As cyberattacks continue to rise, phishing remains one of the most prevalent ways for attackers to break past small and medium business (SMB) defenses and compromise an organization. According to the Verizon Data Breach Report for 2021, phishing remained the top vector of attack for organizations, present in 36 percent of breaches (up from 25 percent in the prior year).
In addition to the prevalence of phishing continuing to rise year over year, we’re also seeing attackers leverage new digital channels to reach their target victims — such as social media. One recent example that SMBs should pay attention to is a phishing campaign designed to steal passwords from Facebook users and administrators.
According to a recent cybersecurity research report, attackers have been pretending to be Facebook team members and emailing users to say that content on their account has been reported by other users. As a result, their “account may be disabled.” The email says that they can appeal the decision by clicking a link and stop their account from being deactivated. In reality, the email is a phishing lure: the link leads to a page that harvests the victim’s credentials, which the attackers then use to take over the account and steal personal information such as name, email address, and password.
There are many reasons users might fall for this type of phishing email. First, it looks like it is coming from the company itself and presents itself as an authority figure (the Facebook team) looking for information. Second, it impresses on the victim a sense of urgency, where if they don’t take immediate action, they will lose access to their accounts. Both are common tactics used by attackers looking to trick even educated users into clicking on nefarious links.
There are several reasons an SMB should be worried about this type of attack, even though it targets a user’s personal Facebook page. First, administration of a Facebook business page is typically handled through the personal Facebook accounts of its administrators, so compromising one of those personal accounts can compromise the business page as well. Additionally, users unfortunately often reuse the same password across multiple accounts, which means attackers can try the same email and password combination against other, more sensitive accounts (such as banking or business systems).
There are a number of things that an SMB can do to help protect its users against this type of attack. First, it should educate employees on how to identify the signs of a potential phishing attack and to avoid clicking on any link without verifying its source. This education should also include ongoing updates on new attacker tactics, such as this Facebook phishing campaign, so that employees are always on the lookout for the latest threats, along with password best practices. In addition, an SMB can use tools that reduce employees’ exposure to phishing, such as email monitoring software and multi-factor authentication (MFA), which limits what an attacker can do with a stolen password.
Cyberthreats are not going anywhere any time soon. SMBs and every size of business need to keep pace with the latest advancements in attacker tactics, both phishing and otherwise, to ensure they can best protect their organizations, employees, and customers today and into the future.