I wrote yesterday about a scam on Twitter in which bots impersonate well-followed celebrities to trick followers into giving up cryptocurrency. But the scammers don't stop there. In some cases they combine a well-known name (such as Elon Musk) with Twitter's promoted tweets feature, so that the paid placement makes it look as though the celebrity endorses the post, as shown below:
Image Source: Sophos
The most disturbing part of this scam is that Twitter didn't catch the scam tweet for over 12 hours! In a world where a social engineering scam takes only seconds to compromise an endpoint, 12 hours is a lifetime!
But, is it really Twitter’s job to stop scams?
Of course, they would like to provide as safe an environment as possible for their users, but in all fairness, Twitter and the other social media platforms aren't exactly in the security business, right? There are far too many posts for them to verify that every one is legitimate.
From a corporate standpoint, organizations should begin with the assumption that social media platforms are not going to spot and stop scams; instead it's up to the organization to protect itself at the perimeter (with email, URL, and DNS protection), at the endpoint (via antivirus, endpoint protection, etc.), and at the user with Security Awareness Training. Educating users on something as simple as "the real celebrity's account carries the blue verified checkmark, and a promoted tweet from an account without it is not theirs" renders the "promoted" scam powerless. More importantly, by elevating the user's sense of security vigilance through Security Awareness Training, they would treat the tweet as suspect by default and never fall for whatever scam it's promoting.
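As an added example (not code from the original post and not a KnowBe4 product), here is a small Python triage heuristic that combines the signals this paragraph describes: an account borrowing a watch-listed celebrity's name or a look-alike handle while not being the real account, the promoted-but-unverified signal, giveaway wording, and a cryptocurrency address in the text. The watchlist entry, the scoring weights, the threshold and the sample tweets are assumptions constructed for this example; the one bech32 address is the BIP173 example address, used only for its shape.

```python
import re
import unicodedata
from dataclasses import dataclass

# Real accounts whose names scammers borrow. Illustrative single entry (the
# name mentioned in the post); extend with the brands/executives you care about.
WATCHLIST = {"elonmusk": "Elon Musk"}   # real handle -> real display name

GIVEAWAY_PHRASES = ("giving away", "giveaway", "send back", "double your")
# Loose shapes of BTC (legacy and bech32) and ETH addresses; format only, no checksum.
CRYPTO_ADDR = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[0-9a-fA-F]{40})\b"
)
FLAG_THRESHOLD = 4   # assumed weight cut-off; tune on your own data


@dataclass
class Tweet:
    handle: str          # without the leading @
    display_name: str
    verified: bool       # the blue checkmark
    promoted: bool       # paid placement
    text: str


def fold(s: str) -> str:
    """Collapse look-alike tricks so 'elonrnusk', 'eIonmusk', 'elon_musk' and
    'Elon Musk' all fold to 'elonmusk'. Applied to both sides of every comparison."""
    s = unicodedata.normalize("NFKD", s.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # strip accents
    s = re.sub(r"[^a-z0-9]", "", s)   # drop spaces, underscores, dots
    s = re.sub(r"[0-9]+$", "", s)     # drop trailing digits (elonmusk2018)
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")):
        s = s.replace(lookalike, real)
    return s


def impersonated_account(t: Tweet):
    """Return the real handle this tweet impersonates, or None."""
    if t.handle.lower() in WATCHLIST:
        return None   # it really is the watch-listed account
    for real_handle, real_name in WATCHLIST.items():
        if fold(t.handle) == fold(real_handle) or fold(t.display_name) == fold(real_name):
            return real_handle
    return None


def score_tweet(t: Tweet):
    """Return (score, reasons). A score of FLAG_THRESHOLD or more means 'treat as scam'."""
    score, reasons = 0, []
    target = impersonated_account(t)
    if target:
        score += 3
        reasons.append(f"impersonates @{target}")
    if t.promoted and not t.verified:          # the blue-checkmark check from the post
        score += 1
        reasons.append("promoted but unverified")
    text = t.text.lower()
    if any(p in text for p in GIVEAWAY_PHRASES):
        score += 1
        reasons.append("giveaway wording")
    if CRYPTO_ADDR.search(t.text):
        score += 2
        reasons.append("contains a crypto address")
    return score, reasons


def is_scam(t: Tweet) -> bool:
    return score_tweet(t)[0] >= FLAG_THRESHOLD


# Constructed sample tweets for this example; none of these are real posts.
SAMPLE_TWEETS = [
    Tweet("elonmusk", "Elon Musk", True, False, "Starship static fire test later today."),
    Tweet("elonrnusk", "Elon Musk", False, True,
          "I'm giving away 5,000 BTC to my followers! Send 0.1 BTC to "
          "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq and I send back 1 BTC."),
    Tweet("elon_musk_official", "Elon Musk", False, False,
          "Giveaway! Send 0.05 ETH to 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef "
          "to double your coins."),
    Tweet("corner_cafe", "Corner Cafe", False, True, "Giveaway: retweet to win a free mug!"),
]

if __name__ == "__main__":
    for t in SAMPLE_TWEETS:
        s, why = score_tweet(t)
        print(f"@{t.handle:<20} score={s} scam={s >= FLAG_THRESHOLD} {why}")
```

The fold step matters more than the keyword list: the scam accounts in these campaigns rarely reuse the exact real handle, so a plain string compare misses them, while "rn" for "m" or a capital I for a lowercase l slips past a human reader. Note that the genuine account and the coffee shop's harmless giveaway both stay under the threshold; the impersonation signal carries most of the weight.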
This scam is just one of many this week. There will be more next week, and the week after. So many that your users won't be able to keep up on a per-scam basis. With Security Awareness Training, the details of the scam won't matter; your users will spot it a mile away.
I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:
The bad guys are finding new ways to scam you on social media all the time. At the moment, fake celebrities are "giving away" cryptocurrency such as bitcoin on Twitter. The same scam has been seen on Facebook and other social media platforms. If it's too good to be true... Think Before You Click!
Train your employees not to fall for any kind of social engineering attack. Install the free Phish Alert Button on their workstations and mobile devices so they can report any suspicious message that makes it through the filters.
Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4's free Phish Alert Button to your employees' desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.