Degrees of phishing

Stuart Fuller

Earlier this week, I was asked to present at a digital masterclass on the key trends in social media. The audience was made up of digital brand and marketing professionals from some of the biggest global brands who were keen to understand what the latest opportunities and risks were on the fastest-growing channel to market.

Our theme was the dark shadow of social media, focusing on some of the recent data that has been shared about the growth in fake and malicious social media profiles. Our message wasn’t meant to scare the audience, rather to give the attendant brand custodians the most up-to-date insights into what they should be doing to keep their clients protected online and their reputations intact.

After the presentation, we sat down with the audience and discussed some of the trends in more detail. One issue came through loud and clear – irrespective of industry – and that was phishing. Whether it’s traditional email scams targeted at financial services customers, recruitment fraud or social media targeted ads, phishing is becoming more sophisticated and widespread.

The Anti-Phishing Working Group (APWG) reported that phishing was up by 250% year on year based on figures from the first quarter in 2015, with nearly 230,000 identified phishing attacks launched by email alone in March 2016. In the past couple of weeks alone, we’ve seen a number of major brands being the subject of phishing scams on social media, with consumer understanding of the threats still almost zero. The overwhelming response from the brand professionals in the room was: “Why do the social media networks allow it to happen?”

Although the growth in social media usage has certainly accelerated the phishing threat, the old-fashioned email method is still as potent as ever. Whilst most of us are clued up to the classic 419 scam (“I’m the widow of a deposed General”; “I work for xxx bank and I need your help to siphon away $10m”; or “Whilst I’ve never met you, I know you are a good person so I want to give you $5m before I die”), add in some authority to the email and it seems many people still lower their guard.

To underline how prevalent the threat has become, the BBC reported last week on a targeted scam aimed at new students preparing for life in further education. This latest threat took the form of an email sent to students who had been offered a place at certain universities. The emails appeared to come from the relevant university’s finance department, complete with logo, offering the student a government-backed educational grant and inviting them to make an application that included the submission of personal and financial details. Some victims had reported money being taken from their bank accounts after submitting their ‘claim’ for the bursary.

The universities affected to date have reassured students that they have not suffered any data breach, which raises the question of how the cyber-criminals obtained the personal data. Unfortunately, it’s easier than people think to obtain those one or two bits of key information that can give credibility to a scam. In this instance, that may have been via an update on a social media network (“Yeah! I got a place at the University of ABC…!”) – cyber-criminals will often set up elaborate ways to capture data that to many of us seems innocuous but to others is very valuable.

One other factor that comes into play in the university scam example is the approach to technology of the ‘target market’. The current generation in education use email in a very different way to those of working age. Today, communication is more social, taking place via apps such as Snapchat, WhatsApp, Instagram or Twitter – even Facebook is becoming passé in the eyes of a teenager. They use an email address simply as a sign-up, and may therefore be relatively unaware of the dangers that phishing scams present.

Just like supermarkets offering ‘free’ vouchers through Facebook ads, or online marketplaces offering luxury fashion brands at high street prices, offers such as free money for students are simply too good to be true. If an official-looking person was simply handing out cash in the street outside a university, there’d be a great deal of skepticism about their motives. The same caution needs to be exercised online – if it looks too good to be true, it most certainly is!