Have you gotten any questionable friend requests on Facebook recently? Received a suspicious email or verification code attempt claiming to come from Dell, Google, or Apple, perhaps? You’re not alone. But beware before you click “Accept,” visit a link, or start providing information — a recent uptick in such incidents has alarmed security experts, who worry that hackers are increasingly using illicit means to steal your data or gain access to your personally identifiable information.
Why would anyone attempt such a complex attack?
The main answer is also the most obvious: for social engineering. Defined as an attempt by cyber criminals to gain access to personal information about you that you may otherwise restrict to friends or connections only, social engineering often starts with your email address. Once a hacker has that, he or she can send endless amounts of spam to you — but also potentially hack into your account to send spam to those in your contact list.
The longer con comes from hackers who will then try to identify your closest peers, co-workers, and superiors. Once that network is infiltrated, the classic example of phishing can occur: hackers create an email address that very closely mirrors that of an executive at your company (think firstname.lastname@example.org instead of email@example.com), then send requests for private records, financial information, or wire transfers in hopes that such commands will be followed by a subordinate without question or caution.
The friend request scheme also has another nefarious aim: if you blindly approve those fake-looking friend requests, you’ll probably find posts or messages that include viral links to funny animal videos, cute kid stories, or other Internet fluff. But don’t let their innocuous titles fool you: often these posts or messages will feature bogus links that lead to malware-infected sites or phishing sites that could cultivate your personal information, steal passwords, and embed themselves onto your own Facebook newsfeed, where more of your friends and family could click and get infected.
So how can you spot a fake Facebook friend request or bogus customer email, attachment, or website?
1. If you don’t personally know the person (or don’t share several friends in common), don’t click “Accept.”
This one seems obvious, but we all overlook it sometimes in hopes of expanding our social network. Even if the contact might seem like an old friend of an old friend, if you don’t remember meeting them in real life or don’t know them through your present-day professional networks, chances are it’s a fake. Check the person’s list of friends and choose the “mutual” drop-down to see whom you both know. If any of your mutual friends are on the list, message them to see if they know the person.
2. Change your privacy settings.
As Facebook scams have proliferated and the platform has increasingly been in the news for its security snafus, this should become standard operating procedure: click the arrow in the upper right-hand corner of the Facebook toolbar, then click Privacy from the left-hand menu, then edit each question under Privacy Settings & Tools to either “Friends” or “Friends of Friends.” Beware any category set to “Public”!
3. Watch out for friend requests that come from profiles with very little activity, an unusually small (or large) number of friends, grammatically incorrect or illegible writing, or nothing but shared videos and photos on their timeline.
This can apply to Facebook, LinkedIn, Twitter, Instagram, Snapchat, or any social media service. If the profile looks brand new, consider this another tip-off that the person is most likely a fake. In addition, fake profiles will often feature an extremely low or high number of friends or connections — either the scammers have expended little effort setting up their fake profile or they’ve sent out a blitz of friend requests to other scammers, all of which have been approved. And if you see no personally identifiable posts — think location check-ins, silly status updates, or selfies — be suspicious and don’t click “Approve.”
4. Look closely for malicious emails and attachments, along with suspicious web links and phone calls.
This social engineering scam rears its ugly head every few months, with everyone from senior citizens to tax preparers to Microsoft customers susceptible. In October, the big news came when Dell announced that a website it had set up to help customers recover from malicious software may have been hijacked over the summer by hackers who specialize in deploying such malware. The cause? Nothing more than a lapsed domain renewal. That lapse is exactly the kind of lazy Internet policing that cybercriminals hope for.
5. Make sure everyone at your company undergoes online security training.
Whether they’re new employees coming on board or existing employees who’ve been an integral part of your business for years, regular, ongoing security training is a must. Although these services range widely in scope and duration, the basics are easy: don’t open any email attachment from a user you don’t recognize, validate web links before you click by hovering over them or manually typing them into a browser, and always keep an eye out for discrepancies in email domain names, subject lines, and body copy.
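The lookalike executive address described in the phishing section above and the “discrepancies in email domain names” training point both come down to one check: does the sender’s domain really belong to your company, or merely resemble it? The following is an added illustration, not code from the original post or from CMIT Solutions; the trusted domain, executive name, and sample From: headers are constructed values.

```python
from email.utils import parseaddr

# Constructed sample values: the organisation's genuine domain and the
# executives whose identity business email compromise attempts borrow.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return warnings for a From: header; an empty list means nothing looked off."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address in From header"]
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return []  # genuine internal sender, nothing to flag
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]  # "example" from "example.com"
        if edit_distance(domain, trusted) <= 2:
            # One or two swapped/added letters, e.g. examp1e.com or example.co
            warnings.append(f"lookalike domain: {domain} resembles {trusted}")
        elif base in domain:
            # Company name embedded in an unrelated domain, e.g. example-corp.com
            warnings.append(f"domain {domain} embeds trusted name '{base}'")
    if name.strip().lower() in EXECUTIVE_NAMES:
        # Display name matches an executive but the mailbox is external
        warnings.append(f"display name '{name}' matches an executive but sender is external")
    return warnings


SAMPLE_HEADERS = [  # constructed examples, not real senders
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <ceo.janedoe@gmail.com>",
    "Accounts Payable <ap@example-corp.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header) or ["ok"])
```

A mail gateway rule or a help-desk triage script can run the same check against the From: and Reply-To: headers; a domain that is merely similar to your own is exactly the case the training point tells employees to look for.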
What’s at stake with these kinds of scams?
Just the security of your company’s data, the sanctity of its finances, and the stability of its reputation. Hackers routinely steal billions of dollars through social media scams, ransomware attempts, and business email compromise. And the information required to perpetrate such heists often comes through the simplest of means.
If you do receive a fake friend request, suspicious financial transfer email, or illicit email, report it to the responsible service and alert your IT provider. The more security experts know about these hacking attempts, the more we can try to fight them using proactive monitoring, anti-spam and anti-malware services, and multi-layered network security solutions.
Want to know more about how to keep your systems and business information safe while avoiding social engineering and business email compromise attempts? Contact CMIT Solutions today. We worry about your IT so you don’t have to, freeing you up to do your job more efficiently and productively.