Social media-based phishing attacks have taken off in a big way.
According to some estimates, social media now accounts for as much as 5% of all phishing attacks globally. When you consider that phishing volume has grown consistently every year for more than a decade (up 40% last year alone), that 5% constitutes a lot of attacks.
This increase is no coincidence. Social media phishing attacks are highly effective, with spear-phishing campaigns seeing much greater open rates when delivered via social media compared to email.
As we explained in the last post, social phishing threats go way beyond the big platforms (Facebook, Twitter, and Instagram) and can include everything from YouTube videos and forum posts to malicious entries on paste sites and job boards.
While techniques and platforms vary, the threat to organizations remains consistent: threat actors have the ability to abuse your brand and trademarks to target your customers, employees, and company assets.
In this post, we're going to look at some of the key terms and concepts surrounding social media phishing. We'll also cover some best practices you can incorporate into your cyber risk management program to mitigate potential threats to your organization.
Key Terms and Tactics
If you've followed our content for a while, you should already have a good understanding of how phishing works, what it involves, and the different types of threats it can pose to organizations.
While social media phishing is in principle a similar beast to traditional phishing, its dangers are often quite different and tend to revolve around a loss of brand value and damage to customer/brand trust.
Here are some of the key terms and tactics to watch out for:
Account Takeover: a threat actor or group obtains login access to a social media account, typically changing the password to ensure the account's real owner can no longer access it. Account takeover is usually achieved by tricking a user into giving up their login credentials, often using a fake website (a.k.a. phishing site) that resembles the login page for the relevant social platform.
Impersonation: the creation of fake accounts that appear (and claim) to be official accounts for an individual or organization. These accounts are often created on social platforms where the victim is not active, making them more difficult to identify and report.
Credential Theft: this is a common tactic used in social media phishing, and is often used to gain access to legitimate social media accounts for the purpose of impersonation or info gathering. So-called "password reuse attacks" are also common, where compromised credentials are used to gain access to other accounts like, for example, a user's workplace email account.
Info Gathering: as with email-based phishing, targeted social media phishing attacks generally require an element of research on the part of the attacker. Since organizations and individuals routinely make a great deal of information publicly available via social media, threat actors often research their targets using these platforms and use any information they acquire to craft highly convincing spear-phishing campaigns.
Fake Customer Support: a common form of impersonation, fake customer support accounts are created and used to reach out to customers who complain about an organization's products, services, or activities on social media. This tactic can be used to harvest login credentials, distribute malware, and gather information.
Three Best Practices to Defang Social Phishing Threats
There are three simple steps organizations can take to keep themselves safe from social media phishing:
To keep your organization safe from social threats, you need a mechanism to help you identify and shut down fake accounts that impersonate or abuse your brand. You should also be on the lookout for potential slip-ups on the part of your employees, and for any mention of your brand or trademarks on social media.
To achieve all this, you'll need a formal monitoring program that includes social media. Typically, this involves a combination of automated systems and human expertise.
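As an added illustration (not code from this post or from any vendor), here is how the automated half of such a monitoring program might rank account handles that resemble a brand before a human analyst reviews them. The brand name, official handles, keyword list, look-alike map, and score weights are all constructed assumptions.

```python
import difflib
import unicodedata

# Everything below is a constructed placeholder: brand, handles, keywords, weights.
BRAND = "examplebank"
OFFICIAL = {"examplebank", "examplebank_help"}  # accounts the organization really runs
SUPPORT_WORDS = ("support", "help", "care", "service")
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})

def plain(handle):
    """Lower-case, strip accents, keep letters and digits only."""
    text = unicodedata.normalize("NFKD", handle.lower())
    return "".join(c for c in text if c.isalnum() and not unicodedata.combining(c))

def score(handle):
    """Return (points, reasons) for one observed handle; 0 means no brand signal."""
    if handle.lower() in OFFICIAL:
        return 0, ["official account"]
    raw = plain(handle)
    norm = plain(handle.lower().translate(LOOKALIKES))
    core = norm
    for word in SUPPORT_WORDS:  # strip support wording before comparing spellings
        core = core.replace(word, "")
    points, reasons = 0, []
    if BRAND in norm:
        points, reasons = 3, ["contains brand name"]
    elif difflib.SequenceMatcher(None, core, BRAND).ratio() >= 0.8:
        points, reasons = 2, ["near-miss spelling of brand name"]
    if points and core != norm:  # fake customer support pattern
        points += 2
        reasons.append("customer-support wording")
    if points and raw != norm:  # digits or symbols standing in for letters
        points += 1
        reasons.append("look-alike characters")
    return points, reasons

def review_queue(handles, threshold=2):
    """Rank suspicious handles for a human analyst; nothing is reported automatically."""
    scored = [(h, *score(h)) for h in handles]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample of handles seen by a monitoring feed.
SAMPLE = ["ExampleBank", "gardening_tips", "exampelbank", "ExampleBank_Support", "Examp1eBank_Help"]

if __name__ == "__main__":
    for handle, points, reasons in review_queue(SAMPLE):
        print(f"{points}  {handle:22} {', '.join(reasons)}")
```

The output is a ranked review list, not a verdict: an analyst still decides which entries are impersonation and which are fan pages or coincidences.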
Did you note how we said you need a way to identify and shut down malicious accounts? This second part is critical. Once a malicious page or account has been identified, it must be taken down ASAP to minimize the threat posed to customers, employees, and your brand.
Have a process in place to inform social media providers and web hosts that a malicious account or page is active and needs to be shut down immediately.
Lastly, users must understand the implications and potential threats posed by social phishing both for themselves and for the organization. For example, how might they be targeted? What signs can they look for that a social account or communication may be malicious?
Similarly, users should be trained to take basic precautions when interacting with social media. Setting more stringent account privacy settings is an essential first step, but there's a more important message to impart: By default, be skeptical of social media.
Cover topics like why they shouldn't accept friend requests from people they don't know or why they shouldn't assume that unsolicited messages are legitimate. Ultimately, the goal is to train users to be more discerning (and less trusting) when using social media.
The Importance of Human Expertise
Automated systems can only do so much scanning, monitoring, and risk assessing. Ultimately, in order to determine whether an account, page, or incident truly represents a threat to your organization (and needs to be acted on accordingly), there must be some form of human involvement.
Skilled analysts are equipped to analyze these potential social phishing threats and determine what actions need to be taken. Similarly, human relationships are essential to having malicious accounts and pages taken down promptly.
Whether you handle these threats in-house or outsource them to an expert provider, the bottom line is that you must make sure there is an expert human element to the solution you depend on.
How Much of a Threat Does Social Media Phishing REALLY Pose?
If your organization is considering taking action to fight social media phishing, you might be asking yourself: Is this really a serious threat?
Quite simply, the answer is yes.
In our next post, we'll look at how much damage a threat actor can cause if they successfully take over a social media account.