What to do when the world is watching:
A simple guide on cybersecurity practises after going viral
Tools and resources on staying safe online during a period of virality
You can't predict or plan on going viral so when it does happen, are you aware of the cyber implications that come along with it? This post will highlight things you should know and the ways businesses and individuals can protect themselves after going viral. Often, becoming viral means there’s now a much larger audience out of your control with a spotlight on you, for a business this can be positive, it means more engagement in content, potential sales and expansion into more digital spaces. But there’s a dark side to this viral rise, more attention isn’t always positive as this now means you’re on the radar of malicious attackers. In recent times, we have seen Black businesses who have gone viral, now also see a flurry of negative reviews to try ‘bring them down a peg or two.’ Do we all remember when The Honeypot founder Bea Dixon went viral and Trust Pilot had to stop reviews on their platform after people who had never used her products, took offence to Bea wanting to build a platform for black girls?
Doxing, is the Internet-based practice of researching and publicly broadcasting private or identifying information about an individual or organization. The methods employed to acquire this information include searching publicly available databases and social media websites, hacking, and social engineering.
Doxing can affect anyone. Nobody is outside the possibility of being doxed. Being able to control what information is out there can often be difficult but knowing what’s out there about you can help stop any damage.
Staying safe from doxing
- Make sure your profiles are private and do not reveal too much personal identifiable information (i.e your name, address, and email/mobile number)
- Maximize your social media privacy settings!
- Delete accounts you no longer use. There’s no reason to still have that Bebo account with the information you shared years ago before you were aware of cybersecurity
Do you know what Google says about you?
I recently wrote an article on Open Source Intelligence Gathering, the ‘art’ of finding out information using just search engines. Knowing what comes back when you search for your name is important as the first thing malicious actors will do, is search for your name. If you have a business and it’s listed on Companies House, unfortunately, this means potentially your business address (which may be your home address) and your D.O.B will be easily searchable. There are also websites which utilize the open Electoral Roll and openly publish addresses + names of people living at that address. Malicious actors aren’t always a creep hiding in a bush, unfortunately, journalists can prove to be problematic. Let’s take a look at Marcus Hutchins, the cybersecurity professional deemed to have saved the NHS from the Wannacry Ransomware attack. Well, British tabloids repaid him by camping outside his parents' house, attempting to bribe friends for ‘juicy stories’ about him and forced him to move due to the constant invasion of privacy. Understanding what is out there about you should be the first step in managing your online profile.
Should your personal email be the same as your business email?
Your email is often the key to the kingdom. Most services you have to sign up via email. With lockdown and the rise of e-commerce sites, people have been operating businesses via the likes of Instagram, Twitter and Facebook (and of course Shopify etc). A common mistake people make is to use their personal email as the source of contact for all their businesses, newsletter signups, service sign-ups and social media platforms. This is not to say you can’t safely run a business via an Outlook or Gmail account, but unfortunately in this day and age, your email will have most likely been leaked in a data breach. You can check on services like HaveIBeenPwned to see if such has happened.
If you are to go viral, attackers will be looking for this kind of data. So let’s say you have added your email to your Instagram using an innocent feature such as the Contact Us box. If you have used a personal email that has previously appeared in a breach. It’s not that difficult to find a paste bin of Leaked Information containing your username and password. Whilst you may have changed the password by then, it gives the attacker an insight on what they are dealing with. If your name is Gloria Nokthula Moyo, and your password is “Nokthula1234” chances are, you’ve most likely opted for another guessable password. And in fact, all the attacker now has to do is use the combination on various sites, and chances are, you may have missed one.
Don’t let the email to your Stripe be the same email to your Paypal where I can find it on Instagram and use it to log into your Shopify after finding a leaked password from a data breach you didn’t investigate 🙃
How can you protect yourself?
- Set up 2FA (Two Factor Authentication) where ever possible. You can either use 2FA by SMS, Google Authenticator or Microsoft Authenticator. This is an added layer of protection, plus if malicious actors are trying to log into your account, often you will get geo information from the login attempts.
- Set up business emails — This includes purchasing a domain for your business, if you’re trading via a Hotmail and don’t own a domain, with the added notion of going viral, what’s stopping someone from buying up your domain name and then cybersquatting?
- Password management — Utilize the suggested passwords by Apple/Chrome/Password managers like LastPass. Whilst it can seem like an inconvenience, losing access to your email because you had a weak password can be so damaging.
Know your traffic!
Companies have reported an increase in DDoS attacks during the lockdown. Distributed Denial of Service attacks is targetted traffic with the intention to bring down a website. It is a form of sabotage and often when people go viral, a mixture of genuine traffic and malicious traffic can be a cause of concern for website owners.
How do I stop this?
- DDoS Mitigation tools like Cloudflare ensure your website can manage traffic. By utilizing machine learning and blacklists of already known malicious actors, they are able to separate your traffic and ensure your website is always up. Platforms such as Wix, Squarespace and Shopify already utilize similar technologies in the background of your website, but sometimes this may not be enough.
And if I don’t have a business?
If you don’t have a business but would still like to monitor search traffic, tools such as Ahrefs exist to help you understand when traffic around a certain word (your name) increases.
Virality isn’t always a positive experience, and for the average person, they are not prepared. The invasion of privacy, be it digitally or physical means we need to do a lot more to protect our information. Practises such as doxing has unfortunately led to ‘swatting.’ This is where a malicious actor using your personal information, makes a hoax call to the emergency services in an attempt to bring about the dispatch of a large number of armed police officers to a particular address. Recently in America, there has been a rise in Neo-Nazi groups attempting to use this tactic to target Black churches and spaces. Our information online must be protected, as sadly, our lives can now depend on it. Virality goes beyond a tweet being popular, in this current climate, unfortunately, many activists in the Black Lives Matter movement have been identified by personal identifiable information available on the internet. Often throwing them into a spotlight where they have been targeted by neo-nazi groups.
I leave you with the story about the Philadelphia protestor who was identified via purchases on Etsy, tattoos on her massage business website and LinkedIn as a reminder that often when information is put together, it paints a bigger picture.