Unfollow: Pretexting and Phishing on Social Media


Email phishing attacks may get the lion’s share of attention from infosec professionals, but cybercriminals are also happy to use social media to go after unsuspecting employees. These attacks can result in several negative outcomes, according to Proofpoint’s The Human Factor 2018 Report: credential loss due to phishing, malware infections — even coin mining through browser hijacking.

Attacks on social media take a variety of forms, according to the report:

  • Too-good-to-be-true coupons and malicious links
  • Phishing attacks that use direct messages to contact users
  • Angler phishing, a.k.a. social media support fraud

Social media profiles also create opportunities for cybercriminals to gather information that can later be used for sophisticated attacks, such as Business Email Compromise (BEC). The personal details that many people share on social media can be gathered and used to make impersonation attempts more convincing.

It’s easy for cybercriminals to create fake social profiles, and to use a person’s social media presence to learn where they live and work, and other people they know — all useful for pretexting, phishing and other social engineering attacks. This intelligence gathering allows criminals to create convincing requests for money, for example, or to encourage victims to download malware or click on malicious links.

Assessing User Knowledge

Many end users lack the knowledge and training to use social media safely, putting themselves and their organizations at risk. Our 2018 Beyond the Phish® Report — which stresses the need to extend cybersecurity training beyond email-based phishing — reveals a lack of understanding of risky social media behaviors. The topics we explore in the report include:

  • Principles of “safe sharing” on social media platforms
  • How to identify and avoid social media impostors and unsafe content

Within the “Using Social Media Safely” category, our data found that end users answered an average of 18% of questions incorrectly. End users in the telecommunications industry performed best on this category, with 12% of questions answered incorrectly. The worst performer was the manufacturing sector, where end users missed twice as many questions — 24%. (For data across all 16 industries on this and other cybersecurity topics, download the Beyond the Phish Report.)

The Risks of Oversharing

Within the context of security, “oversharing” on social media doesn’t just mean sharing inappropriate details about your personal life. End users need to understand that “the more they post about themselves on social media, the more information they are giving to potential hackers,” according to an article on SecurityIntelligence.com. “This information can be used to exploit them or their employer.”

One particular area of concern is the historical details people are encouraged to post about themselves: everything from birthdates and anniversaries to children’s and pets’ names to favorite movies. Requests for this information may come from quizzes and surveys posted by other users, or from the social platforms themselves. Unfortunately, these details can be used by cybercriminals to answer the “secret questions” or “challenge questions” that many online accounts rely upon to verify a user’s identity.

An article on KrebsOnSecurity.com provides a compelling analysis of this risk, along with real-world examples of social posts that could be used to gather intelligence. “On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals,” writes Brian Krebs. “Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.”
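The weakness described above is that challenge-question answers are treated as secrets even though they are often public. The following Python script is an added illustration, not code from the original post or from Proofpoint: it audits a user's chosen answers against a constructed public profile, flags any answer an attacker could reconstruct from that profile, and shows the usual mitigation of generating a random answer and storing it in a password manager. All names, profile fields and questions are constructed sample data.

```python
import re
import secrets
import string

# Constructed sample: profile fields that are readable from a public social media page.
PUBLIC_PROFILE = {
    "name": "Jane Example",
    "birthday": "March 14, 1985",
    "hometown": "Springfield",
    "pets": ["Biscuit"],
    "school": "Springfield High",
    "favorite_movie": "The Princess Bride",
    "children": ["Max"],
}

# Constructed sample: challenge questions and the answers a user might pick for them.
CHALLENGE_ANSWERS = {
    "What was the name of your first pet?": "biscuit",
    "What city were you born in?": "Springfield",
    "What is your favorite movie?": "princess bride",
    "What was your childhood nickname?": "Sprocket",
}

# Words too common to count as evidence that an answer was derived from the profile.
STOPWORDS = {"the", "a", "an", "of"}


def _tokens(value):
    """Lower-case alphanumeric word tokens from a string or a list of strings."""
    if isinstance(value, (list, tuple)):
        value = " ".join(value)
    return set(re.findall(r"[a-z0-9]+", value.lower()))


def profile_tokens(profile):
    """Flatten every public profile field into one set of tokens."""
    tokens = set()
    for value in profile.values():
        tokens |= _tokens(value)
    return tokens


def is_recoverable(answer, profile):
    """True if every meaningful word of the answer already appears in the public profile."""
    words = _tokens(answer) - STOPWORDS
    return bool(words) and words <= profile_tokens(profile)


def audit_answers(answers, profile):
    """Return the questions whose answers an attacker could reconstruct from the profile."""
    return [question for question, answer in answers.items()
            if is_recoverable(answer, profile)]


def random_answer(length=20):
    """Mitigation: treat the challenge answer as a second password.

    The value is random, carries no personal meaning, and belongs in a password manager.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for question in audit_answers(CHALLENGE_ANSWERS, PUBLIC_PROFILE):
        print("Recoverable from public profile:", question)
    print("Example random replacement answer:", random_answer())
```

Three of the four sample answers are flagged because their words all appear in the profile; only the nickname, which was never posted, survives. The token-overlap check is deliberately simple, so it errs toward flagging: an organization running a similar check on enrollment would also want to compare against breach-dump data, which this example does not include.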

Improving Social Media Safety

Since cybercriminals are trolling social media for valuable data, individuals and organizations need to make security a priority. The following are some tips for safer use of social media:

  • Create strong, unique passwords for each social media account
  • Regularly review your privacy controls and settings
  • Think twice before sharing historical details about yourself
  • Remember that what you post can have real-world consequences for job applications and college admissions
  • Be as skeptical about social media interactions as you would with suspicious work email