Social media plays a big role in the world we live in today. We can use it to track down old friends, post fun details about vacations, and stay up to date on what's happening in the lives of family members that live hundreds of miles away.
The downside to social networking is all the scams that are constantly being spread. You won't believe the latest scam making the rounds.
Watch out for this spear phishing attack circulating on social media
We're talking about a spear phishing attack that picks its victims through their jobs, using the professional details people publish online. However, anyone can be targeted with this scam.
What's happening is, a fake profile has been created on several social media sites. The fictitious person is named "Mia Ash," and is supposedly a photographer based in London.
Image: Example of fraudulent Mia Ash social media profile. (Source: SecureWorks)
The cybercriminals behind this scam begin by connecting with potential victims on LinkedIn. They then invite those connections to accept a friend request on Facebook, to have more intimate conversations.
Once the victim accepts the friend request, "Mia" sends a phishing email containing a malicious link. Researchers with SecureWorks say the link leads to an Excel or Word document, and if the victim clicks through Office's warning to enable macros, the embedded code installs a remote access Trojan (RAT) on their gadget.
Once the RAT is running, the cybercriminals have remote control of the victim's system. That lets them steal sensitive information and use the infected machine as a foothold to spread malware to other computers on the same network.
SecureWorks attributes the campaign to a group it tracks as COBALT GYPSY, which is believed to be working on behalf of the Iranian government. This isn't the first time scammers have used fake social media profiles to reel in new victims, and it won't be the last.
The best way to avoid this type of scam is to not accept friend requests on social networking sites from people you've not met in person. You also need to be able to recognize phishing emails. Keep reading for suggestions that will help.
How to protect against social media spear phishing:
- Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always safer to type a website's address directly into a browser than to click on a link.
- Do NOT enable macros - You should never download PDF, Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it tells you to turn on macros (Office phrases this as "Enable Content" or "Enable Editing" in the yellow bar at the top), close the file and delete it immediately. A document that you simply need to read almost never needs macros to display its contents; that prompt is the trap.
- Stay away from posting work details - It's unnecessary for you to associate work details with your Facebook profile. Cybercriminals use this information to target specific groups.
- Be judicious with friend requests - It's best not to friend someone on social media that you've never met in person.
- Watch for typos - Phishing scams are infamous for typos and grammatical errors, so watch for them in suspicious emails. Don't rely on this alone, though: a targeted campaign like Mia Ash is built around a polished profile and friendly conversation, so clean writing is no guarantee that a message is genuine. Take our phishing IQ test to see if you can spot a fake email.
- Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. A password manager makes it easy to keep a different password for every site. Click here to find out how to create strong passwords.
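The attack chain above and the "Do NOT enable macros" tip both come down to one question: does this attachment contain a VBA project at all? As an added example (not from the article, SecureWorks, or the Mia Ash campaign itself), here is a small Python triage script that answers it by inspecting the file's bytes rather than opening it in Office. The modern .docx/.docm/.xlsx/.xlsm check reads the zip listing and the package's content types; the legacy .doc/.xls check is a byte-search heuristic for the `_VBA_PROJECT` directory entry, not a full OLE2 parse. The sample files are constructed inside the script and only mimic the container layout of real documents.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Magic bytes of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm/.xlsx/.xlsm (OOXML zip package)

# Directory entry names inside an OLE2 file are stored as UTF-16LE. "_VBA_PROJECT" appears in
# both Word ("Macros/VBA/_VBA_PROJECT") and Excel ("_VBA_PROJECT_CUR") macro storages.
# A raw byte search for it is a heuristic, not a full OLE2 directory walk.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# Content type that OOXML packages declare for the part holding macro code.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


@dataclass
class MacroVerdict:
    has_macros: bool
    container: str                       # "ooxml", "ole" or "unknown"
    evidence: list = field(default_factory=list)


def inspect_office_bytes(data: bytes) -> MacroVerdict:
    """Report whether an Office file carries a VBA project, without opening it in Office."""
    if data.startswith(ZIP_MAGIC):
        return _inspect_ooxml(data)
    if data.startswith(OLE_MAGIC):
        return _inspect_ole(data)
    return MacroVerdict(False, "unknown", ["not an Office container"])


def _inspect_ooxml(data: bytes) -> MacroVerdict:
    evidence = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The macro code lives in a vbaProject.bin part under word/, xl/ or ppt/.
            evidence += [f"VBA part present: {n}" for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in content_types:
                    evidence.append("content types declare a vbaProject part")
    except zipfile.BadZipFile:
        return MacroVerdict(False, "unknown", ["corrupt zip container"])
    return MacroVerdict(bool(evidence), "ooxml", evidence)


def _inspect_ole(data: bytes) -> MacroVerdict:
    evidence = []
    if OLE_VBA_MARKER in data:
        evidence.append("OLE directory entry named _VBA_PROJECT")
    return MacroVerdict(bool(evidence), "ole", evidence)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the macro check with the file name: a .docx/.xlsx that contains VBA is doubly suspicious."""
    verdict = inspect_office_bytes(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_macro_free = ext in {"docx", "xlsx", "pptx"}
    return {
        "file": filename,
        "container": verdict.container,
        "has_macros": verdict.has_macros,
        "extension_mismatch": verdict.has_macros and claims_macro_free,
        "evidence": verdict.evidence,
        "action": ("Do not open and do not enable content; report it" if verdict.has_macros
                   else "No VBA project found; still treat unsolicited files with suspicion"),
    }


def build_ooxml_sample(with_vba: bool) -> bytes:
    """Constructed fixture: a minimal OOXML package, not a real Word file (enough for the check above)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
                 'officedocument.wordprocessingml.document.main+xml"/>')
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                     f'content-types">{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"dummy VBA project")
    return buf.getvalue()


# Constructed samples standing in for the kind of lure documents the article describes.
SAMPLE_DOCM = build_ooxml_sample(with_vba=True)
SAMPLE_DOCX = build_ooxml_sample(with_vba=False)
SAMPLE_XLS = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 64   # legacy workbook with a VBA storage

if __name__ == "__main__":
    for name, blob in [("portfolio.docm", SAMPLE_DOCM), ("photos.docx", SAMPLE_DOCX), ("survey.xls", SAMPLE_XLS)]:
        print(triage_attachment(name, blob))
```

A plain document that you only need to read should come back with `has_macros` False. If it comes back True, especially for a file that calls itself .docx or .xlsx, the right move is the tip above: close it, delete it, and report it rather than enabling anything. On real files, the oletools `olevba` utility performs the same check with a proper OLE2 parse and also extracts the macro source for analysis.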