As previously discussed on this blog, Instagram is now more popular than Facebook when it comes to phishing attacks. As that article detailed, Instagram is a popular target because Instagram phishing attacks can so easily go viral: every victim can quickly lead to hundreds more emails to trusted relationships.
Well, the folks at Facebook, the company that owns Instagram, heard the cries for help and decided to do something about it. To that end they are rolling out a new tool to protect Instagram users from phishing attacks. There’s just one problem: it won’t work.
An article on The Verge explaining how the tool works pointed out that “if you receive an email claiming to be from Instagram, you can check if it’s genuine by heading over to the ‘Emails from Instagram’ option in the app’s Security settings, which lists every email the service has sent you over the last 14 days. The new menu divides your Instagram emails into two categories: security emails and ‘other.’ If you see an email in there then you can be sure it’s legitimate, and you can safely click any links it contains. If it’s not, then it could be a phishing scam.” Got all that?
Phishing scams don’t work because people aren’t aware that phishing scams exist. Phishing scams work because people are too lazy or in too much of a hurry to do all the things Instagram is asking its users to do to check emails.
Most successful phishing attacks are based on either domain name spoofing or display name spoofing. Both of these phishing techniques can be prevented by anyone, without a special tool, by simply taking the time to investigate the “from” address in an email and the embedded links in the email by hovering their mouse over them. But most people don’t, do they? And why not? Because they’re too lazy or in too much of a hurry.
Most users won’t do all that the new Instagram tool requires to prevent phishing, and that’s why it won’t work. Effective phishing prevention accounts for the fact that most users are too lazy or in too much of a hurry to want to check anything about an email. That’s especially true on mobile phones where the screens are small and people tend to be on the move.
If Instagram really wanted to protect its users, it would have created a tool that checks the email for phishing content without the user having to do anything. The bad news is, they didn’t create such a tool. The good news is, others have.
It’s called Phish Protection and it does just the sort of thing the Instagram tool doesn’t. It checks for display name spoofing and domain name spoofing. It checks for malicious attachments. It conducts real-time scanning of every embedded link in an email looking for phishing content. And it does all that without the recipient having to do anything. That’s how you protect users from phishing attacks.
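The checks named above (display name spoofing, a lookalike sender domain, and link text that disagrees with the link's real target) can run with no action from the recipient. The following is an added illustration, not code from Phish Protection or Instagram. The brand domain list, the finding labels and the sample message are assumptions constructed for the example, and exact-domain forgery, which needs SPF/DKIM/DMARC results, is out of scope.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: illustrative list of domains allowed to send mail in the brand's name.
BRAND, BRAND_DOMAINS = "instagram", {"instagram.com", "mail.instagram.com"}

def on_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings, parser = [], Links()
    if not on_brand(domain):
        if BRAND in display.lower():  # trusted name, unrelated sending address
            findings.append("display-name-spoof")
        if BRAND in domain:           # lookalike such as instagram-mail.example
            findings.append("lookalike-domain")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.found:  # the "hover" check: shown host vs. real target
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != (urlparse(href).hostname or ""):
            findings.append("link-mismatch")
    return findings

# Constructed sample message (not a real email).
SPOOFED = ('From: "Instagram Security" <alerts@insta-support.example>\n'
           'Content-Type: text/html\n\n<a href="https://login.insta-support.example/verify">'
           'https://www.instagram.com/accounts/login</a>')
```

Calling `check_email(SPOOFED)` reports both the display name spoof and the mismatched link, while a message sent from an on-brand domain whose link text matches its target produces no findings.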
If you use Instagram, or even if you don’t, and you want to protect yourself, your family or your entire company from every kind of phishing attack, head on over to our Advanced Threat Defense plan. It sets up in 10 minutes, costs pennies per month per account and comes with 24/7 live technical support.