Social Media Phishing: Staying Safe in the Age of Social Engineering
The hyperconnected modern society sparked by social media platforms comes with arguably as many downsides as upsides. One of these drawbacks relates to cybercrime and how threat actors increasingly exploit trust in social media to conduct phishing attacks. This article delves into the specific threat of social media phishing and highlights some strategies for users to avoid taking the bait of these phishing attacks.
Understanding Social Media Phishing
Social media phishing is a type of cyber attack that targets users on platforms like Facebook, Instagram, and LinkedIn through the use of deceptive social engineering techniques. Typical attacks involve directing users to malicious links that ostensibly seem to relate to enticing offers, urgent notifications, or seemingly harmless friend requests. In reality, however, these links are baits designed to redirect users to fraudulent websites or prompt them to download malicious software.
It’s important to understand that social media phishing is not restricted to targeting individual users in their personal lives. Professional social networking platforms like LinkedIn are a potential avenue for threat actors to target company employees with deceptive links or downloads. With 930 million worldwide members on LinkedIn alone, there are many potential employees to target in these attacks and eventually exploit corporate networks.
The psychology behind these social engineering tactics is deeply rooted in manipulating human behavior and leveraging emotions. Threat actors capitalize on innate human tendencies like trust, fear, urgency, and curiosity. To fully understand social media phishing, some common examples further shine a light on how fraudsters target people on platforms such as Facebook, Instagram, and LinkedIn.
Common Social Media Phishing Examples
One common social media phishing example is receiving a message from a friend who appears to be in distress. Threat actors might compromise that friend’s Facebook account or simply create a lookalike account with the same name and profile picture. The message alludes to some kind of financial emergency and asks the recipient to send some funds. Not having much reason to be suspicious, the recipient sends the money without second-guessing.
In a corporate environment, consider a hypothetical example where the HR manager at your company scours LinkedIn for potential candidates to fill various roles. One day, she receives a message from a seemingly reputable headhunter who claims to represent several high-profile tech specialists looking for new opportunities.
The message contains an attachment that the headhunter describes as a consolidated PDF of resumes for several candidates that might be perfect fits for some of the company’s current openings. Seeing an opportunity to get ahead in her recruitment drive, the HR manager promptly downloads and opens the file.
Unknown to her, the file actually contains malicious code that provides a backdoor into your company’s network. Threat actors use this backdoor to monitor keystrokes, capture more login credentials, and eventually access sensitive company data.
Risks and Consequences of Social Media Phishing
As the hypothetical examples indicated, social media phishing is more than just a deceptive link or a crafty message; it’s a gateway to a slew of potential dangers for both individuals and companies.
For Individuals:
- Identity theft: By gaining unauthorized access to personal profiles, malicious actors can gather a wealth of information, including full names, birthdays, addresses, and even family members’ details. With such information in hand, they can impersonate victims, commit fraud, or even sell these identities on the dark web.
- Financial loss: Social media phishing attacks often have financial motivations. For instance, a scam message might lure users to a fake banking portal and trick them into entering their credentials. Once captured, these details can be used for unauthorized transfers or purchases.
- Emotional trauma: Falling victim to a phishing scam can result in significant emotional distress. Knowing that one’s personal details are in the hands of malicious actors can lead to anxiety, paranoia, and loss of trust in digital platforms.
- Loss of digital assets: Personal photos, documents, or any digital property are sometimes at risk. Cybercriminals might use stolen content for blackmail or character defamation.
For Companies:
Financial repercussions: Beyond the immediate financial implications of stolen data or assets, companies can face regulatory fines if these attacks result in customer data compromise. The added costs of damage control, including IT interventions, public relations efforts, and potential lawsuits, can also be significant.
Reputational damage: In the digital age, trust is a company’s currency. A phishing-related breach can erode customer trust and lead to decreased sales, or a tainted brand reputation. Rebuilding this trust is usually time-consuming and costly.
Loss of competitive edge: Stolen company secrets, strategies, or intellectual property can be sold or leaked, which might give competitors an advantage. This loss of competitiveness also comes with long-term implications for market positioning and profitability.
Operational disruptions: Malware introduced through phishing schemes can disrupt business operations. These disruptions may lead to service outages, loss of data, or compromised internal communication that impacts productivity and/or business continuity.
Recognizing Social Media Phishing
The far-reaching consequences of social media phishing attacks underline the importance of constant vigilance and education. In the always-on maze of social media interactions, it’s important that users are able to spot some of the following prominent red flags associated with social media phishing attacks.
- Exercise skepticism when receiving a message from someone unknown to the user or that the user wasn’t expecting communication from.
- Social media phishing scams are sometimes less professionally conducted than email scams, so obvious grammar or spelling errors are worth looking out for.
- Users should be wary of social media messages that offer money, freebies, exclusive deals, or job offers that sound too lucrative.
- Before clicking on any link, users can hover over it (or long-press on mobile devices) to see the destination URL. Some red flags worth looking for are misspelled domain names, unfamiliar domain extensions, or URL shorteners that obscure the actual link.
- Phishing attempts often use language that creates a sense of urgency, like or limited time offer to prompt impulsive actions.>
Users should also use any two-factor or multi-factor authentication options available on social media platforms. In a business context, encourage employees to switch on these options for common services or apps they use. Since many phishing attempts steal login credentials, this step provides an extra layer of security against account compromise.
Lastly, it’s worth double-checking communication with known contacts when the message appears out of the ordinary. If users receive a suspicious message from a friend or colleague, they can contact them through another method, like a phone call, to verify the message’s authenticity.
Recent Examples of Social Media Phishing
Recent real-world examples of social media phishing are worth highlighting so that users are aware of the kinds of tactics scammers resort to on these platforms.
Facebook Messenger Attacks, 2023
A large-scale phishing campaign in 2023 targeted marketplace sellers and businesses via Facebook Messenger. The campaign in question sees over 100,000 phishing messages being delivered to different Facebook accounts via Messenger each week. Security researchers report a 1 in 70 success rate for the attacks.
Most take the form of a prospective client or customer asking a Facebook business account about a specific product or service. When the business replies, the scammer sends a ZIP or RAR file that apparently contains further info on the desired product but in reality is a malicious attachment that works as infostealer malware.
X Customer Service Scams
A news story broke in August 2023 about X (formerly Twitter) users being targeted by customer service scams. This particular phishing campaign hones in on customers of banks or airline companies who complain on X about poor service. Scammers then respond to these complaints posing as customer service agents of the companies and promising refunds.
The purported customer service agent sends a direct message to the potential victim. The message informs that refund requests can only be processed by downloading a third-party app. This third-party app is malware that could steal information from users’ smartphones.
As far as the statistics on this type of social engineering go, here are two notable numbers:
- A 2022 reportfound that 12.5% of all phishing attacks target social media sites and the users on them.
- One survey found that 56 percent of businesses globally experienced at least one LinkedIn scam in 2023.
Reporting and Responding to Social Media Phishing
Getting scam accounts banned is a step worth taking if any user either notices or falls victim to social media phishing. On platforms like Facebook, Twitter, Instagram, and LinkedIn, you can often find a “Report” option by clicking on the three dots (or an equivalent menu) next to a post, profile, or message. Social media sites usually present users with several reasons for reporting, so they can choose the one that best describes the suspicious activity, like “it’s spam” or “it seems suspicious”.
Some platforms may ask users to provide more information about the nature of the threat or why they found the content suspicious. It’s worth being as detailed as possible in descriptions. The social media platform’s security team then reviews the report and takes appropriate action.
Staying Educated and Informed
Phishing scams on social media don’t exploit technical vulnerabilities; they exploit vulnerabilities in human psychology. Staying educated and informed is a great way to develop a security-aware mindset that thwarts these attacks.
Websites like KrebsOnSecurity, DarkReading, and the Cybersecurity and Infrastructure Security Agency (CISA) provide timely updates on security threats. Platforms like Reddit’s r/netsec or cybersecurity forums often have discussions on the latest threats and scams. Regular cybersecurity awareness training that includes mock social media phishing exercises is helpful for testing and training staff.
Conclusion
As users continue to integrate social media platforms into their daily lives, the consequences of falling victim to social media phishing attacks can range from identity theft to significant financial losses and even compromised company networks.
The most robust defense lies in the hands of the users themselves. Vigilance combined with a keen awareness of the telltale signs of social media phishing attempts is essential.
With any type of social engineering threat, layering defenses with stronger authentication is an easy win in safeguarding accounts against compromise. Companies can consider next-generation authentication solutions that don’t even rely on passwords so that phishing attacks that target login credentials are useless.
This is exactly what Kelvin Zerodoes, building next-gen authentication and trust solutions to secure our most critical organizations.
>Book a demotoday to learn more about our flagship solution, Multi-Pass, and how we are replacing passwords with enterprise-grade, phishing resistant passwordless MFA.