The Art of Deception in Social Media Phishing

Adrien Gendre

October 10, 2019

4 min

The growth of social media phishing can be largely attributed to the broadening reach of social media companies like Facebook, Instagram, and LinkedIn. All have branched out considerably, with expanded features and integration with third-party applications. To a phisher, social media offers not only a large pool of victims but also an endless array of entry points.

The connection between social engineering and social media phishing

Social engineering is the process of using psychological manipulation to encourage a victim to disclose confidential information. For social engineering to be effective, a cybercriminal must have personal information about his or her victims. What better platform to find this information than on social media?

About 3.4 billion people worldwide use social media. Despite warnings to secure our accounts with strong passwords and to avoid revealing overly personal details, we continue to ignore best practices and open ourselves to attack. We share our whereabouts, political affiliations, financial hardships, health issues, and career ups and downs. This information is all a cybercriminal needs to socially engineer us and hit us where it hurts.


Facebook phishing

It’s no surprise that the largest and most influential social media company in the world is also among the most impersonated by phishers. In Q2 2019, Facebook phishing URLs increased by more than 175%, making Facebook the third most impersonated brand in phishing attacks.

This increase follows a significant slow-down between Q2 and Q4 2018. To understand the spike, consider how Facebook became the behemoth it is today. In 2007 Facebook had only 20 million users. After opening its platform to outside developers, Facebook grew by an average of 200 million users per year.

The apps that those developers integrated with Facebook stored data—lots of it—on Facebook users. Eventually, the data wound up on the black market, fetching around $5.20 per record as of 2017. With that data in hand, cybercriminals were free to carry out any number of crimes against its victims.

Stories about data leaks have continued to plague Facebook. As a result, Facebook users are accustomed to receiving updates from Facebook about the company’s privacy initiatives. In some cases, however, it’s not Facebook that is sending those emails but phishers impersonating Facebook. With users on heightened alert from a constant stream of negative news stories, they react quickly when phishers direct them to update their Facebook passwords, unknowingly divulging the very data they were trying to protect.

In other cases, phishers directly exploit the third-party app relationship to steal user data. Facebook Login lets users sign in to tens of thousands of third-party apps with their Facebook account, and the genuine sign-in dialog is always served from a facebook.com host. Phishers exploit this by building pages that mimic the Facebook Login dialog on a lookalike domain: the user believes they are signing in to a popular app through Facebook, but actually hands their Facebook credentials to the phisher.

Instagram phishing

Once known for being little more than a selfie database, Instagram has become an advertising giant and a career springboard for the internet famous. Instagram phishing and spear phishing attacks have picked up steam in recent years as the platform has grown to 1 billion users.

Instagram attacks run the gamut from password-update requests sent via phishing email to multi-phase attacks that begin with phishing and evolve into spear phishing conducted inside Instagram. In these attacks, the cybercriminal harvests a user’s Instagram credentials on a fake Instagram login page, then phishes and spear phishes the user’s followers from the compromised account. In other cases, the hacker compromises the account via phishing and then demands a ransom to avoid the release of compromising information and images.

In one highly effective phishing campaign, a phisher preyed on its victims by exploiting one of the deepest desires not only of high schoolers around the world but also of adults: the need for validation. The Instagram verified badge is more than a little blue check mark—it’s validation that a user is a bona fide celebrity, influencer, or brand. Cybercriminals impersonating Instagram send phishing emails asking victims to log in to Instagram to activate their verified badge. When they do, their credentials are harvested.

Not everyone is interested in the little blue check mark, but you’re more likely to trust a user who displays one, and this is true across social media platforms. The little blue badge is not just a symbol of influence but a symbol of trust, and a phisher can use that trust to manipulate victims.


LinkedIn phishing

Recruiters are always on the hunt, so it’s not surprising for recruiters to reach out to LinkedIn users via InMail. Phishers exploit job hunters by impersonating recruiters and asking victims to divulge personal information on a phishing page, to pay for training and/or the recruitment service, or to download a job application or job description. Often these arrive as Word documents whose macros deliver malware, or as PDFs built for the same purpose. In other cases, the link leads to a website that delivers the malware.
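The macro-laden attachments described above are best classified by content rather than by file name, because the attacker chooses the name the file arrives with. The following Python is an added example written for this page, not code from the original article or its author: it inspects an Office Open XML package for a VBA project, flags legacy OLE2 binaries (.doc/.xls) as needing a dedicated parser, and builds its own constructed sample documents in memory so it runs offline. The sample packages, their part names and the helper names are assumptions for the example.

```python
import io
import zipfile

# OLE2 compound-file magic: legacy .doc/.xls carry macros in a binary format this
# check does not parse (hand those to a dedicated VBA parser such as oletools' olevba).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def classify_attachment(data):
    """Classify an attachment by its bytes, never by its extension.

    Returns one of:
      "vba-macro"  - OOXML package that carries a VBA project
      "no-macro"   - OOXML package without one
      "legacy-ole" - OLE2 binary (.doc/.xls); needs a dedicated VBA parser
      "not-office" - anything else (PDF, text, junk, a zip that is not Office)
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"          # a zip, but not an Office Open XML package
            if names & VBA_PARTS:
                return "vba-macro"           # the usual part name for the VBA project
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in manifest:
                return "vba-macro"           # declared in the manifest under another part name
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def _ooxml(parts):
    """Build a minimal OOXML package in memory (constructed test data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CT_HEAD = (b'<?xml version="1.0"?>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">')
_CT_DOC = (b'<Override PartName="/word/document.xml" ContentType="application/'
           b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
_CT_VBA = b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'

# Constructed sample: an ordinary document with no macro project.
CLEAN_DOCX = _ooxml({
    "[Content_Types].xml": _CT_HEAD + _CT_DOC + b"</Types>",
    "word/document.xml": b"<w:document/>",
})

# Constructed sample: a macro-enabled document. Renaming it from .docm to .docx
# changes nothing the check looks at.
MACRO_DOCM = _ooxml({
    "[Content_Types].xml": _CT_HEAD + _CT_DOC + _CT_VBA + b"</Types>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": OLE2_MAGIC + b"\0" * 8,   # the VBA project is itself an OLE2 stream
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("macro", MACRO_DOCM)):
        print(label, classify_attachment(blob))
```

A mail filter would run this on each attachment before delivery and quarantine or strip anything reported as "vba-macro"; "legacy-ole" results should go to a parser that understands the binary format rather than being waved through.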

A recent trend in LinkedIn phishing is the connection request scam. Phishers create fake LinkedIn emails asking the user to accept a connection request; when the victim logs in to "LinkedIn" to accept, their credentials are stolen. Like the Instagram examples above, this is the perfect way for a cybercriminal to take over a LinkedIn account. Impersonating other users, and sometimes influencers, the phisher is free to make new connections and contact other users via InMail, whether to phish or spear phish. They can also freely share content and engage with millions of other LinkedIn users, ruining reputations in the process.

Protecting yourself from social media phishing

Most social media phishing emails are sent to personal rather than corporate email accounts. However, phishing subject lines are engineered to provoke a reaction (for example, "Security Alert!"), and phishers do target corporate mailboxes. Victims who are vulnerable to phishing react emotionally and quickly, clicking the phishing link without recognizing the anomaly.

Strong email security with time-of-click anti-phishing technology, which re-evaluates a link at the moment the user clicks it rather than only when the email was delivered, is essential to protecting your business and your clients from social engineering and phishing. And don’t underestimate the importance of phishing training. Phishing attacks are highly sophisticated, and an occasional threat has the potential to slip through. Users who are trained are less likely to fall victim to attack, and users who are alerted immediately when they click on a phishing link are far less likely to do so in the future.
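Two of the points above are worth seeing in working code: the lookalike Facebook Login pages from the Facebook section, where the deciding question is whether the real host of the URL belongs to the brand, and the time-of-click protection just described, where links are rewritten at delivery and judged when clicked. The Python below is an added example for this page, not code from the original article, its author, or any vendor product. The gateway URL, signing key, brand list, blocklist and the sample email are assumptions constructed for the example; the lookalike heuristic is deliberately simple (brand name in the URL's authority part, but the real host is not the brand's).

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example only (not from the original article).
GATEWAY = "https://click.example.net/go"          # hypothetical click-time gateway
SIGNING_KEY = b"example-only-key-rotate-in-production"
BRAND_HOSTS = {"facebook.com", "instagram.com", "linkedin.com"}

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def is_brand_host(host):
    """True only if host is a brand domain or a subdomain of one.

    Matching on label boundaries, not substrings, is what rejects
    'facebook.com.account-verify.example': it ends in '.example', not '.facebook.com'.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)


def classify_url(url):
    """'brand' if the real host belongs to a brand; 'lookalike' if a brand name
    appears in the authority part while the real host is not the brand's (covers
    lookalike domains and the 'https://facebook.com@evil.example' userinfo trick,
    since urlparse().hostname ignores everything before '@'); otherwise 'other'."""
    p = urlparse(url)
    if is_brand_host(p.hostname):
        return "brand"
    authority = p.netloc.lower()                 # includes any userinfo before '@'
    if any(b.split(".")[0] in authority for b in BRAND_HOSTS):
        return "lookalike"
    return "other"


def _sign(url):
    # Signing the wrapped URL stops the gateway from becoming an open redirector
    # that phishers could use to borrow its reputation.
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_link(url):
    """At delivery time, replace a link with a gateway link carrying the original."""
    return GATEWAY + "?" + urlencode({"u": url, "sig": _sign(url)})


def rewrite_html(html):
    """Rewrite every absolute href in an email body. A regex is enough for the demo;
    a real filter should use an HTML parser and entity-escape the rewritten value."""
    return HREF_RE.sub(lambda m: 'href="%s"' % rewrite_link(m.group(1)), html)


def resolve_click(gateway_url, blocklist):
    """Run at click time, so a host that was unknown at delivery but is on the
    blocklist now is still stopped. Returns (verdict, original_url)."""
    q = parse_qs(urlparse(gateway_url).query)
    url = q.get("u", [""])[0]
    sig = q.get("sig", [""])[0]
    if not hmac.compare_digest(_sign(url), sig):
        return "tampered", url
    host = (urlparse(url).hostname or "").lower()
    if host in blocklist or classify_url(url) == "lookalike":
        return "block", url
    return "allow", url


# Constructed sample: the visible link text says facebook.com, the href does not.
SAMPLE_EMAIL = (
    "<p>Security Alert! Confirm your identity: "
    '<a href="https://facebook.com.account-verify.example/login">facebook.com</a></p>'
)

if __name__ == "__main__":
    wrapped = rewrite_html(SAMPLE_EMAIL)
    link = HREF_RE.search(wrapped).group(1)
    print(resolve_click(link, set()))
```

The split between `rewrite_link` and `resolve_click` is the whole point of time-of-click protection: the delivery-time pass only wraps, and every decision (blocklist, lookalike check, signature) happens when the user actually clicks, when the phishing page may have gone live and the blocklist may have caught up.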

Can you spot a phishing email? Take the phishing IQ test to find out.