Fighting The Phishers On Facebook And Twitter

Facebook and Twitter have both recently been hit by phishing scams. Despite the publicity, most phishers targeting enterprise data are not hooking victims via social networks—at least not yet.

“We’ve yet to respond to an incident where messaging from social networking sites like Facebook and LinkedIn was used to send the phish … but it’s coming,” said Rohyt Belani, CEO of Intrepidus Group. “I think the reason why it’s not a popular way to deliver phishing attacks against companies is because companies are still figuring out if they are going to embrace social networking or shun it. Companies are currently spending money on carefully monitoring their brand and trademarks, and they are wary to fully embrace social networking sites.”

Still, with companies looking to Twitter to reach out to customers, spear phishers may soon have a fantastic weapon to target enterprises.

“Mostly because of all of these URL length reduction services like http://twitpic.com/ or tinyurl.com,” Belani said, “the user has no idea where they are going to be redirected to when they click that link, and phishers are going to soon take advantage of that user behavior.”

Earlier this year, the Intrepidus Group performed a study of 69,000 employees from companies around the world using 32 phishing scenarios. What they found was 23 percent were susceptible to the attacks. Sixty percent of those who responded to the phishing e-mails did so within 3 hours of receiving them, according to the study.

“The successful phishing attacks are very targeted these days,” Belani said. “Attackers carefully plan their phishing e-mails and can extract valuable information from a variety of sources. Of course, business social network sites like LinkedIn are treasure troves of information for a phisher, but there are many other contact aggregators that are goldmines for social engineers [such as zoominfo.com and jigsaw.com].”

Over at Netragard, officials performed a penetration test using a bogus Facebook profile and tricked employees at an energy company into giving up credentials that could have been used to access the majority of the systems on the network, including the mainframe.

With that in mind, here are a few tips for training employees to avoid phishers:

1. Show, Don’t Just Tell. It helps if employees see how what they are learning applies to them. Consider showing them a real phishing e-mail and explain to them the types of tactics spear phishers use to target people both in and out of the office.

“If they feel like they are learning security tips that will help them at home as well as work, they will be more receptive to training,” Belani said. “Send them real mock phishing examples regularly to hone their skills. Make it fun.”

2. Evaluate Your Communication Policies. Businesses should take a look at their own policies around corporate communication and gauge just how vulnerable to phishing they are, Belani said.

“Do they regularly send out links in e-mail? Consider altering that behavior and in place of URLs in e-mail direct employees to the link on the intranet page ‘Intranet / Home / HR / New 401k.’”

3. It’s Not Paranoia If They Are Really After You. Some suspicion is a good thing. Teach employees to question e-mail, especially from new senders. If you get an unusual or unexpected message, attachment or question, try confirming its validity offline.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

17 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

18 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

19 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

20 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

23 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

1 day ago