You receive a LinkedIn message from an event organizer you worked with last year. They’re interested in having you give a talk at a conference this summer. They send you a link to log in to the conference portal and register your interest. To make things easy, in just a couple of clicks, you can log in to the portal using the email credentials you’re already logged in to Gmail with.
It turns out the LinkedIn profile was a fake, and the portal was a credential-skimming phishing tool. Having been targeted on social media, you’ve now given away your company email login credentials.
As social media use has proliferated, this type of phishing has grown in prominence. Social phishing is a digital pandemic. According to Data Breach research, 50% of attacks in large organizational breaches involve social phishing.
How can enterprises protect themselves from social phishing?
A phishing attack happens when a cyber attacker leverages a trusted relationship to trick a victim into sharing personal information – usually through clicking a malicious link.
Traditionally, phishing attacks have happened via email. As a result, email security is a multi-billion dollar industry. However, social media is fast catching up with email as the place where bad actors launch their attacks.
And third-party cloud channels don’t enjoy nearly the same protections that email inboxes do.
Security for collaboration, chat, and social channels is often underdeveloped. Certain applications might promise security measures such as end-to-end encryption, but once those security measures are bypassed, it’s basically a free-for-all for your attackers. The average cybersecurity team traditionally wields no tools that protect them from social engineering and phishing attacks mounted through LinkedIn, Slack, or WhatsApp.
Bad actors know this, which is why they are shifting their resources to focus on social media phishing and breach attacks that leverage a trusted relationship to get inside your perimeter.
The spear-phishing techniques deployed on email and social channels are very similar and involve social engineering to enable the initial compromise to succeed.
As in the example at the beginning of this blog, in social media phishing, the attacker can often perform their target recon on the channel itself. Most often, for businesses and organizations, it’s LinkedIn. Then, they make a simple connection request to the target to begin establishing the trusted relationship. The more connections the attacker makes within the organization, the greater the sense of trust.
At this point, the threat actor is in an excellent position to launch the attack by doing either one or both of two things:
Both instances not only wreak havoc on the financials and the equipment of the company but also cause brand and reputation damage.
Moreover, social phishing attacks give birth to more attacks, as access to one employee’s credentials can lead to stolen credentials from other coworkers, outside contractors, or business partners and clients.
Many companies are shifting or have shifted to long-lasting hybrid or work-from-home scenarios. However, since home offices are inherently less secure than traditional offices, the risk of more people falling victim to social media phishing and social engineering attacks grows exponentially.
There are simple, basic ways to safeguard employees and executives from social phishing:
However, beyond these simple steps, a cloud-based security solution is still needed, as most social phishing attacks are perpetrated through cloud-based apps. The best thing you can do is deploy a cybersecurity solution capable of the following:
Instances of social phishing will only continue to grow as more companies and businesses adopt communication and collaboration tools. However, this is not to say that organizations should give up on these applications. In fact, they can’t. These are now mission-critical business tools.
Enterprises must never be complacent in terms of protecting their brand and employees. Taking the initial steps to safeguard yourself from phishing on social media and other applications is great. But taking that protection a step further through a robust cybersecurity solution ensures that social phishing won’t ever become a serious problem for you.