Tales of social media and social engineering

Do you know how much of your personal information is available online and waiting to be used against you? You might be surprised at how much is available. Many people do not consider the volume and depth of information available online, particularly on social platforms such as LinkedIn, Facebook, and Twitter. Social media offers cybercriminals ample opportunities to social engineer or manipulate people to their nefarious advantage – even outside of the social platform providing the fodder for their efforts.

Pete the Job Seeker

Meet Pete. Pete is currently in the market for a new career opportunity. He has been using LinkedIn more than usual and has accepted quite a few new connection requests to build a network in his industry and at some key companies that he finds attractive. Unfortunately, one of those connection requests was a fake profile. Over the course of several messages that involved sharing similar experiences and some personal information, Pete was lured into clicking a link to a list of interview questions pertinent to his field. That link was malicious and installed malware on his computer. The hacker now has access to all the personal data stored on his computer – including the family’s social security numbers, bank accounts, passwords, and more.

Dorothy the Dog Lover

Dorothy loves all animals, but she is especially involved in local dog rescue groups. She volunteers, often fundraises for them, and shares her passion prolifically on Facebook and Instagram. She recently purchased some supplies from a local pet store for donation to her local animal shelter. In addition to checking in at the locally owned retailer when she arrived for curbside pickup, she posted pictures of the donated items and left a glowing review on the retailer’s Facebook page about the smooth purchase process. By itself this is common social media behavior and supportive of the local community. However, it provided ammunition for a cybercriminal to send a text to the number provided in one of Dorothy’s Facebook posts regarding adoption inquiries for a dog she is fostering. The text appeared to be from the retailer and contained a link to a survey that, upon completion, would donate $10 to the rescue organization of her choice. By clicking the link and completing the fake survey, Dorothy provided additional information to the cybercriminals that can be used to create fake profiles, open fraudulent accounts, and misrepresent her!

Social Media – Not Just for Socializing

Social media platforms are a breeding ground for fake profile personas waiting to take advantage of you. For instance, LinkedIn has a professional influence unlike other social media sites, often making users less cautious when connecting with strangers. When people willingly make these connections under the assumption that they are building professional networking contacts, cybercriminals can lure them into divulging personal details or direct them to malicious sites that load malware or harvest information.

Social engineering is a perennial weapon of choice for cybercriminals, and social media hands them most of the information they need for successful attacks. Even without a LinkedIn account, cybercriminals can use a quick company search to find several contacts at a company, including information such as their job positions and email addresses. They can also easily mine Facebook for birthdates, high schools, names such as maiden names and the names of children and pets, hobbies, places frequented, favorite activities, recent purchases, and so much more. This quick search gives the attacker a new list of targets to familiarize themselves with for more successful spear-phishing attempts.

If an attacker wanted to target you personally, they could easily find your “weak spot” in the form of interests or hobbies from one or more of your social media profiles. They could then craft a relevant spear-phishing email or text message spoofed to look as if it is coming from a company or person that you commonly interact with.

Always be aware of the information you share with the world, and be cautious of how that information can make you, or your organization, more susceptible to a compromise. Personal connections are now more important than ever; just be extra vigilant about reviewing all communications with a critical eye. Use the checklist below to determine the likelihood that a communication is fraudulent.

  • Do the URLs in the communication match the sending company’s real web address when you look the company up? Check every link before clicking.
  • Many URLs are hidden in buttons labeled “Click Here” or “Continue.” Hover over the button to view the URL.
  • Does the sender’s email address look correct? Your bank will not be using a public Internet account such as Gmail, Yahoo, iCloud, etc.
  • Is the sender requesting personal or financial information via email, such as a bank requesting your PIN for verification?
  • Is the email personalized with your name? Legitimate companies will usually address you by name and not generic greetings such as “Valued Customer.”
  • Are there misspellings, punctuation errors, or grammatical mistakes?
  • Are the images low quality or stretched?
  • Is there a misplaced sense of urgency?
  • Does the email contain an unexpected attachment?
  • Is the email from your CEO who is in a meeting but needs you to run out and buy gift cards?
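As an added example, not part of the original article, the following Python script turns the checklist above into automated checks that a mail team could run over incoming messages: it parses a raw e-mail, compares the sender and every link against the domain the message claims to come from, looks for links hidden behind labels such as “Click Here”, and scans the subject and body for generic greetings, missing personalization, urgency language, requests for PINs or passwords, and unexpected attachments. The two sample messages, the sender names and domains, the free-mail provider list and the keyword lists are all constructed for illustration and are not drawn from any real incident.

```python
"""Score an e-mail against the phishing checklist (constructed example, standard library only)."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative lists; a real deployment would tune these to its own mail traffic.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "icloud.com", "outlook.com", "hotmail.com"}
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user", "dear member")
URGENCY_WORDS = ("within 24 hours", "immediately", "urgent", "suspended", "act now")
SENSITIVE_REQUESTS = ("pin", "password", "social security", "gift card")
VAGUE_LINK_TEXT = ("click here", "continue", "verify now", "login")


class _LinkCollector(HTMLParser):
    """Collect (visible label, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if none found)."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def _same_org(host: str, expected_domain: str) -> bool:
    """True when host is the expected domain or one of its subdomains."""
    return bool(host) and (host == expected_domain or host.endswith("." + expected_domain))


def score_message(raw: str, expected_domain: str, recipient_name: str) -> dict:
    """Return the checklist items the message trips as (code, detail) pairs, plus a score."""
    msg = message_from_string(raw)
    expected_domain = expected_domain.lower()
    flags = []

    sender = _sender_domain(msg)
    if sender in FREE_MAIL_DOMAINS:
        flags.append(("free_mail_sender", sender))          # bank mailing from Gmail/Yahoo/...
    elif not _same_org(sender, expected_domain):
        flags.append(("sender_domain_mismatch", sender))    # From: domain is not the claimed company

    scanned = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            flags.append(("attachment", part.get_filename() or "?"))
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(text)
            for label, href in collector.links:
                host = (urlparse(href).hostname or "").lower()
                if not host:
                    continue                                 # relative or mailto: link, nothing to compare
                if not _same_org(host, expected_domain):
                    flags.append(("suspicious_link", f"{label!r} -> {host}"))
                elif label.lower() in VAGUE_LINK_TEXT:
                    flags.append(("hidden_link", f"{label!r} -> {href}"))
            text = re.sub(r"<[^>]+>", " ", text)             # strip tags before keyword scanning
        scanned.append(text)

    body = " ".join(scanned).lower()
    if any(greeting in body for greeting in GENERIC_GREETINGS):
        flags.append(("generic_greeting", ""))
    if recipient_name.lower() not in body:
        flags.append(("not_personalized", recipient_name))
    for code, words in (("urgency", URGENCY_WORDS), ("sensitive_request", SENSITIVE_REQUESTS)):
        hits = [w for w in words if re.search(rf"\b{re.escape(w)}\b", body)]
        if hits:
            flags.append((code, ", ".join(hits)))
    return {"flags": flags, "score": len(flags)}


# Constructed sample: a lure imitating a bank, sent from a consumer mailbox, with an attachment.
PHISH = """\
From: "First National Bank" <security-alerts@gmail.com>
To: dorothy@example.net
Subject: Urgent: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Your account will be suspended within 24 hours unless you confirm your PIN.</p>
<p><a href="http://fnb-secure-login.example/verify">Click Here</a></p>
</body></html>
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: a routine order notice from the retailer's own domain.
LEGIT = """\
From: "Paws & Claws Pet Supply" <orders@pawsclaws.example>
To: dorothy@example.net
Subject: Your order is ready for curbside pickup
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Dorothy,</p>
<p>Order 1042 is ready. View details at
<a href="https://www.pawsclaws.example/orders/1042">www.pawsclaws.example/orders/1042</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw, domain in (("phish", PHISH, "firstnational.example"), ("legit", LEGIT, "pawsclaws.example")):
        result = score_message(raw, domain, "Dorothy")
        print(name, result["score"], result["flags"])
```

The checks are deliberately simple string and domain comparisons so each flag maps back to one bullet of the checklist; the score is just the number of tripped items, which is enough to route a message for human review rather than to block it outright.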

Stop – Look – Think – Don’t be fooled!