Beware of Phishing Scams: Your Social Media and Email Security Checklist

By Joseph Carson

Phishing scams are on the rise, especially with tax season here. I want to ensure everyone is cautious and diligent during this time and always on the alert for any suspicious requests or emails. Security awareness is critical, and it is always important that we are vigilant in our own protection.

I want to bring attention to a recently attempted scam that targeted me via LinkedIn. Social media scams represent more than 12% of cyber attacks, and IRS scams are already in full motion.

I received a request from a person claiming to be a Client Service Representative of a large security software company interested in business development and potential partnerships. The request was for a 15-minute phone conversation to discuss the opportunity further.

I was already very suspicious of such a request and immediately started investigating the LinkedIn profile for authenticity and validation. I also searched the name via Google, using various parameters for the company, education, and even city, with a lack of any valid results. This made it clear that this was a scam. Next, I gathered as much information about the profile as possible, including the contact email address, which I was then able to trace back to a Russian email server.

To validate this, I led the suspected hacker to reveal as much information about themselves as possible by having a conversation, and of course they repeatedly kept asking for my mobile number so they could have a call. This scam was an attempt to get as much personal information as possible, which would then be used to validate data and likely be used later in a targeted email phishing/vishing scam.

I have since notified both LinkedIn and the company of the incident.

SOCIAL MEDIA SCAMS: Please be cautious of similar types of scams; some ways to validate/check requests are below:

1. CONNECTION REQUESTS: If you receive a request on LinkedIn or another social network, be cautious if you do not know the person or have no connections in common with the requester.

2. GOOGLE SEARCH PROFILE: Before accepting, do a quick Google search on the profile's contact details, workplace and education; if no results are found, it is highly likely a scam (fake account).

3. SHARED CONNECTIONS: Do you have shared connections? If not, be suspicious of the request.

4. PHOTO SEARCH: You can also do a reverse image search of the profile photo in Google to see what results come back, if any; if no results are found, it is highly likely a scam.

5. CHECK EMAIL ADDRESS: If the request appears to be valid and you accept, quickly check the contact's email account (if it is on a domain such as bk.ru, it is likely a scam).

6. AUTO RESPONSES: After accepting you might receive an automated message; this is another indication of a scam, as it is common for such accounts to send automated responses.

7. ASK ADVICE: If you are uncertain, feel free to ask a colleague for advice.

8. DELETE CONNECTION: If you confirm that it is a scam, do not communicate with the account; report it to the social network and remove the connection immediately.

EMAIL SCAMS: Please be aware that social networks are just one platform; these scams can also arrive directly via email. In these situations, please be aware of the following:

1. VALID CONTACT? Do you know the person sending the email?

2. VALID EMAIL? Is the email address valid? You can usually hover over the sender's address to see the full domain and check whether it is real.

3. HYPERLINKS? Before clicking on any hyperlink, check where the link actually leads; the visible text and the real destination can differ.

4. LEAST PRIVILEGE: Use a standard user account, not an administrator account, when clicking on links or opening attachments.

5. SCAN ATTACHMENTS? Be cautious when opening any email attachment; scan it with AV before opening.

6. BACKUP: Make sure you have a backup.

7. REPORT: Report any suspicious incidents and activity.
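Checks 2 and 3 of the email list can be automated for a first pass. The script below is an added example, not part of the original post: it parses a constructed sample message, compares the sender's real domain with the company domain you expect, and lists links whose visible text is a URL that does not match the actual href. The sample message and the `acme.example` domain are made up for the demonstration.

```python
import email.utils
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not from the original post): the display name
# suggests a corporate partner, the real address sits on an unrelated domain,
# and the visible link text does not match the link target.
SAMPLE_EML = """\
From: "Acme Security Partnerships" <partner.acme@bk.ru>
Subject: Partnership opportunity
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review our proposal at
<a href="http://login-acme.example.net/verify">https://www.acme.example/partners</a>.</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_check(msg, expected_domain):
    """Return the real sender domain and whether it belongs to the claimed company."""
    addrs = msg["From"].addresses
    domain = addrs[0].domain.lower() if addrs else ""
    return domain, domain == expected_domain or domain.endswith("." + expected_domain)

def mismatched_links(msg):
    """Return links whose visible text is a URL that differs from the real href."""
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkCollector()
    parser.feed(body)
    return [(href, text) for href, text in parser.links
            if text.startswith(("http://", "https://")) and text.rstrip("/") != href.rstrip("/")]

def triage(raw_eml, expected_domain):
    # Apply both checks to one raw message and return a small report.
    msg = email.message_from_string(raw_eml, policy=policy.default)
    domain, ok = sender_check(msg, expected_domain)
    return {"sender_domain": domain, "sender_matches": ok, "mismatched_links": mismatched_links(msg)}
```

Run `triage(SAMPLE_EML, "acme.example")` to see the sender domain reported as `bk.ru` and the disguised link flagged; either finding alone is enough to escalate under item 7 rather than click.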

Source: Thycotic