Don’t fall prey to the catfishing.

You get a message on a social media site from a lovely lady or handsome fellow. They want to chat and get to know you more. You think no since they are strangers. You respond to be polite or friendly since, after all, you are on social media. They seem OK as you talk to them further. Lured into a comfort zone, your guard lowers, sharing more information about yourself. Your relationship moves to a point where this other person wishes to speak to you, but all the chat apps aren’t working for them. They request you to download an app. Or your new friend is underaged, and their parent gained access to their smartphone and are railing against you. The parent demands payment, or they will report you to the police.

You are now a victim of a phishing attack. Cybercriminals use catfishing of a real person to lure you into either putting yourself in a compromised position or clicking a malicious link to gain access to your data. Catfishing is when someone takes other’s photos or online avatars and use them as their own to create false identities. It’s usually connected with deceptive online romances or scams for personal gain. They are using social engineering attacks.

Catfishing is Social Engineering

Most social engineering attacks are random. For example, the bad guys send out an email blast to a billion addresses with the expectation that .01 click on the malicious link. We aren’t talking about that here; we are speaking of the more targeted attacks, such as Whaling and Spear Phishing, where it isn’t random. Whaling is a phishing attack that is aimed explicitly at wealthy, powerful, or prominent individuals such as CEOs, politicians, or celebrities using email or electronic communications to scam them. On the other hand, spear phishing is a targeted attack on an individual or organization.

Recent Examples

Recently, according to the Israel Defense Forces (IDF), the Palestinian group, Hamas, took to Facebook, Instagram, and the messaging app, Telegram, in an attempt to lure young male soldiers into downloading an app on their smartphone. This app is malware that could take remote photographs, access files, steal SMS messages and address books, and share the device’s GPS location. The IDF was able to identify, track, and take down the app. The app was a security risk to soldiers putting operations in jeopardy. Using social media as a way to penetrate the IDF isn’t new, this was the third attempt by Hamas in using the catfishing technique. What was new was the malware.

In the past, scammers have preyed upon U.S. service members in a similar method, but it was a sextortion ring. Identified and targeted via social media and online dating websites, the men had attractive girls contact them luring them into online affairs then the scammer would change roles to the father of the girl claiming the girl was his juvenile daughter. Instead of not pursuing charges through the police, the father asked for payment to keep quiet. In 2018, over 400 service members from the Army, Navy, Air Force, and Marine Corps lost more than $560,000 to this scam.

Weakest Link

The cybercriminals go for the weakest link in the cybersecurity chain, and that is the human element. They prey on human nature. Our desire to be liked, appreciated, helpful, and found attractive. They feed our egos.

Don’t be the weakest link. It requires you to be aware of the risk out there, especially if you are in a position of leadership.

Schedule time to talk about your cyber risk and cybersecurity concerns and questions.