Social Media Phishing: A Primer
September 17, 2018 | Katie Crodelle

What is Social Media Phishing?

Scams have been around since the dawn of man. Way back before the Internet, a time known to historians as the Jurassic Era, scammers used primitive analog methods, such as stealing credit card applications out of your IRL mailbox and calling you on the telephone to trick you into giving out your credit card number or other personal information—enough to commit identity theft.

Phishing is a form of fraud in which attackers email you posing as a real business to lure people into giving sensitive information such as personally identifiable information, banking and credit card details, and passwords.

Social Media Phishing is when attackers use social networking sites like Facebook, Twitter, and Instagram instead of email to obtain your sensitive personal information or click on malicious links.

Who would have known back then how far we’d progress in a few short years? One day the Internet came along and nothing was the same. Not only has it opened our world to 24-hour-a-day online immersion, it’s also opened up a new world for scammers, some of who have become known as “phishers.”

Social media phishing is a type of fraud in which users receive an enticing invitation to click on an infected link or provide personal information. While the primary attack vector for “regular” phishing is through email, social media phishing, is – you guess it – primarily perpetrated through social media sites. And as social media replaces email – at least in our personal lives, if not at work—social media phishing is becoming the greater danger. Make sure you know what to do if you click on a phishing link.

Fraudsters can use social media to target hundreds of thousands of people at once while blending in with the crowd. What makes social media so attractive to phishers is the sheer number of people on social media:

• Facebook – 2 billion users
• Instagram – 700 million users
• Twitter – 328 million users
• Snapchat – 150 million users (most likely your kid is on this one)

SOCIAL MEDIA PHISHING SCAMS BY THE NUMBERS

This incredible volume of social media users is now being reflected in social media phishing attacks. Here are some more numbers:

• Instances of social media phishing jumped 500% by the end of 2016.

• Fraudulent accounts across sites like Twitter and Facebook increased 100% from the third to fourth quarter.

• 20% increase in Facebook and Twitter spam from Q3 to Q4 2016.

• Over the past year, the number of phishing attempts on social media networks like Facebook, Twitter, Instagram and LinkedIn has exploded 150%.

EXAMPLES OF SOCIAL PHISHING SCAMS

Here are some of the most common social media scams circulating today:

• Fake customer service accounts on Twitter (also known as “angler phishing”)
• Fake comments on popular posts
• Fake live-stream videos
• Fake online discounts
• Fake online surveys and contests

Last year, a particularly successful Facebook scam cost an Australian woman $450,000. The team of scammers created a Facebook profile of a nonexistent doctor – complete with a profile picture stolen from an actual doctor – and sent the victim a friend request, which she accepted. After gaining her trust, the “doctor” claimed that while traveling, he had inadvertently tried to enter Australia with $1.5 million that was being held by customs. He urgently needed $3000 to have the money returned to him. She agreed to pay, which started a string of subsequent payments she made to cover additional fees. By the time she realized she was being scammed, she had made 33 payments, which law enforcement was powerless to retrieve.

TIPS TO AVOID BEING A VICTIM TO SOCIAL PHISHING

Fortunately you can prevent falling victim to phishing scams by following these best practices:

As with emailing phishing, the best prevention tip is to think before you click. There’s a reason for the term “clickbait.” The best phishers hone their craft to try and bait you with links that not only grab your attention, but urge you to click immediately.

Whatever you’re using to access your social media accounts, update it! This applies to Web browsers, firmware, apps, antivirus software, operating systems, and iOS. The reason this is so important is because developers provide patches and updates as they discover vulnerabilities. Unfortunately, hackers seek to exploit these same vulnerabilities as they’re discovered. Failing to download updates puts you directly in the line of fire.

Regularly review your privacy settings. Social media sites have a way of quietly changing privacy settings without you noticing. Remain aware of how your profile and the content you upload is being seen by others.

Never download unsolicited software, click on URLs in e-mails, or click on popups that appear while you are browsing. Social networks don’t usually need extra bits of software to be downloaded on your computer.

Look for the secure address of the web page with the HTTPS to keep user communications, identity and web browsing private. And pay particular care to shortened links (through services like Bit.ly, or Tiny.cc, etc.…), commonly used by scammers.

And what about your kids who are probably on every social media site, including a bunch you’ve not even heard of? You must educate them in these best practices too, so they don’t get phished.

WHAT TO DO IF YOU ARE A VICTIM OF SOCIAL PHISHING

If you have been hooked by some clever social media phishing, then you need to do some damage control. Start by treating this as a case of identity theft, mainly because that’s what it can lead to if you don’t act.

• Shutdown your computer immediately.
• Change your passwords, using a different computer.
• Put a fraud alert on your account at Equifax, Transunion, and Experian.
• Call your bank and report if you gave out your debit or credit card information.
• Report an account hijacking immediately if you cannot log in to any of your accounts.

Lastly, if you are a victim of social media phishing, let others know. Don’t be embarrassed! You’ll be a hero by raising awareness within your social media circle, which will hopefully reduce the amount of successful hacks. And if you still have the original phishing email, forward it to the Anti-Phishing Work at reportphishing@apwg.org. And when you come across a website you believe is spoofed, such as a Facebook ‘clone’ account, take the time to report it to sites like the antiphishing.org or to the Google Safe Browsing team. Doing so, you will contribute to helping keep the web safe from phishing sites and fellow cyber surfers safe.

Let the experts at TAG Solutions put your employees through cyber security training & phishing awareness training to keep your business safe and secure.