If we are walking down the street and someone approaches us with a supposedly winning lottery ticket, saying that they cannot cash it themselves and are looking for someone to buy it so they can at least recover part of the prize, we would immediately doubt that person's intentions. This scam is only one of many deceptions that society has learned to recognise over time.
There are plenty of other examples and, although different variants have been developed, they all work in essentially the same way. Knowing them does not completely eliminate the fraudsters' chances of success, but it does greatly limit the effectiveness of these techniques.
Something similar happens with certain fraudulent messages that circulate on the Internet. Nowadays it is very rare not to have heard of the Nigerian Scam, in which a supposed prince from that region contacts us by email to share his wealth with us in one way or another; or not to have seen the announcement of the million euros we have just won for being the one millionth visitor to a website we have just opened.
Since each social network or messaging platform is a different medium with its own form of interaction, the scams and deceptions on each of them are also different. This opens up a wide range of possibilities that society is not yet accustomed to. In addition, the fact that new platforms, applications and features appear every so often creates a source of threats that can go completely unnoticed, increasing the chances of falling for them.
All these attacks belong to the family of Social Engineering techniques, whose aim is to hack people or, put more simply, to deceive them in order to obtain financial gain or certain, often sensitive, information. The following are examples of how these attacks are carried out on the most widely used platforms today.
There are many ways in which attacks are executed through WhatsApp. Two main methods can be distinguished: message chains and targeted attacks. This distinction mirrors the one between phishing and spear phishing in email.
The attackers behind WhatsApp message chains, as with phishing, have no defined target; they do not want to deceive one specific person. What they want is for their message to reach as many individuals as possible so that, statistically, someone will end up falling into the trap.
Messages advertising discount vouchers for restaurants or fast-food chains; coupons worth a certain amount to spend in supermarkets; or the announcement that, because of the coronavirus lockdown, Netflix is giving away free passes for a year. These are just a few examples and, since the attackers adapt their messages to whatever is happening in society at the time, we should never let our guard down.
Targeted attacks, on the other hand, aim, as in spear phishing, to get one specific person to take the bait. The objective is to take control of their WhatsApp account. To activate WhatsApp on a new device, a numeric verification code sent by text message to the phone number in question must be entered; anyone who persuades the victim to pass on that code can register the account on a device of their own, which is why that code must never be shared with anybody.
The message, however, offers the user a way to object to this action through a questionnaire in which, among other things, they must enter their login details. This is where the scam lies. If the user opens it and falls for the message, their account will be compromised. Moreover, if they used the same password for other accounts (something that is unfortunately very common), the amount of information at risk is even greater.
The attackers' modus operandi is to create an account identical to the one running the giveaway and to follow a large number of users, many of whom also belong to the legitimate account's network of contacts. On the day of the draw they message the users who took part, telling them they have won. From there on, the pattern is familiar: links to fraudulent websites, infected executables, requests for data, and so on. Victims will meet one of these scenarios and, if they are not sufficiently alert, they will end up falling for it.
Even on LinkedIn, the professional network where we expect to find only serious profiles and job opportunities, there is room for incidents of this type. On this network you can find memes, commercial videos and event invitations, but what stands out above all is the sharing of documents, studies and articles of interest, sometimes scientific ones. Hoaxes about prizes and big discounts would therefore look too suspicious there and would not be effective.
Threats aimed at LinkedIn users target a different kind of curiosity: intellectual curiosity. Since August 2019, social engineers have been seen posing as researchers from prestigious groups or universities (such as Cambridge) and urging their targets to download an innovative, highly interesting scientific study. As one can imagine, it was actually an infected file.
These examples show that users must remain alert at all times when using social networks. Attackers adapt quickly to new features and platforms, and they are able to craft messages that go completely unnoticed in order to reach as many victims as possible. This makes it impossible to keep up with every variant.
To reach a good level of security on these networks, the first step is not to forward or spread chain messages whose legitimacy is in any doubt. Secondly, it is very useful to be clear about the following:
- Which data must never be shared and which, therefore, official entities will never ask us for (passwords and the verification codes mentioned above, for instance).
- Any executable file may actually be malware that infects our device.
- Links do not always lead where they appear to. Near-identical replicas of legitimate websites can be built to harvest data or to serve infected content. We should always type the address of the site in question into the browser ourselves rather than clicking on links we have been sent.
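The last point is easy to state and hard to apply by eye, because lookalike links exploit exactly the details a reader skims past. The script below is an added example (not part of the original article or of any Kymatio tooling) that triages a link the way a security team's mail or chat filter might: it extracts the real host, decodes punycode, strips accents and maps a small table of confusable characters, and then compares the registrable domain against a short brand list. The brand list, the confusable table and the sample links are constructed for illustration, and the two-label "registrable domain" rule is a simplification that a real tool would replace with the Public Suffix List.

```python
"""Triage of links arriving in chat or social-network messages: does the URL really lead
to the brand it claims to?  Added example; the brand list, confusable table and sample
URLs below are constructed for illustration."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: these are the only legitimate registrable domains for the brands the scams borrow.
KNOWN_BRANDS = ("instagram.com", "linkedin.com", "netflix.com", "whatsapp.com")

# Constructed confusable table: common ASCII substitutions plus a few non-Latin homoglyphs.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u03bf": "o",                                                           # Greek omicron
    "\u0131": "i",                                                           # dotless i
}


def skeleton(label):
    """Fold a host label into a comparable form: strip accents, lowercase, map confusables."""
    text = unicodedata.normalize("NFKD", label)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as netfiix."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_url(url):
    """Return (hostname, username). Punycode hosts are decoded so homoglyphs become visible."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable hosts as they are; they are still compared below
    return host, parts.username


def registrable(host):
    """Last two labels of the host. Assumption: no Public Suffix List, so 'co.uk'-style
    suffixes are not handled; real tooling should use the PSL here."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Verdicts: legitimate, lookalike, brand-in-subdomain, userinfo-trick or unknown."""
    host, user = split_url(url)
    reg = registrable(host)
    report = {"host": host, "registrable": reg, "verdict": "unknown", "brand": None, "reason": ""}
    if user is not None:
        # https://netflix.com@evil.example/ : everything before '@' is a username, not the host.
        report.update(verdict="userinfo-trick", reason="text before '@' is not the host")
        return report
    if reg in KNOWN_BRANDS:
        report.update(verdict="legitimate", brand=reg)
        return report
    sub_labels = host.split(".")[:-2]
    sld = skeleton(reg.split(".")[0])
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in sub_labels:
            report.update(verdict="brand-in-subdomain", brand=brand,
                          reason="brand used as a subdomain of %s" % reg)
            return report
        if sld == name:
            report.update(verdict="lookalike", brand=brand,
                          reason="homoglyph or wrong TLD: %s" % reg)
            return report
        if levenshtein(sld, name) <= 1 or name in sld:
            report.update(verdict="lookalike", brand=brand,
                          reason="typosquat or brand embedded in %s" % reg)
            return report
    return report


SAMPLE_LINKS = [  # constructed links of the kind that arrive in scam messages
    "https://www.netflix.com/browse",
    "http://netflix.com.free-year-pass.example/claim",
    "https://netfIix.com/login",          # capital I standing in for l
    "https://n\u0435tflix.com/",          # Cyrillic ie standing in for e
    "https://netflix.com@evil.example/",
    "https://instagram-sorteo.example/winner",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        v = classify(link)
        print("%-18s %-14s %s" % (v["verdict"], v["brand"] or "-", link))
```

Only the "legitimate" verdict clears a link; "unknown" means the domain is simply not one we recognise, which for a message promising a prize is reason enough to open the site by typing its address rather than following the link. The edit-distance threshold of one and the short confusable table are deliberately conservative; widening either increases recall but starts to flag unrelated domains.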
Last but not least, it is vital to take the human factor into account. As mentioned at the beginning of this article, even though everyone knows how the Nigerian Scam works, the method is still in use today, and that is because there are still people who fall for it. This does not mean that these people are careless or less clever, far from it; the reason is that these are very powerful techniques that directly exploit certain human vulnerabilities.
The best way to protect yourself is to understand these vulnerabilities and to know yourself well enough to see which of them you need to strengthen first. Kymatio has the technology to carry out this identification and trains each user in a personalised way, thus maintaining an adequate level of alertness.