Hackers have devised an even more devious scheme for getting your users to relinquish their credentials online.
Yes, it’s a phishing scam. But this one looks so believable that some of your more skeptical users might fall for this new con.
In essence, these criminals have created web pages imitating some of the most trafficked sites—the likes of LinkedIn, Facebook, Twitter, Amazon—asking for your credentials. The pages look credible. The page simply asks for your login credentials for that specific account. At first glance everything looks legitimate.
So, what should your team be on the lookout for?
How should they (and you) check whether a website asking for your credentials is fake or legit? Which ones should actually get the green light to log in to?
Check that the URL is correct?
Check that the web address isn’t strange in some way?
Does the site use HTTPS (meaning it’s encrypting your login information in transit)?
Or should you be using a certain trusted browser?
Or rely on software or a browser extension that flags webpages (or web domains) suspected of phishing?
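As an added example (not part of the original post), here is a small check for the "is the URL correct" question above. It inspects the URL the browser actually navigated to, as shown in the real address bar, not the address painted inside a pop-up. The allow-list of genuine login hosts and the helper names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example: the genuine login hosts per service.
EXPECTED_LOGIN_HOSTS = {
    "facebook": "www.facebook.com",
    "google": "accounts.google.com",
}


def registrable_domain(host: str) -> str:
    # Simplification for the example: take the last two labels. Production
    # code should use the Public Suffix List ("example.co.uk" has three).
    return ".".join(host.split(".")[-2:])


def check_login_url(url: str, service: str) -> list[str]:
    """Return findings about url; an empty list means the genuine login origin."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("not https")
    # urlsplit separates userinfo: in https://www.facebook.com@evil.example/
    # the host is evil.example and "www.facebook.com" is merely a username.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        # Browsers display Unicode host names; compare the ASCII (IDNA) form,
        # so a homoglyph label shows up with an "xn--" prefix.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return findings + ["host name cannot be encoded as a domain"]
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        findings.append("internationalized host (possible homoglyph lookalike)")
    expected = EXPECTED_LOGIN_HOSTS[service]
    base = registrable_domain(expected)
    if ascii_host in (expected, base) or ascii_host.endswith("." + base):
        return findings  # genuine domain or one of its subdomains
    # "www.facebook.com.login-secure.example" and "facebook-com.example"
    # both contain the real name but are registered elsewhere.
    if base in ascii_host or base.replace(".", "-") in ascii_host:
        findings.append(f"'{base}' embedded in another domain: {ascii_host}")
    else:
        findings.append(f"unrelated host: {ascii_host}")
    return findings
```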
If your users are like most internet users, you’re probably relying on basic security practices to stay safe online.
I’m sure many of you are looking for Facebook.com or Google.com. But even doing this, experts are warning you still may fall victim to newly creative phishing attacks that give away your password credentials.
Experts are starting to find links being distributed through blogs and other services, prompting you to log into your Facebook account before reading an exclusive article or white paper.
Asking you to log in with your social media or Google account is not new—a LOT of businesses use different social media platforms to legitimately verify their clients’ identities. The problem now is that some of these pages might not be above board—they are exploiting what had been a very easy and effective tool in order to steal identities and information from your users.
What I want your users to be aware of is that they have to be careful when they click a “log into Facebook” button on any website that uses it to verify their identity. They’ll typically be redirected to facebook.com, or served a facebook.com pop-up in a new window, asking them to enter their Facebook credentials to authenticate and to permit that service or website to access the necessary information from their profile.
BUT malicious blogs and services online are serving users a login prompt that looks very similar to the legitimate one. That near-identical prompt asking for your users’ login credentials has been designed to capture them—hook, line and sinker.
This fake pop-up login prompt nearly perfectly reproduces the look of the Facebook login window—or that of another social media account—including the navigation bar, the window shadows and the facebook.com URL in the address bar. The page is even secure—the webpage hosting it has a valid HTTPS certificate. In pretty much every aspect these fake credential pages look and feel safe, and many very discerning individuals have fallen for this attack.
How can you protect your team from this type of attack?
Right now there’s really only one sure-fire way to detect one of these fake pop-up pages. If you drag the pop-up window outside of your original browser window and it disappears, it’s a definite fake: a real pop-up is a separate browser window that can be moved anywhere on your screen, whereas the fake is drawn inside the page and is cut off at the browser window’s edge.
Other than that, experts—myself included—recommend trying to use two-factor authentication, which helps ensure you are actually logging in to the sites you intend to (these fake credential-stealing pages have yet to discover effective ways to overcome two-factor systems utilizing email, a phone or a key fob). Best practice would be to know which of your personal or work accounts offer two-factor authentication and make use of it.
Phishing schemes are still on the rise and have led to some of the most serious attacks on organizations large and small.
Why should you be concerned about your users’ personal identities and Facebook credentials?
They’re probably using similar logins on social media and at work! Nearly half of the US workforce uses the same password, or derivatives of it, for work and play.
Even if they’re not sharing passwords across sites, when a hacker gets into a social media account, they’re able to find out a TON of information on your people. Enough to figure out how to scam their employers out of money or find ways onto their networks.
Best way to figure out if your network is safe? Experts recommend a network security assessment.