What should you know about social media phishing, or SMP? Many of us associate phishing risk with get-rich-quick links or attachments in marginally literate email messages, not our social media accounts and activity. What you should know is that phishing threat actors are deviously clever at setting traps by exploiting popular and trusted platforms, apps and topics in the news. What better hunting ground, then, for the digitally savvy criminal than social media?
Here are some answers to common questions asked about social media phishing.
What is social media phishing (SMP)?
Social media phishing is used by attackers seeking to steal personal data to sell on the dark web or to gain access, typically to financial accounts. They may also troll for personal details for credential phishing purposes. For example, when armed with your birthday, social security number, middle name, mother's maiden name and the like, combined with educated guesses about where you bank or keep retirement accounts, they can reset your password and pillage your accounts. Too much of this type of detail is easily found on social media websites.
Alternatively, an attacker may simply post an irresistible phishing link (e.g. "You won't believe your eyes" or "See how I made $200,000 in 10 minutes") on a friend's social page. When the link is clicked, the victim is routed through a series of screens and spoofed web pages where attackers harvest important identifying information. You can read all about the methods they use - some are diabolically clever - on our Phishing Prevention & Email Security Blog.
As of 2021, more than 3.96 billion people worldwide are using social media. The average social-media consumer has 8.6 accounts on different networking sites; popular platforms like Facebook see 66% of their users logging in daily.[1] This type of heavy and diverse traffic makes for a bottomless trough from which phishing threat actors gorge.
Why is social media a target for phishing attacks?
Social media is invaluable to threat actors for social engineering, which is a variety of deceptive tactics through which attackers use your good nature against you to get confidential information. Social media users choose their platforms to get and generously give information. They often make public where they live, work and vacation. They offer up the names, ages and birthdays of their children, friends and colleagues. They probably don't realize how easy they're making it for a digital criminal to structure and launch a targeted attack.
The attack may come in the form of, for example, a post with a link designed to entice the victim to share it on their social media. The victim's contacts - trusting the source - may click on the link. From there, they're taken to a phishing (but genuine-looking) website. An authentication challenge will appear, obliging the user to validate their identity by supplying their social media (or Google Drive or OneDrive or other) credentials in order to see the content they were tricked into pursuing. Typically, the authentication will fail, forcing the victim to reenter credentials. In many cases, these credentials are all that's needed for an attacker to wreak digital devastation.
What are examples of social media phishing?
On Facebook, beware of third-party apps that demand excessive amounts of information. Also, criminals can easily create a phishing site that looks just like the Facebook login page. On LinkedIn, look out for fake recruiters. They may send a document you must download to pursue that amazing opportunity. Once downloaded, the document unleashes malware via macros that aren't readily visible to the untrained user. Educate yourself on how criminals manipulate other platforms - Twitter, Instagram, YouTube and more - to launch attacks and steal your stuff. Check out Cofense resources, and those offered by trusted organizations such as the National Cyber Security Alliance.
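The spoofed login pages described above usually live on a domain that merely resembles the real platform: the brand name buried in a subdomain or hyphenated label, or a near-miss spelling with digits standing in for letters. The following is an added example, not code from Cofense or from this page, of a link-checking routine a defender might run over the URLs in a post before anyone clicks. The allowlist of trusted domains and the character-substitution table are assumptions made for the example, and the two-label "registrable domain" shortcut ignores public suffixes such as co.uk.

```python
import re
import difflib
from urllib.parse import urlparse

# Legitimate platform domains the check trusts. This allowlist is an assumption
# made for the example; a real deployment would maintain its own.
TRUSTED_DOMAINS = {
    "facebook.com", "linkedin.com", "twitter.com", "instagram.com", "youtube.com",
}

# Single-character substitutions commonly used to imitate a brand name
# (constructed table; deliberately not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Crude URL extractor for free-form post text (constructed for the example).
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def normalize_label(label: str) -> str:
    """Fold look-alike characters so 'faceb00k' compares as 'facebook'."""
    label = label.lower().translate(CONFUSABLES)
    # 'rn' is often used to imitate 'm' (e.g. 'instagrarn'); fold it as well.
    return label.replace("rn", "m")


def registrable_domain(host: str) -> str:
    """Last two DNS labels of the host (simplification: ignores public
    suffixes such as co.uk, which would need a public-suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a URL.

    Only the registrable domain decides trust; a brand name appearing
    anywhere else in the hostname is the classic login-page imitation.
    """
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    host = host.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    for label in host.split("."):
        folded = normalize_label(label)
        for brand in brands:
            # Brand buried in a subdomain or hyphenated label
            # (facebook.com.secure-login.example, linkedin-careers.example).
            if brand in folded:
                return "lookalike"
            # Near-miss spelling of the brand (facebok, facebooc).
            if difflib.SequenceMatcher(None, folded, brand).ratio() >= 0.85:
                return "lookalike"
    return "unrelated"


def scan_post(text: str):
    """Extract every URL in a post and pair it with its verdict."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample post mixing a genuine link and an imitation.
    sample = "Look at this https://www.facebook.com/ and https://faceb00k.com/login"
    for url, verdict in scan_post(sample):
        print(f"{verdict:10} {url}")
```

The design choice worth noting is that trust is decided only by the registrable domain, never by what the hostname "looks like": a host such as facebook.com.secure-login.example is not facebook.com, however convincing its left-hand labels are, which is exactly what the spoofed pages in this section rely on users not noticing.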
How can I protect myself against phishing on social media?
To steer clear of phishing on social media, a few quick best practices include these "don'ts":
- Don't accept friend requests from strangers.
- Don't click on links to update your personal details - instead, visit the platform's support pages to see what updating is needed, and how and when to do it.
- Don't use the same password and username for all your accounts because once one of them is stolen, all your accounts will be in jeopardy.
- Don't ignore prompts to update your operating system; many attacks exploit unpatched vulnerabilities.
Social media is meant to be fun and informative. Don't let the crooks ruin it for you. Keep in mind that attackers will try to use one successful exploit to go after not just you but your family, friends, colleagues, neighbors and employer.
[1] Source: Backlinko, https://backlinko.com/social-media-users