Facebook is one of the most popular social media sites, with 2.70 billion registered users worldwide. Many of these users go online to connect with one another.
It is, therefore, reasonable to expect some users to be unguarded and relaxed with strangers they encounter online compared to strangers they meet in real life. For many of them, virtual danger is taken for granted.
Online vulnerability is exactly what makes people easy prey to cyber criminals. Large social media sites are hunting grounds for hackers as it is a place to make friends.
Among the ways hackers attempt to extract information from their unsuspecting victims is through social engineering. Unlike the typical hacking, social engineering is accomplished through human interaction—usually ending with the victim giving up their private information.
This article discusses two of several common ways of social engineering that can take place on Facebook:
Attackers will do their best to create believable profiles to use when attracting their targets. The usual approach is to appear as a “mutual friend” to gain the target’s trust prior to the actual social interaction.
Fake profiles take advantage of the tendency of people to unknowingly accept friend requests, mostly assuming that the request comes from past acquaintances.
Carelessly adding and falling for fake profiles make the victim incredibly vulnerable, especially when particularly very active on Facebook. Once connected, information such as daily activities, profile pictures, locations and other friends become easily accessible. These information will help attackers tailor their social engineering plan to the target.
Additionally, some attackers will do their best to attempt to get to know their victim. Appearing friendly will make people less wary about security of the links sent through chat—links that may be used to phish or inject malware.
The best way to be protected is simply not to add unverified persons as friends. Furthermore, avoid posting day to day activities and photos revealing unnecessary information such as one’s current location.
Attackers promote raffles online that give incredibly low chances for anyone to win. These raffles are promoted on Facebook where raffle tickets are sold.
Payments are typically accepted via PayPal or bank transfers. After receiving the payment, the attacker hands out numbers that act as the raffle ticket code but the system is programmed to ensure that none of the issued tickets hold the winning number. The money collected from selling the tickets are simply pocketed by the criminals.
Other times, people will be chosen as winners with a catch. The catch tends to be “a small fee to send over the prize.” Doing this grants the attacker two things: additional money and the home address of the winner.
People who are invited to join the raffle typically tend to be those known to have gambling addictions.
Avoid gambling online, especially in conjunction with entities that are not approved by the local government or gambling authorities.
The unfortunate thing about social engineering is that it completely bypasses whatever online security is being employed by a user. The only way to truly be protected is to exercise constant vigilance both online and offline.
Regardless the sophistication of systems’ protection, humans are always the weakest point in security.
Photo by: PxHere
This content is part of the Banker’s Association of the Philippines’ (BAP) #CyberSafe campaign, where the BAP aims to promote awareness in cybersecurity. The campaign will upload new posts tackling common web security questions and issues, on Wednesdays and Sundays every week.
For more content on cybersecurity, visit the BAP Official YouTube channel.