Phishing, in all its forms, is the most common method of cyber-attack and has been responsible for everything from ransomware to credential theft. Cyber criminals carefully craft these attacks to mimic your trusted partners (banks, streaming services, governments, etc.) to trick us all into giving away our information and to gain access to critical systems. Many computer users are aware of phishing via email, but may not be aware of the rise in Vishing, Spear Phishing, Whaling, Baiting, and more.

Social media is often overlooked when it comes to personal security habits, practices and awareness, because of how much personal information is shared and how easy it is to connect directly with nearly anyone online. Cyber criminals have taken note and are actively carrying out a variety of new attacks on those platforms.

Phishing and impersonation on social media platforms have exploded in recent years and are now a key part of most cyber criminals’ playbooks. There has also been an explosion of new, fraudulent social media accounts that are designed to trick people into accepting friend requests and sharing private information. Unfortunately, many people are easily deceived when they use social media platforms such as Facebook, Instagram, Twitter, and LinkedIn, since they’re on there to socialize and may not be aware of these social engineering scams.

Cyber criminals are tracking us and our activities online so that they can craft ever more clever phishing attacks, using the information we share online to learn about us, our habits, and our contacts. In the case of “Whaling” and “Spear Phishing”, these criminals strategically select their targets, learn all about their personal lives on Facebook and their professional lives on LinkedIn, and then build a very specific phishing campaign that might include email, phone, text, and in extreme cases an in-person component. Now that most people have a public profile on one of these platforms, scammers can send a direct message to anyone at any time and know whether it’s been received and read. We must all be vigilant about protecting our information and spotting fake and malicious accounts and activities. To protect yourself online, you first need to build an awareness of the potential risks, and because these threats are constantly changing and adapting, you must always be vigilant when using technology. To lower the risk of falling victim to these types of attacks, we would make the following recommendations:

Make Your Profile Private on Social Platforms

Cyber scammers love public social media profiles because they can gather information about you to strike up a conversation, track your activities, and collect your various pieces of contact information. In more direct attacks, these cyber criminals will clone your profile and set up a fake page to phish your connections, essentially pretending to be you online. Or they’ll use fake profiles to connect with you in order to gain your trust, share links, and build an attack profile to use against you in the future.

You can reduce your risk by making your profile private to only your connections. This means that only people you’ve connected with will be able to see your posts and images, not the general public. You may still want to keep your profile public on sites like LinkedIn, where many people network for business, but you can see how to make your Instagram, Facebook, and LinkedIn profile private below.

Hide Your Contacts/Friends List

Scammers will research your activity online, looking closely at the people and pages that you interact with regularly so that they can learn about your preferences, activities, and communication style. This kind of information might seem mundane, but think about it – every successful bank heist starts with a reconnaissance mission to learn how the bank operates and where its weaknesses are.

One other caution is to consider what information you are sharing through posts, comments, and surveys. Over the years there have been hundreds of social media posts asking seemingly entertaining questions that actually expose important private data. By responding to online games with questions like “tag your five best friends growing up” or “share your favorite vacation spot”, you could be publicly sharing information that could be used to verify your identity to organizations like banks and credit card providers.

Hiding your friends or connections list can help prevent social media phishing scammers from using your social media profile to gain access to your connections. This privacy option is available on platforms such as LinkedIn, Instagram and Facebook and can be accessed through the settings and privacy pages.

Be Wary of Links Sent via Direct Message & in Posts

In social media, links are the preferred method of phishing. It’s difficult to tell where you’re going in a social media post because the links are often shortened.

For example, the URL “https://tier3it.ca/2022/13/01/4-ways-to-combat-social-phishing-attacks/” shortens to “https://t3it.sc/4wtcbs/”.

Scammers have learned that using free link-shortening services like bit.ly allows them to make a link that looks legitimate, but will actually take you to a compromised site that they control. For this reason, we suggest you exercise extreme caution when clicking any links in a social media post or direct message.

A scammer may reach out to you on LinkedIn to inquire about your business, with a link to a website that they claim is theirs. Don’t click on links in direct messages or social media posts unless you’re sure they’re legitimate. It’s possible that they lead to a phishing site that pushes malware onto your computer or collects your data through well-crafted forms. The best option is to open a browser and search for the business’ site, or enter the domain directly, so that you can be sure of its authenticity.

Even if a connection of yours sends you a link, make sure to check out the source. Shares on social media are frequently motivated by the visual appeal of a post and not by a thorough investigation into the author’s credentials.

Research Before You Accept a Friend Request

It can be a fun experience to be asked to connect via a social media platform. It could be a new business opportunity or an opportunity to reconnect with a former student or coworker. Fraudsters will try to take advantage of you by using phishing scams. They’ll try to contact you, which could be a precursor to a direct message. They establish trust in the communications by imitating someone you know to extract more information from you.

If you receive a friend request, do some research on the person by viewing their profile, searching them on another platform, or using a search engine first to look for any “red flags” that just don’t seem right to you.  For example, visit the company webpage to see if they’re listed as a current employee.  Or you can search their name on Google to see if they come up in any search results that are related to their position, employment, or community.

The more you control your friends and contacts list, the more secure you and your online profiles will be. 

Your Social Media Safety Depends On You

As you can see, scammers and cyber criminals are using these technologies to their advantage. By staying vigilant with your online profiles you can help to reduce the likelihood of becoming the target of an attack. After all, most crimes are crimes of opportunity, meaning that criminals take advantage of people who are not prepared, or who have put themselves in a position of risk.

If you run a business, it’s a great idea to educate your staff about the risks of oversharing on social media and other ways they can protect themselves and your business. Tier 3 IT Solutions has a team of cyber security professionals who help businesses prepare and defend against all types of threats day in and day out. Please reach out to learn more, and to have a no-obligation consultation today.