Most scams are based on age-old methods of deception. Impersonation, fraud, and unauthorized access are each their own flavor of deception, but (strangely enough) one of the most classic forms of deception might also be the newest: clickbait. Today, we’ll tell you one strategy to stay ahead of a tried-and-true method of turning a small provocation into a big attack: leveraging intrigue and incomplete information to make us click a bad link without thinking twice about it.
A world full of salacious headlines…
…has turned a lot of the internet into a series of clicks taking us from one outrage to another. Since the 2010s, the rising popularity of less-informational websites (like Buzzfeed) and opinion-based social media has changed the way a journalist or advertiser writes a headline. In the old days, a headline or title was supposed to inform you, prepare you for longer-form content, or signal the value of reading further. Today, though, the click and the impression (a view of the content) are what publishers, platforms, and websites value, all because of how advertising revenue works.
What this incentivizes, generally, is headlines or social media posts that are intriguing or pique your interest. The perfect headline today is the one that gets you to click because it withholds information, not because it appeals to you. If you think about it, the partial information in a headline (“You’ll never believe what this person said…”) is its own kind of deception, but probably one that’s not worth getting upset over. Living in a world with so much connectivity also requires that we think about how to protect our personally identifying information and reputation.
Turning intrigue into exploitation…
…is pretty simple: a bad actor uses a successful phishing or social engineering scam to gain control of a legitimate email address or social media profile, then makes the same kind of incomplete statement we would see on a clickbait headline:
“Who passed away?” we might ask, especially if we see a family member or friend post this to their Facebook page. The URL here looks like it comes from a URL shortener, a kind of redirect used to turn a long or complex URL into something short or human-readable. Since short URLs obscure what site you’re actually going to, they can link to any page. From there, maybe the attacker has a lookalike page where it seems like you were logged out of Facebook; when you go to log back in, you hand your login and password to the attacker. With that in mind, it’s pretty obvious how the owner of this account got hacked in the first place. Connecting to the attacker’s server could also lead you to download malware.
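To show what a shortened link hides, here is an added example (not code from the original post) that walks a redirect chain one hop at a time, without trusting the shortener to land somewhere safe, and flags a final host that merely contains a brand name such as “facebook” but is not that domain. The hostnames and the redirect table are constructed for the demonstration.

```python
"""Resolve a short URL hop by hop and flag lookalike login hosts."""
from urllib.parse import urlparse

# Brands a reader expects to log into. A final host that contains one of
# these names without actually being that domain is a classic lookalike.
TRUSTED = {"facebook": "facebook.com", "dropbox": "dropbox.com"}


def host_is_legit(host, brand):
    real = TRUSTED[brand]
    return host == real or host.endswith("." + real)


def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    for brand in TRUSTED:
        if brand in host and not host_is_legit(host, brand):
            return brand
    return None


def resolve_chain(url, fetch_location, max_hops=10):
    """Follow redirects one hop at a time.

    fetch_location(url) returns the next URL (the Location header) or None
    when the URL is a final page. Loops and overly long chains are reported
    instead of being followed forever.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "landed"
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too-many-hops"


def assess(url, fetch_location):
    chain, status = resolve_chain(url, fetch_location)
    host = urlparse(chain[-1]).hostname or ""
    return {"final": chain[-1], "hops": len(chain) - 1,
            "status": status, "lookalike_of": lookalike_brand(host)}


# Constructed stand-in for HEAD requests with redirects disabled, so the
# example runs offline: maps a URL to the Location header it would return.
FAKE_REDIRECTS = {
    "https://short.example/abc": "https://facebook-login.example/session-expired",
    "https://short.example/ok": "https://www.facebook.com/",
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url)
```

Against live links, `fetch_location` would be a HEAD request with automatic redirects turned off, so the page itself is never loaded before the destination has been inspected.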
Tempering your intrigue…
…is one key to staying ahead of these attacks. Another is to think critically about how you engage with content online. It’s one thing if you use a relatively well-curated feed to look at headlines (like Google Discover, or the mainstream parts of Reddit, for instance), but another thing entirely if you’re on a social media platform, responding to text messages, looking at your email inbox, or even answering the phone. Even well-known platforms have their own problems with promoting scams.
A client recently reached out to us about a Dropbox link that was sent to them, for instance; since the email really is sent by Dropbox, it gets delivered even if the attachment is malware. These attachments can be named something generic but intriguing, as if they were an important tax document. For this reason, the best practice is simply not to click anything you aren’t explicitly expecting, even from a trusted source.
How we communicate with one another matters…
…but the tricky thing is that the media and social media landscape shapes the way people communicate with one another too. To build a defense against scams, we need to think less about what people want (including ourselves) and more about the risks—and rewards—inherent in digital communications.
Could there really be a high reward in clicking on something that doesn’t give you all the information about what you’re clicking? The text message version of these scams can help us establish what to look for when we’re communicating digitally. Often, scammers will start out simply by texting you a “hey…” or making it look like you already know the person you’re texting with. At best, it’s a long-lost friend or old flame trying to reconnect, but at worst, it can be the start of a bigger scam. A few that I’ve seen personally are about whether “this is your number or not,” but without the sender introducing themselves first.
It might be helpful to remember that this technique isn’t new, but the way it reaches us (and the number of scammers trying to use our curiosity against us) is. Clicking on a link or responding to a text message are things we should understand as signs of trust that has already been established with a contact or a platform, and that trust needs to be earned. And of course, if it’s something important, people will always find a way to reach out to you with more complete information to let you know that you can trust them.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team