Reposted from KnowBe4
Proofpoint just blogged about the risks of (mis)using social media for technical support purposes.
It’s a simple, brilliant scheme. The bad guys set up a fake PayPal Support page on Twitter, and then monitor the real PayPal Support page on Twitter for potential marks.
When users experiencing problems with PayPal hit the real Twitter PayPal Support account and their cries of woe appear, the bad guys swoop in and respond to these users from their fake PayPal Support account with a social engineering attack.
The response is a classic phish, pointing would-be victims to a fake PayPal support site where users are asked to log in with their PayPal credentials.
And once they do that, they’ve handed over their PayPal credentials to malicious actors, effectively guaranteeing that whatever problems they were experiencing with PayPal will be nothing in comparison to the misery the bad guys will now inflict.
Social media: “That online space where you can not only waste endless hours of your precious time but also advertise yourself to fraud artists as ripe for the picking.”
I suggest you send something like this to your employees, friends and family. You’re welcome to copy/paste/edit:
“A lot of companies have support pages on social media. A good example is PayPal, which has a Twitter support page. You need to watch out for bad guys who are tricking people with fake support pages. Here is how this scam goes down:
- The bad guys set up a fake PayPal Support page on Twitter.
- They monitor the real PayPal Support page on Twitter for potential victims.
- A PayPal user reports a problem on the real Twitter PayPal Support account.
- The bad guys swoop in and respond to that user from their fake PayPal Support page and tell the user to log in on a fake PayPal support site with their real PayPal username and password.
- Game over. Bad guys now own your account and steal money.
What To Do About It: If you have problems with a vendor, do not use social media to complain and/or resolve the issue, because everyone else can see this, including the bad guys. Go to that vendor’s website and use their existing support webpage to create a trouble-ticket, not their social media pages.”