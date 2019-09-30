Most people know by now not to fall for promises of grand financial windfalls via email from Nigerian princes. But phishing attacks have only gotten more clever over time, and a local cybersecurity firm says they are increasingly cropping up on social media.

Cybercriminals are catching on that some sites are ripe for abuse, in part because users' guards are down and there are few protections from phishing attacks, according to PhishLabs.

PhishLabs, founded in 2008 by John LaCour, has raised more than $30 million in capital and is based at the Pacific Box & Crate development on the upper peninsula in Charleston.

It offers its clients a broad range of services that can help companies launch defenses to cyberattacks. As the firm's name suggests, phishing is one of the kinds of attacks it tries to prevent. Attackers typically impersonate something or someone legitimate — like a bank or the CEO of a company — and use the disguise to lure people into giving away sensitive information.

The volume of phishing attacks overall increased 41 percent in 2018, according to Phishlabs' latest annual report on the topic. Attacks on social media platforms increased about 200 percent, meanwhile.

Earlier this month, the Better Business Bureau warned of a phishing attack making the rounds on Facebook Messenger. Targets receive a message from a "friend" on the site. The friend sends a message saying they were surprised to see the recipient in a video and offers a link to that video. The attack is dangerous, the BBB wrote, because people usually only hear from people they care about on Messenger, meaning they may inherently trust messages they receive there.

Phishing attacks accounted for roughly 11 percent of the scams recorded by the BBB's tracker in 2018.

LaCour said the most popular social media sites are the most frequent setting for attacks — think Facebook, Twitter, LinkedIn and Instagram. The more users, the more opportunity for cybercriminals to exploit. It's not an exclusive rule, however. Dating web sites, apps that connect neighborhood groups and vacation home rental sites can host phishing attacks as well.

"Any site or app that provides communication between users or something for sale is ripe for abuse," LaCour said. "You have to be careful everywhere."

Sign up for our new business newsletter We're starting a weekly newsletter about the business stories that are shaping Charleston and South Carolina. Get ahead with us - it's free. Email

Sign Up!

The kinds of attacks vary. In a particularly tricky one, cybercriminals set up a fake customer service site for popular banks. Requests for help come to them, and they respond with requests for banking credentials.

Other attackers create social media profiles impersonating a company or its leadership. The people behind those profiles then pump unsuspecting social media users for sensitive information.

Finally, an employment scam advertises a fake “work from home accountant” job, LaCour said. The job seeker is then duped into laundering money for the cybercriminal.

The smaller size of phone screens, where most people access social media, also offers a better battlefield for cybercriminals. Fake web pages created to dupe people can sometimes be identified by inspecting the URL, but LaCour said mobile phones don't have "a lot of screen real estate, and the bad guys know this."

PhishLabs' technology can find scams and get them taken down. More often than not, the threats reach hundreds or thousands of people.