The Department of Defense is particularly vulnerable to compromise via social media. Despite the Robin Sage and hijacking and defacement of the official Twitter account of the U.S. Central Command incidents, the DoD was slow to formalize a department-wide policy on official and personal social media use. In the meantime, threat actors from low-level scammers to foreign intelligence entities have abused U.S. social media companies for financial crimes and espionage. Due to these two incidents, and many others, DoD has finally created a department-wide social media policy, DoD Instruction 5400.17, to address both external official presence (EOP) and personal social media use by DoD personnel.
Over the past year, ZeroFox threat intelligence analysts observed a significant increase in both the number of targets and financial losses due to what the FBI has coined “Confidence/Romance” scams – a type of scam within the broader category of “social engineering.” These scammers use the military uniform as an emblem of trust to play on human emotions, either to develop a romantic relationship with civilian victims or to lure servicemembers into a relationship using fake dating profiles. The criminals unsurprisingly have no qualms about using deceased soldiers. We are tracking scammers impersonating a Medal of Honor recipient who sadly died of cancer while lobbying Congress for legislative changes. Another data point demonstrating the magnitude of the problem – a now retired four-star general is known to have been impersonated over 52,000 times on social media – the most impersonations of a single individual tracked by ZeroFox to date. Only 15,000 of those times occurred while the general was on active duty.
Romance scam impersonations targeting U.S. military servicemembers and their families are growing at an exponential rate. Servicemembers filed more than 700,000 reports with FTC’s 2021 Consumer Sentinel Network Data Book since 2018. Total losses tallied up to $718.7 million, nearly twice the amount reported over a four-year period in the 2020 Data Book. The actual incidents and losses are likely an order of magnitude higher as most victims fail to report these crimes. From a national security perspective, these statistics should be a wake-up call. The scale of military romance scams degrades trust in the U.S. military and decreases readiness at a time when our competition with both Russia and China is at its highest points in decades.
Romance and confidence scams are not the only objective of threat actors on social media. In August, an unknown threat actor copied the text of an official post from the U.S. Army regarding IPPS-A – the Army’s new integrated pay and personnel system – and reposted it under a fake profile of a current four-star general but changed the email address from army.mil to gmail.com. We can infer the goal of the threat actor responsible for the impersonation was to steal the PII of U.S. Army soldiers but for what purpose – financial gain or espionage?
If that post was part of an espionage campaign it would not be the first time a foreign intelligence entity has created a social media profile impersonating a DoD official. In the defection and espionage case of the former U.S. Air Force counterintelligence agent Monica Witt, her Iranian co-conspirators created a profile impersonating a DoD employee and used that fake profile to target other DoD employees with access to national security information.
Leaders at all echelons must lead from the front on the use of social media. Military leaders tend to be shy regarding social media for obvious OPSEC reasons. However, the U.S. Armed Forces must tell their story or someone else will tell it for them. More units and leaders need to establish official and verified social media profiles. Staying ahead of threats can be as easy as establishing your presence before they do it for you.
That does not mean everyone who is paid to wear the uniform should use ‘cool guy’ photos as their profile pictures. Unless the individual is using social media in an official manner under the EOP guidance, all servicemembers should refrain from profile photos in uniform or using titles and ranks in their profiles. Other photos and posts should be made with strict privacy controls to limit the opportunities for scammers to lift and shift content to a fake profile or view posts that could affect OPSEC. Leaders must demonstrate responsible social media use by being present where their unit’s members are and dissuade them from posting security clearance information.
DoD must also update the policy to mandate official social media managers for EOP use multifactor authentication and a unique password to prevent account takeover. The current version of DODI 5400.17 does not require any specific security controls around official social media accounts. These standard security controls are necessary to prevent incidents like the CENTCOM Twitter account takeover.
DoD should create a new instruction that bridges the gap between 5400.17 and O-2000.22 (Designation and Physical Protection of DoD High Risk Personnel) that focuses solely on digital persona protection. The new instruction would be for the purpose of protecting the digital personas of designated high-ranking individual servicemembers, political appointees, Medal of Honor awardees, and for other servicemembers who are known to have had their likenesses abused.
Fake accounts on social media have been a problem for years. Investors, advertisers and policymakers should push social media companies to identify likely fake and spam accounts and alert any impersonated individuals. Integrity on these platforms is crucial toward building trust with investors, advertisers, and policymakers.
At the moment, the U.S. Armed Forces are the most trusted organization in the United States. That trust is at stake if DoD fails to manage social media risks like account takeovers and impersonations. DoD also has a tremendous opportunity to enhance its image and expand the pool of applicants. Leaders at all echelons are the key to success on the social media battlegrounds, too.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]