The growth of social media phishing can be largely attributed to the broadening reach of social media companies like Facebook, WhatsApp, Instagram, and LinkedIn. All have branched out considerably, with expanded features and integration with third-party applications. To a phisher, social media offers not only a large pool of victims but also an endless array of entry points.
The connection between social engineering and social media phishing
Social engineering is the process of using psychological manipulation to encourage a victim to disclose confidential information. For social engineering to be effective, a cybercriminal must have personal information about his or her victims. What better platform to find this information than on social media?
4.2 billion people use social media. Despite warnings to secure our accounts with strong passwords and avoid revealing overly personal details, we continue to ignore best practices and open ourselves to attack. We share our whereabouts, political affiliations, financial hardships, health issues, and career ups and downs. This information is all a cybercriminal needs to socially engineer and hit us where it hurts.
It’s no surprise that the largest and most influential social media company in the world would also be the most impersonated by phishers. In 2021, Facebook phishing increased 71 percent YoY, making Facebook the most impersonated brand in phishing attacks for the year.
To understand the spike, consider how Facebook became the behemoth it is today. In 2007 Facebook had only 20 million users. After opening its platform to outside developers, Facebook grew by an average of 200 million users per year.
The apps that those developers integrated with Facebook stored data—lots of it—on Facebook users. Eventually, the data wound up on the black market. In 2021, personally identifiable data on 1.5 billion Facebook users was discovered on the dark web. With that data in hand, cybercriminals were free to carry out any number of crimes against those users.
Stories about data leaks have continued to plague Facebook. As a result, Facebook users are accustomed to receiving updates from Facebook about the company’s privacy initiatives. In some cases, however, it’s not Facebook that is sending those emails but phishers impersonating Facebook. With users on heightened alert from a constant stream of negative news stories, they react quickly when phishers direct them to update their Facebook passwords, unknowingly divulging the very data they were trying to protect.
In other cases, phishers directly exploit the third-party app relationship to steal user data. Facebook's universal login API allows users to log in to tens of thousands of apps directly from Facebook. Phishers exploit this by building phishing pages designed to look like Facebook Login. A user tries to log in to a popular app but actually divulges their login credentials to the phisher.
WhatsApp phishing has steadily increased since Q4 2020. By Q1 2021, it increased by 441 percent, making WhatsApp the 3rd most impersonated brand in phishing attacks of the quarter. In 2021, WhatsApp was the 4th most impersonated brand of the year, representing nine percent of all phishing pages analyzed by Vade. WhatsApp security vulnerabilities may have been the driving force toward the increase, with a Pegasus spyware attack targeting journalists and human rights groups hitting 1,400 users in 2019.
Instagram, which came in at #21 on the list of most impersonated brands of 2021, has become an advertising giant and a career springboard for the internet famous. Instagram phishing and spear phishing attacks have picked up steam in recent years as the platform has grown to 1 billion users.
Instagram attacks run the gamut from password-update requests sent via phishing email to multi-phase attacks that begin with phishing and evolve into spear phishing attacks that occur inside Instagram. In these attacks, the cybercriminal harvests a user’s Instagram credentials on a fake Instagram login page, then they phish and spear phish the user’s followers from the compromised account. In other cases, the hacker might compromise the account via phishing and then demand a ransom to avoid release of compromising information and images.
In one highly effective phishing campaign, a phisher preyed on its victims by exploiting one of the deepest desires not only of high schoolers around the world but also adults: the need for validation. The Instagram verified badge is more than a little blue check box—it’s validation that a user is a bona fide celebrity, influencer, or brand. Cybercriminals impersonating Instagram send phishing emails to victims asking them to log in to Instagram to activate their verified badge. When they do, their credentials are harvested.
Not everyone is interested in the little blue checkbox, but you’re more likely to trust a user if they have one on display—this is true across social media platforms. The little blue badge is not just a symbol of influence but a symbol of trust that a phisher can use to manipulate victims.
Recruiters are always on the hunt, so it’s not surprising for recruiters to reach out to LinkedIn users via InMail. Phishers exploit job hunters by impersonating recruiters and asking victims to either divulge personal information on a phishing page, pay for training and/or the recruitment service, or even download a job application or description. Often, these are PDF and Word docs with macros that unleash malware. In other cases, the link leads to a website that delivers the malware.
A common LinkedIn phishing tactic is the connection request scam. Phishers create fake LinkedIn emails asking the user to accept a connection request; when the victim logs in to LinkedIn to accept, their credentials are stolen. Like the Instagram examples above, this is the perfect way for a cybercriminal to take over a LinkedIn account. Impersonating other users and sometimes influencers, the phisher is free to make new connections and contact other users via InMail, whether to phish or spear phish.
Protecting yourself from social media phishing
While social media phishing often targets individual rather than corporate email accounts, businesses spent $154 billion on social media advertising between 2021 and 2022, making businesses targets for attack. Victims who are not trained to recognize phishing will react emotionally and quickly—clicking the phishing link without noticing the anomalies.
Strong email security with time-of-click anti-phishing technology is essential to protecting your business and your clients from social engineering and phishing. And don’t underestimate the importance of phishing training. Phishing attacks are highly sophisticated, and an occasional threat has the potential to slip through. Users who are trained are less likely to fall victim to attack, and users who are alerted immediately if they click on a phishing link are far less likely to do so in the future.
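As an added example (not code from the original post or from Vade), the two defensive ideas in this post combined in one script: a brand-lookalike check for the fake Facebook and Instagram login pages described earlier, and a time-of-click link rewriter that re-evaluates each email link when it is clicked rather than when the mail is delivered. The click-guard.example redirector, the brand allow-list and the sample email HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, quote, unquote

# Constructed allow-list: registered domains that legitimately belong to each brand.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "whatsapp": {"whatsapp.com"},
    "instagram": {"instagram.com"},
    "linkedin": {"linkedin.com"},
}
REWRITER = "https://click-guard.example/u?target="  # hypothetical redirector endpoint

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com hosts used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def impersonated_brand(url: str):
    """Brand whose name appears in a URL that is NOT hosted on that brand's own domain, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname drops userinfo, so "facebook.com@evil.example" resolves to evil.example
    if any(registered_domain(host) in legit for legit in BRAND_DOMAINS.values()):
        return None  # genuinely on a brand domain
    haystack = parts.netloc.lower() + parts.path.lower()  # netloc keeps any userinfo decoy text
    return next((b for b in BRAND_DOMAINS if b in haystack), None)

class LinkRewriter(HTMLParser):
    """Route every <a href> through the redirector so it is re-checked when clicked, not when delivered."""
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = [(k, REWRITER + quote(v, safe="")) if k == "href" and v else (k, v) for k, v in attrs]
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, v) for k, v in attrs)))
    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(data)

def rewrite_links(html: str) -> str:
    p = LinkRewriter(); p.feed(html); p.close()
    return "".join(p.out)

def check_click(url: str):
    """Time-of-click verdict for a rewritten (or plain) link: ('block', brand) or ('allow', None)."""
    target = unquote(url[len(REWRITER):]) if url.startswith(REWRITER) else url
    brand = impersonated_brand(target)
    return ("block", brand) if brand else ("allow", None)
```

The keyword heuristic is deliberately simple; a production filter would add homoglyph and typo-squat matching and a reputation lookup at click time.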