Online scams have come a long way since “Nigerian princes” first began gracing our email inboxes. Now, phishers (those who trick people into sharing logins and other sensitive information online) use more personalized tactics.
Case in point: a current phishing scam targets Facebook influencers, individuals with enough national or international prominence to earn the blue verification check mark on the profiles and pages they own.
The scammers contact verified Facebook users through Facebook's Messenger app while impersonating the company, with official-looking threats to revoke the check mark unless the user "verifies" their information. Doing so means clicking a link to an external site and entering login credentials on a page the attackers control.
“Also, verified individuals may be more of a target to begin with. Depends on what the attacker is trying to get.”
According to a recent Infosec blog post by IT Security expert Susan Morrow, “Consumer phishing scams are a global problem. In the U.S., the Federal Trade Commission (FTC) received more than 1.4 million fraud reports in 2018. In 25% of those cases, money was lost, with the total being around $1.48 billion. This is an increase of 38% over 2017. In the UK, CIFAS (national anti-fraud body) collected a record of 305,564 scam reports in 2017.”
The Phishing Activity Trends Report, 1st Quarter 2019 by the nonprofit Anti-Phishing Working Group (APWG) stated that “The total number of phishing sites detected by APWG in the first quarter of 2019 was up notably over the third and fourth quarters of 2018…” and that “The number of phishing attacks hosted on Web sites that have HTTPS and SSL certificates reached a new high.” In the past, many treated HTTPS and the browser padlock as a sign that a site was safe. In fact, a certificate only shows that the connection to the domain in the address bar is encrypted; it says nothing about whether whoever controls that domain is legitimate, and phishers can obtain certificates for domains they register themselves.
A growing trend
Regarding phishers targeting social media influencers, Cyber Security Analyst Hunter Healy, who works for Visa, first heard of the Facebook attack and similar ones in early 2019, and she sees a rising trend due to a changing online landscape.
“Now we have so much business activity online; there’s a whole new vulnerability,” Healy said. “I think you will see more cybersecurity services targeted towards celebrities and influencers since their business is online.”
Diesi believes that targeting social media accounts has gained popularity for several reasons: people can find social media handles much more easily than email addresses; people haven't grown as wary of exchanges on Facebook, Twitter and similar platforms as they have of email; and anti-phishing tools tend to protect email better than social media accounts.
“Attackers are getting craftier with better ways to catch us off guard,” Diesi said. “And, no surprise, attacks against verified individuals — well known and not — will continue to rise.”
Healy also stated that many remain vulnerable to this type of phishing scheme because it hasn’t gained widespread attention yet.
Or inconclusive evidence?
However, not everyone feels certain of an upward trend.
World-renowned security technologist, author and academic Bruce Schneier has his doubts.
“Stats are hard because the data’s hard to come by,” Schneier said. “Who would have the data on how many? Do we think the FTC gets every possible report?”
“It’s always hard to see if it’s a rise in actual numbers or just reporters writing more articles,” Schneier said.
Schneier believes trying to measure trends in this area can pose problems. For instance, he wondered how one would go about counting the rise in such attacks. By the number of people who lost money? The number of accounts successfully hacked? Perhaps a wide range of other options? Schneier also stated that most people don’t report every phishing attempt or even know of all of the ones thrown at them — such as the ones going straight to spam folders. However if someone really wants to research existing data, Schneier recommends The Cambridge Cybercrime Centre — which he considers successful in collecting some high-quality statistics, adding that he likes that they don’t have “an agenda.”
Grit Daily’s managing editor, Stewart Rogers, a verified Facebook user recently targeted by phishers, said that — based solely on personal experiences — he hasn’t sensed a rising trend for phishing attempts. Actually, he thought the opposite.
“In fact, if anything, I’ve seen fewer phishing attempts and hacking attempts [for my accounts] than ever before. Then again, I do have two-factor authentication switched on and everything. And, I know what I’m looking for [regarding signs of fraud],” Rogers said.
Why target influencers? Healy lists a few reasons: money, defamation and hacktivism, a politically motivated hack for a specific cause. Some influencers have targets on their backs for more than one reason; those with wealth in addition to a large following can yield great dividends for phishers.
“Hackers can use a verified account as a way to improve the spread of their attack. Someone is more likely to believe a verified account, making the phish more likely to be successful,” Diesi said.
A cautionary Murdoch tale
According to a Business Insider article, Nicoletta Kotsianas, senior director at cyber defense firm K2 Intelligence, said that some hackers mainly enjoy “the ride,” as in the recent Wendi Murdoch case.
The article claims that in early 2019 a con artist posed online as Murdoch, a high-profile businesswoman — using convincing techniques — to get social media influencers to pay for flights to Indonesia and fake photography permits.
Kotsianas told INSIDER that after targeting Hollywood players, these types of phishers turned their focus to influencers — “Instagram stars, travel photographers, people who do stuff that involves them travelling all over the world.”
“It’s about convincing some people that there’s someone else, and manipulating them, being into that, and world-building around the whole thing,” Kotsianas said. “They’re making some money off it, but it’s really about the ride along the way.”
Don’t underestimate the bait
So, how do you avoid falling prey?
“So many of us think we’re reasonably aware, but it only takes one time,” Healy said. “The average informed consumer is pretty vulnerable.
“It’s really hard, even for informed people like myself to tell.”
Diesi, who recently received an online phishing attempt via LinkedIn, said that some can appear quite convincing — especially those that come from accounts of friends or colleagues that hackers have compromised.
Spotting a fake
Over the weekend, as soon as Rogers looked at the message in his Facebook inbox — threatening his verified status — he saw the red flags.
“When I see it, I know exactly what I’m looking for,” Rogers said. “Once I saw the t.co link, I knew right away. You’re not going to see a Twitter link in a Facebook official post. Simple as that.”
According to a Facebook spokesperson, “We are constantly strengthening our technology to keep scammers off Facebook. We encourage people to be vigilant about not clicking on suspicious links and to report suspicious messages to us so we can take appropriate action.”
Facebook wants users to keep several things in mind. They shouldn't trust messages requesting money, offering gifts, or threatening to ban or delete accounts. Official Facebook email about user accounts comes only from fb.com, facebook.com or facebookmail.com, and users can confirm that a message is genuine by checking the list of recent emails from Facebook under the Security and Login settings. Facebook will never ask for a password in an email or send one as an attachment. Users shouldn't click links or open attachments in suspicious-looking emails or messages, and they should watch for telltale signs such as grammatical errors and landing pages outside facebook.com.
Healy also advises consumers to pay close attention to URLs, looking for subtle misspellings or deceptive subdomains. A mobile browser or app often shows only the first part of a long URL, which is exactly the part a phisher makes look familiar (for instance a hostname that begins with facebook.com but actually ends in some other domain); the domain that matters is the one immediately before the first single slash. Healy therefore suggests checking the desktop version, or copying and pasting the entire URL somewhere that shows all of it.
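As an added example, not part of the original article and not Facebook's own tooling, the following Python script applies the checks above to links found in a message: it compares the link's real hostname against the official Facebook domains named above, treats link shorteners such as the t.co link Rogers spotted as opaque, and flags the tricks that a truncated mobile address bar hides, namely a hostname that merely starts with facebook.com, user info before an "@", and non-ASCII or punycode lookalikes. The shortener list and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Domains the article says official Facebook account messages come from.
OFFICIAL_DOMAINS = ("facebook.com", "fb.com", "facebookmail.com")
# Link shorteners hide the real destination. This list is an assumption for the example.
SHORTENERS = ("t.co", "bit.ly", "tinyurl.com")


def is_domain_or_subdomain(host, domain):
    """True only when `host` is exactly `domain` or ends in '.' + `domain`.

    'facebook.com.evil.example' fails this test even though it *starts* with
    facebook.com, which is the trick a truncated mobile address bar hides.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return (verdict, reason) for a link found in a message.

    verdict is one of: 'official', 'external', 'opaque', 'suspicious'.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("suspicious", "unexpected scheme %r" % parts.scheme)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ("suspicious", "no host in URL")
    if parts.username is not None:
        # In https://facebook.com@evil.example/ the text before '@' is user info,
        # not the host; the browser connects to evil.example.
        return ("suspicious", "user info before '@' hides the real host %r" % host)
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return ("suspicious", "non-ASCII host %r; possible homoglyph lookalike" % host)
    if host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "punycode host %r; possible homoglyph lookalike" % host)
    for s in SHORTENERS:
        if is_domain_or_subdomain(host, s):
            return ("opaque", "shortener %s; expand the link before trusting it" % s)
    for d in OFFICIAL_DOMAINS:
        if is_domain_or_subdomain(host, d):
            if scheme != "https":
                return ("suspicious", "official domain %s reached over plain http" % d)
            return ("official", d)
    if "facebook" in host:
        return ("suspicious", "brand name inside non-official host %r" % host)
    # An https link to some other site is merely external: the certificate
    # says nothing about who runs it.
    return ("external", host)


# Constructed sample links, including a t.co case like the one in the article
# and a long hostname whose visible prefix looks like facebook.com on a phone.
SAMPLE_LINKS = [
    "https://www.facebook.com/settings?tab=security",
    "https://t.co/AbC123xyz",
    "https://facebook.com.verify-page.example/badge/renew?id=1",
    "https://facebook.com@account-review.example/login",
    "http://facebook.com/verify",
    "https://xn--facebok-example.com/login",
    "https://example.org/about",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print("%-10s %-58s %s" % (verdict, link, reason))
```

The verdicts are deliberately conservative: an https link to a host outside the official domains comes back as "external", never "official", which is the practical meaning of the APWG finding that phishing sites increasingly carry valid certificates.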
See something, say something
Facebook encourages users to report suspicious messages and, if they suspect their account has been compromised, to visit its hacked-accounts help page for next steps. Healy also recommends reporting phishing attempts to the FTC at Ftc.gov/complaint, and forwarding suspicious text messages to 7726 (SPAM), the shortcode mobile carriers use for spam reports.
The role of social media
Diesi, Healy, and Schneier all believe that social media platforms have shown solid effort in combating these types of phishing attempts.
And, Schneier said that companies like Facebook shouldn’t shoulder the blame in situations like this.
“It’s not Facebook’s problem. It’s outside of Facebook… They [these phishers] don’t target the site. They target the people,” Schneier said. “They [Facebook] do what they can. But, it’s hard. If you fall for a fake website and type in your login credentials, you’ll get whacked.”
“Sites are trying to deal with this. But, it’s hard. You really want to minimize false positives,” he added.
Healy believes Facebook has “tried to get ahead of the malicious link sharing” and “really beefed up” their support and user-reporting systems.
According to Facebook, they have a 24-hour team focused on finding and blocking fake accounts and content not allowed on the platform; grew their security and safety team in 2018 to more than 30,000; and use technology that helps prevent the creation of millions of fake accounts every day.
How to protect yourself
Facebook has an online Help Center with information on how users can protect their accounts. Healy recommends adopting best practices such as turning on two-factor authentication, not sharing passwords with others, and not reusing the same password across social media and email accounts. She also suggests confirming the identity of old acquaintances who want to reconnect online, via a different platform or an offline method, and staying up to date with phishing alerts from the FTC and news outlets.
For social media influencers, Healy strongly recommends that they manage the security of their brands and businesses by hiring expert cybersecurity consultants.
“Hackers are very resourceful and always coming up with the newest and latest thing,” Healy said.
Upping the game
Speaking of more sophisticated methods, Schneier mentioned an article he read recently on AI technology that can mimic people's voices, and discussed the possibility of criminals using it. For example, someone could potentially use a CEO's voiceprint to fool the company's financial officers into transferring funds to specific bank accounts.
According to Healy, one of the newer scams she’s heard of involves fake websites popping up to capture personal information from unsuspecting utilities customers. They can encounter these sites when conducting personal business online, such as paying cable TV bills. And she believes that social media has helped hackers around the world expand their reach — and conduct more-advanced phishing operations.
She cautions others against turning complacent with online security.
“More than ever, our online accounts are our identities. No one ever thinks it’ll happen to them, until it does.”