NAFCU Services Blog

Feb 21, 2013 by Sundeep Kapur

What Brands Can Do to Circumvent Social Hacking

Originally published on

Guest post by Sundeep Kapur, Author, Digital Evangelist and Director of Strategic Marketing for NCR Corporation.

A simple heist. I went for an afternoon stroll in my grandparents' neighborhood (Mumbai, India) when I literally bumped into a young man on a bicycle. The "bump" slowed him down, I heard the words "thief," and saw a group of people chasing him - the young man was caught. The strategy used by these thieves was innocent: young men play ball, the ball enters your community, three young men enter your community to look for the ball, two men steal stuff, a small truck meets them on a distant road, and they are off!

It happens online too. You get a "connection" request on social media. (I used the word connection to imply no one particular social media channel - it could be Facebook, Twitter, Google+, or even LinkedIn.) It's from a brand you know. You join the forum and start paying attention to the discussions. You soon start noticing a couple of individuals who are actively involved on this brand's page and are receiving "affirmations" (likes/endorsements/retweets) from the brand. You now get a friend request to connect personally, you do, and you end up downloading something malicious.

Your personal information is harvested and the trouble begins.

The state of South Carolina lost a lot of consumer data to an international hacking cartel - more than 4.5 million records stolen. The People's Liberation Army of China (PLA) is being blamed for a coordinated hack on U.S. assets. My travel company sent me an affiliate offer with a malicious link.

Who is to blame? The cyber crooks instigating this crime? The consumer for being so gullible? Or is it the brand that gets the blame? Is it not guilt by association? After all, we don't expect this kind of behavior from friends of friends.

Usually, it's the brand that bears both the blame and the responsibility. It's well worth it for the brand to educate consumers about the perils of being phished or "pharmed."

Brands need to have three types of communications - before the event, to help circumvent the phish; during the event, to assist in reducing the impact; and after the event, to both assuage the consumer and prevent this malicious cycle.

The challenge lies in the messaging - most brands are unprepared, the messaging has not been approved, and it takes a significant amount of time to get the message out to the consumer.

An Rx for your brand. Get your team on board by educating them about the potential crime. Get your management team to understand the impact. Now write out a message to your consumers as if your brand has been compromised, choose the channels you are going to use to deploy this message, make your team aware of what has been done, and solicit management approval to execute. Do this now! As if you have been hacked.

You should also share this type of information with your consumers to make them more aware. Education might lead to prevention, your brand people will be more aware, and you are prepared to deal with the situation. I have seen brands wait for more than 72 hours to respond and by that time it's both ineffective and disengaging.

Brands should also "check out" the people they are endorsing so they don't create an implied connection of trust.

Was it enough? The state of South Carolina offered citizens one free year of credit monitoring and a ton of worry. Why wouldn't the hackers wait for the year to pass before making their moves?

My travel company started off their apology campaign by offering me a 20 percent off coupon to a restaurant. They ultimately ended up waiving six months of my membership fee - I am sure they had to do this for many and this was a real loss of revenue in addition to a loss of face.

Your brand can do a lot better and preempt this through education. Use your social media to raise awareness; it will get more of your consumers to pay attention to the message and the "responsibility" of your campaigns.

So did the gang get caught? The young man who got caught stealing the bicycle refused to divulge the names of those he was working with. So the cops used a combination of Google and Facebook to find a few "associates." Next they used the young man's SIM card to track calls made to a particular set of numbers. Using mobile tracking they raided a warehouse full of stolen merchandise. This cyber gang was selling merchandise on a major digital shopping network.

When the thief "bumped" into me we both fell. His fall helped us catch him and left me with a bruise and a lot of excitement. I thoroughly enjoyed being part of the investigative process. This is not my real job. I usually spend time with brands helping them both build up social engagement and consumer trust.

Sundeep Kapur will be presenting the Leveraging the Power of Integrated Media Workshop session at NAFCU’s 2013 Strategic Growth Conference. Register today so you don’t miss out!

You can also watch a recorded webinar Sundeep Kapur presented, eMarketers Exclusive—Top 10 Trends of 2013.
