Fraud and Social Media: Phishing for Data
Susan Friedland, Marketing and Communications
Shapiro Financial Security Group, Inc.
June 26, 2015
- ‘Phishing’ in which online attempts are made to steal personal and company information.
- Malware infection in which malicious codes such as viruses, worms, and Trojan horses are injected into the computers’ operating system. As with phishing, we are more likely to download/open files that come from our friends therefore exposing us to infection with codes that are designed to track online activities and give access to ID’s and passwords.
- Confidence schemes designed to separate you from your money in which cybercriminals try to extort money from hijacked accounts:
- For example, after stealing someone’s online identity, the thief will send out a distressed plea for cash to the friends of the victims. A typical approach may be: “I’m traveling abroad and all of my money and documents have been lost. Please wire me $500 so I can get home.”[i]
- A member of our firm recently received an email stating that a relative of his in Wales had recently passed away, and he could inherit $850,000 if he would send them his contact information, including his bank account number so they could deposit his inheritance. (Our staff member has no relatives in Wales. He deleted the email.)
- Collecting information on specific people as a precursor for targeted phishing attacks. When Anthem Insurance had their database breached, the hackers were able to access as many as 80 million records for customers and employees. The thieves were then able to use the information gathered to target the hacked clients with personalized emails that encouraged them to click on a link for bogus credit monitoring services.[ii]
- Selling hijacked accounts to others who then use them for the above purposes as well as selling stolen data.[iii]
It doesn’t take much sophistication to cause damage. Cybercriminals can carry out low-tech attacks by building a convincing fake company or personal profile, connecting to the desired target on a social media site, and using the site to slander the company or to attempt to defraud the person and his/ her friends and family. On the other end of the spectrum, hackers can use highly sophisticated techniques designed to bring down a major company as happened with Sony Corporation in 2014.[iv]
In an SEC Form 10 filing, Facebook estimated that nearly 15 million of it’s accounts are “undesirable”, with nearly 100 million considered “false” accounts. Twitter estimates that approximately 10% of its accounts are fraudulent.[v]
Not surprisingly, financial institutions, health care and technology companies are the primary targets of hackers as they net the most potentially profitable information. 71% of phishing scams detected in 2014 were aimed at financial institutions.[vi] Google, Facebook, Yahoo, Apple and Dropbox are the top five tech companies that are impersonated by phishing sites.[vii]
Although it would seem that hacking into Facebook or other social sites would not bring monetary rewards, it actually opens opportunities that eventually do bring profits. In the first quarter of 2015, Facebook had 1.44 billion users worldwide with 210 million of them in the United States and Canada.[viii] With this level of popularity, the opportunities for cybercriminals are vast.
We are going to look at phishing in depth as it is usually the gateway into the various criminal schemes and is the point at which we, as consumers, can protect ourselves most effectively, if not completely.
Phishing is an attempt to steal your identity via the use of various scams. The most common of these attempts are made via emails that claim to be from a well-known company or known person. Other attempts are made via malicious pop-up windows on websites and by ‘spoof’ or fake websites.
A typical phishing email or website spoof is made to look as if it comes from a legitimate source. The email then leads to a spoofed or fake website that, in turn, makes the email look legitimate. They are designed to trick you into providing personal information such as Social Security numbers, account passwords, credit and debit card numbers. They use catchy statements, graphics and logos that look legitimate. There are appeals to take action that encourage the victim to click through to the hackers’ site. For example:
Urgent messages that attempt to frighten the user by telling them:
- An account will be shut down if the victim doesn’t respond.
- Due to a technical update, the user needs to reactivate or update their information.
- Recent changes in the law require users to identify themselves.[ix]
- Quizzes, colorful banners, surveys or giveaways are all used as lures to catch ones’ attention.
In a technique called ‘spear phishing', the use of the stolen information is enhanced by accumulating information on the target or targets via available online resources: social media, news articles, publications, corporate directories, profiles, etc. The information is then culled to craft an email or site that will catch the attention of potential victims. In the Sony scandal, the initial attack was via an email phishing campaign that targeted several system administrators. The administrators were fooled into clicking on a link to a malicious website that then requested their Apple ID’s and passwords.[x]
According to Verizon’s 2015 Data Breach Investigations Report, “10 phishing emails are sufficient to yield a greater than 90% probability of drawing a bead on a victim, with 1 out of 25 recipients of malicious messages getting caught in the net.”[xi] Kaspersky Security Network, an anti-virus security firm, registers more than 20,000 incidents per day in which social network users attempt to follow links leading to fake Facebook pages.[xii]
Users can land on fake webpages in a number of ways:
False emails purporting to be from a social network or business that seem to come from real email accounts.
- One such scam sent false emails pretending to be from popular networking sites. It contained fictitious offers for popular software upgrades and fake tax forms. If clicked, these ‘offers’ then took the victim to sites where their computers were infected with malware, allowing the criminals to access the computer system remotely and steal their personal information, passwords and on-line transaction information. The hackers were even able to log onto the victim’s computer to conduct banking transactions.[xiii]
- The IRS and the SEC have both been targeted in fake email scams. One purported to be from the IRS Taxpayer Advocate Service and included a fake case number and links to the supposed ‘advocate’. The links then led to a spoofed webpage that phished for personal information. Another was supposedly from SEC staff using the name of the SEC’s Director of the Office of Investor Education and Advocacy. It contained a link to malware.[xiv]
- Another scam sends emails that appear to originate from a financial institution that ‘acquired’ the consumer’s bank, savings and loan or mortgage institution. They direct users to update, validate or confirm account information by clicking on a link that then takes the victim to a spoofed website that looks like that of a legitimate financial institution or lender.[xv]
Messages in social networks that are sent from fake or hijacked accounts.
These may imitate short personal messages and contain a question like “Is that you in this photo?” and a link to the “photo”. If a user follows the link provided, they land on a fake Facebook login page that contains the standard message “Log in to continue”. If clicked, the user is redirected to a phony webpage and their login information is compromised.[xvi]
Search engine results. There are several ways cybercriminals have targeted victims when they type in or search for a web address:
- They have set up websites that appropriate the name and/or websites of legitimate brokerage firms to solicit business from potential investors. They may even claim that they are members of the Securities Investor Protection Corporation (SPIC) and are registered with the Financial Industry Regulatory Authority (FINRA).[xvii]
- They have learned to modify a directory called a host file in Microsoft Windows that can turn your browser into a vehicle for a phishing excursion. The Windows Hosts file allows the user to define which domain names (websites) are linked to which IP addresses. It can be used to block websites, redirect them, create shortcuts, local domains, and more.[xviii] Thieves have coopted this function so when you type in a Web address from your browser, you are directed to a fraudulent site.[xix]
- The domain server itself may be corrupted, thereby leading users to a look-alike site.[xx]
Messages sent from compromised legitimate email accounts to their associated address lists.
Advertising banners with attractive graphics or masquerading as network notifications.[xxi]
Protecting Yourself Online
Your first defense is your own common sense. The Verizon study noted that more than 50% of recipients open a phishing email within the first hour, 23% at some point and 11% open the attachments.[xxii] If you have any concern over an email with an attachment or a link, DO NOT open the link or the attachment. Delete it.
Phishing websites and emails are often poor in quality as they are designed to be transient. If the quality of a logo or the text strikes you as poor, be suspicious.[xxiii] The grammar or spelling may also be incorrect. Leave the site immediately and run a security scan on your device.
Keep your computers’ anti-virus and firewall protections up to date. Consider using an anti-malware program such as Malwarebytes.com. to periodically search for undetected malicious code.
Before clicking any link, banner, following a page, or opening an attachment, always check the web address and the sender’s email address.
Roll your mouse over the link to read the URL address.
Pay attention to whether there is a secure connection – Facebook, LinkedIn, and Twitter all use the HTTPS protocol to submit data. A small padlock symbol - - in the browser bar also tells you that the site is secure. However, while even the presence of the https and the padlock may not guarantee the safety and authenticity of a site, the absence of a secure connection, even if it is the correct address, does mean that the site is not secure.[xxv] Always be sure that the site shows the https designation before submitting any data or engaging in any type of transaction.
Often cybercriminals will use words resembling the actual site’s address, but the real site name is at the end of the URL. Sometimes, the entire address is different.
Be cautious if the URL begins with an IP address such as: http://22.214.171.124/firstgenericbank/account-update/.[xxvi]
Avoid clicking on the ‘Unsubscribe’ option as well. This is another route for collection of your information as it verifies your email address as legitimate.
Unfortunately, this is not infallible - these criminals now have figured out how to bury technical code behind the link, thereby making it almost impossible to detect.[xxvii].
Research with whom you are doing business before opening any account or submitting any personal or business information. Research the firm’s professional memberships and look at the organizations’ credentialing bureaus to be sure the company is legitimate. For personal contacts, if the tone of the message appears out of character or too generic, be suspicious and don’t click through until you have verified the contact personally.
Beware of over sharing on social networks such as Facebook as you do not control who ultimately sees your posts. Unfortunately, 1 in 40 children are victims of identity theft and information available on social media is a contributor to that.[xxviii] Do not post valid personal information for any family member. Some strategies:
Make up a birthdate – you won’t get birthday wishes on your special day, but identity thieves will not get it either.
Post your location using a region rather than your town. New York City rather than Ocean City.
Ignore Facebook’s constant request for more information to ‘complete your profile’.
Avoid posting the name of your childhood pet, your mother’s maiden name, the street you grew up on or any information that you may use to answer a security question on a legitimate site.
Do not geo-tag your pictures, especially those of your children. It tells anyone who cares to know where and when the picture was taken and can put the child at risk.[xxix]
Equifax and Experian offer services that will monitor your credit, give some protection against ID theft, provide change of address monitoring and may monitor your social security number for fraudulent use. American Express also offers a service called Credit Secure. The services are:
If you do notice any discrepancies, act as quickly as possible. Contact the institution or company immediately to notify them of the possible fraudulent activity. For identity theft, contact the Federal Trade Commission. Their Identity Theft website is: https://www.identitytheft.gov/
Unfortunately, it is not possible to completely protect yourself online. Identity thieves and other criminals work overtime to come up with new ways to get around the protections that are available. However, the more educated and aware we are as consumers, the better chance we have at minimizing our chances of being harmed.