A new social media service, Nextdoor, is gaining steam as we come out of the COVID-19 pandemic. The platform is used to share trusted information about one’s neighborhood, to give and get help (can I borrow a tractor?), to get business recommendations, or to find out about local public services. Nextdoor is a unique and novel way of bringing neighbors together in an online platform similar to Facebook; however, CyberHoot and others have strong privacy concerns.
Nextdoor recognizes the potential for abuse on social media platforms and has implemented a number of security features (hide my street address), guidelines (civil discourse), and policies (no political advertisements), all of which are required when you sign up for the app. However, these don’t prevent all scams, misuse, and even harassment.
Security Features
CyberHoot recommends the following actions in order to help you stay safe and protected while using Nextdoor. Even if you’re not currently on the platform it’s a good idea to know the risks of Nextdoor so you can share with friends and family who use it.
Hide Your Street Number
First and foremost, enable the tool to hide your street number from your ‘neighborhood’. Everyone can still see your street name, but not your full address. This is vitally important to protecting your privacy in some hacking scenarios. For example, if your neighbor’s Nextdoor account is hacked into, do you want the hacker to see your home number?
- Select your Profile Picture in the top right corner
- Select Settings > Privacy.
- Look for the Show Address to my Neighborhood setting
- Select the option that only shows your street name
Watch out for Phishing Messages
Like any online account, a hacker may break into your neighbor’s Nextdoor account and send you a phishing email or seek emergency funds in a payment scam.
Oftentimes, you can detect cybercriminals just by looking for some of these common red flags when you receive a message from someone you allegedly know but the contents of the message don’t add up:
- Spelling mistakes and bad grammar
- Different fonts and incorrect accent placements
- Messages asking about login credentials
- Mismatched links (the link text doesn’t match the link that appears at the bottom of your browser when you hover your cursor over it)
- Unexpected messages from a sender who urges you to take some sort of action (change password, change billing information, etc.)
Nextdoor messages have been sent by hackers who have broken into someone’s account to “hack the neighborhood”.
Privacy Issues Abound
Nextdoor defines what data is collected from you and how it’s used in Nextdoor’s privacy policy. CyberHoot research shows they prohibit neighbors from selling the private data they have access to on Nextdoor; however, the company itself markets that data to third parties for profit. If you use Nextdoor on multiple devices (computer, phone, tablet), it collects data from all those systems. If you log in to Nextdoor through your Facebook account, it can take data from there as well. Privacy is not protected well for users of this app.
Do Your Research on Recommendations
The Nextdoor app could be useful for asking neighbors about local contractors and businesses based upon neighbors’ experiences. However, there have been reports of Nextdoor users hiring contractors for home repairs, only to be left with an incomplete or botched project after having paid thousands of dollars. It’s generally a good idea to research businesses by reading online reviews from multiple sources (Angie’s List (now Angi.com), Trustpilot) – not just a Nextdoor referral.
Meet in Person for Payments
Scammers and cybercriminals are known to use third-party payment apps to collect payments from their victims. If neighbors refuse to meet in person for cash payments, then there’s a chance someone hacked into their account and is trying to scam you.
Never Share Personal Information
Giving personal information to any neighbor on Nextdoor can put you at risk. Accounts of yours could be compromised, causing you to lose money or other items of value. Never give your login information, email address, phone number, credit card numbers, bank account, social security number, or any other personal information.
Reporting Content and Users
Users can report content they think violates the community guidelines. Posts, comments, and user profiles can be reported so the Nextdoor team can review their activities and take proper action.
To report a post or comment, select the top right of the poster/commenter’s name and select Report post or Report comment. To report a neighbor, access your Neighbors page or tab from the main menu, select the neighbor you want to report and then select the down arrow (web) or three dots (mobile app) followed by Report.
Users can also message ‘Neighborhood Leads’ about spam or unusual activity. The ‘leads’ are normal users in your neighborhood who have special permissions to help with moderating neighborhood activity. If you see something suspicious, message them directly about it.
Users can stay informed about all scams that the site is currently dealing with by visiting its Crime & safety section in Nextdoor’s Help resources.
What Else Should We Do To Secure Ourselves?
In addition to our recommendations for the Nextdoor platform, you and your company need to take proactive measures today to reduce your chances of being a victim. CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt two-factor authentication on all critical Internet-accessible services
- Adopt a password manager for better personal/work password hygiene
- Require 14+ character passwords in your Governance Policies
- Follow a 3-2-1 backup method for all critical and sensitive data
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Document and test Business Continuity Disaster Recovery (BCDR) plans
- Perform a risk assessment every two to three years
Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.