
In 2017, online digital publications announced the latest threat to consumer safety: hackers using vulnerabilities inside WhatsApp to spread malicious code via files sent using the app. In March 2019, a security researcher announced that a bug in Facebook Messenger gave hackers an open door through the user’s web browser. The bug has since been patched, but the vulnerabilities continue.

These days, the targets are much larger. Hackers are now using applications like WhatsApp and Messenger to launch phishing campaigns to target corporations across the globe.

With more businesses using messaging and file-sharing apps to conduct international conference calls, such a move by hackers is a natural next step in cyber warfare. In spite of this, many companies have yet to recognize this growing threat to their IT security. This is not surprising, given that many businesses are accustomed to thinking of their vulnerabilities in terms of better-known methods: typically attacks on servers, phishing emails, and social engineering.

What methods are attackers using?

Hackers have taken their methods and applied them in new territory. A recent report reveals that 71 percent of all fraudulent transactions in the second quarter of 2018 came from mobile banking apps or more broadly used apps and platforms like Facebook Messenger and WhatsApp. By exploiting vulnerabilities in phone and message apps, hackers are expanding their reach.

Such attacks are not new. In 2017, Kaspersky Lab reported that hackers have been attacking banks and government institutions in over 40 countries using “legitimate and reputable applications.”

Even with tighter security controls around company servers and networks, hackers have figured out ways to step up their use of apps as a means to gain entry. In one recent case, a message was sent via a company’s WhatsApp account, purportedly from the company CEO. The message:

"I need to inform you of a confidential acquisition regarding a payment that I need you to secure on my behalf. I am on the line with my lawyer now, can I give you a call shortly?"

However, the CEO was not making the request. It was the work of hackers, who had used a weakness in WhatsApp technology to send the message. Fortunately, the request was never fulfilled. The staff member who received the message reported the suspicious request to the IT department, which was able to determine that the request was fraudulent.

In addition, the company had protocols in place that would have prevented any money from making it into the hands of hackers. Their procedure for approving financial transactions involved three steps requiring sign-off from designated people and phone verification.

Unfortunately, not all companies can avoid falling victim to hackers, even with stringent authorization protocols in place. Bitcoin exchange Binance was the victim of a large-scale security breach in May 2019 in which hackers diverted $40 million in bitcoin. Using several methods of attack, hackers obtained user information, including two-factor authentication codes, which allowed them account access.

From there, the thieves were able to withdraw 7,000 bitcoin from the company’s internet-connected wallet.

That the hackers obtained the two-factor authentication codes made this particular theft difficult to avoid. Yet the company’s losses could have been worse: the amount of cryptocurrency in their online account was just 2 percent of their total cryptocurrency holdings. Binance announced a few days after the breach that the company would be making up that 2 percent with company funds. For some companies who cannot recover as quickly, a loss of 2 percent of holdings could be a major setback.

What to look for

Breaches of social media apps tend to follow a methodology similar to that of breaches that occur on company networks and email systems.

Companies and employees should be on the lookout for the following activity or behavior:

– Requests made via any social media app purporting to come from senior leadership. Is the name spelled correctly? Does the user name match the one the senior manager uses? Are the requests going to the appropriate person? Has the request been verified by phone with the senior manager it purports to come from?

– Unfamiliar/unrecognized phone numbers. Much like email requests that use the person’s name but come attached to a completely different email account, social media requests coming from an unrecognized phone number should be treated with suspicion.

– Unusual behavior. Most CEOs would not use a social media app to make financial transaction requests. Nor would they use social media to ask for confidential bank account passwords or login credentials. Who can verify your CEO’s whereabouts and request activity? For requests that are not financial in nature, is the language typical of the person reaching out, or is there something not quite right about the request?

Prevention strategies

Here are a few things to keep in mind when using social media as part of your business:

– Never make financial requests over social media – and make it company policy to not honor such requests.

– Educate all staff. From senior leadership to administrative personnel, all employees should understand that social media will not be used to request money or sensitive account information, and that such requests will not be honored.

– Have a process for vetting all online requests. Have all monetary requests vetted through C-level management as well as examined by IT.

– Regularly update passwords. Reset all passwords on social media apps and alert IT to any suspicious activity – even that which isn’t a monetary request.

– Establish and actively use a three-step process for financial requests. Before releasing any funds, know who is authorized to approve such requests. Also, have in place a process that requires voice verification, including selected passwords that are changed regularly, as well as sign-off from key personnel. With every financial request, make sure to follow the procedure without exception.

As companies adopt more social media tools to conduct business, cyber thieves and social engineering attempts will continue to grow in frequency and severity. Companies must be alert to the potential risks associated with using social media apps, including knowing how their own practices are opening the door to exploitation.

Companies should establish strong verification processes and should have written social media policies in place. Likewise, companies need to educate employees on the policies, and on how to handle requests that seem out of the ordinary. Hackers will continue to find new ways to breach company systems. Staying one step ahead of the risks means examining your business activities from every angle to help reduce exposure and loss.

About the Author: John Coletti is Chief Underwriting Officer, Cyber & Technology – North America. He can be reached at
