ID thieves use angler phishing scam on social networks: Internet Scambusters #745
Angler phishing is the latest ploy being used by scammers on social networks like Twitter and Facebook.
They pose as customer service reps following up complaints and convince victims to hand over confidential information, as we explain in this week's issue.
We also have a warning about fake delivery service messages that aim to infect your PC with malware.
Now, here we go...
Angler Phishing Scams Reel In Stolen IDs
When you're seeking customer service support via Twitter, beware of getting caught on the hook of an angler phishing scam.
Angler phishing? That's the name security experts have given to a con trick in which scammers pose as customer service reps for the company you're complaining to.
Here's how it works.
It's common practice among some of the 300 million people on Twitter to use the social media service to talk about problems they're having.
Many organizations have their own Twitter account -- usually "@" followed by its name, for example "@paypal."
A message that includes that "handle" goes to the company's Twitter feed, so they can read it and respond.
Alternatively, a user can apply a hashtag -- "#" -- followed by the name, for example "#paypal," and the message or tweet will go into a list with all other tweets using the same hashtag.
The hashtag approach means that Twitter users are sharing their complaints for anyone to see.
So, it's only natural that companies also monitor hashtag lists for tweets that use their name.
Either way, organizations that take customer service seriously are usually quick to respond to these grumbles by contacting the user so they can try to put things right.
Scammers Step In
But these organizations are not the only ones monitoring the complaints. And that's where the angler phishing tricksters step in.
As it happens, the example we used of PayPal is one of the most common targets for the scammers.
The crooks have their own Twitter accounts, often with names resembling the target company's or with authentic-sounding titles that include words like "bank." Sometimes the fake organization name begins with the word "Ask," as though inviting customer service inquiries.
The scammers know the grumblers are waiting for a reply, so they step in and supply one. In the process, posing as PayPal or whomever, they ask the customer for personal information, like their sign-on details.
A typical message apologizes for whatever trouble the consumer is complaining about and invites them to visit their fake website page "to better serve you."
They may use a link shortener to disguise the destination completely -- for example, an address starting with "bit.ly/" followed by a string of letters and numbers.
The message also tries to hurry victims along by promising to solve their problems immediately after they sign on with their account details.
Once they have the details they need, the scammers sign on to the customers' accounts and, depending on which organization they're mimicking, try to withdraw money or make purchases.
In some cases, they may use the details to open credit card and loan accounts.
According to one report, once the scammers have the account information they need, they then send another message to the victim, thanking them and redirecting them to the genuine site they're seeking -- hoping to throw their victims off the scent and allow more time to commit their crime.
Facebook and Instagram Targeted
The same report -- from financial intelligence site Fortune.com -- says the scam is now also starting to make an appearance on other social media sites such as Facebook and Instagram.
It quotes security expert Devin Redmond as saying: "The bad guys put it all together -- a social media account, the website, even fake email accounts -- to create a whole environment."
Meanwhile, says Fortune, a variation using hijacked LinkedIn accounts belonging to insurance brokers has also shown up.
The security firm that uncovered the angler phishing scam, Proofpoint, says the fake PayPal page looks remarkably convincing, right down to the financial firm's logo.
Watch this brief video produced by Proofpoint for banks and other financial institutions:
Sometimes, angler phishing scams are almost impossible to spot, but you should always be wary of tweets and emails that promise to quickly resolve your problems if you click a link. If that link then takes you to a site where you're invited to sign on -- don't. It's almost certainly a scam.
There are also a number of organizations that publish lists of suspicious websites. You'll find details of these plus lots of other useful tips on how to spot and avoid angler phishing and other scams in PayPal's fraud guide.
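As an added illustration (not part of the original newsletter), here is a small Python triage script that applies the warning signs described above to replies a customer might receive after tagging @paypal in a complaint: a non-official handle that imitates the brand, a shortened or lookalike link, a request to sign on, and "better serve you" urgency. The official-handle list, domain list, shortener list and sample replies are constructed assumptions, not data from the article.

```python
import re
from urllib.parse import urlparse

# Constructed example data (assumption): a real deployment would load the
# brand's verified handles and domains from the company's own contact page.
BRAND = "paypal"
OFFICIAL_HANDLES = {"paypal"}
OFFICIAL_DOMAINS = {"paypal.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "ow.ly", "goo.gl"}  # hide the real destination
CREDENTIAL_WORDS = ("sign on", "sign in", "log in", "login", "account details", "password")
HURRY_WORDS = ("better serve you", "immediately", "right away")
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

def assess_reply(handle: str, text: str) -> dict:
    """Flag angler-phishing traits in one reply to a public complaint.
    Verdict is 'suspicious' when a non-official account imitates the brand
    and also pushes a link or asks for sign-on details."""
    h = handle.lstrip("@").lower()
    compact = re.sub(r"[^a-z0-9]", "", h)
    official = h in OFFICIAL_HANDLES
    # Handle patterns from the article: brand name, "Ask..." prefix, "bank"-style words.
    lookalike = not official and (BRAND in compact or compact.startswith("ask")
                                  or "bank" in compact or "support" in compact)
    flags = ["lookalike_handle"] if lookalike else []
    for url in URL_RE.findall(text):
        full = url if url.lower().startswith("http") else "http://" + url
        host = (urlparse(full).hostname or "").lower()
        if host in SHORTENERS:
            flags.append("shortened_link")    # e.g. bit.ly/...: destination unknown
        elif host and host not in OFFICIAL_DOMAINS and BRAND in host:
            flags.append("lookalike_domain")  # brand name inside a foreign domain
    lower = text.lower()
    if any(w in lower for w in CREDENTIAL_WORDS):
        flags.append("credential_request")
    if any(w in lower for w in HURRY_WORDS):
        flags.append("urgency")
    pushy = {"shortened_link", "lookalike_domain", "credential_request"} & set(flags)
    verdict = "suspicious" if lookalike and pushy else ("official" if official else "benign")
    return {"handle": handle, "flags": flags, "verdict": verdict}

# Constructed sample replies to a complaint that tagged @paypal (not real accounts).
SAMPLE_REPLIES = [
    ("@Ask_PayPalBank", "Sorry for the trouble! Please sign in at bit.ly/2xAbCd3 "
                        "so we can better serve you."),
    ("@paypal", "Sorry to hear that. Please DM us and we'll look into it."),
    ("@jane_doe", "Same thing happened to me, still waiting on a reply."),
]

def triage(replies=SAMPLE_REPLIES) -> list:
    return [assess_reply(h, t) for h, t in replies]
```

The heuristics are deliberately simple; a shortened link is flagged rather than expanded, so the real destination still has to be checked before anyone signs on.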
Alert of the Week
Once it was a rarity, but now that more and more of us buy online, we often expect to see packages show up on our doorstep.
And we're not surprised to find a note from the carrier saying they attempted delivery of a shipment that requires a signature.
Scammers have picked up on this and are sending out emails that mimic such notices, hoping to trick recipients into clicking a link.
One message received recently by a member of the Scambusters team started by saying:
"Your shipment has arrived, but we were unable to deliver it to your address because nobody was present.
"Someone must always be present at the destination address, on the delivery day, to sign for the parcel."
Fair enough, but...
A link that supposedly led to a delivery notice would actually have taken them to a download site in Vietnam where a digital package of malware was awaiting them.
The address was cleverly designed to look like it came from UPS.
If you get a message like this, ignore it; but if you think there may be a package for you, look up the phone number for the delivery company and call them direct.
That's all for today -- we'll see you next week.