Social scams come in all shapes and sizes – but many begin with a simple offer of friendship… fake friendship.
Befriending the wrong person on Facebook can hand a criminal the tools for an identity theft attack – and on LinkedIn, talking to the wrong ‘recruiter’ can lead to disaster.
Even on Twitter, where users collect followers like stamps, spambots will try every trick in the book to get you to follow back – and hope that you will help spread their malicious message to the world.
Social scams can affect you on any device – whether you’re idly flicking through friend requests on a smartphone, or on a work PC or Mac. The platform doesn’t matter – it’s often the human being sat in front of it that new “friends” are taking aim at, hoping you will offer up private information freely, or even help to spread their attacks.
ESET Senior Research Fellow David Harley warns that no one is ‘immune’: “Identity theft and threats to privacy are no respecters of operating systems. Twitter account hijacking, fake Facebook friends, LinkedIn phishing, Facebook pages offering non-existent freebies as a way of collecting clicks or worse, this is all stuff that’s difficult to automate detection for, whether you’re selling an operating software or third-party security software.”
The Facebook friend who ‘must have unfriended you’
If you receive a Facebook friend request from someone you already befriended on the network, it’s easy to have a wry smile, and think that they must have clicked the ‘unfriend’ button at some point – and have now decided to welcome you back. Be careful. That might be true – but it might be a scammer on an account “cloned” from your friend’s. Cloning accounts by befriending someone, copying their profile, then blocking them and sending requests to all their friends can be a rich source of data for cybercriminals, according to scam-watch site Facecrooks.com. Even cautious site users who have set profiles to share information with Friends Only can then be data-mined by the scammer – or the ‘new friend’ is free to bombard you with malicious links.
The Pinterest followers who let you repin for prizes
Pinterest’s security teams have issued warnings about fake followers on the site – often identifiable by the fact that all their pins are shortened via sites such as Bit.ly, or that they have only one or two pins. Most of these are links designed to take you to surveys (built to harvest information) or fake ‘deals’ where you’re asked to repin the link, spreading it to other users for the chance to win prizes. The site’s Debra Atkins offers a detailed page of warnings about such ‘fakes’, saying, ‘These links are fake pins meant to redirect you to another site – don’t click on them.’
The Twitter followers who appear when you used a rude word
Merely using a word with a double meaning on Twitter can summon hordes of spam-bots – who enthusiastically retweet your potentially rude post, then lurk in your follower list in the hope you’ll follow them back. Sometimes, this can be baffling – for instance, Yahoo News found a tweet about a space exploration vehicle was retweeted hundreds of times, simply because the vehicle was called a “penetrator”. Following any of these ‘new friends’ back can be a recipe for constant, irritating spam and direct messages. If you’ve just said something rude, be careful if your follower count spikes – they’re probably spammers, drawn in by your dirty words.
The attractive recruiter with an easy job just for you
LinkedIn accounts are high-value targets for cybercriminals – the nature of LinkedIn means people post large amounts of factual information on the site, such as addresses, phone numbers and work email addresses, key tools for ID theft. Bogus LinkedIn invitations have become a key tool for phishers – but even within the site, you can’t trust every invitation, especially when it comes to job offers. Bogus ‘recruiters’ have begun to offer too-good-to-be-true jobs on the site (often offered by profiles who happen to be attractive women) – with the aim either of harvesting personal details, or diverting users to fake sites to harvest passwords and inject malware. Before accepting any friend request on LinkedIn, check the user’s profile – does it look real? Do you share any contacts? If you don’t share even second-degree contacts, there may well be something fishy (or phishy) going on.
The lover who showers you in gifts
On dating sites, scams are pure social engineering – often crafted over years. Criminals are also much cleverer, and more professional, than used to be the case. To fool ‘lovers’ into parting with money, cybercriminals will even offer their victims gifts – before repaying themselves tenfold. Mark Brooks of OnlinePersonalsWatch says, “Scammers will take months to groom a target. They’ll send gifts, and make users feel beautiful and cared for, and then hit them with a test. A small request to open up their wallets. Then they’re off to the races.”
Author Rob Waugh, We Live Security