How To Identify and Avoid Social Media Phishing Attacks
Written by Savino Dambra, Research Specialist for NortonLifeLock.
These days many of us are active on multiple social media platforms. As you're probably aware, that means we could all be targets for social media phishing attacks, designed to steal our private information.
Why target social media?
More than 4 billion people worldwide use social media, sharing their personal info, location, likes and interests, and who they interact with. This user data provides social media companies with info that allows advertisers to target audiences with specific offers. For these same reasons, threat actors like social media, too. These platforms represent a low-effort way to target billions worldwide.
The most common social media phishing attacks
Norton Labs analyzed a full year of phishing attacks against platforms such as Facebook, Twitter, Instagram, LinkedIn, and TikTok. Among the study's key findings:
- Phishing campaigns often use diverse stories to trick users.
- Social media attacks have become much more sophisticated, aided by tools that make the attacks more convincing and easier to unleash.
Here are the top eight social media phishing attacks Norton Labs found in their study. Be aware of all of them so you can stay safe in today's digital world!
1. Classic Login Phishing
The creation of a fraudulent website that looks like the real deal is the most common and widespread scheme. The site is designed to fool users into believing that it's legitimate, and it steals their credentials once the user tries to access their profile.
2. Locked Account Notices
These attacks exploit our fear of losing access to our social media account. The websites scare users into revealing sensitive info by reporting a fake unauthorized new login to their account, the presence of outdated info that must be updated, or the need to go through a security checklist to keep the account secure.
3. Copyright Violation Notices
Social media platforms aren't allowed to post material without permission from the copyright holder, and they have stringent rules to restrict users from posting someone else's material. This is leveraged in attacks designed to deceive people into thinking their account has been locked because of a copyright rule violation. You're then directed to a fraudulent website that asks for your credentials.
4. Verified Badge Scams
These icons appear on some platforms to indicate that the platform has confirmed an account is being run by a public/popular figure, celebrity, or brand (e.g. Twitter's blue checkmark). Generally, these accounts are more trusted. Phishing campaigns can use the promise of getting a verified badge to direct users to a fraudulent website where they once again enter their credentials.
5. Profile Hacking Services
These attacks are malicious campaigns that pretend to offer users a way to hack into someone else's profile or reveal information about them, such as email addresses or lists of interactions. These attacks are not designed to steal credentials, but rather to redirect victims and monetize them through other services such as ads or surveys.
6. Follower Generator Services
Some users want to take a shortcut and pay to increase their follower count. This desire is leveraged by another scheme that promotes such a service at a low cost or for free. Unsuspecting users are directed to fraudulent websites to enter credentials, or are asked to install software that ends up being malicious.
7. Two-Factor Authentication Interception
While many of us are aware of Two-Factor Authentication (2FA), it may surprise you to learn that these codes from an app or SMS can also be captured via phishing. These sneaky campaigns aim to intercept temporary codes to break into 2FA-protected profiles. These tokens are generally tied to a victim's phone number or a code generator app on their device and are typically required to log in and make changes to an account.
8. Payment Fraud
These attacks are designed to steal financial information from users with malicious websites that exploit known social media brands and ask for credit card details from victims by simulating a problem with their account.
According to the FTC, consumers reported an astounding $770 million in losses from social media scams in 2021 alone. While not all of that amount is related to phishing scams, it highlights why scammers are trying so hard to get people to reveal their login details, and why you should be on the lookout for these scams as well as whatever scams appear in the future!
Editorial notes: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.