As part of this year’s Scams Awareness Week, MailGuard has partnered with the Australian Competition & Consumer Commission (ACCC) to help shine a spotlight on identity theft and scams. This year’s theme is “Be yourself. Don’t let a scammer be you.”
Today’s key message focuses on staying protected from social media scams.
Social media platforms like LinkedIn, Facebook, Twitter and Instagram have become an integral part of our lives. Many of us check our accounts daily to stay connected, especially amid a pandemic-ridden world of lockdowns and remote working, and cybercriminals are exploiting social media’s ubiquity to their advantage. For example, receiving new LinkedIn requests from unknown connections is a common occurrence – but would you be able to tell that this email we intercepted was a fake one?
We’re observing that as social media networks grow in popularity around the world, cybercriminals are using them as a hunting ground to gather information on users and to steal their identities. Sophisticated cybercriminal networks are more effective than ever in understanding their target ‘audience’. Through thorough research, they can create scams designed around a person's typical email use, preferences and habits. It’s little surprise that scams originating on social media increased by 20% last year, according to the ACCC’s Targeting Scams Report.
“Scammers troll social media accounts and information that you post or share such as your name, date of birth, location, names of pets, interests and hobbies, etc. can be used in harmful ways,” says the ACCC.
Scams like these rely on a technique called social engineering, a method of cybercrime that hinges on psychological manipulation. Hacking into a company using social engineering techniques is as simple as sending a cleverly worded email to people who work there, using information gleaned from sources like social media accounts. If criminals can trick one person into clicking on a malicious link or logging into a compromised website, they can use that person as an access point to the company’s most valuable data.
- Serious catfishing, where you enter into a “relationship” with someone via a dating website or social media, only to be asked repeatedly to help them out with money whenever they’re in a jam, even though you’ve never actually met in person
- False business invoices purportedly from a service your business already uses, like accounting software providers Xero, MYOB or Intuit
Cybercriminals can target both individuals and businesses, all drawing on how humans interact on a daily basis, and the fact that those individuals are gatekeepers to valuable data like bank account numbers, file storage, credit card details, etc.
On an individual level, cybercriminals can tailor their attacks and profile targets via publicly available data on social media platforms. Status updates, exchanges with friends, polls and quizzes, photos and videos can reveal a lot about a person, and scammers often use this information to guess your account passwords and impersonate you for illegal purposes. In addition, the proliferation of social media allows criminal networks to collect data on colleagues, family and friends, and where possible determine their movements, like when they might be at a conference or in a presentation or meeting. These insights translate directly into higher campaign performance and a wider victim pool.
Social media networks are also increasingly being used to commit business identity theft. Information about organisations and their employees is readily available on social media platforms like LinkedIn (like office addresses, details of new hires, upcoming corporate events, mergers, virtual office tours etc.). In addition, the social media accounts of employees may also reveal information related to their colleagues, bosses & companies. All this information can go a long way when attempting to impersonate businesses for fraudulent gains.
The ACCC recommends the following measures when using social media networks:
- Set your social media privacy settings to private and ensure you’re only sharing your photos and posts with people you know and trust.
- Don’t accept ‘friend’ requests from strangers.
- Review and reduce the number of apps on your device that can access your social media profile.
- If a known contact on social media asks for money or claims you’ve won a prize, call the family or friend directly using a trusted phone number to verify it was really them.
For businesses responding to other “businesses” on social media, it’s advisable to check they are verified and legitimate accounts (do a Google search and call the business in question directly). Secure & frequently changed passwords, multi-factor authentication and vigilant monitoring of the type of information shared & exchanged in social media accounts can also go a long way in preventing identity theft.
Nine out of 10 cyber-attacks occur via email, so we also encourage companies to ensure their business email security is up to scratch by adopting a strategic, multi-layered approach. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods and solutions, so that if one fails, the others will stop the threat.
You may already have native security from your email hosting provider, like Google or Microsoft, but it’s key to remember that no one vendor can stop all attacks. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, you can use a specialist third-party cloud email solution like MailGuard to complement Microsoft 365.
We recommend that you report any scam that you see or hear to the relevant authorities. Let this also be a good opportunity to re-evaluate your business’ cyber readiness and take proactive measures to help your teams become more cyber resilient. If you need more support in protecting your business from email scams, feel free to reach out to us at email@example.com.
As part of Scams Awareness Week, we will be focusing on scams related to business email compromise tomorrow. Watch our blog for more updates.