While the top 10 FTSE 100 companies have a similar number of social media accounts as the top 10 Fortune 100 US companies, UK brands have twice as many unauthorised accounts on Facebook and Twitter.
The largest UK brands have an average of 325 accounts, compared to an average of 340 accounts for the top US brands.
According to the report, which covers some of the largest UK media, finance, retail and pharmaceutical firms, 80% of Facebook accounts and 40% of Twitter accounts are unauthorised.
The unauthorised accounts include fraudulent accounts that impersonate the brand with the intent of defrauding consumers, protest accounts that attack the brand, partners using the brand without approval, and third parties trying to use the brand to attract an audience to their message.
Unauthorised accounts are not always visibly hostile to the brand they are copying, said the report, citing as an example an unauthorised Rolls-Royce Facebook page that claims to be its official account. The page is very similar to the legitimate Rolls-Royce Facebook page and could lure an unsuspecting audience.
Threat of spam and malicious content on social media
Proofpoint Nexgate researchers revealed that while UK brands are 20% more active on social media than their US counterparts, UK content had 60% more spam.
This higher proportion of spam could mean there are fewer protective measures in place, the report said.
The study showed about 70% of the spam content includes work-from-home schemes that claim the user can make “easy money” working from the comfort of their home. Typically this spam content is inserted into legitimate social media pages as user-generated content, such as comments.
The report said that, if unchecked, spammers are able to use legitimate social media pages to reach tens of thousands of members of social media communities built by top brands.
“Messages like these distract the user and pollute the messages that the brand is trying to send, but also highlight the efficiency of social media spam compared to its email-based counterpart. While it might take tens of thousands of unsolicited emails to reach a single user, a single spam social media post can reach tens of thousands of users,” the report said.
The researchers said that within the authorised social media accounts analysed, the highest engagement activity for a particular account reached up to 14 million followers. This means up to that number of people can potentially see a post from the brand whose comments include scams and malicious content, the report said.
Looking beyond spam to more malicious content, researchers discovered 161 instances of real security risks, which include content that leads to malware, phishing and other malicious activity.
“Since the average number of 'likes' on a particular post is about 1,000, malware and phishing attacks are reaching 161,000 people,” the report said.
A typical example of malware detected on a Facebook page features a malicious link to an app that claims to show Facebook users who has viewed their profile, but installs malware if it is clicked.
Researchers even found content that appeared to be a warning about phishing and fraud, but in fact contained a link to malware.
Phishing and spam content were not the only inappropriate or sensitive content detected in legitimate social media accounts. Proofpoint Nexgate analysis found 1,500 incidents of regulated data, which includes personally identifiable information such as phone numbers, emails, usernames and passwords, and even bank account numbers, posted in the social media accounts of the top 10 UK brands.
Brands suffering from social media process challenges
In addition to the posts containing phishing, spam, and inappropriate or sensitive content, the social media accounts of the 10 UK brands showed they suffer from the same process challenges as the Fortune 100 social media accounts.
The researchers found 35% of social publishing done by the UK brands is through a professional tool, consistent with the Fortune 100 firms. Social media best practices dictate a workflow for posting that includes the use of specialised tools such as Hootsuite or Sprinklr for posting to corporate accounts.
The researchers found that for each of the top 10 UK brands, there are on average nine different apps being used to post or tweet content, which means there are nine apps that brands must account for and monitor. The equivalent figure for the US-based Fortune 100 brands was 14 apps, which means the difference between the US and UK social media practices is one of degree, the report said.
“A profusion of tools undermines the ability of organisations to monitor and control the content of their authorised social media accounts, leading to material that can be at best a distraction, and at worst a liability for the brand and its followers.
“It also increases the risk of account hacks – the more apps, devices and people that have access, the larger the potential attack surface for bad actors. There are more doors into the account whose locks can be picked, and this is confirmed by the recent numerous social account hacks,” the report said.
The report concludes that while the pervasiveness of social media use by and for UK enterprise brands is equivalent to that of the US Fortune 100 companies, the risks and threat activity for UK enterprise brands are higher due to the lack of visibility and focus on social media threats and risks.
Proofpoint Nexgate researchers recommended that companies using social media should ensure they understand their social media infrastructure and take action to deal with the bad actors looking to defraud them, distribute malware on their accounts, perpetrate scams and attack their brands’ assets.
The report underlines the importance of brands taking action to protect their investments, their audiences, and to close social media backdoors into the rest of their communication infrastructure.
To do this, the report said enterprises need to find and track their social media account infrastructure, create security policies for those accounts, create security processes around those accounts, and use technology to drive visibility and enforcement and to measure the effectiveness of those social media security practices.