In the past, phishing attempts were easily recognisable, due to poor grammar and stories that lacked credibility, such as a foreign prince wanting to give money away.
“This is no longer the case, with scammers becoming increasingly convincing in their methods,” says Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa.
She says it is becoming harder to tell fact from fiction as scammers improve their phishing tactics. “They set up Web pages, social media profiles and e-mails that look convincingly like legitimate brand collateral, and run believable promotions to trick victims into sharing sensitive data.”
Convincing scams
Recent examples of convincing phishing campaigns include fake social media warnings and fake beer promotions. In one case, a seemingly credible Heineken-branded Father's Day giveaway collected personal details including names, birthdates, e-mail addresses and postal addresses.
This kind of information could be used to attempt takeovers of legitimate e-mail accounts, says Collard. What makes this type of ruse successful is that the prizes appear legitimate (branded coolers and merchandise) and that a competition deadline creates a sense of urgency.
She cites another example, in which researchers at Akamai discovered a PayPal phishing kit that attempts to steal victims’ identities and financial information. The phishing page appears to be identical to PayPal’s login page and asks users to solve a captcha before entering their username and password.
“After the victim has logged in, the site tells them that suspicious activity has been detected on their account and asks them to verify their payment card information, social security number, mother's maiden name, and their card’s PIN. It also asks the user to take a picture of themselves holding their passport, driver’s license, or national ID.”
Akamai says this data could be used to create crypto-currency accounts using the victim’s identity.
Targeting social media
Social media platforms such as Twitter, Discord and Facebook are also being used to target victims through scare tactics, Collard adds. “Twitter users have been targeted with messages saying their accounts were flagged for using hate speech. They would then be redirected to a fake Twitter Help Centre, where they would be asked to input their credentials.”
Similarly, Discord users have received messages accusing them of sending explicit photos and directing them to scan a QR code; scanning it results in the account being taken over by attackers.
A Facebook-themed phishing scam employed a combination of phishing messages, social engineering and Facebook Messenger to trick users into believing they risk having their accounts deleted.
“Trustwave reported recently that victims receive a message appearing to come from Facebook, warning that their account would be deleted for violating community standards. To appeal, users are directed to a Messenger conversation with a chatbot named ‘Page Support’, which directs them to a form where they must give their login, name, phone number and password,” she explains.
These types of attack could just as easily be designed to appear as if they came from legitimate business tools and critical SaaS applications and could open the floodgates to the company networks too, says Collard.
The majority of company employees are active on Facebook, LinkedIn, and Twitter, and threat actors exploit these platforms to scrape profile information of users and organisations to create targeted spear phishing campaigns in an attempt to hijack accounts, damage your organisation's reputation, or gain access to your network, she warns.
KnowBe4 offers a free Social Media Phishing Test that helps organisations identify which users are vulnerable to these types of phishing attacks, to inform more effective education and awareness campaigns.