A recent Instagram security warning alerted millions of users to 'believable' new phishing attacks. Phishing is no longer limited to the good old emails claiming that your bank account has issues it does not have. In the past, one could identify phishing through bad spelling, poor grammar, incorrect wording and weird-looking websites.
Although the phoney emails have not stopped, cyber-crooks have now invaded our social media accounts. A growing number of them are going after our email and social media passwords.
Paul Ducklin, Senior Technologist at Sophos, explains how to stay safe and avoid phishing scams that abuse Instagram or any other brand: "Successful phishers know three things: less is more; calm language works better than !!!SHOUTING!!!; and ripping off official content is easier than creating their own material. As a result, you can no longer rely on the obvious telltales of phishing from the past, such as spelling mistakes, wild promises, unbelievable threats or messed up web pages. These days, don't look for reasons to disbelieve an email - look for very specific reasons to accept it instead. Most importantly, if an email wants you to go online and do something such as check your account, ignore any and all instructions in the email itself. If it's an account you actually use, you'll know how to get there already, so follow your own nose, not someone else's."
Use a password manager. Not just because it'll never pick your cat's name as a password; not just because it'll make sure you have a different password for every website, even sites you don't consider important; but also because a password manager makes it surprisingly hard to put the right password into the wrong site.
Use 2FA. Those one-time codes that arrive in text messages, or that come from an app on your phone, or are generated by a special USB dongle you plug in only when needed - they're a tiny inconvenience for you, but they make your password alone very much less useful to the crooks.
Never click on email links to login. Even if you're convinced an email is genuine, ignore any login links it tells you about. You can't click through to a fake sign-in page if you never click through to sign-in pages at all.
When a user clicks through on the link, they’re taken to a site on a .cf domain name that appears to be identical to the Instagram signup page. “The phishing page itself is a perfectly believable facsimile of the real thing, and comes complete with a valid HTTPS certificate,” the researchers note.
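The password-manager tip and the lookalike page with a valid HTTPS certificate both come down to exact origin matching, sketched here as an added example (not code from the article, Sophos or any real password manager). The vault entry and the `.example` hosts standing in for the lookalike domain are constructed, and real managers may match on a wider rule than exact origin.

```javascript
// Constructed vault: one saved login, bound to the origin it was saved on.
const vault = [
  { origin: "https://www.instagram.com", username: "alice", password: "constructed-secret" },
];

// Reduce a page URL to its origin (scheme + host + port).
// Returns null for unparsable URLs and for anything not served over HTTPS.
function pageOrigin(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Offer credentials only when the page origin equals the saved origin.
// How convincing the page looks, and whether its certificate is valid,
// never enter the decision: only the host the browser actually reached does.
function credentialsFor(pageUrl) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) ?? null;
}

// Constructed test pages: the genuine login page and three things a
// phishing link can look like.
const samples = [
  "https://www.instagram.com/accounts/login/",               // genuine
  "https://www.instagram.com.login.example/accounts/login/", // brand as subdomain label
  "https://www.instagram.com@login.example/accounts/login/", // brand in userinfo part
  "http://www.instagram.com/accounts/login/",                // downgraded to plain HTTP
];

for (const page of samples) {
  const hit = credentialsFor(page);
  console.log(hit ? `fill ${hit.username}` : "no autofill", "<-", page);
}
```

When the manager offers nothing on a page that looks like the usual sign-in form, that silence is the signal that the browser is on a different site.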
This is not the first phishing or hacking attempt targeting Instagram. As the fifth-largest social network in the world by active users as of July, Instagram is a popular target for hackers.
Users of Instagram were targeted in a phishing campaign that included fake copyright messages in March. In that case, users would receive an email coming from an official-looking URL that reads “we regret to inform you that your account will be suspending because you have violated the copyright laws. Your account will be deleted within 24 hours. If you think we make a mistake please verify, to secure your account.”
As in this new phishing attack, users were taken to a fake Instagram login page where they were prompted to input their Instagram credentials.