
Social Phishing: What You Need to Know


Over the last two decades, phishing has transformed from a spam-like threat into a destructive force, powerful enough to put businesses of all sizes on red alert. 

During that same period, the number of social media users increased by almost 1300%, making these platforms a hot target for phishing attacks. According to Verizon's 2019 Data Breach Investigations Report, 22% of data breaches involved social attacks. 

Every status we update, photo we share, person we tag, and place we check into reveals valuable information about our personal and professional lives. Cybercriminals use this information to engineer targeted and effective social phishing attacks at scale.

But what exactly is social phishing?

This article will explore social phishing and explain how these attacks happen. We'll also touch on why social media has become a hot target for phishing attacks and what you can do to protect yourself. Let's dive in!

What Is Social Media Phishing?

Social phishing refers to cyber-attacks executed through platforms like Facebook, Twitter, Instagram, and LinkedIn. 

Social media attacks are used to steal personal data to sell on the dark web or gain control of your social media account to launch phishing attacks against your friends, colleagues, and business partners.

With over 80% of users accessing social media via mobile devices, social media has also been linked to increased cases of mobile phishing. Lookout's Mobile Phishing Map shows that 34% of phishing attacks in the US are executed through mobile devices.

How Does Social Media Phishing Happen?

Social phishing is different from other forms of phishing. 

While email and text phishing (smishing) are passive attacks in which the attacker masquerades as a trusted entity and then tricks the victim into taking action, social phishing encourages the user to open a video or click on a link based on their interests.

Attackers take advantage of recommendation algorithms and user behavior in the hope that someone who loves dog videos, for example, will click on their malicious link. The link takes them to a site that requests their confidential details or infects their device with malware, which could lead to a ransomware attack.

Alternatively, the post or tweet may instruct the user to make a call to a specified number. Upon calling, the scammer may request their confidential details. The call may also be to a premium number, after which exorbitant charges will be added to their phone bill. 

Social media phishing can take many different forms, including but not limited to:

Romance Scams

This type of phishing scam clones the account of a real person, usually someone living abroad. The scammer targets the most vulnerable individuals, adults and youngsters alike, who are looking for love or companionship.

Data Gathering

You've probably seen or even played one of those 'fun' quizzes on Facebook that ask simple questions about your first job, name, or even first love. 

These posts are often a form of social engineering attack, and answering such questions hands the phisher password hints and security-question answers, among other things. Not every question game you play on social media was engineered for malicious purposes, but these games and questions are perfect hiding grounds for cybercriminals.

URL Abuse

URL abuse is one of the most common phishing attacks on social media, especially on Twitter. Attackers like to hide malicious links using Twitter's URL shortener. 

Why Is Social Media a Hot Target for Phishing Attacks?

Social media platforms, like Facebook, are a hot target for cybercriminals for several reasons. 

First, most users only see one side of the platform; the fun side where they can interact, mingle and even share memories with their friends. 

But the dark side of social media is scary and is one that's often ignored. Most people make where they live, work, and go on vacation public. They publicize their names, their children's names, and even the ages and birthdays of their children and friends.

What they don't realize is that in doing so, they're making it very easy for attackers to structure and launch targeted phishing attacks. Social phishers can use those dates of birth (DOBs) to crack passwords, or their friends' names to launch impersonation attacks.

Secondly, with more than half of the world (4.62 billion people) using social media, these platforms are a minefield of data. Even a successful hack on big-name companies, like Amazon, can't provide the mountain of data available freely on social media. 

How to Protect Yourself from Social Phishing Attacks?

To protect yourself from social media phishing attacks, follow these "5 don'ts" (and one "do"):

  • Don't click on links to update passwords or personal information.
  • Don't accept friend requests from strangers.
  • Don't share sensitive information like your date of birth (or your kids') on social media.
  • Don't ignore prompts to update your OS; many attacks exploit security vulnerabilities that can be fixed with an update.
  • Don't use the same username and password for all your social accounts.
  • Do educate yourself on how social media platforms work and what they are designed to do.

Wrapping Up

Social phishing refers to cyber-attacks executed through platforms like Facebook, Twitter, Instagram, TikTok, LinkedIn, and others. These attacks can take many forms, including romance scams, data gathering, and URL abuse.

While these scams grow and evolve daily, you can protect yourself by exercising diligence when updating personal information, accepting friend requests, sharing information publicly, updating passwords, and always using complex passwords. 

These attacks can spill over into the business world, so it is important to make sure your employees are educated through Security Awareness Training to help protect them and your business. Contact us today to get help with this and other IT or Cybersecurity issues. 
