Employee training is key to any business's defense against cyberattacks. According to PhishMe, an estimated 91% of cyberattacks start with a phishing email -- an attempt to secure personal or sensitive information by posing as a legitimate actor. It makes sense then that many businesses focus cybersecurity training on recognition of email phishing scams. However, recent studies show that cybercriminals are increasingly turning to social media to bait their prey. In 2016, social media phishing increased by an estimated 500%, and victims are more likely to fall for these scams. Cybersecurity training needs to adapt to this fast-growing form of attack.
A recent article in the New York Times describes a breach at the Pentagon that can be traced back to the wife of an employee who clicked on a link in a social media post. She was discussing summer vacation plans with friends online when a post about deals on summer travel appeared in her social media feed. She clicked on the malicious link. Once the criminals had access to the wife's device, they were able to reach her husband's computer through the couple's shared home network.
Information posted on social media or anywhere online gives cyberthieves clues that help them craft effective phishing campaigns. Consider if a criminal knows where you vacation, who your boss is, which restaurants you frequent, or what sports teams you follow -- if an email or social media post pops up related to those interests, you're more likely to click.
Since people feel that they are among friends on their social media accounts, they are more trusting and thus more likely to fall victim to fraud. While an estimated 30% of spear phishing emails are opened, 66% of victims will click if the spear phishing message is sent through social media. Like a spoofed email address, posts may appear to come from known sources but are in reality imitations. The number of fraudulent social media accounts on Facebook and Twitter grew by 100% in the last quarter of 2016, according to Proofpoint.
A favored tactic of cybercriminals is posing as a customer service representative of a large brand offering to solve a problem after a consumer uses social media to reach out to the company. This scam has been labeled "angler phishing." The realistic-looking accounts and websites trick customers into revealing all sorts of sensitive information and passwords. A 2015 study estimated that almost 20% of social media accounts supposedly owned by big brands were fake.
For businesses looking to protect their networks and data, it's important to ensure that employees are aware of the evolving tactics of cybercriminals and educated on the risks of over-sharing and over-trusting online.