What social media phishing looks like and how to avoid it

Posted by Kevin Hutchinson, CISSP on Aug 4, 2017 1:54:54 PM

With so many social media avenues available for people to freely share information about themselves on a daily or even hourly basis, many threat actors have found these outlets to contain a treasure trove of personal information and a new way to lure people into their sinister web.

In my last article I focused on phishing primarily as it applies to email. As I shift the focus to social media, similar safeguard principles still apply.

In social media, the method used to lure you into clicking on a message, picture or link is called “click bait”. Something about it, the image or the caption, appeals to you so you click on it. Here are a few things to keep in mind when using social media.

If it sounds too good to be true, it probably is. A few months ago an advertisement was making its way through Facebook, claiming a major home improvement store was giving away $50 gift certificates for Mother’s Day. Sound too good to be true? It was! It turns out that this was a carefully crafted scheme used to get people to give up their personal information. It wasn’t a promotion from the retailer as advertised, and anyone who was duped into giving up their information got nothing in return.

About a month later the same social media site offered another “coupon” promising a free dozen doughnuts from a well-known doughnut company in celebration of the company’s anniversary. Once again, this was a targeted campaign designed to get you to give up personal information in exchange for nothing.

An easy way to validate the information you are seeing is to go to the company web site and see if there is anything on their site about this “promotion.” The absence of the promotion from their main web site does not always mean it is fake, but it is worth a quick phone call or email to find out.

Don’t click here. You will hear me say this over and over again, but it is one of the simplest and soundest pieces of advice I can offer. Just as embedded links in an email can lead to compromising the operating system of your computer, phone or tablet, the same holds true with links embedded in social media messages. Validate the link before you click on it.

Know where you are going. With URL shortening, in many cases you only see a short string of numbers and letters that reveals nothing on the surface, because it masks the true website and full URL. Lucky for you, there are a number of sites and utilities available to help you past that hurdle.

Instead of clicking on the compressed URL, copy it and use a site like Unshorten.It! That way when you see a caption that reads “How to cut cheese” and it has a compressed URL like https://goo.gl/qFmXPA, you can see that it will take you to http://www.paxtonandwhitfield.co.uk/how-to-cut-cheese and not a prank site for a similar expression.
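As an added example (not code from the original post or from Unshorten.It!), here is a small Python script that does the same job: it issues HEAD requests and follows the redirect chain one hop at a time, so you see every URL before your browser ever loads a page. The `FAKE_RESPONSES` table is constructed sample data mirroring the article's goo.gl example so the script runs without network access; pass a real short URL on the command line to query the network instead.

```python
"""Expand a shortened URL hop by hop without loading the page in a browser."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx automatically so each hop comes back to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """Send a HEAD request; return (status code, Location header or None)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a refused 3xx is raised as HTTPError
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_head, max_hops=10):
    """Return the redirect chain: short URL first, final destination last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:  # redirect loop: stop rather than spin forever
            break
        chain.append(nxt)
    return chain


def destination_host(chain):
    """Hostname a click would really land on (last URL in the chain)."""
    return urlparse(chain[-1]).hostname


# Constructed sample responses mirroring the article's example; no network needed.
FAKE_RESPONSES = {
    "https://goo.gl/qFmXPA": (301, "http://www.paxtonandwhitfield.co.uk/how-to-cut-cheese"),
    "http://www.paxtonandwhitfield.co.uk/how-to-cut-cheese": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":  # pass a real short URL to query the network instead
    url = sys.argv[1] if len(sys.argv) > 1 else "https://goo.gl/qFmXPA"
    print(" -> ".join(expand(url, http_head if len(sys.argv) > 1 else fake_fetch)))
```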

Phishing through email and social media does not appear to be going away anytime soon. As a leader in cybersecurity, IGI is here to help educate people in ways to safeguard their identities and data.

Want a customized cyber awareness training plan, vulnerability assessment or system audit? Contact us today to learn how we can help you improve your security posture.

Topics: Cybersecurity