Alert on Facebook Messaging System: Phishing Tactics Used in Direct Messages

This weekend, we’ve expanded our online presence by joining Facebook Pages. On Meta’s web application, we have witnessed firsthand the abundance of sophisticated phishing attempts, along with the tactics used to create believable fraudulent messages.

And when I say “clever,” I truly mean it. Having spent daily hours over the past months, and to a lesser extent in the preceding years (nearly a decade in all), keeping an eye on cyber threats, I am not easily deceived. Yet there was a moment, just after reading the message, when I nearly found myself convinced to click.

The Scheme

Within a few days of creating the page, we started receiving messages similar to the following:

Dear
Your site may no longer be available because it does not comply with our Terms of Service.
If you believe your site does not violate our policies, please confirm by following the instructions below. These steps only take a few minutes. Pages are not deleted or blocked permanently.
Confirm your account here ◉ *MALICIOUS URL REMOVED*

Examples of the Message Format Used For Phishing

The Surprising Simplicity in This Attempt

At a second glance, I can now easily spot this textbook phishing attempt. But it is the first glance that matters here.

Modern phishing relies less on technical tricks than on well-understood psychological principles that steer our actions before we have time to reason about them.

There are some key characteristics that make it so believable:

Urgency

The message conveys an immediate threat, in our case to the page itself. Urgency is the same lever that advertising and e-commerce platforms use to force quick decisions (“buy now, only one left”): it pushes the reader to act before thinking, so their guard drops and they walk into the trap.

False Legitimacy

As the images show, the text is concise and mostly grammatical: it states a warning and offers a quick fix. The official-sounding language, the reference to the Terms of Service, and the logo and other branding elements make it look legitimate enough at first glance to catch unsuspecting victims.

This is the most important characteristic and was the one that almost got me!

Phishing Net (Link / Email)

The linked site is carefully designed to resemble the legitimate login page, so victims type their credentials without noticing anything wrong. Logos, layout and wording are trivial to clone; the one thing the attacker cannot clone is the real domain, which is why the host name in the address bar is the only reliable tell.

Request for action

A simple characteristic, but an extra written step: the message does not merely contain a malicious URL, it explicitly instructs the reader to visit it (or to contact a given address). The instruction turns a passive link into a task the reader feels obliged to complete.

Defensive Measures against Phishing

Use Two-Factor Authentication

Enable 2FA on your Facebook account. If you do enter your credentials on a phishing site, the password alone is not enough for the attacker to log in, which buys you time to change it.

Note: Multi-factor authentication (SMS or authenticator apps) is still not 100% proof against phishing. Real-time phishing kits proxy the genuine login page and relay the one-time code to the real site as you type it, so OTP-based 2FA can be phished in the same motion as the password; only phishing-resistant methods such as security keys or passkeys (FIDO2), which are bound to the real origin, close that gap. We have also discussed the risks of SMS-based authentication before, and the phone that receives the code is itself an attack surface (SIM swapping, malware). Nevertheless, 2FA is an important layer of security to have in your arsenal of defense.

Be Cautious with Links

Avoid clicking direct links in messages or posts that seem unusual, even if they appear to come from friends. If a notice claims your page or account is at risk, navigate to the platform yourself (type the address or open the app) and check the status there rather than following the link you were sent.

Making a habit of not opening URLs from unsolicited messages builds muscle memory for the moments when the brain is tricked into clicking. When you must inspect a link, read the host name from the address bar or by hovering, and look at the registered domain at the end of it, not at the familiar brand words placed in front of it.
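The checks a link deserves before it is clicked, as an added example that is not part of the original post. It assumes a small allowlist of Facebook/Meta domains (an assumption made for the demo), uses constructed sample links modelled on the message quoted above, and goes a little beyond the post by also catching the userinfo (`brand@realhost`), raw-IP and homoglyph tricks alongside the brand-as-subdomain lure.

```python
"""Link triage for 'confirm your account' messages.

Added example, not code from the original post. It assumes an allowlist of
registered domains that Facebook/Meta legitimately use (an assumption for
the demo) and relies only on the Python standard library.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist for the example; extend it for your own environment.
TRUSTED_DOMAINS = {"facebook.com", "fb.com", "meta.com", "messenger.com"}
# Brand words whose presence in an untrusted host is a classic lure.
BRAND_TOKENS = ("facebook", "messenger")


def registered_domain(host: str) -> str:
    """Return the last two labels of a host (e.g. 'facebook.com').

    Sufficient for the .com names in TRUSTED_DOMAINS. Production code
    should use a public-suffix list so that 'example.co.uk' is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url: str) -> dict:
    """Parse a URL the way the browser will, not the way the eye reads it,
    and report the tricks used to make a hostile host look trusted."""
    findings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""  # .hostname drops userinfo/port and lowercases

    if parts.scheme == "http":
        findings.append("plain http, no TLS")
    elif parts.scheme != "https":
        findings.append(f"unusual scheme {parts.scheme!r}")

    # https://facebook.com@evil.example/ -> the browser goes to evil.example
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")

    # A Cyrillic 'о' in faceb\u043eok.com renders identically to the Latin 'o'
    if any(ord(ch) > 127 for ch in host) or "xn--" in host:
        findings.append("non-ASCII or punycode label (homoglyph risk)")

    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("raw IP address instead of a host name")
    except ValueError:
        is_ip = False

    domain = host if is_ip else registered_domain(host)
    trusted = domain in TRUSTED_DOMAINS

    # facebook.com.page-review.example: the brand is a subdomain of the attacker
    if not trusted and any(tok in host for tok in BRAND_TOKENS):
        findings.append(f"brand in host but registered domain is {domain!r}")

    return {"url": url, "host": host, "registered_domain": domain,
            "trusted": trusted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, modelled on the message format quoted above.
    samples = [
        "https://www.facebook.com/help/",
        "https://facebook.com.page-review-center.example/confirm",
        "https://facebook.com@192.0.2.10/login",
        "https://faceb\u043eok.com/recover",
    ]
    for s in samples:
        r = inspect_link(s)
        verdict = "TRUSTED" if r["trusted"] else "SUSPECT"
        print(verdict, r["host"], "->", "; ".join(r["findings"]) or "no findings")
```

The verdict hinges on `registered_domain`, not on what appears in the host string: the second sample contains the literal text `facebook.com` yet registers as `page-review-center.example`, which is exactly the mistake the eye makes on a first glance.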

Educate Friends and Family

“We are only as strong as our weakest link.” Share what you know about phishing scams with your friends and family; the next message like this one will land in their inbox too.

And as always, stay safe!