Facebook and the Lure of Phishing

From political intrigue during the election, to millions of dollars in tax fraud, to public embarrassment, phishing turns out to be an all-purpose cyber tool for the enterprising hacker. In one more link in a long chain of phishing exploits, Facebook and Google were in the news this past week when word became public that their employees had been targeted in a phishing scheme. The companies reportedly paid out $100 million to the scammer before the fraud was uncovered.

What is phishing? Usually, it involves a scammer attempting to manipulate the victim into installing malware or disclosing login credentials. Often, this is accomplished through email, where attackers can spoof legitimate business emails or emails from friends and family. While many modern email programs are fairly effective at weeding out potential phishing emails and spam, an unfortunate number may still get into your inbox. Phishing is effective because so many people fall for it.

Besides email, Facebook and other social networks remain a top choice for phishing, since attackers can often spoof entire profiles, giving the scam a credibility boost that email lacks. Who wouldn’t click a link shared by a “friend”? Another version of phishing, called spear-phishing, can use information on social networks to accomplish the scam. Spear-phishing is a more targeted version of traditional phishing attacks, and usually involves a more tailored approach. Since spear-phishing involves some level of research and targeting for a narrower population – or even one person – it’s usually pointed at higher value targets. In one famous example, the campaign manager for Hillary Clinton’s presidential bid in 2016 was lured by a very sleek spear-phishing email, which led to his emails being disclosed to the public.

How can you protect yourself? Fortunately, many researchers are working to reduce the threat of phishing. The Anti-Phishing Working Group has published a nice list of tips for consumers to help combat phishing through education. As always, be wary of links and attachments, and be mindful about the possibility that a friend’s social networking profile might have been spoofed. And if something seems too good to be true, it probably is.