they might have had an interaction with a difficult patient, so to speak or a difficult work colleague and I think it's those types of forums where people need to think about, as Donna was saying, think before you click. Sometimes those environments aren't the best place to post those issues. They can be quite a broad forum. Those individuals that might be being posted about might be members of those forums in fact. It may well have been better to address the issue in a non-digital world, than in the digital world. So, I think people have got to really think about what they're doing, how they're doing it, and how people who might be commented about might perceive that if they were aware of that. And in some cases, they might become aware of that. And I think people, especially healthcare professionals, need to act in a very professional way. In the context of posting difficult interactions and like I said, it may not be that the Facebook groups are the best way to do that. It may well be a 1 on 1 interaction with a with a colleague about advice about how to approach a difficult situation because we know those groups can sometimes have a life of their own and they can be shared outside of what some people might think are closed groups. It might be perceived very, very negatively and the intent was for it not to be negative, and I think people just need to think about that before they do it.

Dr. Andrew Rochford (Facilitator): Thanks, Shane. Donna, do you have any other key areas of advice that you could offer to people you know when navigating social media and other online platforms?

Donna Alexander (Agency Cyber Security Professional): Absolutely, I think that focusing on professional expectations and your reputation is really key to using these platforms to benefit from them. So, when they use positively, I mean they're a wonderful forum for people to educate and promote preventative health measures, to share ideas and knowledge with other professionals as well. And even perhaps attract other skilled healthcare workers to your organisation because they've had a positive interaction with you online. The flip side of course, I have actually seen an employee sacked because of a personal social media post they put on Facebook that was disparaging of the organisation. So, before you post anything you really want to think about who is likely to see it. And also, can you have a look at does your workplace have a policy? There are also some general high-level guidelines out there offered by the Australian Health Practitioner Regulation Agency. You can hop on their website and see ways that you can meet your professional obligations when using social media.

Dr. Andrew Rochford (Facilitator): Greg?

Greg Gebhardt (Senior Trainer, eSafety Commission): I want to reinforce the points that both Donna and Shane have made there about personal use of the technology. And what we're seeing is the blurring of the boundaries nowadays where the work situation or workplace comes into the home space, that we do get work information, we do training, we're constantly checking our devices because of work content in the home. And then it’s vice versa, we go to work, and we've got our social media and we may check that at lunchtime or a break or our family things are coming through. So, it is quite difficult in those areas, and I think it's important to put some really key thoughts into what you do put online. The point you made about things being opened up from private groups. People often say, well, it's a private group, there's no way possible for it to get onto the Internet. But you only have to have one person in that private group decide that it's interesting or maybe they think it might be something they can sensationalise and make a copy and put that into their own platform which may not be closed down, so it becomes public very quickly. And certainly, we know that you might see something one way, but someone might interpret that a completely different way, and that can cause issues in there. One thing also thinking about this is the use of the technology by staff and in the school situations in education and also university. eSafety has developed a toolkit which one of the resources in there is staff use of social media. Now that could quite easily be adapted to a health organisation. If you're looking for something to give you some guidelines to assist and to support your policies and procedures in those areas, so it is important to think about what is the practices or the best practices that we have in the organisation relating to your personal use of social media as well.

Dr. Andrew Rochford (Facilitator): I don't mind who helps out with this question but is there any good resources that people could access outside of the ones that have already been mentioned to help them learn more about managing social media and the risks of social engineering?

Donna Alexander (Agency Cyber Security Professional): Sure, Andrew. The Agency has a free Digital Health Security Awareness course. That covers some of the things we've been speaking about and more. It also has ‘Think before you click’ guidance materials and these are materials that you can use within your organisation, things like postcards to give people little reminders about the importance of this. You can look at ASIO’s ‘Think before you link’ campaign as well, as we mentioned earlier. And in terms of the privacy aspects of all of this, the Office of the Australian Information Commissioner has some excellent information on their website to help people out.

Greg Gebhardt (Senior Trainer, eSafety Commission): Well, the eSafety website is very much about safe use of our technology and has a fairly big focus on social media. So, we've got a lot of content that sits there and in a lot of areas that we haven't really discussed today. We have a platform around eSafety women, and we know that in domestic violence situations, technology is often being used to hack, control, monitor people, we've got a lot of resources in there to understand that part of the environment. We've got an eSafety Guide sitting on our website with about eighty of the most popular games and apps used by both young people and adults with how to put privacy settings in, how to report negative experiences. We're also running a whole lot of webinars that are all free on our website and we work with lots of different groups, from corporate to parenting and also youth support services, mental health and well-being that can really give you advice on what's happening in social media. The peer pressure that happens for people to be connected and their behaviours. And our commissioner is regularly putting out blog posts on the latest issues, especially around some of the new things that we're seeing like deep fake technology happening at the moment and others. It's a great place to visit, I really recommend people have a look at some of the resources sitting there. And as many of you may be aware, we work from one and two, three to four years of age with our early years program, right through to seniors and another part that's really important is we're now developing a lot of these resources in different languages, and I think that can be really valuable for lots of households.

Dr. Andrew Rochford (Facilitator): Absolutely, I would just like each of you now to offer some final advice that you would provide to other healthcare professionals about using social media safely. Shane, do you mind going first?

Shane Jackson (Director of the Australian Association of Consultant Pharmacy): Thanks Andrew. What I would say, my final comments would be that organisations and individuals should have a process for regular review of their social media accounts and usage. In the context of individuals, that's the comments we were making before about regular review, privacy settings and those aspects. From an organisation’s perspective, I think it's about looking at whether the expectations of the organisation are changing or have changed over time. In that context, it's making sure that those social media accounts are regularly monitored and somebody's actually responsible for them. It's easy for posts or different aspects of how you might use social media to go a bit viral sometimes. And I think in the context of having somebody who is responsible for managing those accounts, looking at the comments that are coming through, responding, so that consumers or people interacting with those social media accounts are getting the experience that they need as well and that it's a positive experience for the organisation and the individuals who are interacting with those accounts. I think managing a social media account on behalf of an organisation is not something that people should be doing off the side of their desk, so to speak. They need to have people dedicated to it and regularly reviewing the goals and the expectation of the organisation as well.

Dr. Andrew Rochford (Facilitator): Thanks, Shane. Greg, any final advice from you?

Greg Gebhardt (Senior Trainer, eSafety Commission): I think that policy and procedures part is very important in organisations around social media, especially with the blurring of the boundaries as I mentioned before. I think also not only just having policy and procedures, but maybe some best practice guidelines within organisations. The other thing I'd add to that is how do you ensure that all of your staff are aware of what those policies and procedures are? How do you ensure that they all understand the best practice guidelines and why they're put in place, and also knowing where to go within your organisation or externally if there's an issue. Where to get help and where to get support. And I think they're really key parts of the process of trying to ensure that all the technology used in your organisation is done in a positive way.

Dr. Andrew Rochford (Facilitator): And finally, to you, Donna.

Donna Alexander (Agency Cyber Security Professional): Thanks, Andrew. I think that social media is a fantastic tool for healthcare professionals and healthcare organisations to use when it's done in the right way. Some of the things we've discussed earlier, think before you click or link, are simple little mantras to keep top of mind as you use these tools. An extra word of caution though I would add is that there is a prevalence of little pop-up quizzes or requests for surveys or use your sign-in with your social media account. And I just ask people to be very careful with that. You really need to check when you're entering those quizzes or surveys or signing in who else is going to see that information. Where is it going to go? Because sometimes it can be handed on to third parties. And you may not realise. Sure, sometimes that may result in just a little extra spam, but in worse situations it can involve you allowing a malicious person to access your organisation’s or your own social media account and do all kinds of havoc. They might post something that you wouldn't want them to post about you or your organisation. But most importantly, I think that our listeners can find lots of great information online to help them navigate keeping their personal and their professional reputation intact and benefit from using social media.

Dr. Andrew Rochford (Facilitator): Thank you Donna, thank you Shane and thank you Greg, for joining me on this podcast today and all your valuable insights into how you can stay safe on social media. Thank you to everyone also for listening today and we hope that you will join us next month as we continue to explore cyber security in healthcare. You may also be interested in previous cyber security podcasts by the Australian Digital Health Agency covering the topics of phishing, ransomware, and password management. And we'll catch you next time.