When phishing first began, it was largely relegated to email. Attackers send millions of fake emails out trying to trick someone into clicking a malicious links or download and open a malware-laden file.
But as social media has become a big part of where people spend their online time, phishing has morphed to adopt that social platform and find new ways to trick users into revealing sensitive data or opening a malicious link.
Employees often use social media while on work devices, which can mean a big vulnerability in your business IT security strategy.
Approximately 82% of the U.S. population uses social media.
Social phishing, also known as smishing, strikes when users typically have their guard down. They are scrolling through posts by friends and family, laughing at memes, and looking to chat with people in the same fandoms or interest groups as themselves.
This is fertile ground for phishing attackers because when a user’s guard is down, they are more susceptible to fall for phishing attacks.
Two Most Common Types of Social Phishing Attacks
There are many common types of social phishing attacks. Some are a simple fake link, while others play the long game and befriend a person just to gather personal details or scam them out of money.
Here are two of the most common smishing attacks.
Hidden Link to a Malicious Site
Many social platforms will automatically shorten a URL, which makes it hard to tell if it’s going to a legitimate site or not. An attacker will often send a URL to someone through a post they make on their timeline, in a reply to a post, or using direct messaging.
Many people aren’t looking for phishing when on social media, so they’ll often click a link without giving it a second thought, which can lead to a drive-by injection of malware as soon as the malicious site loads.
Pretending to Have the Same Interests to Scam Someone
There is so much information about us on social media that it’s easy for a hacker to pretend to be interested in the same things, to know where a person works, and even to know someone’s favorite restaurant.
Using personal bits of information scraped from online profiles and posts, a criminal will strike up a conversation with someone about a common interest. Such as, “I saw you also love Coldplay as much as me, which album is your favorite?”
The conversation will start innocently enough that someone doesn’t suspect that they’re being played. Then after a week or so of seemingly innocent conversations, the attacker will begin to ask for increasingly personal information. Or they may suddenly need some “financial help” and promise to pay the victim back.
When targeted phishing takes place over social media, it was found to be over 70% successful.
Ways to Protect Your Company from Social Phishing
One way that you can eliminate the threat of malicious sites doing drive-by downloads of malware onto employee PCs or phones is to install DNS filtering on all employee devices.
A DNS filter looks at URLs before it directs the browser to load those sites. If it detects a malicious site, the user is redirected to a warning page instead.
This can help prevent a malware infection if a person clicks on a malicious social media link.
Employee Education on Smishing
Employees must understand that phishing over social media is happening and could happen to them. They need to keep their guard up about phishing not only when looking through their email, but also when scrolling through memes and posts on social networks.
Ongoing employee cybersecurity training has been found to cut a company’s security risk by as much as 70%.
Blocking Social Media Use on a Company Network
If you want to take a strict stance to protect against social media phishing as well as ensure employees aren’t scrolling through TikTok when they should be working, you could block social sites on your network.
This will only work for in-office employees connected to your Wi-Fi, but it’s a simple setting to block any non-productive social sites that could also pose a phishing danger.
Monitor for Fake Accounts Impersonating Your Business
There’s a proliferation of fake accounts on social media that are used for social phishing. These accounts pretend to be a person or business that already has an account on a social platform and will even use their images and logo on the fake profile.
These types of impersonation accounts will usually reach out to all the “friends” and followers of the real account trying to trick them into connecting to the fake profile, which will then allow the hacker to deploy different types of smishing tactics.
Regularly search social media to ensure no one is impersonating your business account and recommend to your employees that they do the same. Fake accounts can be reported to the social media provider.
Is Your Network Set Up to Defend Against Social Phishing?
It’s important to keep evolving your network security for the newest types of online attacks. Pro Tech Guy can help your Natick or Sudbury business with safeguards like DNS filtering and network protection.
Contact us today to learn more. Call 508-364-8189 or reach us online.