As summer unfurls and folks get ready to head to the beach, their guard is down. But cybercriminals are just getting started. Good thing there is a lifeguard on duty.
In this edition of the Consumer Cyber Safety Pulse Report, the Norton Labs team highlights three threats that could not only imperil your security, privacy, and identity, but also wreck your vacation. Here is a quick preview of our spotlights this quarter.
- Spotlight #1: Social media phishing attacks – What you need to know after we studied a year’s worth of phishing lures.
- Spotlight #2: To Zelle and back – Find out why cybercriminals love this money-transfer tool.
- Spotlight #3: Back-to-school scams beckon – Get ready for fraudsters to put you to the test. We did the homework for you.
But first, a look at the numbers.
Spotlight #1 – Social media phishing attacks
The Labs team analyzed a full year of phishing attacks against social media websites, including Facebook, Instagram, TikTok, Twitter, LinkedIn, and Snapchat.
Among the study’s key findings:
- More than 4 billion people worldwide use social media and share information, presenting scammers with a valuable trove of personal information to steal.
- Phishing campaigns targeting social media are booming.
Social media phishing lures can target you by email, SMS, or within a social media platform. Here are the eight schemes we uncovered.
What is the most common social media phishing scheme? The fake log-in page that looks like the real thing but tricks you into providing your login information. This template is used to fool you into believing that the page is legitimate and to steal your credentials once you try to access your profile.
Nobody wants to lose access to a social media account. This attack exploits that fear to steal your access credentials. Phishing websites might intimidate you into revealing sensitive information by reporting fake, unauthorized access to your account and urging you to go through a security checklist.
You probably know social platforms are not authorized to post any material that is protected by copyright. These phishing attacks try to deceive you by pretending your account has been locked due to a copyright violation. The scam requires you to log in and disclose your credentials to unlock your profile.
Verified badges are icons that signify a social media platform has confirmed an account is authentic. Accounts could be for a public figure, celebrity, or brand. These phishing campaigns prompt you to log in to obtain (or not to lose) your verified status on the platform.
Profile hacking services represent a new variant of phishing attacks. Malicious campaigns pretend to offer you a way to hack into a profile or to reveal other customers’ information such as email. Their real goal? To continuously redirect victims and monetize them through other services such as ads or surveys.
Generating followers and post interactions is a major goal of content creators and profile holders. This phishing scheme promotes services to do that for little or no cost. Instead, these attacks might redirect you to attacker-controlled websites that display ads, swipe your login credentials, or infect your device with malware.
These sneaky phishing campaigns are designed to intercept temporary codes to break into profiles with two-factor authentication enabled. The tokens are generally tied to your device and allow scammers to modify personal details or login credentials.
These phishing campaigns involve social media platforms and are designed to steal your financial information. Malicious websites often exploit known social media brands and ask you for your credit card details by simulating a problem with your account.
Advice for Consumers:
Cybercriminals are using rich and varied narratives to phish social media credentials. Always be alert to potential scams, no matter how convincing the pages may look or how they are delivered to you.
Check out our full article with screenshots of each lure example here.
Spotlight #2 – To Zelle and back: Financial frauds
Zelle enables fast and free inter-bank transfers between people. Certain characteristics of the service make it especially attractive to cybercriminals. Here is how.
Zelle is owned by a financial services company, and that services company is owned by several large banks. Zelle was originally available to the many customers at those banks, but the service has gained wider adoption by other banks as demand for it increased. As a result, Zelle is now available to more than 100 million people.
Readers are probably familiar with PayPal, which also allows for quick payments, but with an important distinction: PayPal is a third-party service and does not facilitate instant transfers between bank accounts. PayPal payments introduce delays between when a payment occurs and when the money can be deposited into a bank account. However, with Zelle, as soon as you click “send,” the money is gone and there is little that can be done to get it back.
How it works:
Zelle is typically used on mobile devices or from a bank’s website to send instant payments directly from one bank account to another. No acceptance is required by the recipient; the sender is simply asked to confirm their payment before sending it. Once a payment is sent, there is no guaranteed way to get the money back.
Zelle is not only convenient for paying your friends but also for cybercriminals to trick individuals into draining their bank accounts.
We identified two types of fraud involving Zelle:
- Zelle + social engineering: Cybercriminals send text messages to victims, alerting them to some worrisome activity like a large transfer out of their account (Figure A). The concerned victim responds “NO” and then gets a callback claiming to be from their bank. The attacker then uses an elaborate story to convince the victim to associate their phone number with an account controlled by the cybercriminal. Finally, the attacker gets the victim to transfer all their money to their phone number – which is now linked to a bank account controlled by the attacker – to “secure” their money. The attack is complete, and the attacker never needed to log in to the victim's account. There are other variants of this, where the story is changed, but the result is the same – convincing you to transfer money out of your account via Zelle.
- Zelle as a tool: Using other methods to break into your bank account such as phishing or malware on your device, a cybercriminal can log in and transfer money from your account into an account they control instantly. Zelle is used as a convenient tool to quickly transfer money in a way that makes it hard to claw back.
Although we identified PayPal scam activity 30 times more frequently than Zelle scams, the ability to instantly transfer money between accounts makes Zelle much riskier.
Zelle is a powerful tool that makes it easy to instantly transfer money out of a bank account. There are some protections for outright fraud related to Zelle. But if the account holder initiates the transaction because they were scammed, not all those protections will apply. The account holder may be responsible for any losses.
Advice for consumers:
Never respond to an email or SMS related to Zelle. If you are concerned or confused, log into your bank directly and look for any transactions related to Zelle. If still in doubt, call the bank's support line directly, not a number taken from a text message you received, and ask an agent for help.
Read more about customer support scams here.
Spotlight #3 – Back-to-school scams beckon
Fraudsters like to tie scams to seasons, and that means they are already pushing back-to-school scams to the head of the class.
Scams can range from bogus offers of scholarships and financial aid to fake offers of “free” back-to-school shopping sprees. This year, back-to-school time is already inspiring a variety of scam tactics.
Here is a roundup of back-to-school financial scams that are rolling out now.
1. Scholarship scams
School can be expensive, especially if you or your children attend private schools or are enrolled in college. Scammers know this, which is why scholarship scams are so popular.
In one type of scholarship scam, the cybercriminals ask for an application fee to apply. That fee might not be large — maybe just $25 or $35 — but if scammers get enough people to pay this fee? The profits can add up.
In another type of scam, you might receive an email or text saying that you have won a scholarship, even if you do not remember applying. But before you can collect your thousands of dollars in free money, you must pay a redemption or disbursement fee. Keep this in mind: Legitimate scholarships do not require you to pay any fee to receive your money.
How do you detect a scholarship or financial aid scam? The FTC (Federal Trade Commission) offers these examples — and warns against similar statements — as sure signs of a scam.
- “The scholarship is guaranteed or your money back.”
- “You can’t get this information anywhere else.”
- “I just need your credit card or bank account number to hold this scholarship.”
- “We'll do all the work. You just pay a processing fee.”
- “You're a finalist [for a contest you never entered].”
2. The student loan forgiveness scam
In these scams, fraudsters send emails or texts to students or parents saying that they can reduce or erase the student loan debt that they owe. Not true. The scammers might ask for a fee, which is likely to disappear into their pockets.
3. The student tax scam
The student tax scam is a popular one for students, or the parents of students, who are heading to college in the fall. The student or parent receives an email, text, or phone call from someone claiming to be from the IRS. This message says that the student never paid his or her student tax. Of course, there is no such thing as a student tax. It does not exist.
Read more about back-to-school scams here.
Norton Labs continues to track scams and threats targeting the digital lives of consumers. Find out more when we publish our next Consumer Cyber Safety Pulse Report in October. Summer will be over, but holiday scams will be on the way. Until then, remember to always swim with a buddy.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.