Heimdal Online Security: Social Scams The Full Breakdown and Protection Plan

Remember the time when our email inbox was filled with requests to help endangered (and filthy rich) Nigerian princes?


Those scams never died, they just evolved. Attackers improved their tactics and changed the channel.


More people connected to the internet means that cyber criminals just have more potential victims. And when internet users migrate towards the social networks, guess where the attackers will be waiting?


Does this look familiar?


I bet you thought it’s a harmless post. But you could be just one click away from a nasty malware infection.


That’s why we decided to break down social media scams, so you can know what to expect and how to protect yourself.


Here’s the rundown of what you can learn from this article:

  • Core reasons behind scams on social networks
  • How scammers take advantage of social networks to make money
  • Common tricks you can come across
  • Social media scams on Facebook, Instagram, Twitter and more
  • Get it done: Must have in-account & on-device security settings

Core reasons behind scams on social networks


  1. Make more money

Scammers plan most of their scams with one and only goal in mind: money. They will do anything to monetize your actions and your sensitive information.


They trick you to click on a link, download or install something, like or follow a social profile, share something or send it to your friends. They’ll try to gain any type of information from and about you that they can exploit or simply sell to others. They’ll even try to talk you into willingly sending them money.


  2. Just for fun

However, some of these scams are done just for fun or out of curiosity, to find out if and how something works.


A quick example of a basically harmless scam: you’ve most likely come across at least one chain letter passed on via popular social networks. These are messages that claim that the owners of the network will start charging users or that it will shut down. They prompt you to forward the message to everyone you know in order to stop the shutdown. Others claim that a brand or celebrity will donate money to a charity cause for every share of that message.


These kinds of scams are only social media clutter and noise. But they can also turn malicious very quickly.


How scammers take advantage of social networks to make money


  1. They trick you into visiting websites and / or clicking on ads

Most websites make money from selling advertisements. The most common type of advertising is based on paying for impressions (page views – how many times did a potential customer view an ad?).


The impressions system is based purely on traffic, on the number of times an ad was displayed to a user while viewing a web page.


The pay-per-click system means that advertisers only pay the website when a user clicks on an ad.


This system can be tricked by generating clicks that don’t come from genuinely interested users, or by hijacking clicks that were intended for a legitimate advertiser.

You may argue that it’s harmless, and that an individual page view or click will only bring scammers a tiny amount of money.


So what if they trick you into clicking on an ad and you thought it’s a completely different thing? Only wasted time, right?


Well, if you start multiplying those few cents from your click with other millions of clicks that they managed to gather, you’ll see that scammers can fraudulently raise serious amounts of money.


This is called “Click fraud” and, according to a report from the Association of National Advertisers, marketers all over the world could lose this year up to $7.2 billion because of it.


It’s also worth noting that 90% of web attacks are delivered through advertising networks.
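
The impression-versus-click logic described above is something an ad network’s fraud team can check for in its own logs. The following is an added example, not Heimdal’s code and not any ad network’s: it parses constructed ad-server log lines (the line format, the IP addresses and the thresholds are all assumptions) and flags client addresses that click without ever having been served an impression, or that produce a burst of clicks in a short window, the two cheapest tells of machine-generated clicks.

```python
"""Toy click-fraud detector over ad-server log lines.
Added example with constructed data; not Heimdal's or any ad network's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<UTC timestamp> <IMP|CLK> <client ip> <ad id>"
# IMP = an ad was displayed (impression), CLK = the ad was clicked.
SAMPLE_LOG = """\
2016-03-01T10:00:00Z IMP 198.51.100.7 ad42
2016-03-01T10:00:09Z CLK 198.51.100.7 ad42
2016-03-01T10:01:00Z IMP 198.51.100.8 ad42
2016-03-01T10:02:00Z IMP 198.51.100.9 ad42
2016-03-01T10:02:30Z IMP 203.0.113.5 ad42
2016-03-01T10:02:31Z CLK 203.0.113.5 ad42
2016-03-01T10:02:32Z CLK 203.0.113.5 ad42
2016-03-01T10:02:33Z CLK 203.0.113.5 ad42
2016-03-01T10:02:34Z CLK 203.0.113.5 ad42
2016-03-01T10:02:35Z CLK 203.0.113.5 ad42
2016-03-01T10:05:00Z CLK 192.0.2.77 ad42
"""


def parse_log(text):
    """Parse log lines into (timestamp, kind, ip, ad_id) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, ad_id = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, ip, ad_id))
    return events


def detect_click_fraud(events, window=timedelta(seconds=60), max_clicks=3):
    """Return {ip: [reasons]} for client addresses whose clicks look machine-generated.

    Rule 1: a click from an address that was never served an impression cannot have
            come from a person looking at a rendered ad.
    Rule 2: more than max_clicks clicks from one address inside one window is a burst
            that a genuinely interested user does not produce.
    The window and threshold are assumptions chosen for the example.
    """
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[2]].append(event)

    findings = {}
    for ip, client_events in by_ip.items():
        reasons = []
        impressions = [e for e in client_events if e[1] == "IMP"]
        click_times = [e[0] for e in client_events if e[1] == "CLK"]
        if click_times and not impressions:
            reasons.append("click without impression")
        # Sliding window: from each click, count the clicks that fall inside the window.
        for i, start in enumerate(click_times):
            end = i
            while end < len(click_times) and click_times[end] - start <= window:
                end += 1
            if end - i > max_clicks:
                reasons.append(f"{end - i} clicks within {int(window.total_seconds())}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings


def analyse(text=SAMPLE_LOG):
    """Convenience wrapper: parse a log and return the findings."""
    return detect_click_fraud(parse_log(text))


if __name__ == "__main__":
    for ip, reasons in analyse().items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed log, the address 203.0.113.5 is reported for a burst of five clicks in four seconds and 192.0.2.77 for clicking an ad it was never shown, while the three ordinary visitors are left alone. A real pipeline would key on more than the source address (user agent, session cookie, click-to-impression ratio per publisher), but the two rules show why a few cents per click only pay off for a scammer who can generate clicks in bulk, and why bulk is exactly what stands out in the logs.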


  2. They trick you into liking pages, following people, tagging, commenting

This is similar to the previous point.


By making you like a page, follow an account, comment or tag people, scammers inflate the numbers of a social account. They also ensure that the action will appear in your news feed, giving them access to more people.


Sometimes this is for the scammers’ own benefit, so they can pretend their account has genuine online influence and then place ads on it or even sell it.


Other times, third parties such as brands or companies will buy likes or followers for their social accounts. This way, they’ll be able to better sell their social media accounts, by making advertisers think they have real influence.


I’m only trying to clarify how these things work, so I won’t comment on the ethics of this practice, as it’s not the main subject here.


  3. They trick you into giving them sensitive information

Phishing is the name given to cybercriminals’ attempt to trick you into giving them sensitive information or money.


They will craft a plausible message that seems to come from a social network representative or from one of your online buddies. They will then lead you to a site that appears to be legit, where you’ll be prompted to enter sensitive information.


From name to email address, phone number, home address, social security number, to credit card details, bank account number, passwords, etc. – this kind of information can be used for financial fraud, identity theft, blackmail and so on. That’s why it’s important to keep in mind that your personal information is as precious as gold and you should do anything to protect it.


Phishing attacks used to happen mostly through emails, but the landscape has changed dramatically over the past years, due to the rapid growth in social networks usage.

How scammers can take advantage of social media for phishing attacks:


– By pretending to be a representative of a social network.


Phishers take their time to create websites that look identical to your favorite social media networks. They also create fake emails or social profiles that seem to belong to genuine representatives of the network.


They contact you either directly on the network, through private messages, or through emails that seem to come from the social network’s representatives, and try to trick you into clicking on a link to reset your password, reconfirm your account, confirm that you don’t want your social account to be cancelled, and so on.


The credentials you enter on the fake page can then be used to access your account and send messages to your friends, spreading the links further.


Other times, they make money by exploiting the personal information they’ve obtained, either by selling it to third parties or by blackmailing you with it.


– By sending messages that appear to come from a buddy. In those messages, they invite you to click on a link to check out a video or see some disturbing news.


– By finding out essential information about you that will then increase their chances of a spear phishing attack.


Spear phishing is directed at specific companies or individuals, and it’s not as automated as common phishing.


The attackers will take their time to gather all available information about their target, in order to create a highly personalized and believable email.


Last autumn, researchers from the Dell SecureWorks Counter Threat Unit identified a network of at least 25 well-developed LinkedIn profiles that were part of a social engineering campaign.


Spear phishing requires a bigger effort, but it’s the most effective kind of phishing attack. And with the publicly available information that we voluntarily share on social media, its chances for success will most likely increase in time.
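
The phishing sites described above live on domains built to pass as the real network at a glance: a brand name dropped in front of someone else’s domain, a digit in place of a letter, a missing character. The following is an added example, not Heimdal’s code and not a feature of any social network: a small link checker that reduces a URL to its registrable domain, compares it against a constructed allow-list of genuine domains (the list, the two-label domain rule and the confusable-character table are all assumptions), and reports whether the host is trusted, a lookalike, or simply unknown.

```python
"""Flag links whose host imitates a genuine social-network domain.
Added example with a constructed allow-list; not Heimdal's or any network's code."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: the defender maintains this allow-list of genuine registrable domains.
TRUSTED_DOMAINS = ("facebook.com", "instagram.com", "twitter.com", "linkedin.com")

# Digit/symbol substitutions commonly used in lookalike names (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registrable_domain(host):
    """Last two labels of the host (assumption: no multi-label suffixes such as co.uk)."""
    return ".".join(host.split(".")[-2:])


def normalise(label):
    """Collapse tricks that make a label look like a brand: strip non-ASCII (a Cyrillic
    letter swapped in for a Latin one simply vanishes, leaving a one-edit near-match),
    map look-alike digits to letters and drop hyphens."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_only.translate(CONFUSABLES).replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return ("trusted", domain), ("lookalike", imitated domain) or ("unknown", domain)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    subdomain_labels = host.split(".")[:-2]
    reg_name = normalise(reg.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand used as a subdomain of someone else's domain: facebook.com.verify-now.net
        if any(brand in normalise(label) for label in subdomain_labels):
            return ("lookalike", trusted)
        # Brand inside the registrable name (facebook-security.com, facebook.net)
        # or within one edit of it (twiter.com, faceb00k.com after normalisation).
        if brand in reg_name or edit_distance(reg_name, brand) <= 1:
            return ("lookalike", trusted)
    return ("unknown", reg)


if __name__ == "__main__":
    for link in ("https://m.facebook.com/login", "http://faceb00k.com/reset",
                 "http://facebook.com.account-verify.net/", "https://example.org/news"):
        print(link, "->", classify_link(link))
```

The order of the checks matters: a genuine subdomain such as m.facebook.com must be accepted before any fuzzy matching runs, otherwise the allow-list itself would be reported as a lookalike. The two-label rule for the registrable domain is the weak spot of this toy version; a production checker would consult the public suffix list so that facebook.co.uk-style hosts are split correctly.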


Phishing is also a potential launch ramp for malware, which leads us to… trick no. 4:

  4. They trick you into downloading malware

Malware is used as a collective name for malicious software – the type designed to disrupt or damage your data, software or hardware. Viruses, worms, keyloggers, Trojans – all these are just different forms of malware.


Cyber criminals spread malicious software for profit through adware (forced advertising), spyware (stealing your sensitive information) or ransomware (software that encrypts your content, blocks access to your system and demands payment in return for the key that will decrypt your data).


Usually, attackers get malware into your device through a variety of mechanisms that involve exploiting human and technical factors. You can get infected with malicious software just because you thought you were downloading a browser extension, an app or a game.


Examples of harmful apps to steer clear from:


  • Apps that claim to let you know who visited your profile
  • Apps that claim to enable the Dislike button on Facebook
  • Apps that claim to be a virus removal tool that will clean up your computer
  • Apps that claim to change the color of your Facebook profile
  • Apps that claim to provide you free likes or followers

These applications carry more or less dangerous types of malicious code. Afterwards, your social account will be used to spread the app to your friends, sending them messages that encourage them to download the software as well, so the scam propagates itself.


These scripts can also command your profile to like other pages, helping scammers further monetize the con.


  5. They trick you into spreading chain letters

We’ve mentioned these before. Chain letters are messages that catch your interest by claiming that a social network plans on charging users in the near future or that they will shut down. Chain letters ask you to distribute the message to everyone you know, in order to stop the network from charging money or shutting down.


Other forms of chain letters claim that a brand or celebrity will donate money to a charity cause for every share of that message. Bill Gates and Mark Zuckerberg are usually targeted for this one.


Variations include emotionally extorting you through fake stories of sick kids, false warnings of viruses circulating, monetary rewards, etc.


These letters used to be sent exclusively via email but, nowadays, because of the increasing popularity of social networks, cyber criminals started taking advantage of them and our decreasing attention span.


Chain letters can take the form of a post from an online buddy, or a direct message.

They are generally harmless, but sometimes:


  • They will ask you to donate money for a charity cause (that’s actually controlled by a cyber criminal).
  • They will urge you to download something in order to protect yourself from a virus that is circulating on the web. This can be done either by clicking on a link that redirects you to a phishing site, or by downloading an attachment that contains malware.

Many people have fallen for this kind of stuff and continue to propagate the messages.

Break the chain: report the message (or mark it as spam), delete it and let whoever sent it know that it’s fake.


Common tricks you can come across


Instead of focusing only on highly technical methods, scammers base their attacks on social engineering tactics.


Cyber criminals will cheat, lie, exploit your trust, take advantage of your emotions, curiosity or lack of technological knowledge, trick you to install malware or divulge sensitive information. No trick is off-limits.


It’s important to note that most people won’t even report when they were tricked via social engineering. They realize they were stupid and don’t want to further embarrass themselves. Reporting would benefit everyone involved, so it’s time to get over your mild embarrassment.


Here are a few scenarios that you must pay attention to:


  1. Shocking news

Shocking news uses something that’s hot right then. It’s something that everyone is talking about in the media and on social networks, such as a terrorist attack or a flight crash. You might expect to see a video or news, but, instead, the link leads to spammy, pop-up filled or malware-laden websites.


“Curiosity killed the cat”.


  2. Fake celebrity news

Kim Kardashian’s newest bum photos? Bin Laden’s video death? Vanilla Ice dead?

Always a sure way to get clicks from gullible users.


  3. Emotional extortion

Photos of sick babies or endangered animals that lure you into watching a video or to see news.


  4. Free stuff

Gift exchanges, free coupons, free trips, free iPhones, free likes or followers, gift cards – basically, free everything.


These scenarios usually take advantage of big brand names: Starbucks, Victoria’s Secret, the Cheesecake Factory. And they come in exchange for other potential ways for the scammer to propagate the con: click here, like and share, tag friends, follow someone, etc.


  5. Easy money

Remember the Nigerian prince scam, where you’re typically required to send money over so that, in turn, you’ll receive several times more than the sum you originally sent?

Or the spammy emails that claimed that you won millions of dollars at a lottery or a prize in a competition?


In order to receive the prize, they prompt you to send over some personal identification information and a small fee for postage.


These kinds of scams have simply moved from email to direct messages on social networks. Here’s an example from LinkedIn.


Easy money doesn’t exist. These are usually bogus offers that claim to help you start making thousands and then require a fee for you to get going.


  6. Urgency

This category covers any message that makes urgent requests. “Click here now, confirm here, download this, fill in this, install this” – messages that demand your immediate action are typically used in phishing attempts.

