Social Media PhishingOrhan Sari
There are billions of social media users around the world. However, little is known about social media usages and its determinants that conclusively affect users’ vulnerability phishing attacks on social media platforms. Nevertheless, social networking platforms are a popular way used by cybercriminals to swindle their targets. Billions of people logging on to their favourite social media accounts, that is to say, it is a rich source for cybercriminals to gain profit.
- The internet has 4.2 billion users
- There are 3.397 billion active social media users
- On average, people have 5.54 social media accounts
- The average daily time spent on social is 116 minutes a day
- 91% of retail brands use 2 or more social media channels
- 81% of all small and medium businesses use some kind of social platform
- Internet users have an average of 7.6 social media accounts
- Social media users grew by 320 million between Sep 2017 and Oct 2018.
- That works out at a new social media user every 10 seconds.
- A Facebook Messenger and Whatsapp handle 60 billion messages a day
- When asked 81% of teenagers felt social media has a positive effect on their lives
According to the Vade Secure Phishers’ Favorites report for Q1 2019, social media phishing, principally Facebook and Instagram detected the biggest quarter-over-quarter growth of any industry.
“ Facebook phishing increased 155.5% in Q1, propelling the social media giant into the #4 spot. Facebook was actually the #1 impersonated brand in Q1 2018, but then saw three straight quarters of decline, dropping to the #7 spot in Q4 2018”
“It’s hard to know precisely why phishers are suddenly interested in Facebook credentials again. One plausible explanation could be the rise of social sign-on using Facebook accounts. With a set of Facebook credentials, hackers can see what other apps the user has authorized via social sign-on—and then compromise those accounts!”
“Instagram is another interesting example. For three quarters, Instagram phishing was virtually nonexistent. Then suddenly, in Q1, the number of URLs exploded 1,868.8%! “
According to the report, Microsoft continued an easy target for cybercriminals.
We can see that the cybercriminals are now closely familiar with the interaction of both consumer and corporate email users with the internet and are invariably developing their methods to deceive the targets into clicking malicious links in social media platforms. One of the proven reason for the users’ failure to see phishing attacks in their social media platform is their habitual social media use. A study in Journal of Computer-Mediated Communication suggested that “ founded on the individual frequently using Facebook, maintaining a large social network, and being deficient in their ability to regulate such behaviours, is the single biggest predictor of individual victimization in social media attacks” 
When you click on a link in a post on your social media account or in a direct message from a fake entity you haven’t recognised it is fake, your social media account can be compromised or identity spoofed.
- The fake link takes you to a fake website but seems original which requests your sensitive information or causes your device to be contaminated with malware.
- The post, tweet or direct message may direct you to make a phone call to a specified number to get sensitive information.
- The cybercriminal creates a convincing but fake social media customer service account with a handle similar to the bank’s real one. They wait for you to tweet at the bank’s genuine handle with a help request, then hijack the conversation by responding with a fraudulent support link sent from the fake support page. This will direct you to a convincing but fake login page designed to capture your confidential detail.
By using social media phishing method, cybercriminals manipulate the basic human emotions like trust, fear, eagerness, worries, love and abuse them to take advantage.
Fake customer service accounts
Many customers now tend to visit straightly a company’s social media channels for customer support. Therefore, knowing this situation cybercriminals have been taking advantage of this online connection to start fake company accounts. It was revealed that 19% of social media accounts appearing to represent top brands were all fake .
Fake comments on trending posts
A trending, popular post can make a lot of likes and comments. Cybercriminals can take advantage of this by attaching their own comments to the posts with fake links that bring the attention of the others. Once users click on the fake link, they will be directed to a fake website that seems original, or they download malware to their devices
Sometimes cybercriminals create a fake website impersonating a big trademark to offer a discount. In this situation, they target users sensitive data like user names and passwords or credit card information.
Cybercriminals also create catchy videos about celebrities, news and other popular trends to seduce people to click on a video. Once clicking the link, the users required to download an add-in before viewing the video, however, it is a malware that infects users device.
To protect yourself from social media phishing, you can simply follow the steps below:
- Never click on links asking personal information. Prominent social media platforms never ask users to click on a link to update their personal details. If you’ get these types of messages but you are unsure if the demand is legitimate or not, contact directly with the social media platform you use.
- Don’t accept friend requests from people you don’t know. Due to the fact that cybercriminals attack their targets with fake accounts, users should always be attentive while accepting a friend request from people they don’t know.
- Use unique login details for each account. Because, when one of your social media accounts is hijacked, cybercriminals can’t reach to your other online accounts.
- When phishing scams are so rife across social media, it’s always best to use a unique username and password for each site so that in the unfortunate event of being phished, t
- Only enter personal information on a secure website – The URL on a secure site will always begin with an ‘https’. The ‘s’ stands for secure and ensures that all communication between your browser and the website you are visiting is encrypted.
- Install Anti-Virus Software – The installation of anti-virus software will help detect threats on your computer and block unauthorised users from gaining access.
- Keeping operating systems up to date – It’s important to ensure that your software is regularly updated to prevent hackers from gaining access to your device through vulnerabilities in older and outdated systems.