For many, social media is one of the main ways to keep up with friends and family, get the news, and connect with the world. Businesses will also use social media to relay information about products, keep followers informed in a specific topic, and many other ways for marketing and attracting new business. You may have connections on social media, credit card information, and personal information about yourself. All these things and more makes your social media account an attractive target for a phishing attack.
Instagram is a photo-sharing platform used as a sort of photo album of everyday activities and moments. Usually, a phishing attack on Instagram will begin with a fake login page created by the hacker. This fake login page is crafted to look as similar as possible to the real Instagram login page. Hackers will create this copycat page with the hopes that a user will unknowingly enter their credentials thinking they are signing into their account. The attacker captures the credentials as the user enters their information. The attacker can now use the credentials that they have collected to sign in to the user’s Instagram account. If these same credentials are used for other social media accounts, or even worse, your financial accounts, the hacker will now have access to those accounts as well.
Hackers in Instagram will often use a stolen account to spy on the user and pose as the user themselves to request and collect personal information from the user’s friends and followers. The attacker will often delete messages that they send in order to cover their tracks and keep the user unaware that their account was hacked. When an attacker steals the credentials to your account, they can even take ownership of the account from you by changing your personal information and preferences, and even changing the password to lock you out.
LinkedIn is a popular social media networking platform for business professionals. Hackers can send emails, LinkedIn messages, and/or links to trick you into giving up your login credentials. Once they have your credentials, they can use that to log into your account and pose as you. They will likely send your connections phishing messages from your account to collect personal data from them.
Hackers can also send out emails pretending they are LinkedIn. One of the red flags to check for when getting an email requesting information is usually to check the sender’s email. You’ll often be able to tell if the email is fake by looking at the domain of the sender’s email. However, in the case of LinkedIn it can be a little tricky to tell if an email is fake since LinkedIn actually has several legitimate email domains, including @e.linkedin.com and @el.linkedin.com. This makes it a little difficult to keep up with which domains are real and which are fake.
A typical phishing attack for a Facebook phishing attack will likely come through the Facebook Messenger platform from someone on your friend’s list, or through an email that appears as though it’s coming from Facebook but is actually not. The hacker hopes that an unsuspecting user will be tricked by a message coming from someone on their friend’s list. Most of the time a link in a message will usually lead to a fake login page where the user will be asked to enter their login credentials. Once the hacker has their credentials, they will then be able to log in to your account and pretend to be you. They will often send phishing messages to your friend’s list from your profile. They will also most likely try and steal personal information the could be kept on your account number, like your date of birth, credit card information, etc. It is hoped that data found on your social media profile could be used later to gain access to accounts with more pay off like financial accounts.
Unlike LinkedIn and Facebook which are mainly used as platforms to connect with people you know in the real world, Twitter encourages interactions with people that you do not know from the real world. This interaction with people you don’t know becomes more and more comfortable and in turn, it becomes easier to trust a stranger. Hackers who operate in Twitter will use similar tactics that hackers in other platforms use. Whether that is in a direct message form, through a post (or “tweet”), or in an email. These messages will usually attempt to trick the user into clicking on a link where they will be asked for their login credentials or other sensitive data.
Every time you receive an email from someone claiming that they are Twitter (or any other social media platform for that matter), make sure you check that it’s coming from a legitimate domain. For example, Twitter says that they will only ever send emails from two domains: @twitter.com or @e.twitter.com.
The “pay for followers” scam is also popular. In this type of phishing, the hacker will send a message to the user promising followers for, let’s just say, $5.00. The unsuspecting user will go ahead and give their online acquaintance their credit card information for “payment” and other personal information. This will of course open the doors for the threat actor to withdraw funds from your financial accounts and/or use your credit card information to purchase things.