Style Living Self Celebrity Geeky News and Views
In the Paper BrandedUp Hello! Create with us Privacy Policy

Here's what to do to prevent your social media accounts from getting hacked

By NICK GARCIA Published Jun 16, 2024 5:23 pm

You may see a social media friend writing suspicious posts and private messages. You may also see a public service announcement that they or their friend got hacked.

While hackers are liable for the crime, social media users are responsible for protecting their accounts in the first place.

In this first article of our series, cybersecurity experts spoke with PhilSTAR L!fe and shared tips on how to guard against hacking.

Don't reuse passwords

Jonathan Mantua, chief executive officer of Reyes Tacandong Cybersecurity, told L!fe that while there's no silver bullet to kill hacking, one of the best ways to get protected is to never reuse passwords.

"The number one problem we're seeing is users typically use the same passwords across sites," Mantua said. "If one application gets hacked, the hacker may use that same password in other (social media) accounts."

Dominic Ligot, founder of Data Ethics PH, told L!fe that though there is a "natural tendency" for people to use the same identity for convenience, they must learn to use different credentials for social media use and financial transactions.

"You'll never know," he said. "'Yung Philhealth, for example, they have emails, cellphones, and birthplace. Malamang, those are the same identifiers you use in different accounts. Try to break your identities."

Use two-factor authentication

Mantua urged the public to use two-factor authentication, in which a user would be required to either provide a one-time password sent via email or SMS after typing the account's password. There are even authenticator apps like Google Authenticator or Microsoft Authenticator for added security.

Avoid clicking suspicious, 'tempting' links

Does the link look suspicious? Better not click it. Mantua noted that there are "tempting" links that contain pornographic material, raffle prizes, or unclaimed parcels.

"If you don't trust the link, don't click it at all," he said, adding that users must also avoid supplying personal information on gambling sites which are common nowadays.

For Ligot, apps that rely on linking one's Facebook or Google account should be assessed thoroughly. On a personal level, he said he would not link any account involving sensitive apps like banking.

"That would be a bad idea," he said.

Create a burner account

Though it may be a "hassle," Mantua also advised creating a "burner account" with a separate email.

The account shouldn't be connected to one's personal accounts like social media or banking.

Citing personal practices, Mantua said he uses a burner account to check out a new app or game and if ever it was malicious, it won't affect his personal accounts.

"There would be times that it may be too much of a hassle for users, but really, if you're willing to explore, it won't be too much of a hassle in the first place," he said. "It's just one another account. It's not that hard."

Don't be liberal in spreading personal information

Be careful with what you share online. Mantua warned users against being liberal in spreading information like birthdays or anniversaries, especially indicating the month, date, and year.

He noted that while it's ok to celebrate milestones, chances are that one does not truly know all of his social media friends. Some of these friends, in fact, are probably bot accounts farming for information.

"Typically, the passwords of people are the number part involving those significant dates," Mantua said, adding one must consider purging their friends list and limiting their posts' privacy settings.

Ligot said hackers normally target the victim's social media accounts first, getting details about their life. He cited an incident abroad in which a hacker was able to reconstruct an identity based on the details the victim shared on Instagram posts, i.e., birthday, parents' birthdays, address, location of their new house, and the school where they graduated.

"Over time, na-fill out ng hacker 'yung isang credit card application form gamit ang necessary information," he said. "That’s scary kasi if people put their entire lives online, that can be a basis to impersonate you." 

Have a consistent character online

If one can't help but become active on social media, Mantua said the person might as well have a consistent character in their posts so that if hacking happens, others would quickly realize something's wrong with their account.

"Come up with a personal brand so people may know if you're acting in a different way if you're breached," he said. They'd know that kind of posting or messaging is off-brand and have second thoughts that it's really you."

He also warned users against the rise of artificial intelligence-generated deepfake photos and videos, which may be used for identity theft.

"We reached a point that (deepfake) is so good that it's difficult for people to spot even with trained eyes," he said. "But if they know how you behave (on social media), it's easier for other people to think twice. They might even message you on other platforms."

Don't post real-time

Mantua said users must avoid sharing their activities online in real time. This includes a vacation, where one isn't working in their office.

"If hackers are monitoring you, they'd know that you don't have access to your workstation or office environment. Maybe they can launch attacks while you're gone," he said. "Parang budol gang, hihintayin nilang umalis ka."

For Ligot, one may also opt for being low-key online. Not posting much, especially one's photos, lessens the risk, especially for deepfakes.

"But that defeats the purpose of being on social media if you’re always on private. There’s a trade-off," he said. "More importantly, kahit na private ka, if your data is compromised from another source, you can still be infiltrated by hackers."

Make sure your recovery information is updated

Mantua said that before anything else, one must ensure that they have updated recovery information in case anything happens.

For instance, if one's social media account is connected to their mobile number, that number must be active.

Mantua cited a case in which his relative could not recover his account because it was connected to an old mobile number he no longer uses.

Ligot, meanwhile, said that when changing an email, users must check whether their old email isn't linked anymore.

"Hackers can guess your old email and use 'Forgot password.' A lot of Facebook accounts are compromised this way because their account and email and cellphone number were found in one breach," he said.

What to do if you get hacked

Despite several precautionary measures, no matter how careful a user is, there are still instances in which hacking happens. They gave the following advice in case someone gets hacked.

  • Sign out of all devices
  • Change your password immediately
  • File a ticket with the social media (Facebook, X, Instagram)
  • Ask a relative to post on your behalf that you got hacked

Ligot pointed out that coordinating with the concerned platform is important, specifically through hotlines.

"Sometimes they respond quickly, sometimes they don’t," he said, "kaya prevention is really better. Make your access more robust to prevent these incidents from happening."

"The best way is to respond (to the situation) immediately," Mantua said, "so malicious communication would be prevented."