08.01.17

How to protect against spear-phishing on social media

Have you ever been phished online? If you are unfamiliar with the term, phishing refers to being presented with a scam message that demands action of some kind, such as clicking on a link, entering a password or downloading an email attachment. Phishing is usually a means to an end: the item you are prompted to interact with is likely to contain malware designed to enlist your device into a botnet, encrypt your files for ransom or harvest personal data, or it leads to a fake login page that captures your credentials.

The current state of phishing: What you need to know

According to the 2017 Data Breach Investigations Report from Verizon, resisting the lure of a phishing email is often easier said than done. One in 14 users in Verizon's data set was tricked into following a link or opening an attachment, and one-quarter of those individuals were fooled more than once.


In 95 percent of the phishing attempts that resulted in data breaches, the initial success in tricking the victim was followed by additional software installation. Think of phishing as a way to open the "door" into a system, so that malware can enter with far less trouble than it would have taking another route.

How can you spot phishing as it happens? There are a few tell-tale forms it is likely to take, including:

  • An online survey that promises a prize if you complete it, but requires you to enter a lot of personal information (e.g., a Social Security number) along the way.
  • A job application sent to a business email address with an unusually large attachment, which purports to be a resume but is actually laced with malware.
  • An invoice for a purchase that you don't remember making, but which contains a link to contest the transaction (the link in turn leads to an attacker-controlled or compromised website).

Email is the communication medium most closely associated with phishing. However, there has been a rise in phishing attempts on social media platforms in recent years as well, and these schemes can be more difficult to dismiss: a direct message or a reply on a social network never passes through the spam filters, link reputation checks and attachment scanning that many email services and clients apply before a message reaches you.


Phishing on social media: Are you at risk?

In early 2017, the Pentagon discovered a massive phishing campaign that targeted 10,000 of its employees on Twitter, according to TIME. The phishers used carefully targeted messages about sports coverage and the Oscars, which had recently concluded at the time, to entice the targets to click links that redirected them to servers in Russia that could install device-hijacking malware.

The incident demonstrated how social media platforms can incubate phishing. The enormous scale and publicly viewable (in most cases) accounts of Twitter et al. mean that they are prime targets for a wide variety of old and new spins on the phishing scam: an attacker can read a target's public posts and tailor the lure to that person's interests, which is exactly what the sports and Oscars messages did.

For example, a phishing angle unique to social media is so-called angler phishing. The attacker creates accounts that falsely claim to be a company's official support channel, waits for customers to post complaints, and then replies offering help, steering the victim to a fake login page that collects the credentials needed to take over their Twitter, Facebook or email account. Angler phishing has become increasingly popular in recent months as older approaches – such as spoofing an email from a company CEO – have dropped off.

Best practices for avoiding phishing

Whether you are confronting a phishing attempt via email or a social media account, it is a good idea not to click on anything from a source you don't recognize. Moreover, it may be useful to use a link expander to decode shortened links (such as ones that begin with bit.ly or a similar shortener) so you can see the real destination before visiting it. Also always check that any webpage that asks for sensitive information is served over HTTPS, which will be indicated in the URL bar with a padlock icon and, for sites with an Extended Validation (EV) certificate, the name of the domain's owner. Treat the padlock as necessary but not sufficient: it only proves that your connection to the host shown in the address bar is encrypted, and phishing sites routinely obtain valid certificates for their own domains. Read the domain itself carefully, since lookalikes such as a brand name inserted as a subdomain of an unrelated site, a raw IP address, or a swapped character are the usual giveaways.
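The following is an added example, written for this article and not part of the original page or any Total Defense product: it expands a shortened link one redirect hop at a time and then checks whether the landing page's domain is really the one the message claims. The short link, the hops in `FAKE_HOPS`, the `.example` landing host and the "expected" brand domain `paypal.com` are all constructed for the demo, so it runs offline; the `live_head` helper, which uses only the standard library, is what you would pass in to expand a real link. The `registered_domain` helper is deliberately crude (last two labels, no public-suffix list), which is an assumption that breaks for domains like `co.uk`.

```python
"""Expand a shortened link hop by hop and check where it really lands.

Added example for this article, not code from the original page or from any
vendor. The short link, the redirect hops and the landing host below are
constructed for the demo; live_head hits the network only if you pass it in.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class _StopRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop is visible to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=5):
    """HEAD one URL without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(_StopRedirects)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once not followed
        return err.code, err.headers.get("Location")


def expand_link(url, head, max_hops=10):
    """Follow Location headers one hop at a time; return the full chain."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def judge_destination(final_url, expected_domain):
    """Return the reasons the landing page looks wrong (empty list = looks ok).

    The padlock only proves you reached the host in the address bar; these
    checks ask whether that host is the one the message claims to be.
    """
    parsed = urlparse(final_url)
    host = parsed.hostname or ""
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if registered_domain(host) != expected_domain.lower():
        reasons.append(f"host {host!r} is not under {expected_domain!r}")
    if "@" in parsed.netloc:
        reasons.append("userinfo before @ (classic disguise)")
    return reasons


# Constructed redirect chain standing in for a real shortener (no network).
# The brand name appears as a subdomain of an unrelated host: a common lure.
FAKE_HOPS = {
    "https://bit.ly/3xAmpL3": (301, "https://t.co/abc123"),
    "https://t.co/abc123": (302, "/r/final"),  # relative Location header
    "https://t.co/r/final": (302, "https://paypal.com.account-verify.example/login"),
    "https://paypal.com.account-verify.example/login": (200, None),
}


def fake_head(url):
    """Offline stand-in for live_head, answering from FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))


def demo():
    """Expand the constructed short link and judge its landing page."""
    chain = expand_link("https://bit.ly/3xAmpL3", fake_head)
    return chain, judge_destination(chain[-1], "paypal.com")


if __name__ == "__main__":
    hops, problems = demo()
    print(" -> ".join(hops))
    print("problems:", problems or "none")
```

Run it as-is to see the constructed chain resolved and flagged; to check a real link, call `expand_link(url, live_head)` and pass the domain you expected the message to come from to `judge_destination`. A clean result from `judge_destination` means the host matches the brand you expected, not that the page is safe, so it complements rather than replaces the advice above.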

Finally, it is important to keep up-to-date antivirus software and malware defense on your PC to shield it from infections that may result from phishing or other types of cyber attacks. Ultimate Internet Security from Total Defense is your ticket to proactive malware detection that does not cause a performance hit on your machine. Learn more on our product page to get started today.