Prevention from Phishing and Social Engineering on Social Media

Imagine receiving an email that appears to be from your bank, warning you about an unauthorized login attempt. It urges you to click a link and verify your account details immediately. The email looks legitimate, but something feels off. This is a classic example of a phishing attempt, a prevalent cyber threat that can lead to identity theft and significant financial loss. Understanding phishing is the first step in defending against it.

• What is social media phishing?
• How to detect phishing attacks?
• How is social network site fraud perpetrated?
• What to do if you fall victim to some phishing attack?

What is Phishing?

Phishing is a cyber attack where scammers pose as trustworthy entities to trick individuals into divulging sensitive information. It's akin to fishing, where bait is used to lure fish; in phishing, the bait is often a deceptive email or message.

What is Social Engineering?

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Tactics include creating a sense of fear, urgency, or authority to compel victims to act against their best interests.

What are social engineering and phishing?

While social media phishing is a common tactic, social engineering itself is a broader umbrella term encompassing various cybercrime tricks. It's essentially the art of manipulating human psychology to steal sensitive information. Recent reports suggest nearly half (49.6%) of all internet traffic now comes from bots, some of which can be employed in social engineering attacks.

Phishing remains a significant threat, with studies indicating percentages about 8% of social media cyberattacks being caused by phishing attempts in 2024. In simpler terms, social engineering aims to trick you into revealing personal data like usernames, passwords, credit card information, or other sensitive details for fraudulent purposes.

Beyond social media phishing, social engineering encompasses tactics like baiting (offering something desirable to lure a victim), pretexting (fabricating a scenario to gain trust), quid pro quo (offering something in exchange for information), spear-phishing (targeting specific individuals or organizations), and tailgating (physically following someone into a restricted area).

What percentage of phishing attacks take advantage of social networks?

As of the most recent data, 84.5% of all phishing attacks specifically target users of social networking sites. These attacks exploit the trust and familiarity that users have with these platforms, making them susceptible to deceptive messages and malicious links. It’s crucial for individuals to stay vigilant, recognize phishing attempts, and take necessary precautions to protect their online security.

What are Common Phishing Attacks?

The attackers use common types of phishing, some of which have been drafted underneath for your guidance. Skimming the basic know-how of phishing could save you from plausible worries.

Phishing Kits and Phishing

Phishing kits are a type of pre-made toolkit specifically designed to launch phishing attacks. It's essentially a package containing the tools and resources needed to create fake websites and emails that look legitimate. These kits typically include pre-designed website templates, email templates, scripts for sending emails, and tools for collecting stolen data. Phishing kits are often marketed towards individuals with little to no programming knowledge, making it easier for them to launch phishing campaigns.

Phishing is the overall act of attempting to trick someone into revealing personal information or clicking on malicious links. It's a cybercrime technique used to steal sensitive data like passwords, credit card information, or social security numbers.

Phishing can be done through various methods, including emails, text messages (smishing), phone calls (vishing), and social media messages. Attackers impersonate legitimate entities (banks, social media platforms, etc.) to create a sense of trust and urgency. Phishing attacks can range in sophistication. Some are crude attempts with obvious red flags, while others can be very convincing, mimicking real organizations and using psychological manipulation tactics.

One of the most common types of social engineering attacks is phishing. In phishing, the user is convinced for installing a particular program, and often the user is taken into trust that the program is from a trusted source and is genuine, while in reality, it is not the case. Sometimes the users are tricked into sharing personal, business, or financial information via email, chat applications, and by joining various websites.

For example, multiple websites ask for sharing your Facebook or Google profile. Some phishing attackers contact various users in the name of asking for charity while the main reason is to get your financial information such as bank account type and IBAN. Banking perhaps is the most vulnerable sector for phishing attackers.

Vishing

Phishing becomes vishing when executed on telephonic calls. The hackers, attackers, and offenders call the targeted persons, employees, and organizations directly and start the fishy story based on social engineering psychology.

Baiting

In baiting, the attacker or hacker tries to transmit malware to your personal computer through infected devices such as USB or CD. Once a person installs the program or transfers the data from such an infected device the attacker could get access to one’s system and thus can use the device for his purpose.

PreTexting

This kind of social engineering attack occurs when the attacker presents false circumstances and compels the client to share sensitive data. Instances have been reported where the attacker might act as a trusted financial industry that asks for your account information for verifying your identity on their website.

Quid Pro Quo

It is fascinating for the users to exchange their information for getting a special discount on buying the desired item or getting a gift. Such kinds of offers are presented to manipulate the users into sharing their data. Quid Pro Quo is a Latin term which means the exchange of goods and services and establishes the concept of give and take.

Spear Phishing

Spear Phishing is specific as it focuses on specific users or organizations. Such phishing attacks aim at building virtual contact. Free favor is extended initially and later on users are divulged into sharing their personal, sensitive information. Historically, these attackers have higher success rates. Usually, governments do not have much control over social media. So illiberal regimes also try to get into these tactics as the public can easily believe them. This has led to the weaponization of social media spear phishing and cyberattacks on democracy.

Tailgating

Unlike other types of social engineering attacks, the concept of tailgating is physical. In tailgating, an unauthorized individual or attacker follows an authorized attacker intending to get a chance to get access to relevant information. Such a person might ask for your laptop or phone for a minute as a favor and may tell you that he just has to send a text or email to his close acquaintance.

Three components of Social Engineering

Social engineering is the art of what three things? The question is quite valid and needs fair consideration. It's an art of manipulating, Influencing, and Deceiving. The technical fitness of hackers creates an environment to process their bad intentions. To you, learning the technical knowledge of elements of social engineering is vital.

1. Google Dorks (Advance Search Operators)

Google search becomes the entry point for phishing attacks. Especially crafted google searches are termed as the Google Dorks. This is also called Open Source Intelligence Gathering (OSIG or OSINT). It is therefore recommended that employees take extra care while selecting Google images for their official use. In the same stream, the phishers use hi-tech tools to accumulate data for misuse in the future. It is very easy for attackers to identify employees’ socialization platforms. Limiting access to highly confidential data could cope with phishing attacks.

2. Supply Chain Attacks

Phishing attackers use two channels to access the data of potential companies.

1. Direct access to a company’s website and an internal communication mechanism
2. Indirect access through the supply chain: vendors and suppliers

Contemporary POS thus appears to be more vulnerable to attackers who try to position themselves somewhere in the whole supply chain and sound to sign a contract for rendering outsourcing services. The whole story does start here and the target company incurs financial losses in the short run.

3. Email Oriented Attacks

The use of emails for phishing purposes has been very common throughout the digital age. The attackers write a researched and convincing story to either win your sympathy or motivate you to take initiative. Through emails, phishing experts launch malware and infected links into your inbox.

As soon as you click on the link or open the attachment, the process of phishing starts. Many of us have listened about the chiefs of Nigerian countries who, the scammers, motivate their target to transfer money to them for partnership or other logical purposes. Anyhow, people now know all about these attacks and know how to avoid such tactics. If you have put the auto-downloading off, email phishing could not harm you.

How to Detect Phishing Attacks?

It is quite imperative to detect phishing attacks before you get affected by a treacherous network of attackers. Keeping an eye on the following could help you prevent cyber attacks.

• The phishing attackers like purchasing domains that are usually misspelled and resemble some popular ethical domain. For example, social engineers may launch gimletrnedia.com parallel to gimletmedia.com to get the victims engaged emotionally and psychologically.

Similarly, you may receive a phishing email from totalpet.com for some fake hiring and showing that Total Petroleum is interested to hire you. If you are the relevant person in the same industry, it is more likely for you to be scammed within a few days.

• Well-written emails, stuffed with incorrect orthodoxy design, are always phishing attacks. This is because spammers rarely use a premium tool like Grammarly to check their emails before they send them.
• Genuine organizations always send emails from their official domain names. Be aware of the intentions of the hacker if you receive an official email from some public domain: gmail.com or hotmail.com.
• Voice calls from unknown sources are often called vishing attacks. It is better to not receive such calls to avoid plausible threats of social phishing attacks.
• Instead of approaching an individual, the attackers craft the systematic email and send it to thousands of receivers simultaneously. The probability of phishing victims increases this way. If you suspect that the same email has been sent to multiple receivers, make sure someone is trying to harm you.
• In the contemporary age of social media, fake accounts with photographs of celebrities are inciting people to engage with what they say and win a handsome amount as a cash prize. They then lead your nerves to derive the required data from you for your financial or reputational exploitation. Never take part in like such pages irrespective of the destination of these pages. This is therefore essential to know how to detect phishing attacks.
• Phishing attackers use infected links and attachments and motivate their prey to either download the malware-infected attachment or click on the link enclosed. Such links, usually, take you nowhere except to connect you to some mock website. A click on a viral link sometimes is enough to have access to your data and location, which further sets the stage to rob you of your confidential data.
• Unessential and irrelevant google searches may take you to the ruthless world of social phishing. Stop yourself from searching for unnecessary things in the Cyber Kingdom.

Example of a Phishing Attack

An email arrives in your inbox, congratulating you on winning a shopping spree. It asks you to click a link to claim your prize. Red flags include the sender's email domain not matching the alleged company's official domain and the urgency to act quickly.

Popular Social Engineering Attacks

Let me include some known social media phishing examples to highlight the gravity of phishing attacks! A few years ago, a phishing attacker used the counterfeit profile of Mark Zuckerberg, the director of Facebook. His fake profile was used to send emails to many for congratulating them that they had won the official lottery. The attacker then asked for personal and bank details to disburse the amount of the lottery.

Several people became victims consequently. Most people pretend to belong to the war-hit countries – Syria and Iraq – and request the target to disclose his complete bank account information for depositing a huge share of their legacy. They simply give the reason that the war has abolished their commercial life and they want to keep their money in safe hands.

Through tactics of social engineering psychology, scan the targets and take no mercy on you. The New York Times, a reliable newspaper, reported an instance where the attackers phished a retired army officer. He was approached for disbursement of his lottery funds amounting to $750,000. He was asked to deposit disbursement charges of more than $1000. He did it and finally got no response from the attacker.

Prevention and protection from social phishing attacks

Best phishing protection could be achieved by taking a few small things into account. Moreover, you could use phishing detection tools and techniques to avoid unwanted attacks.

• Be Wary of Clicks: Avoid clicking on links or opening attachments from unknown sources.
• Verify Sender Information: Double-check email addresses and contact details.
• Scrutinize URLs: Ensure the website you're visiting is secure and legitimate.
• Strong Passwords & MFA: Use robust passwords and enable Multi-Factor Authentication.
• Be Wary of Unsolicited Contact: Exercise caution with unexpected requests for personal information.
• Report Suspicious Activity: Notify the relevant authorities or platforms of any dubious interactions.

Conclusion

Phishing attacks and social engineering are significant threats in our digital world. By staying informed and exercising caution, we can protect ourselves and navigate the deceptive waters of cyber threats. Awareness is, indeed, our best defense.