Think hackers can only get you through email, and not social media? Think again.
Arun Vishwanath discusses the two levels of phishing through social media:
Level 1: by connecting with you as a friend, and
Level 2: by reaching out for information.
As an IT professional, it is important that you train your coworkers on why they need to monitor who connects with them on social media.
Level 1: The Connection
The first step phishers take when trying to get information from others is to send a connection request under a common name with only vague profile details. It is important to monitor who becomes a “friend” on social media, because once connected they have access to everything about that person. It only takes one person within the network blindly accepting a connection to expose the whole group.
Arun ran a study to see what type of account would be most successful at phishing others. The results showed that accounts with common connections were more likely to get accepted than accounts without them, whether or not the profile had a photograph.
So once connected, the target is led to believe they know the new connection through mutual friends, and that is how the phishers/hackers get in.
Level 2: The Outreach
Now mobile devices make it easier, according to Arun, for strangers to connect. There isn’t an easy way to see the details that would validate the person, so it becomes harder to judge the authenticity of someone trying to connect when the request is viewed on a mobile device. The same goes for email.
It is harder to authenticate an email on mobile, since the source header isn’t visible. This includes receiving emails from “people you may know” who are in fact phishers who used what they could find on social media to create relatable content. They can even pose as the boss who needs certain information, or a credit card number.
People trust other people when it comes to social media; they like to put a person behind the facade. Once they’ve been hacked, they have a name or face to blame for the event, which is why it is important to make sure that connections are legitimate.
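The point above is that a mobile client shows the display name and hides the address and headers behind it. As an added illustration (not code from the podcast or from Arun Vishwanath), the script below pulls out exactly the hidden pieces from a raw message: the real address behind the From display name and any Reply-To that redirects answers elsewhere. The three messages and the trusted-domain list are constructed placeholders; in practice the list would come from the organisation’s own mail domains.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not real mail). Each uses a display name that
# looks like a known colleague; the difference lies in the parts a phone-sized
# client tends to hide: the address behind the name and the Reply-To header.
CLEAN_MESSAGE = """\
From: "Jane Doe (CFO)" <jane.doe@example.com>
To: staff@example.com
Subject: Quick question

Do you have the Q3 figures handy?
"""

LOOKALIKE_MESSAGE = """\
From: "Jane Doe (CFO)" <jane.doe@example-mail.net>
To: staff@example.com
Subject: Quick favour

I'm on my phone, can you send me the card number on file?
"""

REPLYTO_MESSAGE = """\
From: "Jane Doe (CFO)" <jane.doe@example.com>
Reply-To: accounts-payable@mailer-example.net
To: staff@example.com
Subject: Quick favour

Reply with the card number when you get a second.
"""

# Assumed set of domains the organisation actually sends from (placeholder).
TRUSTED_DOMAINS = {"example.com"}


def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has no '@'."""
    _head, at, tail = address.rpartition("@")
    return tail.lower() if at else ""


def sender_findings(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return reasons to distrust where a reply to this message would go.

    Only the From and Reply-To headers are inspected, i.e. exactly the
    information a mobile client collapses into a friendly display name.
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # The display name is what the recipient sees; the address is what counts.
    if from_domain not in trusted_domains:
        findings.append(
            f"display name {display_name!r} but address {from_addr!r} "
            f"is outside the trusted domains"
        )

    # A Reply-To on another domain silently reroutes the answer.
    for _name, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) != from_domain:
            findings.append(
                f"Reply-To {reply_addr!r} sends replies to a different domain "
                f"than the sender {from_addr!r}"
            )
    return findings


if __name__ == "__main__":
    samples = (
        ("clean", CLEAN_MESSAGE),
        ("lookalike", LOOKALIKE_MESSAGE),
        ("reply-to", REPLYTO_MESSAGE),
    )
    for label, raw in samples:
        print(label, sender_findings(raw) or "no findings")
```

The clean message produces no findings; the lookalike domain and the redirected Reply-To each produce one. Neither would be visible to someone reading the message on a phone that shows only “Jane Doe (CFO)”, which is the gap the training described above has to cover.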
How to Stop the Social Media Phishing:
Don’t cut off social media from the work environment completely. Arun has found that psychologically, “If you prohibit people from doing something they normally do, they are going to find a way to do it.” This may push the activity onto mobile devices, which can be more harmful than helpful.
The best approach would be to scare people out of accepting every request that comes in. Arun ran a test with some people in the office, with full permission, and found that 25% of the employees connected with his phishing account. He presented that information, which scared the employees into monitoring whom they accept.
Arun looks at the psychology of why people are susceptible to phishing and diagnoses the triggers that cause people to fall for it.
His work can be found at ArunVishwanath.us.
To listen to the whole podcast, click here.