Social media phishing

19 November 2023

Incorporating social media monitoring and enforcement into brand cybersecurity strategies is of paramount importance due to the extensive reach and influence of social platforms. In this blog, we look at the problem and at some of the social media phishing attack methods phishers use to scam brands and their clients.

Social Media is a growing area for phishing attacks

Phishing on social media platforms like Facebook, Instagram, Twitter, and LinkedIn represents a significant cyber threat. The number of phishing attacks on social media increased by 200% in 2018 and today represents almost 12% of all phishing attacks. This form of cyber attack aims to scam unsuspecting customers, pilfer personal data or seize control of social media profiles.

Facebook is by far the most popular social media platform among cybercriminals. Between April and September 2020, there were over 4.5 million phishing attempts on Facebook and the number of scammers impersonating Facebook increased by 175.8% in Q2 2019 (Phishlabs). Attackers often use messages or links, appearing as benign requests for information verification, to deceive users into visiting counterfeit sites resembling Facebook. Users are then prompted to log in, unwittingly giving away their login credentials.

Reports of the Twitter user base vary from 450M to 1B active monthly users, with some analysts suggesting that almost 20% of these accounts were fake or spam accounts. The most common scams on Twitter typically involve phishing attacks, where scammers use deceptive tweets or direct messages to lure users into providing personal information or login credentials. Impersonation scams, where fraudsters create accounts mimicking brands to solicit money or personal details, are what we see a lot of, and investment scams promising unrealistic returns on stock market or cryptocurrency investments are widespread as well. These scams exploit users’ trust and curiosity, often using urgent language or offering exclusive opportunities to trick them into falling for the scam.

Instant messaging platforms, particularly WhatsApp and Telegram, have increasingly become hotbeds for phishing-based attacks and scams. WhatsApp, with its vast user base of approximately 2.78 billion in 2023, is a prime target for scammers due to its global reach and popularity. The platform’s end-to-end encryption, while providing privacy, also offers a veil for fraudulent activities, making it challenging to track and prevent scams. Telegram, boasting 700 million monthly active users as of early 2023, has also seen a surge in its use for phishing attacks. The 800% increase in the use of Telegram bots for phishing in 2022 highlights the platform’s vulnerability to such exploits. These platforms’ ease of use, wide reach, and perceived security make them attractive for scammers to conduct phishing schemes, often through deceptive messages and malicious links, targeting a vast and diverse user base for personal and financial information.

Phishing methods on social media

Impersonation: The largest share of social media threats is impersonation, where bad actors pretend to be a famous brand or an individual. Impersonation scams make up nearly half of them: according to Tripwire, impersonation scams account for 40.7% of all such schemes on social media. Setting up impersonation accounts is free, quick and can be done in bulk. Often fake accounts will interact on the target brand’s official social or IM channels to engage and lure victims into their scam.

Figure: Fake Singapore Airlines Twitter account engaging with customers on the airline’s official account

Fake Customer Support Scams: In these scams, fraudsters set up fake customer service accounts (see Impersonation), seemingly associated with well-known brands. They interact with customers by sending direct messages, commenting on posts, or replying to complaints and inquiries. The aim is to appear helpful while actually attempting to obtain sensitive data or login details from unsuspecting users.

Phony Giveaway Scams: These scams involve messages advertising a chance to win attractive prizes such as lavish trips, gift cards, high-end gadgets, or monetary rewards. Participants are usually asked to provide personal details or pay a nominal fee to enter. The scammers, however, abscond with the collected money or information, leaving participants with nothing.

Fake Ads: Scammers use real product photos from businesses in fake ad campaigns on Facebook. Customers are misled into purchasing what they believe are quality products from the business but receive cheap knock-offs, leading to negative reviews and reputation damage for the businesses.

Platform phishing scams: Businesses may receive messages with links that compromise their accounts when clicked. Once the scammer gains access, they can post on behalf of the business, send spam to the audience, or trick them out of money, all of which can harm the business’s reputation.

Figure: Social media phishing post (source: Trend Micro)

How can brands protect their business and customers from phishing attacks?

Social Media Monitoring: Brands should actively monitor social media platforms for fake accounts or posts that impersonate their brand or misuse their intellectual property. This can be done using specialized software that scans for brand mentions or logo use.
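The core of such monitoring software is a screening step that decides whether an account surfaced by a brand-mention feed is a lookalike of the brand’s official handle. The following is an added example written for this post, not brandsec’s own tooling: it normalises each candidate handle (strips separators, undoes common digit-for-letter and "rn"-for-"m" swaps, drops "support"-style suffixes and trailing digits) and compares it with the official handle, first for an exact normalised match and then by edit distance. The homoglyph table, the suffix list, the brand handle `@ExampleBank` and the batch of candidate handles are all assumptions constructed for the example.

```python
"""Lookalike-handle screening for brand social media monitoring.

Added example (not brandsec's monitoring software). It shows the check such
tooling performs on each account a brand-mention feed surfaces: normalise the
handle to undo common impersonation tricks, then compare it with the brand's
official handle and flag near-duplicates for analyst review and reporting.
All handles below are constructed.
"""
import re
import unicodedata

# Common visual substitutions seen in impersonation handles (assumed list).
# Two-character sequences are listed first so "rn" becomes "m" as a unit.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("4", "a"), ("5", "s"), ("7", "t"), ("8", "b")]
# Suffixes fake customer-service accounts commonly append (assumed list).
SUPPORT_SUFFIXES = ("support", "help", "care", "official", "team", "service")
SEPARATORS = re.compile(r"[\s._\-]+")
TRAILING_DIGITS = re.compile(r"\d+$")


def normalise(handle: str) -> str:
    """Reduce a handle to a canonical form for comparison."""
    h = handle.strip().lstrip("@").lower()
    # Fold accented and full-width characters to plain ASCII (drops combining marks).
    h = unicodedata.normalize("NFKD", h).encode("ascii", "ignore").decode()
    h = SEPARATORS.sub("", h)
    h = TRAILING_DIGITS.sub("", h)          # "...bank2023" -> "...bank"
    for fake, real in HOMOGLYPHS:           # applied to both sides, so legit
        h = h.replace(fake, real)           # "rn" in a real name is harmless
    changed = True                          # peel stacked suffixes ("supportteam")
    while changed:
        changed = False
        for suffix in SUPPORT_SUFFIXES:
            if h.endswith(suffix) and len(h) > len(suffix):
                h = h[: -len(suffix)]
                changed = True
    return h


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(official: str, candidate: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, reason) for a candidate handle against the official one."""
    if candidate.strip().lstrip("@").lower() == official.strip().lstrip("@").lower():
        return "official", "exact match with the brand's verified handle"
    norm_official, norm_candidate = normalise(official), normalise(candidate)
    if norm_candidate == norm_official:
        return "lookalike", f"normalises to {norm_official!r} (homoglyph/suffix/separator tricks)"
    distance = levenshtein(norm_candidate, norm_official)
    if distance <= max_distance:
        return "suspicious", f"edit distance {distance} from the official handle"
    return "unrelated", f"edit distance {distance} from the official handle"


def screen(official: str, candidates: list[str]) -> list[tuple[str, str, str]]:
    """Screen a batch of handles; returns (handle, verdict, reason) for each."""
    return [(c, *classify(official, c)) for c in candidates]


# Constructed sample: a fictional brand and a batch of handles a monitoring
# feed might surface (brand mentions, accounts replying to the official one).
OFFICIAL_HANDLE = "@ExampleBank"
SAMPLE_HANDLES = [
    "@ExampleBank",            # the real account
    "@Examp1eBank_Support",    # digit-for-letter swap plus support suffix
    "@ExarnpleBank",           # "rn" masquerading as "m"
    "@examplebank.help2023",   # separator, suffix and trailing year
    "@ExampleBnak",            # transposition, caught by edit distance
    "@GardeningTips",          # unrelated account
]

if __name__ == "__main__":
    for handle, verdict, reason in screen(OFFICIAL_HANDLE, SAMPLE_HANDLES):
        print(f"{handle:24} {verdict:10} {reason}")
```

"lookalike" hits are strong enough to go straight into the platform reporting queue described below; "suspicious" hits are cheap to generate (any short handle is within two edits of many others), so they belong with an analyst who also checks the display name, profile picture and whether the account is replying to the brand’s customers before a takedown is filed.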

Rapid Enforcement and Reporting: Once a fraudulent account or scam is identified, brands should have a process in place to quickly report these accounts to the respective social media platforms for removal. They may also need to inform their customers about these fake accounts through their official channels.

Collaboration with Legal and Cybersecurity Teams: Engaging legal and cybersecurity experts can help in not only taking down fraudulent accounts but also in pursuing legal actions against the perpetrators if necessary.

Customer Communication: Regularly updating customers on how to identify legitimate communication from the brand and educating them about prevalent scams can help prevent them from falling victim to these attacks.

By focusing on vigilant monitoring and prompt enforcement, brands can effectively mitigate the risks of phishing scams targeting their business and customers. It’s essential for brands to integrate social media into their cybersecurity strategy. This integration is crucial not just for protecting the brand’s reputation but also for safeguarding customers against the growing threat of phishing and other cyber attacks. Proactive monitoring, rapid response mechanisms, and customer education on these platforms are key components of this strategy. By treating social media as a critical part of their cybersecurity landscape, brands can better defend against these evolving threats, maintaining trust and integrity in the digital ecosystem.

About brandsec

brandsec is an Australian domain name management provider that offers online brand management solutions to corporate and government organisations.

Our services include domain name management, domain name security, domain name policy development, dispute management, monitoring, and enforcement services. Additionally, brandsec offers a comprehensive online brand protection service that covers various platforms such as websites, social media, email, and online marketplaces. The service addresses issues related to counterfeiting, fakes, copyright infringement, intellectual property (IP) matters, piracy, and other intellectual protection-related issues.
