Social Media Slip-Ups: Mistake or Malicious?

An ocean of ink has flowed about the risks of social media for financial institutions. The publicized dangers usually concern a bank that had its reputation undermined by the inadvertent disclosure of private or personal financial information via social networking.

A 2014 Accenture paper on social media quotes the head of privacy and information management at a major bank who says, “The biggest risk for me is our employees disclosing information about our clients on social media.”

Sometimes, employees use poor judgment about what to share on social platforms, and bad outcomes occasionally follow.

As a result, banks in the social media space, plus many government regulatory agencies, have called for the adoption of social media policies by financial institutions. These policies are used partly to stem the rising tide of “oversharing” that jeopardizes reputation and compliance.

But there’s another serious problem: bank employees may also be vulnerable to exploitation, based on what they’re sharing about their own lives and work responsibilities. Hackers, identity thieves, and criminals often use social sites to locate employees and determine if they’re vulnerable to attack.

For example, by searching social media, here’s what I can tell you about ‘Creighton Harrison’ without having met him. His name and bank details have been changed for the purposes of this exercise.

For five years, Creighton has been an IT supervisor for a rapidly expanding regional bank with 12 branches. He graduated from a middle-of-the-road college with an associate degree in engineering. He’s never been promoted at his job, he posts often on social media, and most of his Facebook friends are in technology or share his passion for motorcycles, competing in motocross races, and speed. He’s the father of two children, one with special needs due to an unusual vision disorder, and his marriage is in trouble, partly due to consumer and medical debt. His wife works part-time at a public library, and he fantasizes about winning the lottery so he can buy a rare motorcycle he’s had his eye on. He also dreams of owning a motorcycle dealership and sponsoring motocross races.

“Creighton” put all of this on social media. Employees like Creighton are referred to as the ‘soft underbelly’ of banks because they offer easy access points for financial criminals. He works with highly sensitive data in the most-secure department of the bank. Unfortunately, his penchant for sharing personal details on social media may unintentionally compromise his employer’s security.

The Wall Street Journal recently called bank staffers “the greatest danger” in the effort to protect bank data. Banks know that when their tech employees identify their positions and responsibilities on social sites, they can become targets for spearphishing. Mistakes are inevitable, and hopefully, training and testing can weed out most mistakes.
However, malicious activity by data thieves is a different kind of problem, and banks may not see it coming. Employees may not see it coming, either.

What looks and feels like a genuine social community of shared interests may be a front that enables a data thief to gain the confidence of possible bank employee targets. These thieves may be patient, moving otherwise trustworthy employees slowly down a path to compromise sensitive information. It could also take very little time to seduce disgruntled employees into criminal cooperation.

Standards in a social world require financial institutions to monitor the social media activity of their employees, and to analyze the content so employers can make sense of the chaotic mass of messages. This can help a compliance team spot risky activity incited by data thieves.

When developing social media policies, monitoring systems, and standards, banks need to acknowledge that some social media risk is inadvertent and unintended. It could take far less time to seduce disgruntled employees into criminal cooperation.
