What is social media phishing?

With more than 5 billion social media users that each visit an average of 6.7 platforms every month, the amount of information criminals can exploit for such attacks is immense.

How does social media phishing work?

Fundamental to social media phishing is the idea of social engineering. This practice refers to manipulating human behaviour such that victims act in ways that compromise their security.

To achieve this, various tactics exploit trust, social norms and emotions to deceive individuals. Fraudsters also incorporate personal information the victim has shared on social media to make the attack more convincing.

For example, an attacker may impersonate someone the victim knows by creating a fake profile in the contact’s name or hacking into their account. Then, they exploit the trust and familiarity of the contact when messaging the victim.

These messages invariably contain malicious links or requests to provide sensitive information such as passwords or bank account details. Since the request appears to come from someone the victim knows, they are more likely to comply.

Common social media phishing tactics

The tactics attackers use on social media are diverse, but most share a common objective: to exploit human behaviour for personal gain.

Fake profiles

Here, fraudsters create profiles that mimic legitimate brands or individuals and entice users to click on links or enter their credentials on fake websites. To build credibility, both the profile and website may incorporate logos and branding from reputable companies.

In 2022, for example, 45% of individuals who lost money to social media scams were online shoppers. These individuals had purchased items via fake social media profiles that impersonated real brands.

Fake job offers

Fake job offers alert victims to the presence of fictitious employment opportunities.

This is a particularly deceptive and pernicious form of social media phishing because it often takes advantage of economic hardship.

Scammers typically have two aims when employing this tactic:

1. Financial gain. Victims are asked to pay upfront for tools, training or equipment related to the fake job (but receive nothing in return).
2. Identity theft. Victims are asked to provide their name, address and other sensitive details. Ostensibly these details are part of the job application, but the information is used to make fraudulent transactions or carry out other illicit activities.

Quizzes and games

Seemingly harmless quizzes that ask social media users for personal information may also be a phishing scam.

These questions – which are identical to those used by banks for identity verification – may prompt the individual to reveal the make of their first car or the name of their pet.

Answers are then combined with other stolen information and used to breach bank and email accounts.

Brand ambassador scams

In a brand ambassador scam, influencers are approached by what appear to be legitimate brands. The brand typically offers an ambassador deal in exchange for the influencer’s personal information.

Other influencers will be asked to buy the product upfront with a discount code and then promote it on their accounts. However, neither the brand nor the product exists.

The impact of social media phishing on individuals and businesses

For the victims of social media phishing attacks, impacts include identity theft and emotional distress.

Financial loss is also common and widespread. Between January 2021 and June 2023, the FTC reported that financial losses to social media scams were $2.7 billion. However, the body conceded that the actual cost was much higher since many instances of fraud are not reported.

The impact on businesses can also be substantial:

1. Financial loss – scammers often trick employees into transferring funds to fraudulent accounts, which costs businesses millions each year.
2. Reputational harm – when companies are impersonated on social media with fake profiles and pages, the conduct of fraudsters can harm their brand or reputation.
3. Data breaches – attackers may obtain access to sensitive corporate data such as customer information, intellectual property and financial records.
4. Compliance risk – when data is stolen, companies may face fines or legal action for failing to adequately protect customer and employee information.
5. Loss of productivity – social media phishing attacks necessitate that affected systems be shut down for investigation. The interruption of services (and the diversion of resources away from key business functions) may cause a loss in productivity.

How can businesses protect themselves from social media phishing?

To conclude, let’s look at two ways businesses and employees can protect themselves from social media phishing.

Employee training

Employees are often on the frontline of social media cyberattacks, so they must be trained on how to recognise a phishing attempt before it has a chance to cause damage.

Phishing awareness programs can help employees spot unusual links or requests for sensitive information. Employees should also be aware of social engineering and its power as a tool for psychological manipulation.

Social media habits are also important. Employees should be wary of allowing third-party apps on social media accounts as these provide another entry point for cybercriminals.

Similarly, individuals should never save their username and password on a public device and always log out after each session.

Multi-factor authentication

Multi-factor authentication is one of the easiest (and most effective) ways to add extra security to social media accounts. MFA blocks up to 99.9% of all automated cyberattacks and reduces the number of account hacks by 50%.

Note, however, that not every MFA technique is effective at combatting phishing attacks. Some techniques are susceptible to push bombing, for example, where attackers flood victims with numerous fraudulent requests to authenticate until they comply.

Authenticator apps are a relatively cheap and easy form of MFA, but to avoid push bombing, it is important to find apps that utilise rolling codes and not push notifications.

Otherwise, the most effective defence is a hardware-based security key such as WebAuthn and FIDO2. These keys combine the security of a physical token with biometric verification.

Summary:

• Social media phishing is a type of cyberattack where fraudsters use social media platforms to deceive users into sharing personal information such as login credentials, credit card numbers and other sensitive data.
• With billions of users on social media, the scope and opportunity for social media phishing is vast. Many phishing strategies involve fake job offers, fake profiles, brand ambassador scams and quizzes.
• Social media phishing is effective because it exploits trust, social norms and emotions to induce human error. The best defence involves educating employees on common phishing tactics and secure social media habits. Robust MFA procedures are also vital.