Phishing is the easiest way for hackers to steal sensitive and personal data via the Internet. Hackers and scammers use phishing scams to trick users into divulging personal information—like full names, birth dates, login credentials, and bank account numbers—with the use of survey forms and fake websites or through direct communication.
Proofpoint researchers revealed that social media phishing grew by 500% in 2016, with fake customer support being the most common tactic used to steal people’s information. Proofpoint’s data also showed that fake accounts increased by 100% from the third to fourth quarters of 2016. Meanwhile, a 2017 report by the Internet Crime Complaint Center showed that there have been over 20,000 victims of some form of phishing scam. The same report also indicated that victims of phishing lost more than $29 million in 2017.
Phishing puts everybody at risk of becoming a cybercrime victim, especially when the criminals use the acquired sensitive information for personal, financial, and other unscrupulous gains. While it is usually done through email, hackers now target trending websites and interactive social media platforms where they can easily reach millions of unsuspecting victims on a daily basis.
It’s virtually impossible to become invulnerable to these attacks, given the fact that the Internet has become a part of our daily lives. Social media phishing is popular among scammers because of the number of people they can target: Facebook has over two billion users, and Twitter has more than 300 million users. And with these numbers, different types of phishing tactics can be applied to a huge number of users. Therefore, it’s important for every one of us to at least be able to tell when we’re being scammed.
Fortunately, some social media websites have developed security layers to help protect users against phishing attacks.
Types of Social Media Phishing Attacks
Scammers create fake accounts that duplicate another individual’s profile: they grab their photos, copy their information, and send requests to the victim’s friends. Phishers do this to make their targets think that they’re getting friend requests from people they know. Once they have access to someone’s profile, they can phish for information and send out more scams.
Comments with Malicious Links
Social media scammers like to exploit the comments section of popular posts. Fake Facebook accounts, for example, use click-bait titles that redirect to a malicious site for credit card phishing attacks. Thankfully, these types of phishing tactics are easy to identify. These comments are often unrelated to the original post and the links are posted by an obviously fake profile. Still, there are some comments with malicious links that can seem authentic.
Phishers also post links on sports pages to fool people into believing that they can watch a live stream of a game with no charge. Victims are redirected to a fake site that requires them to answer personal questions to access the live stream. Yet, more often than not, these sites don’t have any live stream videos at all.
Disguised Twitter Bots & Customer Support
Scammers can disguise themselves as Twitter bots that send private messages along with a link. This can lead to dangerous malware that steals computer data or even a fake website that requests for payment details.
Fake Twitter customer support profiles are also created by scammers to phish for passwords and bank details. These accounts are often duplicated from real companies with slight alterations to the characters. When users fall for this tactic by tweeting a question, scammers can reply and send a link to a fake site that may steal the victim’s confidential information.
Fake Games & Online Surveys
More complex phishing schemes can involve a lengthy game: hackers use fake profiles to build rapport with a potential victim and hopefully gain enough of their trust to coax them into supplying useful information. Scammers may also use online surveys to lure victims into answering personal questions. These scams are posted on social media pages by profiles that appear authentic and entice people to answer their surveys so that they can sell the acquired information.
Fake Celebrity News
False reports about celebrities are sure to gain traffic, which is why it’s one of the most common types of social media scams. Phishers understand that gossip is hard to resist, so they bait users to click on hoax reports about a famous person. This phishing strategy often involves a click-bait title and an accompanying image of a celebrity. Once a victim clicks on the link, their device gets infected with malware and allows the hackers to access that victim’s personal information.
Protecting Social Media Users Against Phishing
Direct Message System for Twitter
Twitter has developed a personal messaging feature that allows its users to receive direct messages (DMs) only from accounts that they choose to follow. This feature greatly eliminates the chances of a person getting spam emails and security attacks from people they don’t personally know. Twitter’s Trust and Safety Council also works overtime to identify and contain suspicious accounts daily.
Facebook’s Partnership with Web of Trust
Facebook has been working with Web of Trust, a free tool that enforces safe web surfing by helping evaluate which links and websites are spammy or malware-infected based on a collective rating given by other Web of Trust community members, including participating Facebook users. Anybody can be a part of the community and leave their own ratings to help filter out dangerous websites and eliminate the chance of people clicking on them.
Clickjacking Protection for Facebook
Scammers use clickjacking to entice and trick users into clicking links that they may not want to click on. They usually do this by hiding a suspicious link—which can lead to anything from phishing sites to malware, or even infect your computer with viruses—under a tempting offer. The social media service has built defenses against the use of the Facebook Like button for clickjacking and has been keeping users safe by asking them to confirm seemingly suspicious activities before allowing them to post anything on their profile and News Feeds.
LinkedIn has joined the Domain-based Message Authentication, Reporting, and Conformance (DMARC) in battling phishing and spam attacks. They now integrate the use of a security footer in their emails, which is basically a digital signature that proves the authenticity of an email sent by LinkedIn. This way, hackers can’t fake an email from LinkedIn for their phishing purposes.
Login Approval & Verification for Twitter & Facebook
Enabling login approval and verification for your social media accounts helps keep them secure, especially when your login information has been compromised by a previous phishing attack. Enabling this feature on Twitter will first require the user to provide not only a password but also a mobile number, to which the site will send an SMS with a 6-digit code for logging into the account.
On Facebook, verification will be required whenever an unfamiliar device is used to log into your account. Like Twitter, Facebook will ask the user to go through a similar process with a verification code. On top of these security measures, the websites will also notify their users via email whenever they detect several failed logins into their accounts.
Customize Privacy Settings
Avoiding the chances of scammers and hackers obtaining private information involves making sure that you don’t provide them anywhere online. Protect yourself by getting to know more about the social media sharing platform you plan to be on and modify your privacy settings, so you don’t share your personal information to the general public and rule out the chance of becoming a victim of a phishing scam.
Spot Poor Spelling & Grammar
Messages from official and reputable accounts are likely to be free from basic spelling and grammatical errors. On the other hand, those sent by amateur hackers and spammers are usually inconsistent and unnatural, more so when they use an online translator to compose messages from their own language. Read the emails and messages thoroughly to check whether or not they are authentic.
Double Check URLs
Hackers use a shortened and more official-looking link or a similar variation of an official web address to hide their malicious links. The best way to avoid clicking on fake links that could lead you to dangerous websites or malware is to hover your mouse pointer over a link and check its actual web address. When in doubt about the authenticity of a website link, you can do a Google search for that particular organization or company’s official website to compare. It only takes a few extra seconds to protect yourself from this frequently used phishing method.
Look for Sender Information Consistency
If the scammer is an expert in distributing malicious messages with links, the fault may be found in the sender address and sender account name. While the sender’s account name bears the official institution or company name, it may not be consistent with the email address. Scammers usually use an email that slightly varies from the original, so potential victims may not always be able to notice the difference unless they make it a habit to check and verify.
Don’t Supply Personal Information
Many phishing scammers use scare tactics to threaten victims into supplying personal information, such as usernames and passwords. Such tactics include notices of account termination and fake security verifications, among many others. While messages like these can really trigger panic, it’s always better to remain skeptical.
First, try closing all of your browsers and emails to clients and open new browsers to get rid of possible malicious scripts. Then, visit the company’s website as you normally would to check for official notices or call the company to verify whether or not there’s actually a problem with your account.
Be Wary of Permissions
Facebook has long been offering on-site connections to third-party websites and services, but not without allowing the user to first accept the terms and conditions for their own protection. These third-party websites usually require access to personal information, such as your friends list, listed preferences, full name, and birthdate. Some even gather IP addresses and device information from users. Before accepting, make sure that you are not compromising any personal information that can be used against you.
Practice Safe Password Management
It may be convenient to use the same password for all of your social media channels, but this makes it easier for phishers to infiltrate your accounts. The best way to secure your accounts is to use different passwords for each one. Create long passwords that have symbols, numbers, punctuations, and letters that are spread out from each other to make them more complex. After three months, set a schedule to change your password and create new ones that you’ve never used. This becomes a necessity when you’ve already clicked on a malicious link because your social media activity could be tampered with by hackers.
To further increase the security of your account, enable a two-factor authentication process when you have the option. This allows you to receive a code on your phone whenever your account is logged in on a new or unfamiliar device. This code can only be used once, and the whole process makes it harder for phishers to hack your account.
Be Updated about New Security Tools
Being informed about new types of phishing attacks reduces the chances of falling for one. Scammers always find new ways to do phishing attacks. If you are an IT professional, continuous training for phishing scams is important to prioritize your organization’s security.
Be updated about new technology and ways of fighting against phishing attacks. Learn to secure your confidential documents on the Internet by incorporating passwords, install anti-phishing applications on your web browser to verify notorious phishing websites and alert you when you are entering one, and use both desktop and network firewalls to decrease the risk of hackers compromising your computer and network.