by Jimmy Marks
Growing up in a rural community, you get used to hunting and fishing terms and techniques. Two such techniques I've seen used to great success are decoys and bait.
The decoy is a preferred method of staying out of the sight of waterfowl. Lulling them into a false sense of safety with fake ducks or geese and getting them to draw closer so you can fire is a skill that many successful hunters learn early. Bait, obviously, is a key part of the fishing equation - without tempting bait, it's tough to draw a fish's attention. While these methods are important to hunters, they're even more important to Spammers. Regrettably, they're just as effective online as they are in the outdoors.
A number of credit union and finance Twitter accounts have been compromised lately. Our own Twitter account, twitter.com/DMI_CUSoapbox, received a number of direct messages from our followers/friends imploring us to click links and enter our personal information. Thankfully, we ignored most of these links and paid attention to the Twitter explosion that followed.
"Accounts hacked!" followers exclaimed.
"Do NOT click the link," others noted.
And from one or two Twitter accounts being compromised came three or four. And from all that hubbub came a stinging reminder:
SPAM will always be around to ruin the party.
Jeffry Pilcher - marketing specialist, financial industry trend-watcher and Editor-in-Chief of The Financial Brand - saw the potential for SPAM surrounding FI Twitter accounts. He came up with an outline of the major SPAM tactics that FIs should watch for on Twitter. To sum up:
1) "The Decoy" - the Spammer pretends to be the victim or hijacks the victim's resources to deceive the targets
If your bank or credit union is ABC Financial, your Twitter name might be @ABCfinance. The Decoy involves setting up an account similar to that ("@Your_ABCfinance", "@ABC_Finance", "@ABCFinancial", etc.). This can confuse followers looking for your financial institution's Twitter page. As Pilcher mentioned in his blog post:
The profile page for the phony Twitterer could look 100% authentic, and maybe even better than your legitimate account (if you are already on Twitter). The impostor could even swear that they will “never ask for account details over Twitter,” as almost every financial institution on Twitter promises.
2) "The Bait" - the Spammer puts out a link that entices the victim to click
This involves a landing page or redirect that draws you into giving more information about your account to the Spammer. If the Spammer doesn't ask for account information over Twitter, they can find other ways to acquire that information (via phone, e-mail, etc.).
These most recent SPAM encounters combined the two techniques. Once inside the victims' accounts, the Spammers can send direct messages to followers, encourage them to click a link and enter their Twitter account information, and so keep spreading the message around.
How do you combat these invasions and assaults? The best defense, according to the aforementioned blog post, is a good offense. Get smarter about Twitter. Make sure all the accounts that are associated with your business are mentioned somewhere in your business' web site or newsletter. Keep your eyes open for fraud alerts and use the Twitter network as a way of policing for oncoming threats.
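One way to police for the decoy handles described under "The Decoy", as an added example that is not from the original post or from Pilcher's outline. The swap table, the 0.75 similarity threshold and the function names are assumptions, and every sample handle other than the three quoted in the post is constructed.

```python
import difflib

# Assumed digit-for-letter swaps seen in lookalike names; "_" is dropped.
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": None})


def normalize(handle):
    """Strip '@', lowercase (handles are case-insensitive), undo swaps."""
    return handle.lstrip("@").lower().translate(_SWAPS)


def classify(candidate, official, threshold=0.75):
    """Return 'official', 'decoy' or 'unrelated' for a candidate handle.

    threshold is an assumed cut-off; tune it against your own handle.
    """
    if candidate.lstrip("@").lower() == official.lstrip("@").lower():
        return "official"
    cand, real = normalize(candidate), normalize(official)
    # Same name after normalization, or the real name with extra words
    # wrapped around it (as in "@Your_ABCfinance").
    if cand == real or real in cand:
        return "decoy"
    # Otherwise fall back to edit similarity (catches "@ABCFinancial").
    ratio = difflib.SequenceMatcher(None, cand, real).ratio()
    return "decoy" if ratio >= threshold else "unrelated"


def find_decoys(handles, official):
    """Return the handles that imitate the official one, in input order."""
    return [h for h in handles if classify(h, official) == "decoy"]


OFFICIAL = "@ABCfinance"
# The first three lookalikes are from the post; the rest are constructed.
SAMPLE_HANDLES = [
    "@Your_ABCfinance", "@ABC_Finance", "@ABCFinancial",
    "@abcfinanc3", "@abcfinance", "@gardening_tips",
]

if __name__ == "__main__":
    for h in SAMPLE_HANDLES:
        print(f"{h:18} {classify(h, OFFICIAL)}")
```

Run against the handles that mention or follow your institution, this gives a short list to compare with the accounts published on your web site or newsletter.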
For me, personally, one of the things that made the SPAM from the institutions that were compromised the other day so easy to spot was the amount of chatter about it. I contacted the operators of those Twitter accounts and advised them what I'd been sent, and they were grateful to hear from me. It's called "social networking" because we all have a duty to let people know when they've been compromised.
So, remember - be on the lookout for impostors, for teasers, and for what's coming out of your communication channels.