People need to be on the lookout for phishing attacks sent from legitimate but compromised social media accounts, according to Paul Ducklin at Naked Security. Ducklin describes a scam sent in by a reader who received an unexpected message from one of their Facebook friends. The message said, “Hi [name]. Hope you’re all well. Do you use online banking? I need help paying a bill.” The recipient recognized that it was a scam, but continued the conversation to find out what the scammer would say.
The scammer went on to explain that they had locked themselves out of their banking account until midnight and needed to borrow £290 to pay a bill. The recipient asked for more details, and the scammer said they had taken out a loan from a real banking startup based in the UK.
“The situation here is plausible – anyone who has ever been forced to take out a short-term ‘payday loan’ will know that fees mount up quickly for missed payments – and many of us might decide that helping out a friend or family member is something we ought to do,” Ducklin explains.
Ducklin stresses that people need to be particularly vigilant for phishing attacks that come from their friends’ compromised accounts:
- “Always check your facts before you help friends in trouble. But take care how you get hold of a friend you’re worried about – never reply directly to an online account that could have been hacked. Find another way to contact your friend, based on information that you already have in your possession.
- “Let your friends know if you think they’ve been hacked. But never reply using the account that’s been hacked or else you are just tipping off the scammers. Find a different way to get hold of them, such as a phone call, where you’ll have a way to satisfy yourself you really are talking to them.
- “Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using 2FA means that your password alone is not enough for scammers to log in to your account.
- “Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.”
New-school security awareness training can help your employees defend themselves against scams in their personal and professional lives.
Naked Security has the story.