According to Verizon's 2020 Data Breach Investigations Report, 22% of data breaches in 2019 involved social attacks. The most common, by far, are phishing emails based on socially engineered data. Although users have become more familiar with these techniques, phishing continues to be lucrative for hackers.
Threat actors are always looking for new ways to trick users into falling for scams, so it's no surprise that they're turning to one of the most popular segments of the internet—social media. Social media phishing makes up just 5% of all phishing attacks, yet more than three-quarters of all US companies experienced social phishing attacks last year.
Understanding social media phishing
Phishing via social media is a bit different from other types of phishing. While email and text message phishing are essentially passive attacks sent to a user who then must decide whether or not to take action, social media phishing actively encourages the user to click on a link or open a video based on their interests. Of course, social media sites rely on algorithms to put the things that interest you most in front of you, usually in the form of ads. But threat actors also take advantage of algorithms and user behaviors in the hopes that someone who loves cat videos, for example, will click on their malicious link.
The threat actor's objective is to reel you into their trap so that they can gain access to your most valuable assets. Social media account takeover is popular and is often tied to impersonation; either scenario can result in phishing. If an attacker takes over your account, for instance, they can use it to send phishing messages or friend requests. Or if someone you know is being impersonated with a fraudulent account, you could receive dangerous private messages requesting you watch a video or open a link.
Quizzes have proven to be a successful way to harvest credentials; any time a link is clicked, a third-party site can access a social media account, creating the risk of the password and username being handed. Innocent scrolling through Twitter or Instagram may lead one to a malicious link in a post. Hackers depend on users to feel safe on their social media accounts—they are among "friends" on trusted websites, after all—and let down their guard and loosen up on normal security behaviors.
A threat to businesses
Social media is a valued business tool, as organizations rely on popular websites to interact with consumers. In addition to the workers responsible for managing social media accounts, employees often access their social media accounts on their work devices. And with so many employees still working remotely, the line between business and personal has blurred even more.
Social media phishing opens the business up to the risk of malicious software on the network, as well as stolen business credentials, if users use their company email address on social media websites. Being connected to a social phishing scam can also lead to reputational damage.
To protect users and businesses from phishing attacks on social media:
- Set strict rules about using work credentials for personal social accounts, as well as for accessing personal accounts on work devices.
- Institute security awareness training educating employees on how to detect a social media scam.
- Monitor for accounts impersonating your business.
Everyone, even the experts, can fall prey to phishing, especially on social media. Encouraging users not to let their guard down and to always be aware of scams can help protect against these types of attacks.
Learn how Verizon's DNS Safeguard can help protect your company from phishing scams and other threats.
The author of this content is a paid contributor for Verizon.