Phishing Gone Social: Kapersky Lab Research Shows 1 in 5 Scams Target Facebook

Social networking users beware: you are prime targets for hackers. Research by Kapersky Lab showed that nearly 35% of their tracked phishing attacks in 2013 routed users to sham social networking sites, with about 22% of those attempts luring users with fake Facebook links.

In the 2013 research, Facebook was the top site imitated in phishing attacks. Kapersky’s Q1 2014 research showed a slight shift in behaviors — Yahoo profile pages surged into the top spot — but Facebook traps still accounted for nearly 11% of the triggers in the company’s anti-phishing systems.

The bottom line: Kapersky products register more than 20,000 Facebook phishing incidents every day. When considering that this research is based on just a fragment of users, it’s clear that these types of phishing attempts are both prevalent and successful.

Evaluating the Risk

But what is the danger? It’s just social networking, right? Wrong. While you might initially be inclined to brush off these sorts of successful phishing attacks, it’s critical to consider the implications of Facebook and other social networking breaches:

• Social network phishing links generally route users to a phony login page. If the users do enter their credentials, the hacker receives this information and immediately has access to the account. If the same user name and password are used on other sites, those accounts are also compromised.
• Once a criminal has access to a Facebook account, privacy settings offer no protections. Private information, contacts, photos, files, and more are up for grabs. These kinds of details can be used to gain access to other people, places, and things.
• Many people use Facebook to log into other applications, including retail sites and file storage sites. With access to these applications, criminals can obtain additional personal information and make purchases.
• It’s not just the owner of the account who is at risk. Hackers can use the initial access to lure in unsuspecting friends and contacts by sending malicious links or downloads.

Mitigating the Threat

One thing is for certain: criminals clearly see value in focusing on Facebook and other sites like it in their phishing attacks. Perhaps users are inclined to click these kinds of links because social networking is a medium that is rooted in sharing. More likely, the recognition and trust associated with these brands lure users in, prompting them to click or respond without thinking.

Whatever the reason, it’s clear that users lack the education and understanding required to recognize these social network phishing attempts and react appropriately. Phishing attacks, like other social engineering threats, are only successful if users fall into the trap. Many of today’s employees simply doesn’t understand that clicking the wrong email link, downloading the wrong attachment, and sharing too much on social media can result in a major breach of personal and corporate data or give hackers an entryway to secure networks and systems.

Now is the time to extend information security to the desktop. And it’s not just about educating, it’s about changing behaviors. Security awareness training programs must do more than simply make employees aware that phishing, smishing, and social engineering attacks exist. The best defense is an education program that helps employees recognize these threats and make the right decisions when they encounter them.