Phishing Awareness: Impersonation & Social Media

Mass-Target Brand Impersonations & Social Media Phishing Attacks

Mass-Target Brand Impersonations

A Mass-Target Brand Impersonation occurs when scammers send a malicious email to individual(s) or mass users of any organization by impersonating a known individual, business partner, or service provider. During a Mass Phishing Attack, phishers impersonate a brand and use that brand, specifically, to seem credible to targeted victims in order for them to steal personal information. The targeted group will have some common interest based on their brand preferences, demographics, and life choices. The potential victims will receive a mass email that is actually a cloned version of a transactional email, such as receipts, payment reminders, or gift cards. 

Microsoft remains the most phished brand, as hacker techniques continue to evolve

Overall, Microsoft remained the most impersonated brand in phishing attacks for the fourth straight quarter. Microsoft’s sustained popularity with hackers stems from the lucrativeness of Office 365 credentials, which provide a single entry point to the entire Office 365 suite while enabling them to conduct multi-phased attacks using compromised accounts. Moreover, analysis of phishing emails and pages reveals that attackers are getting increasingly sophisticated with attacks targeting corporate email users.

30% of phishing messages get opened by targeted users (Verizon)

While a Mass Phishing Attack is personalized and targeted specifically to you, it is more likely that you will open the email. This is why it is very important for you and your business to take personal precautions. 

A way in which you can prevent a Mass Phishing Attack is by checking details from an email when it is received. Discover whether you are marked in the “To” section or “cc” section of the received mail. Avoid replying to an email marked to you with an unknown set of people.

Social Media Attacks

Social Media Attacks are a type of fraud in which users receive an enticing invitation to click on an infected link or provide personal information. While the primary attack vector for “regular” phishing is through email, social media phishing, is – you guess it – primarily perpetrated through social media sites. As we explained in Different Types of Phishing & How to Prevent It, phishing is defined as social engineering using digital methods for malicious purposes. In the case of social media, there are numerous forms of phishing that occur:

  • Impersonation

Because phishing is the malicious use of social engineering, impersonation plays a huge role in the success of an attack. By posing as someone with any kind of authority, it’s easy to damage that person, the brand associated with them, and trick users into taking a specific action. This doesn’t include parody accounts, which are commonly labeled, but more so incidents that negatively impact users. One of the most common examples is that when a celebrity posts a Twitter, a threat actor replies to it, posing as that user, saying they are giving away free bitcoins. Hint: they aren’t.

  • Credential Theft / Propagation 

Not only are threat actors sending phishing attacks right on social platforms, they also trick users into logging into fake landing pages, which in turn hands over their credentials. When this happens, a threat actor can gain access to the user’s account, and further, propagate attacks to trick new users into handing over their credentials or act more like a BEC attack and ask for a wire transfer.

  • Data Dumps

It’s not uncommon for dumps of breached databases to make the rounds on the internet. This can happen on dumpsites, forums, and even sold on the dark web or other marketplaces.

  • Intelligence gathering (for account takeover and spear phishing)

Quick, what was the name of your first pet? It was fluffy, wasn’t it? Well, that post you shared on social media 10 years ago just happens to contain the information used to reset passwords. How about personal information about your life beyond the basics? A threat actor can find that too, and then use that information to build a sophisticated spear phishing campaign custom-designed for you.

Social media phishing, primarily Facebook and Instagram, saw the highest quarter- over-quarter growth of any industry with a 74.7 percent increase, according to the Vade Secure Phishers’ Favorites report for Q1 2019.

Here are a few tips on how to avoid becoming a victim of social media phishing:

  • Do not click on links in posts, tweets or direct messages unless you are 100% certain that they are genuine and well-intentioned.
  • Take time to consider your actions before responding to approaches on social media.
  • Ask yourself if somebody genuine would really contact you in this way with this information.
  • Recognize threats of financial issues or offers that seem too good to be true, for what they really are.
  • If in doubt, call the correct number of the organization or individual from whom the post or tweet claims to be from, to check its authenticity.
  • Even if the post or tweet seems to come from someone you trust, their account may have been hacked or spoofed.
  • If the approach is via Twitter, note that accounts of legitimate businesses usually feature a blue ‘verified’ tick to indicate that the account is authentic. They will also never request login credentials.
  • Also, check for the number of followers on the account. Genuine organizations – including their customer support handles – are likely to have a much larger following.

To learn how CIT can protect your organization, employees, brands, and users from social media-based digital risks, learn about our Cybersecurity Services.

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised. 

Don’t Gamble With Your Security  Contact us