What is Phishing?
Phishing is, in a sense, nothing more than the old confidence scam, only nowadays the deception happens online. Preying on human emotion is as primal a tactic as any. Beyond luring victims with greed (awards and winnings-themed phishing emails) or anxiety (your-account-will-be-blocked-titled phishing scams), phishing preys on trust in more ways than one. And where better to find trust than among people who know one another, on a social networking site?
Following global trends in online threats, the RSA Anti-Fraud Command Center continues to see large increases in phishing attacks, with a 19% increase in the first half of 2012. Instead of going away, phishing is growing in numbers and resulting in more losses. And although this threat is more familiar than ever to online users, it still appears to work.
Beware of Phishing in Social Media
With the world turning into a smaller and more ‘social’ village, fraudsters are certain to join the party. Cybercrime follows the money, and as user behavior shifts, fraudsters have been following their target audience (potential victims) to the virtual world’s hot spots.
Using social networks, people behave more socially and are less discriminating about the messages or comments they receive on their profiles. With new user numbers soaring every year, phishers get to cast a very wide net. One phishing attack tailored to the look and feel of a single social network can effectively target a very large number of people, resulting in less work for the fraudster and a better yield of potential victims.
With social media, a core component of a successful phishing attack is already built-in: Trust. Users ‘follow’ people they know or trust, they receive messages from people or services they are familiar with (emails from a site’s team for example, a group, a friend’s hijacked account, or comments containing poisoned links).
Rogue communications can sometimes be spotted visually, but most of the time they look convincing enough to get the recipient to click through to the phishing site or download a malicious piece of software. In cases where a social network makes heavy use of URL shorteners, recognizing a suspicious hyperlink before browsing to it is very difficult.
Avoid These Social Media Scams
Social networking sites are getting much better at knowing their users and leveraging that information for more targeted marketing and sales. One of the factors that helps enhance credibility on the ever-evolving social media platform is the emerging Freemium model.
Perhaps one of the most popular activities on some social networks is playing social games with other users. The games are free, but only until the user wants to really get ahead in the game or obtain special powers upgrades. This is where the payment prompt jumps in, suddenly making it okay to perform financial transactions through a platform like Facebook. What does this mean for the user? It legitimizes using their credit card details on the social networking site. What does this mean for phishers? More ways to phish, more data to steal (alongside all the other personal information already shared by users), more attacks and more successful phishing!
Another factor that has been encouraging phishing to come through social networks is enterprises going social. For example, banks that wish to market themselves using social media open user groups people can join, inadvertently providing phishers with a model to follow (not any different from online banking portals being imitated for phishing).
As with any online-borne threat, keeping a close watch on trends is essential to any organization serving customers via the Internet. This new and increasingly ‘social’ nature of delivering phishing attacks is a reflection of user behavior – a factor that will always be the most significant driver for online crime trends.
Growing use of social networking is going to make phishing via that medium more popular with time, further supporting the need for ongoing and timely user education and awareness campaigns to help consumers protect their online identities and accounts.