From the course: Cybersecurity Awareness: Phishing Attacks

Unfriended: How to spot a social media phish

- [Instructor] A friend and I were chatting about a healthy lifestyle change I wanted to make. My friend raved about a woman on Instagram that had lots of helpful tips on this particular lifestyle change. She sent me the woman's profile and I followed her immediately. A few days passed and I received a follow request from the woman. I was surprised. This woman had lots of followers and didn't follow too many people. I was flattered in the moment but I also felt a little suspicious. The next day, I received a message from the woman. It simply read "hey." At this point, my slight suspicion turned into full suspicion. I checked the Instagram handle again to make sure I was talking to the right person. Though the handles were similar, the one that I was being messaged from had an extra I in it. And when I visited the profile page of the fake account, the follower count was different, even though the bio and the grid looked exactly the same. It was a social engineer. I immediately blocked the person but other accounts like it continued to follow me until I unfollowed the legitimate account. This is a common tactic used by attackers to move under the umbrella of trust that popular accounts have built with their following. Remember the halo effect we talked about?

Social media has taken the world by storm in the last decade. It connects us to people all over the world and allows us to create platforms for ourselves, and our businesses. Unfortunately, it also gives attackers a way to gather more information on us. It also provides another avenue for them to trick victims into doing or sharing something that they would not ordinarily choose to. Using social media in this way is called social media phishing.

Social media is a great place to collect information about a person. You can find birthday posts, which are often posted on a person's birthday and often indicate how old a person is. You can find answers to security questions like a pet's name. There are even certain challenges or games that are played on social media platforms like Twitter where a tweet will say something like "your alien name is the street you grew up on plus your mother's maiden name." Seemingly harmless on the surface, an attacker could use this information to answer security questions. Some attackers even use LinkedIn to collect information on targets. It's not uncommon to have your phone number and address in your resume, which can be uploaded to LinkedIn for potential recruitment.

In some social media phishing attacks, like the one I shared in the beginning of this video, impersonation is heavily leveraged. Impersonation is the act of pretending to be someone else. It gives the attacker the ability to become someone that would be more unassuming, which potentially lowers the guard of the victim. Like catfishing. Catfishing is a kind of impersonation. It's when a person impersonates someone with the intention of romantic connection. Catfishing can be used in social media phishing. A victim could be lured into a relationship with a catfish and can be persuaded or influenced into a number of things because of the trust created.

Some social media phishing attacks are a little less obvious. When on Facebook, I'll see a friend post a quiz they've taken with a third party. I'll be honest, it's always a little tempting for me. I mean, who wouldn't want to know what Hogwarts house they would be in? However, some of these third-party applications ask for access to your Facebook account or other personal information before you can get your results. This is a way of enticing you into interacting with the quiz and sharing information. It's not always clear what the information is used for from the user's perspective but it could be used in a number of ways.

In the beginning of social media, I remember the push to add as many people to your social media network as possible. More followers or connections seem to indicate more popularity. Little did we know, not all connections or followers were well-meaning. This is why it's important to be a little more selective about who you're adding to your social media networks. If you don't know the person requesting to follow you, and this person's not connected to anyone you know, refusing to add that person to your network may be the better way to go.
