Most security organizations have long since lost the fight to keep employees from using social media on work computers; indeed, many people now have to be on Facebook or Twitter as part of their professional duties. The goal now is to help contain any damage from social media attacks—keeping in mind that even an attack via someone's personal account can affect their work lives.
To that end, we spoke to some security pros about scams and attack vectors that are springing up on social media. Here are their tips for avoiding social media scams.
Social media accounts aren't a shortcut to riches. The world of con artistry has seen endless variations of the get rich quick scheme. SEO expert Bradley Shaw points to one current example on Twitter, the "Twitter cash starter kit," which promises users that they can hit it rich on the platform in unspecified ways. The key to the scam? "Victims will pay an initial fee for the kit itself by entering their debit or credit card information," says Shaw. Once the scammer has access to that information, charges quickly mount: "Their cards are charged a hidden 'membership' fee of $50 each month after initial signup. They can also make further fraudulent charges."
You can't win a contest you never entered. There are plenty of "free" too-good-to-be-true enticements that can woo the unwary as well. J.A. Hitchcock, president of WHOA and WHOA-KTD, a volunteer organization that fights online harassment, notes one scam becoming increasingly popular on Snapchat. "A user gets a graphic that claims they are a winner. When they click on the graphic and fill out requested info, they're asked to download an app in order to receive a prize. That app most likely contains a virus."
Beware of wolves in brands' clothing… One particularly devious scam involves imitating a business's social media presence. "Fraudsters step up and grab unclaimed businesses on social media and act as the owner," says Julian Wong, architect at fraud detection provider DataVisor. "Someone looking to book an appointment at a spa reaches the fraudster instead of the legitimate business owner, who then takes the caller's credit card info as a 'down payment' to book or hold the appointment and then runs off with the money."
...especially if they're offering help. One scam exploits an aspect of life we've come to expect and rely on—that sometimes brand accounts seek you out, not the other way around. Companies ranging from cable providers to airlines automatically search social media to find people complaining about their services and then use support accounts to reach out and try to resolve issues. But those complaint tweets are public and those search tools are available to anybody. Philip Tully, senior data scientist at ZeroFOX, a company that detects risk on social media, outlines how this can get scary: a fake "support" account, with graphics and a bio borrowed from a real one, reaches out to someone having problems, asking them to log into a phishing site where they give their account number and password.
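The fake-support pattern Tully describes hinges on two signals a defender can check automatically: the replying handle is not on the company's verified support list but looks like one, and the reply pushes the customer to a link to "log in". The example below is an added illustration, not code from the article or from ZeroFOX or DataVisor; the official-handle set, the similarity threshold and the sample replies are constructed for the example, and the login-phrase list is a deliberately small assumption rather than a production ruleset.

```python
"""Flag replies to public complaints that claim to be brand support but
come from a non-official, lookalike handle (added example; constructed data)."""
from difflib import SequenceMatcher

# Constructed set of a company's genuine support handles (assumption for this example).
OFFICIAL_SUPPORT = {"examplecablehelp", "examplecable"}

# Constructed phrases that, combined with a link, suggest a credential-harvesting lure.
LOGIN_PHRASES = ("log in", "login", "sign in", "verify your account")


def normalize(handle: str) -> str:
    """Lower-case, strip a leading '@' and drop separators so that
    'Example_Cable.Help' compares equal to 'examplecablehelp'."""
    return handle.lower().lstrip("@").replace("_", "").replace(".", "").replace("-", "")


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two handles are after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def assess_reply(handle: str, text: str, threshold: float = 0.8) -> dict:
    """Classify an inbound reply to a public complaint.

    verdict is one of:
      "official"  - the handle is exactly a verified support account
      "lookalike" - not verified, but resembles one (the impersonation pattern
                    in the article: bio and graphics copied from a real account)
      "unknown"   - neither; still worth caution if it asks for a login
    asks_for_login_via_link is True when the text contains a link and a login phrase.
    """
    norm = normalize(handle)
    closest, score = max(
        ((official, similarity(norm, official)) for official in OFFICIAL_SUPPORT),
        key=lambda pair: pair[1],
    )
    if norm in OFFICIAL_SUPPORT:
        verdict = "official"
    elif score >= threshold:
        verdict = "lookalike"
    else:
        verdict = "unknown"

    lowered = text.lower()
    asks_for_login = "http" in lowered and any(p in lowered for p in LOGIN_PHRASES)
    return {
        "handle": handle,
        "verdict": verdict,
        "closest_official": closest,
        "similarity": round(score, 2),
        "asks_for_login_via_link": asks_for_login,
    }


if __name__ == "__main__":
    # Constructed sample replies to a public complaint.
    samples = [
        ("@ExampleCableHelp", "Sorry to hear that. DM us and we'll take a look."),
        ("@ExampleCable_Help1", "Please log in here to fix your service: http://example.invalid/login"),
        ("@randomuser42", "check out this http://example.invalid"),
    ]
    for handle, text in samples:
        print(assess_reply(handle, text))
```

Only the combination matters: a genuine support account may legitimately ask for an account number in a direct message, so the check treats "unverified lookalike handle" plus "log in via this link" as the signal worth escalating, rather than either alone.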