Nearly two-thirds of the world’s population (59%, to be precise) uses social media. That’s 4.7 billion potential clients just clamoring for your specific product. Social media is the perfect vehicle for building a loyal following, spreading the word, and creating brand awareness—something you would once have had to dish out big bucks for to an advertising firm, which either did or (all too often) could not provide any linkage between dollars spent and heads produced.

Unfortunately, with that same ease you nowadays can access the public, they can access you. And not always in a nice way. As always, when you get more for less, you’re paying for it through some other channel, in this case: risk! The danger of exposing ourselves unbridled is that we are more—well—exposed! And we have little control over who does what to whom.

If you can reach millions through Instagram with the best of intentions, they can reach you right back, and you have no control over their intentions. If you can hire your next content writer using LinkedIn, someone posing as you can publish a job posting whose entire aim is to phish someone’s credentials and steal their bank account.

And the motivations of these cybercriminals are varied and critical: financial gain, political hacktivism for PR and political gain, espionage (political and corporate), and more.

The Bountiful Social Terrain

It’s little surprise that such a high percentage of cyberattacks focus on social media. When LinkedIn was attacked in 2016, 117 million user accounts—some simple users, but also some major companies—were hacked; the 2020 Twitter bitcoin theft only pulled in $130,000, but the list of influential accounts hacked reads like a page out of the Fortune 500: Apple Inc., Pres. Biden, former Pres. Obama, Tesla’s Elon Musk, Warren Buffett, Amazon’s Jeff Bezos, former NY Mayor Bloomberg, Kim Kardashian, Kanye West, and so on. And many still assert Russia’s ability to hijack the US elections using fake social posts to embolden Donald Trump.

Facebook and Twitter admit that about 5% of their user accounts are fake—that’s 1 potential scammer for every 20 users or just under one billion potential criminals. Just to put that in perspective: throughout the entire world, there are about 10.3 million people incarcerated at any time. Now, even if you fervently believe that a full 11% of criminals get caught, we’re still talking about 100 million criminals worldwide (including petty thieves, tax evaders, and people unwittingly transporting their personal stash of amphetamines through Istanbul International).

Unfortunately, the tools to fight these threats must (by definition) play a game of constant catch-up, where the criminal invents and the hunter responds. Adding to the impediments, cybercrime is much more amorphous than either a delicate hand in your pocketbook or a callous one with a stiletto at your throat. Even the scene of the crime is hard to define: for a cybercriminal, the web can be either the actual playing ground (an actual crime scene) or a mere tool (it usually isn’t illegal to merely snoop). As a tool, the scammer can weaponize social channels for data reconnaissance, which is not necessarily criminal, or data scraping, which more often is. Adding to the murkiness, the definition of criminal activity is encumbered by questions of (and fights over) jurisdiction and the inability of governments to come to a consensus over things as basic as ‘what constitutes a crime.’

Phish Swimming Phreely

It took less than a decade from the inception of the internet for governments to agree on regulatory protection of intellectual property over the internet. Strangely, it’s taking decades for them to agree on regulation and definitions of what constitutes a cybercrime… and they dawdle at the cost of $445B each year (according to old 2014 CSIS data), mostly to the detriment of the industrialized nations, including the US and including China!

Dr. Muhammad Riaz defines four levels of cybercrime: ‘simple’ cybercrime, cyber espionage, cyber terrorism, and cyber war, the latter three of which often focus on the disruption and infiltration of critical infrastructures (information and communication, banking and finance, energy, physical distribution, and human services). Furthermore, the interdependence of infrastructures and the internet is increasing with the burgeoning of IoT devices, such as irrigation and hospital equipment, navigation devices, even the thermostats in our air conditioners and refrigerators. Modern household devices enable remote control through our smartphones; airport approach control can navigate a plane.

Whether a low-skilled hacker using over-the-counter tools, or organized criminal groups, such as Japan’s Yakuza, the objectives can be quite nefarious: everything from holding hospital lives to ransom to the recruitment and training of terrorists. Recently, we have seen military establishments weaponizing social media to sow mistrust, attack critical infrastructures in advance of more traditional attacks, and worse.

Too Little, Too Late

In the perpetual leapfrog of perpetrators and protectors, the technological toolkit is hardly the major problem. Because cybercrime is usually a decentralized activity, it’s difficult to pinpoint the perpetrators. Like many online businesses, a crime boss may reside in one country, his minions in an undeveloped other. Attribution can be easily disguised, and accountability to a specific policing regime is impossible, adding yet another ‘encouraging’ perk to the job. Add to that that, for some nations, the hopefully taxed income of a comparatively high-paid hacker is difficult to forgo, and you actually may have entire governments willing to protect an illegal activity that nothing short of an incursion by a less villainous nation can halt.

Oil might be seen by some as a reason to conquer a dictatorship; hacking is still insufficient cause to launch armies against the Kingdom of Grand Fenwick.

Even NATO and the European Union fear taking a stand on the attribution issue, since this may hinder diplomatic relations with too many questionable allies. Worse: DDoS attacks on critical infrastructures have not yet been defined by anyone as an actual act of war.

The Budapest Convention on Cybercrime was created in 2001. It took six years for the US to ratify it, and that was only after the introduction of provisions by Congress protecting the use of cyberspace for intelligence and other military activities. The convention has still not been signed by Brazil, Russia and India (3 of the 4 BRICS).

Given the lack of consensus in matters of state, therefore, something as trite as Instagram will probably continue to be a Wild West. And so, when surfing our social channels, it remains up to us to be vigilant and take responsibility for our actions, quite simply because nobody else will.

See also:
Part 1 – Small Business – Big Threat
Part 3 – The Social Pit