Phishfort analysts detail the most common social media phishing attacks taking place in 2020. The proliferation of social media platforms has opened countless attack vectors for phishing attempts. We outline the best practices businesses with a digital presence can apply to protect themselves against social media phishing.
- Social media phishing has become a legitimate threat to businesses with an online presence
- Businesses are struggling to quickly identify and take down social media phishing attempts given the vast amount of platforms currently available to attackers
- Common social media phishing attacks include attackers impersonating a brand, gaining access to sensitive customer data, and taking over an account
- A combination of sophisticated technology and trained analysts is currently the most effective way to protect against social media phishing attempts.
Social Media Phishing
Since 1909, BP had been building its business and brand into a global oil and gas behemoth. Disaster struck the company in 2010 when an oil rig that BP was leasing exploded, resulting in the largest oil spill in American history.
Amid the chaos, a satirical Twitter account using the handle @BPGlobalPR managed to gain twice as many followers as the official BP corporate Twitter account. The fake Twitter account caused a stir in international media, further damaging BP’s brand at a time when effectively communicating with the public was crucial.
The BP story highlights the asymmetry between the time and effort it takes to build a brand and the ease with which an attacker can put that brand at risk. With just an email address, an attacker can impersonate a business brand and even enter into communication with the customers of the brand.
The consequences of social media phishing can go far beyond simple satire. Social media phishing can lead to attackers gaining access to sensitive customer data and executing prolonged attacks against a company’s brand.
However, with security teams overloaded with potential phishing attacks across a variety of social media platforms, the solution to effectively dealing with such attacks is not straightforward. In this article, we break down what exactly a social media phishing attack is. We also detail what the most common types of social media phishing attacks are and the best approach to address such threats.
What is Social Media Phishing?
The primary characteristic of a social media phishing attack is that the victim is targeted through a social media platform. However, social media phishing can take on a variety of forms.
Attacks will typically focus on users who are already aware of the target brand. This makes them somewhat akin to spear-phishing, where each attack is crafted for specific individuals based on some knowledge of their interests, behaviors, or beliefs.
Attacks are often performed by spoofing an existing account, such as using @AcmeOfficial to target users who follow @Acme. Attackers will also occasionally attempt to compromise a legitimate social media account in order to use it to directly communicate with its users, highlighting the importance of properly securing social media accounts.
Given the abundance of personal information and the popularity of social media, the impact of social media phishing attacks should not be underestimated. In March 2017, a sophisticated attack was launched by Russian hackers targeting US Defense Department professionals.
Over 10,000 Twitter messages were sent, each containing a link tailored to the individual’s interests. Each link led to malware which allowed the hackers to take control of the victims’ devices.
Most Common Social Media Phishing Attacks
The nature of the current online world means attackers can target your business on a variety of platforms and in a variety of ways. Here are some of the typical social media phishing attacks which can be launched against your business.
Impersonation
Impersonation can either be an attacker posing as your brand or as a person in your business. Such an attack can be extremely straightforward to pull off, as highlighted by the BP satire account.
The barriers to entry are low but the attack holds the potential to severely damage your brand. Such fake accounts can often be established on platforms where the company is not present.
Let’s say your company has a large Facebook presence but does not focus on Twitter. This leaves a gap for an attacker to impersonate your company on Twitter which will be more credible to users given that there is no official account.
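The spoofed-handle pattern described above (@AcmeOfficial targeting followers of @Acme) and the impersonation risk in this section can be triaged automatically. The following is an added example, not Phishfort's tooling: it assumes a hypothetical brand "Acme" with a constructed list of official handles, normalizes candidate handles (case, accents, digit-for-letter swaps, separators), peels off credibility-borrowing affixes such as "official" or "support", and flags close matches for analyst review.

```python
import re
import unicodedata

# Constructed reference data for a hypothetical brand "Acme"; not a real account list.
BRAND = "acme"
OFFICIAL_HANDLES = {"acme", "acmesupport"}  # handles the brand actually controls
# Credibility-borrowing affixes seen on fake brand and fake customer-support accounts.
AFFIXES = ("official", "support", "help", "team", "care", "service", "hq")
# Digits and symbols commonly swapped in for letters so a handle still reads as the brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "$": "s", "|": "l"})

def normalize(handle):
    """Fold case, strip accents, undo digit/symbol swaps, drop '_', '.', '-'."""
    h = unicodedata.normalize("NFKD", handle.lstrip("@").lower())
    h = "".join(c for c in h if not unicodedata.combining(c))
    return re.sub(r"[._-]", "", h.translate(HOMOGLYPHS))

def strip_affixes(core):
    """Repeatedly peel known affixes off both ends ('officialacmesupport' -> 'acme')."""
    changed = True
    while changed:
        changed = False
        for affix in AFFIXES:
            if core.startswith(affix) and len(core) > len(affix):
                core, changed = core[len(affix):], True
            if core.endswith(affix) and len(core) > len(affix):
                core, changed = core[:-len(affix)], True
    return core

def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as 'acne'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(handle, brand=BRAND, official=OFFICIAL_HANDLES):
    """Return 'official', 'lookalike' or 'unrelated' for one social media handle."""
    if handle.lstrip("@").lower() in official:
        return "official"  # exact match on the raw handle only, never on the normalized form
    core = strip_affixes(normalize(handle))
    if core == brand or brand in core or levenshtein(core, brand) <= 1:
        return "lookalike"  # queue for analyst review and possible takedown
    return "unrelated"
```

Running this over new accounts that mention or follow the brand turns "is this account pretending to be us?" into a small review queue rather than a manual search across every platform.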
Credential Theft
While impersonation involves a fake account, credential theft is where an attacker gains access to the company’s legitimate social media account. Credential theft can be much more severe, as the attacker can act under the company’s official account until the issue is flagged and addressed.
This enables attackers to communicate with customers. When and if the issue is resolved, the targeted company faces a long uphill battle to restore trust with its customers and users.
In many cases, the attacker may gain access to several other accounts through “password reuse attacks” whereby other accounts are accessed using an identical or similar password. An attacker may even be able to change the password to the social media account if they can also access the email address associated with the account.
A common method to gain credentials is a typical phishing website which tricks users into inputting sensitive details into a fake social media platform that mirrors the legitimate one. Being wary of URLs sent to the workforce is important to prevent such attacks, particularly in large organizations where it only takes one employee to click on a fake URL and input credentials.
Customer Support Phishing
When you’re facing an issue with a product or service, reaching out to customer support can be stressful. It can often be a puzzle trying to find where the customer support contact information is.
Customers don’t want to waste any unnecessary time on a product or service which is causing issues. Customer support phishing is a particularly dangerous and subtle form of phishing which is well-positioned to take advantage of this.
Customers in a state of frustration may not take the time to double-check that they have reached out to a legitimate customer support agent. Phishfort analysts regularly encounter such cases when dealing with social media phishing.
Fake customer support profiles can be open to direct messages from customers and can also list fake customer support phone numbers and email addresses. If a customer contacts the listed phone number or email address, they also become vulnerable to future attacks given that they share their own email address or phone number with the attacker.
Data Dumps & Breaches
Attackers who can access the social media account of a business oftentimes gain access to sensitive customer data. Online marketplaces exist on the dark web for the purchasing and selling of such data.
Some businesses have suffered from an attacker dumping datasets on a forum or elsewhere online. Such incidents expose customers' data to the entire web and damage the trust businesses have built with their users.
Don’t think large companies are immune to such incidents because they may have bigger security teams and better security practices. LinkedIn suffered a data dump recently in 2016!
Malware and Targeted Phishing
Social media has changed the messaging landscape. Virtually unlimited messages can be sent on a variety of platforms from anywhere on the globe.
Such capabilities have reduced the friction for attackers to send links containing malware. The result of victims clicking on such links can vary, with some allowing the attacker to take control of the victims’ devices.
What Solutions Exist for Social Media Phishing?
The typical response by organizations to deal with such social media phishing attacks is to manage the security threat internally. However, security teams are inundated with potential red flags.
The vast number of platforms available to social media attackers has made it nearly impossible for in-house security teams to manage the sheer amount of flagged incidents. Even if in-house teams do have the resources to examine each case, addressing it quickly and effectively is another significant challenge.
The BP story highlighted how a spear-phishing attack can spiral out of control if it is not addressed early. The fake BP account managed to build twice as many followers as the legitimate social media account.
Furthermore, in cases where an attacker has taken over the social media account of a business, they are likely having ongoing correspondence with customers. Social media phishing attempts need to be flagged and addressed before they can reach this stage. If they do manage to progress to this advanced stage, they need to be dealt with urgently.
An effective way to manage social media phishing risk is to implement technology designed to separate genuine social media phishing attacks from false-positive flags. Phishfort combines such technology with trained security analysts to quickly and effectively deal with any social media phishing attacks that arise.
Our social media anti-phishing service covers a broad range of social media platforms. To find out more, check out our social media phishing protection service page.
For crypto users, we’d recommend installing our browser extension Protect that helps to protect against common attacks.
With social media becoming an increasingly prevalent part of everyday life, we expect the incidence of social media phishing attacks to continue increasing. If your business has spent years building a trustworthy and reputable brand, risking that hard-earned reputation by failing to protect against social media phishing is simply not worth it.