Social Media Security#

Securing social media accounts is crucial to protect personal information, prevent unauthorized access, and safeguard against potential cyber threats. For election officials and their staffs, enhancing the security of social media accounts is not just a matter of personal privacy but also a critical component of safeguarding the integrity of your election systems. Election officials are increasingly targeted by malicious actors aiming to undermine election infrastructure and public trust in the democratic process. Election offices can significantly reduce risk by encouraging, or, where appropriate, requiring, these best practices for everyone who works in election administration.

These recommendations are valid for personal accounts as well as official election office accounts.


Enable Two-Factor Authentication (2FA)#

Two-Factor Authentication (2FA), or more generally Multi-Factor Authentication (MFA), enhances the security of your social media accounts by requiring two or more authentication factors to log in, which significantly reduces the risk of unauthorized access. Multiple authentication factors means at least two of the following: (1) something you know, such as a password; (2) something you have, such as a hardware device; and (3) something you are, such as facial recognition or a fingerprint. While every type of MFA has weaknesses, any type is better than using a password alone.

Common Types of MFA#

  • SMS-Based Verification: This method sends a text message with a unique code to a mobile phone, which you must enter in addition to your password when logging in. Despite its convenience, SMS-based verification can be vulnerable to phishing and SIM swapping attacks.

  • Authenticator Apps: Authenticator apps such as Google Authenticator or Okta generate a temporary code that refreshes periodically. You enter this code along with your password when logging in. This is sometimes implemented as a push notification on your phone asking you to confirm you are trying to log in. This method is more secure than SMS because it is tied to your device and not just the cellular carrier’s records of your SIM card.

  • Hardware Security Keys: These are physical devices that communicate with the device you’re using to log in (usually a phone or laptop) either by being plugged in or through NFC (the same technology behind tap-to-pay for credit cards). They are considered a highly secure form of MFA because the key must be physically present to gain access.

Implementing MFA on Social Media Platforms#

Set up MFA: Facebook | X (formerly Twitter) | Instagram | TikTok | LinkedIn

Use Strong Unique Passwords#

Old recommendations for passphrases required complexity and composition rules like using uppercase and lowercase letters, numbers, and symbols. More recent research has found that longer passwords are more secure and easier to remember than complex ones. Reusing passwords across accounts creates the risk that if one is compromised, all your accounts could be compromised. So, use long passphrases and make passwords unique, especially for the accounts that are most important to you.

  • Memorability and Length Over Complexity: A longer password that consists of simple, easy-to-remember words or phrases (often referred to as a passphrase) can be more secure than a shorter, complex password. For example, a passphrase like “3 blue jays sing morning chatter” is both easier to remember and harder to crack than a complex shorter password like “B$1uC@f3!”. (Use spaces between words when permissible.) Older systems sometimes still require complexity—and might even limit how long a password can be—but wherever possible, use passphrases instead.

  • Avoid Personal or Commonly Used Phrases: When creating a passphrase, pick a string of words that are not a common phrase or easily associated with you. Avoid using personal and easily guessed information such as birthdays, names, sports teams, pets’ and children’s names, hobbies, song lyrics, or famous quotes. Do not use easily guessable passwords like “password”, “123456”, or “qwerty”. Visualization is often the easiest way to do this. Try choosing a handful of items from your living room or office (e.g., Yellow Note Pad Blue Pen Apple Laptop). It’ll be easy to remember but effectively impossible for someone to guess.

  • Consider Using a Password Manager: Keeping strong, unique passphrases for each of your accounts presents a real challenge. A password manager solves this problem by securely storing all your passwords in an encrypted format and allowing you to access them in a secure way such as with facial recognition on your phone. Password managers will create strong passwords for you and keep you from reusing passwords across multiple sites. They also protect against phishing because they will only present a password to the same site on which you created it. For added convenience, many password managers allow you to securely sync your passwords across devices. If you don’t use a password manager in your office, work with your IT team to implement this best practice—it’s a lot better than keeping them on a sticky note!
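To put the length-versus-complexity claim above into numbers, here is an added Python example (not from the original document) that estimates the brute-force search space of the two sample passwords from the text under two attacker models: one that tries every combination of the character classes present, and one that knows the secret is a sequence of common words. The 20,000-word dictionary and the rate of 10 billion guesses per second are assumptions chosen for illustration.

```python
import math
import string

# The two sample secrets quoted in the text above.
COMPLEX_PASSWORD = "B$1uC@f3!"
PASSPHRASE = "3 blue jays sing morning chatter"

# Assumed printable-ASCII class sizes: 26 lower, 26 upper, 10 digits, 33 symbols incl. space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_search_bits(secret: str) -> float:
    """Bits of search space if the attacker brute-forces every string of this
    length over the union of character classes that appear in the secret."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return len(secret) * math.log2(alphabet)


def wordlist_search_bits(phrase: str, dictionary_size: int = 20_000) -> float:
    """Pessimistic model: the attacker knows the secret is space-separated tokens,
    each word drawn from an assumed dictionary of `dictionary_size` words and each
    all-digit token drawn from 10**len(token) values."""
    bits = 0.0
    for token in phrase.split():
        bits += len(token) * math.log2(10) if token.isdigit() else math.log2(dictionary_size)
    return bits


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try the whole search space at an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, bits in [("complex, charset model", charset_search_bits(COMPLEX_PASSWORD)),
                        ("passphrase, charset model", charset_search_bits(PASSPHRASE)),
                        ("passphrase, word model", wordlist_search_bits(PASSPHRASE))]:
        print(f"{label:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits):,.0f} years")
```

Even when the attacker is credited with knowing the passphrase is built from common words, its search space is roughly 2^15 times larger than that of the nine-character "complex" password.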

Be Wary of Social Media Phishing Attempts#

Social media platforms are prime targets for phishing attacks due to the vast amount of personal information available and the high level of trust users place in their connections. Easily accessible personal information can aid bad actors in generating spear-phishing attacks against you or your contacts. Below are several concepts to keep in mind when defending against social media phishing attacks.

  • Beware of Suspicious Messages: The most critical step in protecting your social media accounts is to be wary of suspicious messages and direct messages, including friend requests. Cybercriminals often create fake profiles or use a previously hacked account to extract personal information, payment information, or login credentials. Always verify the authenticity of messages that ask for personal information or direct you to log in to another site, even if they seem to come from a friend.

  • Be Cautious of Urgency: Phishing attempts on social media often use urgent and manipulative language to trick users into acting hastily. Be skeptical of messages that create a sense of urgency, such as warnings that your account will be closed unless you take immediate action or offers that seem too good to be true. This tactic is designed to prey on emotions and should be a red flag.

  • Examine the Sender’s Profile for Authenticity: Before interacting with a user you haven’t interacted with before, examine the sender’s profile for signs of authenticity. A new account with minimal activity, few friends, or missing profile details can be a sign of a fake account created for phishing purposes. Also, be cautious of duplicate friend requests from people you are already connected with; this could indicate that the second account is an imposter.

  • Threats from Generative AI: Generative AI enables the creation of highly realistic fake images, videos, and profiles that can easily deceive users and make every one of the threats above more convincing. Stay informed about the capabilities of generative AI and be extra cautious with content that seems unusually sophisticated or too personalized. AI-generated phishing will still use many of the same techniques as traditional phishing, including urgency of action, offers that are too good to be true, and suspicious or slightly altered account names. Use the same tools you would use in avoiding traditional phishing attacks: be suspicious and cautious and verify the authenticity of messages, links, and attachments before interacting with them.

Secure Your Email Account#

Securing your email account is a fundamental step in protecting your online identity given its interconnectedness with various social media platforms. The recommendations listed elsewhere in this document, such as using passphrases and implementing 2FA, are also effective for securing your email account.

The security of your email account is integral to your online safety. By following the steps in this document, you can reduce the risk of account compromise and protect your personal information.

Regularly (or Automatically) Update Your Software#

Update the apps you’ve installed, as well as the underlying operating systems and browsers for your devices. Most devices allow for automatic updates.

How to Set Automatic Updates on iOS#

  1. Open Settings: Start by tapping the Settings icon on your iOS device.

  2. Navigate to General: Scroll down and select the “General” option.

  3. Software Update: Tap on “Software Update” to enter the update settings.

  4. Automatic Updates: Here you will see an option for “Automatic Updates”. Tap into it.

  5. Enable Updates: You will find two options—“Download iOS Updates” and “Install iOS Updates”. Toggle both to the ON position. This will allow your device to automatically download and install updates when they are available.

How to Set Automatic Updates on Android#

  1. Open the Google Play Store: Start by opening the Google Play Store app on your Android device.

  2. Access the Menu: Tap on the menu icon (three horizontal lines), then select “Settings”.

  3. Tap on Auto-update apps: Under the “General” section, find and tap on “Auto-update apps”.

  4. Select an Option: You can choose to auto-update apps at any time or only over Wi-Fi to avoid using data. This ensures that not only your apps but also the operating system receives updates as they are rolled out by app developers and Google.

By following these steps, you can ensure your apps on both iOS and Android devices are always up to date, keeping your device secure and enjoying the latest features and improvements.

Use Secure Networks#

Avoid logging into your social media accounts on public Wi-Fi networks.

Understand the Risks of Public Wi-Fi#

  • Unencrypted Networks: Many public Wi-Fi networks do not encrypt the data being transmitted over them. This means that anyone else on the network could potentially intercept the data you send and receive, including your social media passwords and personal messages.

  • Man-in-the-Middle Attacks: Attackers can position themselves between you and the connection point. Instead of communicating directly with the hotspot, you’re sending your information to the attacker, who then relays it on to your intended destination—but not before they make a copy for themselves.

  • Malicious Hotspots: Some attackers set up Wi-Fi connections with legitimate-sounding names to trick users into connecting. Once connected, the attacker can attempt to infect your device with malware or monitor your internet activity.

Use VPNs for Enhanced Security#

  • Encryption: A VPN encrypts your internet traffic, which means that even if someone were able to intercept your data, they would not be able to easily read it. This encryption helps protect your personal information and login credentials.

  • Choosing a VPN: It’s important to choose a reputable VPN service. Look for VPNs that have a strong privacy policy, do not keep logs of your activity, and offer high-speed connections. Some well-regarded VPN providers include options that are paid as well as some limited free services.

Best Practices for Using Secure Networks#

  • Use Mobile Data When in Doubt: If a secure Wi-Fi network is not available and you must access sensitive accounts, consider using your mobile data instead. Mobile data connections are generally more secure than public Wi-Fi. You may need to change your cellular plan to use your phone as a hotspot.

  • Avoid Public Wi-Fi for Sensitive Transactions: Always avoid using public Wi-Fi for accessing email or conducting any sensitive transactions.

  • HTTPS: Ensure the websites you visit are using HTTPS, which indicates the data sent and received is encrypted. Many browsers have a lock icon to signify an encrypted connection.

Monitor Account Activity#

Regularly monitor your login history and account activity. Many social media platforms provide tools that let you see where and when your account has been accessed.

View your activity logs: Facebook | X | Instagram | TikTok | LinkedIn

You can also determine whether your passwords, email, or personal data have been revealed in various data breaches. HaveIBeenPwned.com collects and analyzes hundreds of database dumps and posts containing information about billions of leaked accounts. You can also set up a notification service to be informed about future breaches.