A recent warning from the US’s Better Business Bureau (BBB) alerted Facebook users to a new phishing scam which claims recipients have been spotted in a video. (Like this has never been done before!!)
How does it work?
The user receives a Facebook message containing what appears to be a video link, accompanied by the short message “Is this you?”
Another variation is “Hey [recipient’s name], what are you doing in this video lol! Search ur name and skip to [time] on video. Type in browser with no spaces -> [address inserted by attacker]”.
There are other variants, differing mainly in how poor the grammar is, but the idea is simple: convince recipients that they appear in a video, then get them to click the link (or, as in the second example, type the address into their browser by hand so that no clickable link is present for Facebook to scan).
One recurring theme, again nothing original, is that the message arrives from one of the recipient’s Facebook friends, typically an account that has already been compromised by an earlier round of the same scam. That is what gives the message its credibility.
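As an added illustration (not part of the BBB warning or of the original post), the Python below shows the two features of these messages that a content filter or a moderation bot would key on: the recurring lure phrases, and the deliberately spaced-out address that defeats a naive link scanner unless the whitespace is collapsed first. The phrase list, the sample messages and the `vid-share.example` address are all constructed for this example.

```python
"""Flag 'you are in this video' style lures in Facebook-type messages.

Added illustration only: the phrase list, the sample messages and the
vid-share.example address are constructed for this example.
"""
import re

# Lure fragments seen across the campaigns described in the post (constructed list).
LURE_PHRASES = ("is this you", "in this video", "search ur name")

# "Type in browser with no spaces -> v i d . e x a m p l e": capture everything
# after the instruction so the spaces can be collapsed back out.
NO_SPACES_HINT = re.compile(r"no\s+spaces\s*(?:->|:)?\s*(.+)$", re.I | re.S)

# Deliberately loose URL matcher: optional scheme, dotted host, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def extract_urls(message: str) -> list[str]:
    """Return URLs found in the message, including ones spelled out with spaces."""
    urls = set(URL_RE.findall(message))
    hint = NO_SPACES_HINT.search(message)
    if hint:
        # Collapse whitespace so "e x a m p l e . c o m" becomes "example.com".
        collapsed = re.sub(r"\s+", "", hint.group(1))
        urls.update(URL_RE.findall(collapsed))
    return sorted(urls)


def domain_of(url: str) -> str:
    """Strip scheme and path, leaving the host to compare against a blocklist."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/", 1)[0].lower()


def assess(message: str) -> dict:
    """Score a message: lure phrases, any URL, and a spaced-out URL all count."""
    text = message.lower()
    hits = [p for p in LURE_PHRASES if p in text]
    urls = extract_urls(message)
    obfuscated = NO_SPACES_HINT.search(message) is not None
    # Threshold of 2: a friend genuinely asking "is this you?" with no link is left alone.
    score = len(hits) + (1 if urls else 0) + (2 if obfuscated else 0)
    return {
        "lure_phrases": hits,
        "urls": urls,
        "domains": [domain_of(u) for u in urls],
        "obfuscated_url": obfuscated,
        "suspicious": score >= 2,
    }


# Constructed sample messages modelled on the wording quoted in the post.
SAMPLES = {
    "video_link": "Is this you? https://vid-share.example/watch?id=123",
    "spaced_url": (
        "Hey Sam, what are you doing in this video lol! Search ur name and skip "
        "to 0:42 on video. Type in browser with no spaces -> "
        "v i d - s h a r e . e x a m p l e / s a m"
    ),
    "benign": "Are you coming to the BBQ on Saturday?",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, assess(msg))
```

The point of the `NO_SPACES_HINT` step is that the second lure variant never contains a URL a scanner can see; only after the whitespace is stripped does `vid-share.example/sam` appear and become something that can be checked against a blocklist.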
The BBB states these are phishing scams and that they are attempting to either steal your sensitive data or get you to download malicious software.
“Cybercriminals want your passwords, bank account numbers or other sensitive information, or they want to trick you into downloading malware onto your computer” (Better Business Bureau)
Done before…many times
Although this particular campaign is new, the idea behind it has been used more times than Jeremy Clarkson says “…In the world.”
Don’t believe me?
Here’s an article detailing a similar campaign from 2018: https://www.onlinethreatalerts.com/article/2018/12/13/the-facebook-omg-watch-video-phishing-scam/
Here is a news article on a similar attack from 2017: https://www.hackread.com/you-are-in-this-video-facebook-malware-scam/
And here is an article showing a remarkably similar campaign…from 2016: https://www.hoax-slayer.net/beware-of-you-are-in-this-video-facebook-scam-messages/
OK, the last two were most likely the same campaign reported at different times, but the point is that this form of social engineering is nothing new.
If it’s so old, why do we keep falling for it?
Our perception, as an organisation that spends its working life immersed in cyber security, is that these are obviously phishing attempts. To someone without security awareness training or prior exposure to phishing, they look very different.
The reality is that although scammers are rehashing old techniques, very few people are being taught how to recognise them and avoid the next attempt.
We have written many times about why security awareness training is essential, but what we really need is a culture shift towards seeking out preventative education.
What can I do if I receive one of these messages?
The first thing to do is contact the friend whose account sent the message. Do this through another channel (a phone call or a text message, say), not via Facebook Messenger, because their account may no longer be under their control and an attacker holding it can simply reply that the video is genuine.
Once you have let them know, delete the message and, whatever happens, don’t click the link or type the address into your browser. If their account has been taken over, they need to change their password and report the compromise to Facebook.
Attackers leave many telltale signs in their phishing attempts, and the most cost-effective and time-efficient way to learn them is through security awareness training.