Phishing, the practice of trying to lure unsuspecting victims to click on links to install malware or divulging confidential information, is a tactic which unfortunately involves more than just malicious emails. Phishing attacks can also take place in other environments such as via texts, phone calls, or social media.
Facebook, in particular, seems especially prone to these types of nuisances, such as those involving fake websites set up by scammers in the hopes of tricking people into divulging their account information. Facebook does offer some tips to combat these efforts (such as being on the lookout for sloppy messages, messages which claim to have attached passwords, malicious links, or requests for confidential information). However, the threats also involve fake charity requests for victims of the latest natural disaster.
How can you avoid phishing? Below are tips from email security organization Proofpoint for both consumers and IT departments, which I combined with commentary based on my own experiences
Be wary of fake news
Social media con artists use divisive political content to enrage voters and spread misinformation. Avoid “fake news” or news of dubious accuracy and refrain from clicking on links sent to you or posted on social media. Think like a newsroom: You need to confirm accuracy. If you see a news story, verify it on an online news site. Never blindly repost information without checking for accuracy, no matter how much you might wish it to be true.
Be wary of bots
Keep an eye out for bot accounts and block them since they aren’t likely to promote honest or legitimate content. Be cautious of any Twitter and Facebook accounts where something doesn’t look quite right, or he/she seems especially aggressive. Telltale signs of a bot include accounts with random names/numbers, accounts which frequently repost items, accounts posting material which doesn’t seem relevant to the context of a discussion or thread, and accounts which contribute no actual content but just share/retweet other accounts.
Investigate details behind questionable ads
Use Facebook’s “Info and Ads” to determine the motivations behind ads. For instance, when you see a political ad on Facebook which seems suspect or sensational, click the ad and then click the page associated with it. Facebook’s goal is provide “increased accountability for bad actors, which will help to prevent abuse on Facebook” and to “bring additional transparency to Pages and the ads they’re running.”
If the ad comes from a less-than-reputable source, disregard future content from this page or entity as phishing attempts are more likely from these types of accounts.
Avoid clicking links
Do not click on Twitter Direct Message (DM) or Facebook Messenger links unless you are positive they are reputable. They might contain malware or direct you to credential phishing sites that will attempt to steal your passwords or financial information or install malware on your system or device.
Links can also be obfuscated by adding a bunch of unnecessary words or random characters to what seems like a legitimate site in the hopes that you’ll be fooled into opening them. For instance, a link to www.americanexpressfinancialserviceadvice.com or www.citibank2018BBB.com might seem OK at first glance but look closer. You can highlight the link and press Ctrl-C to copy it, then open a text editor like Notepad and press Ctrl-V to paste it in for closer inspection.
Use a quality filter
If it is not already on, activate your quality Twitter filter. This tool (which is enabled by default) helps you locate the quality tweets amongst the noise generated by bots and other low-value entities.
To check your setting, click your profile picture at the top right of the Twitter site and then choose “Settings.” At the “Settings” screen, select “Notifications” from the left column. Check the “Quality filter” box to enable the filter.
Note, Twitter states this “does not filter notifications from people you follow or accounts you’ve recently interacted with.”
Also, verify that Twitter accounts purportedly owned by famous people or governmental officials really are who they say they are by ensuring there is a blue circle with a check in it next to their name or Twitter handle.
Finally, unfollow pages of dubious accuracy or pages prone to promoting sensationalistic “click bait” ads or posts.