Social media platforms like Facebook and LinkedIn are powerful tools for content creators and researchers. They give us a way to rapidly learn about people and get our content to millions of people.
They also present a prime opportunity for criminals and attackers. How do you know the person on the other side of the screen is who they claim to be?
Clever technologists are addressing that challenge with features like verified accounts on Twitter/X. This aims to communicate the authenticity of an account and prevent impersonation. 1
Why Spear Phishers Want Your Data
Social media has become an integral part of our lives. Lurking behind those likes and shares is a growing threat: spear phishing.
Traditional phishing attacks cast a wide net. Spear phishing is a new threat. It’s a highly targeted form of cybercrime that uses social media as its hunting ground.2
What Are Spear Phishers Looking For?
Spear phishers are after valuable personal and professional information. They use this information to mount further attacks for financial gain.
Personal Details: Names, birthdates, addresses, and phone numbers
Professional Information: Job titles, company names, and work email addresses
Financial Data: Bank account numbers, credit card details, and investment information
Login Credentials: Passwords and usernames for various accounts
Insider Knowledge: Company secrets, upcoming deals, or strategic plans
Why Is This Data Valuable?
Identity Theft: Personal details are used to create fake identities for financial fraud.
Corporate Espionage: Professional information is leveraged for competitive advantage or sold to unscrupulous competition.
Financial Gain: Attackers steal from you and defraud you through your bank account or credit card.
Further Attacks: Login credentials are used to compromise more accounts or launch attacks within an organization.
Blackmail: Sensitive information is used to extort individuals or companies.
How They Do It
Spear phishers use social engineering techniques to find their target. They leverage information freely shared on social media platforms:
Research: They study your social media profiles, posts, and interactions to gather personal information.
Impersonation: Using this information, they create convincing fake profiles or emails that appear to be from trusted contacts.
Targeted Messaging: They craft personalized messages that resonate with your interests or current activities.
Emotional Manipulation: They often use urgency, curiosity, or fear to prompt quick, unthinking responses.
Protect Yourself
Be Cautious: Think twice before sharing personal information on social media.
Verify Requests: Always double-check unusual requests, even if they seem to come from known contacts.
Use Privacy Settings: Limit who can see your posts and personal information.
Use Security Tools: Set up a password manager, use strong, complex passwords, enable multi-factor authentication, and keep your software updated.
My Experience of a Spear Phishing Attack
I’ve written about being a longtime fan of encryption, Bitcoin and blockchain. Knowing this information presents an attack vector for fraudsters. Phishers pose as crypto experts to target me.
Recently I received a LinkedIn message from someone claiming to be a blockchain recruiter. They claimed to have an open opportunity that they wanted to discuss via WhatsApp.
This is immediately suspicious. Reputable companies have normal phone numbers and established recruitment procedures. I naively went along with it, providing my phone number.
No meeting occurred. My phone and social media were inundated with targeted messages. They sold my number to other scammers. Likely the account itself is fake or hacked.
What other steps can you take to prevent spear phishing attacks?
Get the other person on a video call to prevent catfishing
Use a scheduling system to guard your time against bullshit leads
Use email aliases when inputting an email into an unfamiliar website
One tool that can help you create email aliases is SimpleLogin by Proton. Proton offers an excellent suite of privacy- and security-oriented software services, including encrypted email and calendar, VPN, cloud storage drive, private documents and notes.
I’ve been using Proton products for years.
Stay hungry, stay curious.
Taras