Phishing attacks started off as a scheme to gain access to your accounts and personal information via email. The email would come from an address similar to one that you are familiar with and/or contain a link that looks like it goes to a real website you use but actually leads to a mirror that gobbles up your login credentials. However, email has a limited reach and people have become more alert to email scams. There are also more spam filters, which make it harder for phishing emails to get delivered. But there is another place, one where people are eager to share personal information for the chance of getting social recognition. Facebook has become a living, breathing can of spam and you’d better believe that phishing attacks have moved into your news feed.
Facebook Phishing Posts
By now you have seen many Facebook posts like the one below. Seeing people respond en masse to these posts is heartbreaking. Millions of people jump at the chance to respond to Facebook phishing posts that ask for a small tidbit of personal data. What the respondents don’t realize is that posts just like these are how accounts get hacked. Think about it: you are giving out almost half of your phone number, which takes a lot of the guesswork out of using your number to gain access to your account.
It doesn’t stop with volunteering your phone number either. By responding to these posts, you could also be volunteering answers to your security questions. When you really stop and read what these posts are asking for, they are looking for information that helps an attacker get access to your account and pass its authentication checks. Maybe you don’t use that info to log into Facebook, but once they get information like your name, email, phone number, city, pet names, birth date, and your mother’s maiden name, they have access to virtually any website you use!
Phishing Text Messages
“Free AT&T Message: Congratulations Emily, you have won…” I get a text that says this almost every day around 7 pm. The first sign of an issue is that my name isn’t Emily, and AT&T knows that for sure. These are phishing text messages. If I followed the link, it would take me to a page where I register or log in. From doing that, the attackers would have all the data they need to access my actual phone account, and likely gain access to my banking and social media. What to do with these? Don’t even open them! Just hold down on the text, then select “Delete” and “Block” (Samsung Galaxy phone). If you open texts or emails, the attacker can see that you are engaged and will target you further. Deleting and blocking without opening is the best course of action.
Phishing or Real?
Phishing attackers are very good at making their attacks appear legitimate. They will impersonate streaming services, phone companies, and legitimate businesses. If you look closely, though, there are usually some hints that you are not interacting with a legitimate company:
Has your utility company ever called you “dear”? No, the term is not part of common English business communications. Look out for the use of uncommon language, spelling and grammar errors, and clues that something was not written by a normal marketing employee.
Did You Sign Up for Alerts?
There’s not really any point in having a company text you alerts when you can get them by email. While it may be nice to keep emergency alerts and outage alerts activated, turn off billing alert texts. This way you can know for certain that any text about billing is not legitimate. Another thing to do is to log into your account by going to the company’s website directly. Check your billing that way and avoid clicking links in a text or email.
I cannot stress this enough: there is no reason why you should engage with Facebook posts like the one above. The only people who care what you have to say on these are the people who are trying to steal your identity or scam you via phishing! If you see friends posting or sharing this material, ask them to stop and tell them that it is phishing and they should not volunteer their personal data. While many believe that social media can help us feel less bored and less lonely, it is important to remember that it is a haven for scammers. Do not volunteer your personal information on these platforms; it is dangerous and can make you a target.
Recovering from a Phishing Attack
Phishing leads to identity theft. It isn’t just about hacking your account to steal your photos or mess up your score on a Facebook game. The consequences are real and recovering from a phishing attack is a long and difficult process.
Individuals Recovering from a Phishing Attack
- Back up your data, disconnect all devices from the internet, and scan for malware
- Call your bank and close all of your accounts
- Close as many online accounts as possible
- Change your passwords on accounts you can’t close
- You may need to change your phone number
- Enroll in a credit monitoring service and carefully monitor your bank accounts
- Report the phishing attack to the FTC’s Identity Theft Commission
- Moving forward, always use two-factor authentication and enhanced security options
- Guard your personal data closely
Businesses Recovering from a Phishing Attack
Businesses recovering from a phishing attack will take the same steps as an individual. However, they will also have to monitor their payroll and provide their suppliers with new credit information. Be sure to notify merchants and suppliers of your security breach so they can help monitor for unusual activity. Depending on the extent of the attack, you may also need to notify customers if their personal data was breached. You need to consider all of your information, such as tax ID numbers, employee data, customer data, phone numbers, email addresses, and financial information. Any of this information that was obtained in the phishing attack needs to be changed or secured.
Phishing: Prevention is Key
When it comes to protecting yourself against phishing, prevention is priceless. You need to be critical of texts, emails, and social media posts and be aware that when you provide personal data you are vulnerable to identity theft. While responding to that Facebook phishing post might give you a brief endorphin rush, the consequences of it could leave your bank account empty and unrecoverable. That’s why it is important to share less and be skeptical. Avoid deals, contests, free games, and mega-posts; the reward will never stack up when you consider the terrible risks!