Phishing just got personal – avoiding the social media trap


200 million LinkedIn users. 288 million Tweeters. 1 billion Facebookers. Social media is everywhere and with its rise, the IT landscape has drastically changed – and so has the nature of the cyber threat.

Certain attacks have always been successful – historically, figures like Kevin Mitnick have identified ways of penetrating the organisations they are after.

While the number of successful hacks is statistically falling, their impact has become far more severe and the tools used are more sophisticated than ever.

A weapon of choice for hackers in this evolving threat landscape has long been the phishing attack.

With public awareness of the scams rising, cyber criminals have moved from trying to dupe unsuspecting users into submitting their personal details directly via generic emails to much more targeted attacks.

Spear Phishing

One of the most complex and convincing types of attack is 'spear phishing'. This type of attack works by generating a dossier on the individual, with the intention of compromising their specific IT equipment or account – and this is where social media becomes a great tool for phishing scammers.

The individual snippets we upload may not appear to reveal much on their own. However, by collecting and assembling them across different networks, cyber criminals can build a much bigger picture.

By trawling the internet, cyber criminals can piece together information including date of birth, current responsibilities, previous jobs, education, phone numbers, personal information, likes and dislikes as well as personal and professional connections.

Using this information, the hackers fool the victim into believing the email is from a source they would expect or hope to receive messages from.

Once the victim clicks on the link or attachment in the email, malware is downloaded and deployed on their computer, potentially infecting and compromising the entire corporate network.

To prevent hackers from gaining access to corporate networks and information, it is crucial that businesses educate their employees about the scale of the threat posed by the information they post online and deploy the necessary defences against such threats. They must also ensure that their security posture is as mature as their threats require it to be.

While there is no doubt that social media sites such as LinkedIn are great resources to promote yourself and to network with like-minded professionals, it's sadly not just prospective employers gathering these details.

If a cyber criminal identifies you as having elevated security privileges or expertise in a particular area, they will look specifically for that kind of detail, and finding it can be enough to make you a target. If your profile shows these kinds of specialisms, it is probably best to avoid mentioning the names of colleagues.

Be careful who you add to your network, as this allows hackers to easily identify your connections if they are targeting you personally.

Equally, to prevent your identity from being stolen it is crucial to limit the amount of personal details you share. You might even consider hiding your real name – if new contacts in your network genuinely need to get in touch with you, you can simply introduce yourself via a private email.

It's not just professional accounts that are being targeted with ever more sophisticated attacks. Many phishing scammers can now create fake Facebook 'Like' buttons on websites. A pop-up then appears and you are asked to log in via Facebook.

But it is not Facebook – it's a site controlled by the phishers, who now have all the information they need to log into your actual Facebook account. To avoid this, only log in to Facebook directly and 'Like' the article from there.
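One defensive check for the fake 'Like' pop-up described above, written here as an added example rather than anything from the article or its author: it inspects the pop-up's HTML and flags any password form that would post credentials to a host other than facebook.com, or over plain HTTP. The trusted domain list, the sample HTML and the hostnames fb-like-login.example and news.example are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Domain a genuine Facebook login form posts to (an assumption for this example).
TRUSTED_LOGIN_HOSTS = ("facebook.com",)

class _LoginFormCollector(HTMLParser):
    """Records every <form action> and whether any password field is present."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.actions.append(attr.get("action") or "")
        elif tag == "input" and (attr.get("type") or "").lower() == "password":
            self.has_password_field = True

def host_is_trusted(host):
    """True only for the trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)

def check_login_popup(page_url, html):
    """Return findings for a page whose password form claims to be a Facebook login.
    A relative or empty form action posts back to page_url itself."""
    collector = _LoginFormCollector()
    collector.feed(html)
    if not collector.has_password_field:
        return []  # nothing asks for a password, nothing to assess
    findings = []
    for action in collector.actions:
        target = urlparse(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append("credentials sent over %s to %s" % (target.scheme, target.hostname))
        if not host_is_trusted(target.hostname):
            findings.append("password form posts to untrusted host %s" % target.hostname)
    return findings

# Constructed sample: a third-party page's fake "Like" pop-up asking for a Facebook login.
FAKE_LIKE_POPUP = """<div>Log in to Facebook to like this article</div>
<form action="/collect.php" method="post"><input name="email">
<input type="password" name="pass"><button>Log In</button></form>"""

# Constructed sample of a form that really posts to Facebook over HTTPS.
GENUINE_LOGIN = """<form action="https://www.facebook.com/login.php" method="post">
<input name="email"><input type="password" name="pass"></form>"""
```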

If phishers do succeed in hacking into your social media accounts they can use them as a platform to send links containing malicious software to your contacts.

Worse still, as they have access to your previous messages and conversations, they can include personal information and even your own wording to make their scamming emails appear more genuine.

To avoid this, ensure that you regularly update your passwords and contact people privately via email, text or instant messaging services to minimise the risk of your network receiving malicious links.

As a rule, once you publish any information on the internet it will likely stay there, even if you remove it from a particular site or network.

Even if websites have privacy restrictions, it is possible for aggregation sites, which gather data from multiple sources, to capture this information. And the more information about you is out there, the more likely it is that someone will connect the dots and take advantage of your online presence.

The lesson is clear: be mindful about what information you publish on social media sites. It sounds obvious, but employees are still not doing enough to limit their online profiling.

The chance to promote yourself online is great, but this shouldn't be at the risk of your personal identity being stolen, or even your colleagues finding themselves at the receiving end of a phishing scam. Social media is the ultimate weapon for phishing hackers. The cyber threat is real – and now it's personal.

  • Jason Kalwa is a cyber security consultant at Thales UK.