Social media phishing is one of the most common types of cyber-attack. Some platforms are more prone to attacks than others, for various reasons. This article will explain why some platforms are more dangerous than others, how you can tell if you’re being phished, and what you can do about it.
Phishing is a category of cyber-attack that relies on social engineering techniques to infiltrate the networks of organisations, with the aim of stealing money or data, or disrupting normal activity. One of the sub-categories of phishing is social media phishing. This type of phishing usually involves someone setting up fake profiles that imitate an existing business or service, to fool clients or business partners, and usually to steal money or information. As the name suggests, these attacks often occur on social media services.
The platforms that most commonly, and unwittingly, host these types of attacks are three of the most popular social media networks – Facebook, Instagram and Twitter. The focus of attackers on these three large social media platforms is understandable, as they have over 3.7 billion users combined. The huge number of users makes it hard for the platforms to monitor all the activity going on, and is also very attractive to attackers looking to reach as many victims as possible. The ease of opening an account and pretending to be someone else also assists the fraudsters.
Fraudsters and other bad guys are constantly trying to use social media platforms for their campaigns, while the companies managing the platforms are forever trying to thwart their attempts. Facebook recently advised that, in 2020 alone, they shut down over 5.4 billion fake accounts, used for both cyber-criminal activities and for phishing campaigns run by nation state actors.
Both sides of this ‘cyber war’ are using advanced technologies, such as artificial intelligence, to benefit their own cause. The platforms use it to help identify fake profiles and pages, while attackers are constantly trying to outsmart the defence tools with it.
A common Facebook scam, for example, consists of a fake profile offering friendship to various people, often using artificial intelligence to generate fake attractive profile pictures. Once the friend request is accepted, a private message is sent from the fake profile about an ‘amazing offer’, with a link that directs the victim to a Facebook phishing page, which asks for their credentials. If filled in, these credentials are sent straight to the attacker.
Here are some warning signs that indicate a phishing campaign is running on one of the three most popular social media platforms:
Facebook – In many cases the fake profiles will impersonate a celebrity or a company, but with slight changes, such as spelling errors or use of similar names (e.g. celebprotection, instead of Celebprotect). Always look out for the blue V symbol next to celebrity profiles. This indicates they have been authenticated by Facebook.
Another tip is that the fake profiles have usually been recently created, so they have a low number of friends.
Instagram – Fraudsters will often send a direct message saying that someone has tried to access your account. They will provide a link to recover it or ask you to confirm your identity. This link will then ask for your Instagram credentials, which will be stolen by the fraudster when you enter them.
Twitter – The use of the @ symbol for Twitter profiles makes things a bit easier for fraudsters, as impersonation options increase tenfold. For example, using @Woolworths_AU instead of @Woolworths as the username can trick many potential victims into thinking this is the original profile for the large supermarket chain.
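The name tricks described above (an added suffix such as _AU, or a near-miss spelling such as celebprotection) can be flagged automatically for manual review. The sketch below is an added example, not code from this article's authors or from any platform; the allow-list, the digit-swap map and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of handles the organisation really owns (assumption).
PROTECTED = ["Woolworths", "Celebprotect"]

# Small illustrative map of digit-for-letter swaps; not an exhaustive confusables table.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(handle: str) -> str:
    """Drop the leading @, lower-case, undo digit swaps, strip separators."""
    cleaned = handle.lstrip("@").lower().translate(SWAPS)
    return re.sub(r"[^a-z]", "", cleaned)


def classify(handle: str, protected=PROTECTED, threshold: float = 0.85):
    """Return (verdict, matched_handle); verdict is exact, lookalike or unrelated."""
    raw = handle.lstrip("@").lower()
    for name in protected:
        if raw == name.lower():
            return ("exact", name)  # handles are compared case-insensitively
    norm = normalise(handle)
    for name in protected:
        target = normalise(name)
        # Protected name with an added prefix or suffix, e.g. a "_AU" tail.
        # Very short protected names would over-match here; keep them out of the list.
        if target in norm:
            return ("lookalike", name)
        # Misspellings and transposed letters: similarity of the normalised strings.
        if SequenceMatcher(None, norm, target).ratio() >= threshold:
            return ("lookalike", name)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample handles, as might be pulled from mentions or message senders.
    samples = ["@Woolworths", "@Woolworths_AU", "celebprotection", "@W00lworths", "@GardenCentre"]
    for h in samples:
        print(h, classify(h))
```

A lookalike verdict means the handle deserves a human check against the brand's verified profile, not that it is certainly fraudulent.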
Below is some advice on what to do if you have fallen victim to a phishing attack on one of the three platforms:
Facebook – You can try to restore your account at https://facebook.com/login/identify. It is also recommended to enable the Two-Factor Authentication option.
Instagram – If you got an email from Instagram advising of a change to your email address, try hitting the ‘undo’ button in the message. If your password has also been changed and you can’t undo the changes, you can report it to Instagram, so they can work on restoring your account.
Twitter – If you’re still able to log in, try resetting your password. If not, submit a ‘support request’ form with the ‘hacked account’ option.
The best tips for avoiding scams on all social media platforms are:
- Stay vigilant about any unexpected messages or friend requests.
- Do not click links or open attachments from suspicious sources.
- Check the authenticity of profiles you interact with (including companies).
- Don’t share your personal information unless you’re 100% sure who you are talking to and that the information is legitimately required.