Phishing, the practice of trying to lure unsuspecting victims to click on links to install malware or divulging confidential information, is a tactic which unfortunately involves more than just malicious emails. Phishing attacks can also take place in other environments such as via texts, phone calls, or social media.
Facebook, in particular, seems especially prone to these types of nuisances, such as those involving fake websites set up by scammers in the hopes of tricking people into divulging their account information. Facebook does offer some tips to combat these efforts (such as being on the lookout for sloppy messages, messages which claim to have attached passwords, malicious links, or requests for confidential information). However, the threats also involve fake charity requests for victims of the latest natural disaster.
SEE: Research: As overseas business operations grow, so do concerns over cyberwarfare and cybersecurity (Tech Pro Research)
How can you avoid phishing? Below are tips from email security organization Proofpoint for both consumers and IT departments, which I combined with commentary based on my own experiences
Tips for Consumers
1. Be wary of fake news
Social media con artists use divisive political content to enrage voters and spread misinformation. Avoid "fake news" or news of dubious accuracy and refrain from clicking on links sent to you or posted on social media. Think like a newsroom: You need to confirm accuracy. If you see a news story, verify it on an online news site. Never blindly repost information without checking for accuracy, no matter how much you might wish it to be true.
2. Be wary of bots
Keep an eye out for bot accounts and block them since they aren't likely to promote honest or legitimate content. Be cautious of any Twitter and Facebook accounts where something doesn't look quite right, or he/she seems especially aggressive. Telltale signs of a bot include accounts with random names/numbers, accounts which frequently repost items, accounts posting material which doesn't seem relevant to the context of a discussion or thread, and accounts which contribute no actual content but just share/retweet other accounts.
3. Investigate details behind questionable ads
Use Facebook's "Info and Ads" to determine the motivations behind ads. For instance, when you see a political ad on Facebook which seems suspect or sensational, click the ad and then click the page associated with it. Facebook's goal is provide "increased accountability for bad actors, which will help to prevent abuse on Facebook" and to "bring additional transparency to Pages and the ads they're running."
If the ad comes from a less-than-reputable source, disregard future content from this page or entity as phishing attempts are more likely from these types of accounts.
4. Avoid clicking links
Do not click on Twitter Direct Message (DM) or Facebook Messenger links unless you are positive they are reputable. They might contain malware or direct you to credential phishing sites that will attempt to steal your passwords or financial information or install malware on your system or device.
Links can also be obfuscated by adding a bunch of unnecessary words or random characters to what seems like a legitimate site in the hopes that you'll be fooled into opening them. For instance, a link to www.americanexpressfinancialserviceadvice.com or www.citibank2018BBB.com might seem OK at first glance but look closer. You can highlight the link and press Ctrl-C to copy it, then open a text editor like Notepad and press Ctrl-V to paste it in for closer inspection.
SEE: Brute force and dictionary attacks: A cheat sheet (TechRepublic)
5. Use a quality filter
If it is not already on, activate your quality Twitter filter. This tool (which is enabled by default) helps you locate the quality tweets amongst the noise generated by bots and other low-value entities.
To check your setting, click your profile picture at the top right of the Twitter site and then choose "Settings." At the "Settings" screen, select "Notifications" from the left column. Check the "Quality filter" box to enable the filter.
Note, Twitter states this "does not filter notifications from people you follow or accounts you've recently interacted with."
Also, verify that Twitter accounts purportedly owned by famous people or governmental officials really are who they say they are by ensuring there is a blue circle with a check in it next to their name or Twitter handle.
Finally, unfollow pages of dubious accuracy or pages prone to promoting sensationalistic "click bait" ads or posts.
SEE: Mobile device security: A guide for business leaders (Tech Pro Research)
Tips for IT departments
6. Know the current situation and share details
Monitor social media and make sure that individuals who are responsible for company social media posts or updates are aware of what to look for regarding common or new scams. Send weekly email updates or broadcasts as needed to help educate personnel (but don't send too much communication or it may go unheeded).
Staff should also be wary of statements made on social media with no source material provided.
For example, if someone posts a quote attributed to a politician or business representative but doesn't provide a verifiable link to the source or other information to substantiate the details, don't trust it.
7. Establish official guidelines and restrictions
Review and update your digital and social media risk management strategy and governance, including policies, processes, and programs to specifically address the growing number and types of threats on social platforms. Ensure you include instructions about how to secure both branded and employee accounts.
Tech Pro Research offers various comprehensive policies covering technological topics. Their social media policy is a good reference to help protect organizations. They also provide a social media and web usage policy as well.
SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)
8. Safeguard social media access
Mandate that social media postings, updates, or interactions be conducted only on approved devices (either company or employee-owned). Ensure that these devices contain the latest anti-malware software and controls, that they are set to lock either with strong passwords or biometric mechanisms, and they can be remotely erased if lost or stolen.
9. Look at the big picture
Think comprehensively. As the number and types of risks continue to expand, the responsibility for managing digital and social media risks extends well beyond the IT department. Make sure you partner effectively across your organization. For instance, if social media is handled by outside agencies, ensure they follow security and policy guidelines and are aware of the latest developments.
10. Engage in minimalism
Limit social media sprawl: Account sprawl can run rampant and lead to fake and unmanaged accounts that can damage brand reputation and customer experience. Also, limit the number of people who have access to social media accounts—and change any passwords if they depart the organization.
- Office workers beware: Holiday gift card spear phishing attacks on the rise (TechRepublic)
- 3 ways for your business to spot a spear phishing email during the holidays (TechRepublic)
- How sophisticated phishing grants attackers total control of your computer (TechRepublic)
- Phishing gets more complex as decoy PDF pops up with Microsoft-issued SSL certificate (TechRepublic)
- Your email account is a big phishing target for hackers (ZDNet)
- Cross-site scripting attacks: A cheat sheet (TechRepublic)
- Phishing attacks: Why is email still such an easy target for hackers? (ZDNet)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.