BlackBerry Blog

Protecting Yourself from Phishing Scams on BBM and Beyond

BBM / 05.11.16 / Matthew Talbot


BBM has been enjoying a lot of popularity and winning a lot of awards as we continue to evolve BBM from a pure chat platform into an ecosystem bringing together chat, social, commerce and brands.

Unfortunately, this popularity is not without risk. While advanced cyberattacks against IT systems grab the headlines, many modern hackers prefer to target users instead. A system is only as secure as its weakest link, after all; why bother trying to pick the proverbial lock when you can just convince someone to open the door for you?

The people behind such attacks are often very good at what they do. They create false urgency through scare tactics, easily imitate details such as names, pictures, and trademarks, and talk circles around anyone who’s unprepared to deal with their mind games. The good news is that it’s very simple to protect yourself from these criminals.

Let me tell you how.

Learn to Recognize Red Flags

Although different scammers may have different objectives, there are certain commonalities shared between all of them. If you learn to pick up on these, you’ll be better equipped to see a phishing scam for what it really is. There are a few red flags you should watch out for:

  1. You’ve received a BBM message or request from an unknown contact.
  2. A known BBM contact is acting oddly and speaking in a manner that’s out of character for them.
  3. There are spelling errors – either in details like your name or in the URLs you’ve received. Unusual grammatical errors are another warning sign.
  4. You’ve received a message that seems impersonal, mechanical or generic. A sure warning sign is that the sender doesn’t address you by name.
  5. The sender has made an unusual or unexpected request – asking for money or for your BBM login details, for example.
  6. You’ve been made an offer that sounds too good to be true, such as winning a sweepstakes to which you never signed up.
  7. The sender has implied or directly stated that you’ll suffer serious consequences if you don’t respond to their requests immediately.
  8. The sender’s profile looks unusual or suspicious (such as being completely devoid of updates).

If Someone Asks for Information, Verify Who They Are

The success of a phishing attack relies upon the target going along unthinkingly with an attacker’s requests. It’s easy to fake things like names and photos, but those are surface-level details. They only look authentic at a glance, and tend to fall apart when you take a closer look.

That’s why it’s important to always double-check that requests for sensitive information are legitimate. Talk to your BBM contact in person, cross-reference their BBM profile against information on their employer’s website or get in touch with one of their friends or other associates.

Always check and double-check if someone contacts you on BBM asking you for something, whether it’s personal information or business documents. If they’re really who they claim to be, it will be trivial for them to answer questions or provide information that might prove their identity – like “What did we do last Friday?” or “Who won the company raffle this week?” If they’re unable to provide the information you ask for, you’ll have dodged a bullet.

Pay Careful Attention to Web Links

If someone sends you a link through BBM, it can be tempting to click on it immediately – especially if you trust the sender. But you need to be careful here, as one of the most frequent tactics employed by scammers is to convince you to click on a link that looks legitimate, but actually redirects you to a site designed to steal your information. A good rule of thumb is to read any links you receive backwards, i.e. from right to left.

Let me explain. The important part of any web address is the right-most portion of the host name: the name immediately before .com, .net, etc. Together with that ending it forms the registered domain, the part that actually identifies who owns the site, and for the link to be legitimate that name MUST be the actual company name (and the ending should be .com or .net; be leery of sites ending in less-popular domains such as .biz, .cc, etc.). Phishers will try to fool you by using a company’s name in the SUB-domain, such as http://www.google.randomgarbagecharacters.com. Here, the actual web domain is randomgarbagecharacters.com, and reading the URL from right to left makes that immediately obvious. If you do click through accidentally, check the site’s home page carefully, as scammers typically do a good – but not perfect – job of imitating a particular brand.
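The right-to-left rule above can be turned into a simple check. The following Python is an added example, not code from the original post or from BlackBerry: it splits a host name into subdomain labels, owner label and ending, then flags links where a watched brand name appears only in the subdomain, or where the ending is not one of the mainstream TLDs. The brand list and the "common TLD" set are constructed placeholders, and the splitting assumes a single-label ending such as .com (multi-label suffixes like co.uk are not handled).

```python
from urllib.parse import urlsplit

# Constructed sample data (assumption): brand names to watch for and the
# endings the article treats as mainstream. A real deployment supplies its own.
WATCHED_BRANDS = ("google", "bbm", "blackberry")
COMMON_TLDS = {"com", "net", "org"}


def split_host(hostname):
    """Read a host name right to left: (subdomain labels, owner label, tld).

    Simplifying assumption: a single-label TLD such as .com or .net.
    Multi-label public suffixes like co.uk are not handled here.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def check_link(url):
    """Apply the article's right-to-left rule to one URL and return findings."""
    host = urlsplit(url).hostname or ""
    subdomains, owner, tld = split_host(host)
    registrable = f"{owner}.{tld}" if tld else owner
    flags = []
    for brand in WATCHED_BRANDS:
        # The brand only shows up left of the owner label: someone else owns the site.
        if any(brand in label for label in subdomains) and brand not in owner:
            flags.append(f"brand '{brand}' appears only in the subdomain of {registrable}")
    if tld and tld not in COMMON_TLDS:
        flags.append(f"uncommon top-level domain .{tld}")
    return {"host": host, "registrable_domain": registrable, "flags": flags}


if __name__ == "__main__":
    # Constructed examples; the first is the URL the article itself uses.
    for sample in ("http://www.google.randomgarbagecharacters.com/login",
                   "https://www.google.com/",
                   "https://promo.bbm-prizes.biz/claim"):
        result = check_link(sample)
        print(sample, "->", result["registrable_domain"], result["flags"] or ["no red flags"])
```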

Keep Your Cool

When people are stressed, they make mistakes. That’s exactly what scammers count on. It’s why so many phishing scams involve urgency. If a scammer implies you’ll miss out on an opportunity or wind up in trouble by failing to respond immediately, you’re far likelier to do what they tell you without wondering about the why.

Step back and ask yourself why a legitimate company would use veiled threats, or why someone would immediately need your account details to verify that your account was compromised.

What You Can Do If You’re a Victim

What if, in spite of your best efforts, someone manages to fool you? What measures should you take if your BBM account is hijacked?

  • Change all email, BlackBerry ID, banking and social media passwords.
  • Notify any financial institutions that may be impacted, particularly credit card companies.
  • Using a non-BBM account, inform your contacts that your BBM account’s been compromised, and that they may receive suspicious messages from it in the near future.

If you stay alert and take the steps above, you’ll go a long way towards protecting yourself. Happy BBMing!


About Matthew Talbot

I am the Senior Vice President - Emerging Solutions at BlackBerry. I have extensive International Management, Sales and Marketing background in Mobility and Cloud technologies, Financial Services, Telecommunications, and Content in both a “Start-Up” and Public company environment. This includes stints as a senior executive at SAP, Sybase, Mobile 365 and others.