They might be giving away more than they'd bargained for.
Hackers have come up with a devious way to get information from your users. By asking them to verify their identity by logging into their Facebook or other social media account, they are on their way to stealing your users' identities.
What are these scams called?
It’s actually another kind of phishing attack.
At this point, I'm sure many of your users can detect a run-of-the-mill phishing attack; if not, have them refresh themselves on how to avoid scams.
THIS scam looks so unbelievably real that even those folks who can typically see right through a phishing scam might easily relinquish their credentials when falling for one of these latest cons.
In short, criminals are creating pop-up web pages that imitate a very common method of verifying identity: logging in with your Google or Facebook credentials. The page looks legitimate. All they are asking you to do is log in with the username and password for your Google or Facebook account, something that is relatively normal today. The web page looks just as you'd expect.
What should you be looking for?
How should you be checking to make sure that the login page to Facebook or Google is legitimate? Which pages should you give the green light to?
Should you check that the URL is correct? (Most likely this won't be a problem.)
Does the website address look strange? (Probably it won't.)
Is the website secure? (It actually uses HTTPS, the security standard recommended by modern browsers.)
Are you using a trusted browser? (You probably are).
Should you make sure you have software or a browser extension to detect suspicious phishing websites?
If you or your users are like most internet users, you're probably already implementing some basic online security practices.
Yes, you check that a website's URL looks legitimate: you actually inspect the URL for Google.com or Facebook.com.
But today, my message to you is that even doing these basics might not be enough. Your users may be falling victim to this new phishing attack and giving away their username and password for a highly used and highly personal site.
Experts are starting to see that criminals have compromised popular blog sites and other service-related websites, prompting you to log in to your Facebook, Google, or other social media account in order to view exclusive content, gain access to tools, or download white papers. This is all normal stuff. Your users are used to verifying their identity through social media platforms. Some of the most popular applications, including travel apps like AirBnB and information websites like Quora, routinely ask for authentication through other social media platforms.
A LOT of businesses use social media to legitimately verify their clients' identities.
Your problem now is that some of these pages are not above board. They are trying to cheat your users out of their digital identities. By exploiting a very common way of logging into websites, they've created an easy and effective way to steal information from your users.
These fake pop-up login prompts replicate the legitimate ones found on Facebook and other social media almost perfectly. You'll see the exact same navigation bar, URL and link to the actual Facebook.com website. The page appears secure. Pretty much everything you'd expect on the legitimate page is on this fake scam page.
Even the most discerning users are likely to be duped by this scam.
How can you protect your team from this type of attack?
At this point, there's really only one way to tell a scam page from a legitimate login (note: this may change as scammers get more sophisticated in their methodology). If you drag the pop-up window to the edge of your browser page and it disappears, it's a definite fake. A legitimate pop-up is an independent browser window and can be moved outside the page that opened it; the fake one is drawn inside the compromised page, so it cannot leave that page's viewport. [This is really a hard scam to test!]
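The same distinction can be checked from the browser's developer console, since a genuine login pop-up is a separate window and never appears in the host page's DOM. The snippet below is an added example, not code from the original post; the function and descriptor field names are my own.

```javascript
// Added example (not from the original post): a console check for an in-page
// "pop-up" login prompt. A genuine OAuth pop-up is a separate browser window
// and is never part of the host page's DOM, so a password field or an iframe
// that lives inside a floating overlay on the host page is rendered by that
// page, not by Google or Facebook. Note that a site's own login modal for its
// own accounts matches too; the finding means "this prompt belongs to the
// host page", so any provider address bar it shows is painted, not real.

// Pure classifier over plain descriptors, so it can run outside a browser.
// Descriptor shape (my own): { tag, position, zIndex, hasPasswordField, frameSrc }
function classifyOverlays(descriptors) {
  const findings = [];
  for (const d of descriptors) {
    const floats = d.position === 'fixed' || d.position === 'absolute';
    if (!floats) continue; // normal page flow, not a fake window
    const reasons = [];
    if (d.hasPasswordField) reasons.push('password field inside host-page overlay');
    if (d.frameSrc) reasons.push('iframe inside host-page overlay: ' + d.frameSrc);
    if (reasons.length > 0) findings.push({ tag: d.tag, zIndex: d.zIndex, reasons });
  }
  return findings;
}

// Walks the live DOM and builds descriptors. Only meaningful in a browser.
function collectOverlayDescriptors(doc) {
  const out = [];
  for (const el of doc.querySelectorAll('div, section, dialog')) {
    const cs = doc.defaultView.getComputedStyle(el);
    const frame = el.querySelector('iframe');
    out.push({
      tag: el.tagName.toLowerCase(),
      position: cs.position,
      zIndex: cs.zIndex,
      hasPasswordField: el.querySelector('input[type="password"]') !== null,
      frameSrc: frame ? frame.getAttribute('src') : null,
    });
  }
  return out;
}

// When pasted into a browser console, list every overlay that carries a login.
if (typeof document !== 'undefined') {
  console.log(classifyOverlays(collectOverlayDescriptors(document)));
}
```

An empty result does not prove the prompt is genuine (the drag test above still applies); a non-empty one shows the prompt is part of the page you are on.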
Other than sliding the pop-up to the edge of your browser window, I'd highly recommend using two-factor authentication where possible to protect your users' credentials. By two-factor authentication I mean requiring a token, fob, phone text, or email to accompany a login. This will help ensure that even if a user's password is compromised, they won't completely hand over the keys to your kingdom.
Phishing schemes are still on the rise and have led to some of the most serious attacks on organizations large and small.
What’s the only way to avoid falling for one of these attacks?
At this point more than half of the US workforce uses the same password, or derivatives of a single password, for work and social accounts. And even if they're not repeating the same password across platforms, their social media will hold the answers to most personal security questions, information that makes it really easy for a hacker to either exploit other users on your network or bypass a login.
Best way to figure out if your network is safe? Ask us about additional security if you're concerned you might not be doing enough.