Social engineering is a type of cybercrime that involves manipulating someone into taking a specific action or divulging confidential or personal information, often (but not always) in an online setting. This can take the form of a hacker posing as a trusted source, such as a work colleague or a friend on social media. In this way, hackers take advantage of the trust we have in people we know, those in positions of authority, or even trusted institutions. This piece will focus on social engineering in relation to social media.
The way social engineering on social networks can play out is twofold. First, there are the cyber-attacks that are carried on your actual social media account. Second, there’s the matter of information you share on social media being used against you, or someone else you know, in an alternative setting. This is often email, but social engineering attempts can also occur over the phone (which is known as voice phishing, or “vishing”), SMS (smishing), and in messaging apps like WhatsApp.
In this article, we’ll go through the three most common social engineering tactics on social media, what they look like in action, and what you can do to protect yourself. Let’s get started.
1. Account Takeovers and Cloning
This kind of social media hacking usually works by taking over a person’s social media profile and either posting to their profile and tagging contacts or private messaging all their contacts. This is known as contact spamming. Sometimes an account doesn’t even need to be taken over. Clever scammers can create a very convincing copy of your account by simply using your profile picture and other publicly available information.
Contact spamming is a common form of phishing and chances are, you’ve seen this kind of social engineering attack in action. It’s often used via email, too. Although it’s the most basic kind of social engineering attack and is very frequently used, there’s no denying that it’s effective. According to a survey by Proofpoint, 83% of respondents experienced a phishing attempt in 2018.
These types of messages and posts promise something along the lines of a great weight loss solution or a really hilarious video “you have to see”. Whatever the promise is, its aim is to get you to click on a very dodgy link or to download an attachment. This link or attachment may lead to malware being downloaded to your computer (such as a key-logging trojan) or a fake profile login page where you have to “sign in” to the social network platform again, and your profile credentials are stolen. When the latter happens, your profile will generally start making these kinds of posts and the cycle continues.
An alternative version of this type of cyber attack attempts to appeal to your contacts’ goodwill. A common technique is the ”stranded traveller” scam, which involves the compromised account messaging contacts and asking them for money, saying they’re stranded while on vacation and need cash to get home.
How to protect yourself
Generally, these kinds of attacks are fairly obvious, but sometimes you can be taken in if you’re not thinking. After all, most of us don’t think twice before clicking on links sent by friends. In future, if you receive a link from a contact, regard it with a critical eye, particularly if it’s from someone you don’t message normally. If you do communicate with this person often, examine how the message is written. Is this how they would usually write a message or does it seem a little off? If it does, contact them through a different channel and ask them if they meant to send you such a message. If not, they can report it to the social media site in question and change their login details. And definitely don’t click on that link. Likewise, if a Facebook friend who rarely posts suddenly starts posting about supplements, chances are it isn’t them.
As a preventative measure, enable two-factor authentication if possible. If there is a suspicious login to your account, then you’ll be alerted by another means, such as SMS or email, so you can remedy things as soon as they happen.
2. Targeted Scams
Social media scams can take countless forms, from fake fundraisers, competitions, and giveaways to fake Facebook groups, questionable ads, and even catfishing. However, when it occurs on social media they are typically more targeted and align with your interests, so it can be more difficult to spot, particularly if something is posted by a trusted contact, a legitimate-seeming business, celebrity, or influencer you follow.
These kinds of scams can be most convincing when scammers take advantage of current events. A great example of this is when scammers purporting to be Apple following the death of Steve Jobs, claimed to be giving away 1,000 free iPads, Macbooks, and iPhones in his honor. It wasn’t real of course, it turned out to be a phishing scam.
Another recent example is the Twitter spear phishing hack of July 2020, which targeted Twitter employees via a text message (this incident is addressed in more detail in this blog post). Hackers took over celebrity twitter accounts and tweeted fake fundraisers and bitcoin scams, encouraging fans and followers to donate or send a certain amount of bitcoin to receive double in return. The latter kind of scam is known as “money flipping”, which promises the victim a huge sum of money in exchange for an advance payment.
Fake ads posing as popular retailers have also been a problem on Facebook and Instagram over the past few years. According to a report by TRACIT, over 70 major companies, including Ralph Lauren and Microsoft, were targeted. Such ads take unsuspecting social media users to fake versions of a brand website where their credit card information may be stolen or they’re sold a counterfeit version of a product.
As for catfishing, unfortunately, it isn’t just the subject of Internet dating reality shows. A more targeted version of contact spamming which we talked about earlier, a catfisher will construct a profile that appeals to the target’s personal or professional interests based on their public profile or groups they’ve joined. Interactions might start innocently enough through friendly interactions over private messaging, but ultimately end with some kind of request to trick you out of your money or personal data once trust has been built. Also known as “confidence fraud”, the FBI reported 19,473 victims in the US in 2019. So, if you ever join a Facebook group and someone suddenly messages you with an offer that’s too good to be true, like everything else mentioned so far in this article, it probably is.
How to protect yourself
- If a contact or someone you follow shares fundraiser, competition, or giveaway, always verify its legitimacy before sharing any information or handing over your cash
- Remember that just because a social media advertisement or company profile might seem legitimate, it doesn’t mean it is. Do a quick Google search for the official website to compare URLs.
- Treat anyone promising you easy money as a scammer, especially when you have to pay an advance fee for it.
3. Data Gathering
Even if they don’t target you specifically on social media, cybercriminals can use it as a means to an end, gleaning personal information about you to use for malicious purposes. Hackers can use even the most innocuous information and smallest details you share to build a believable profile that can either be used on a social media network (to carry out some of the scams we’ve mentioned already) or elsewhere.
Such information may include the people you socialize with, your personal interests, where you’ve been on vacation, the services you use, and where you live. They can also peruse websites like LinkedIn to find your job information, educational background, as well as your working relationships. This information can be used to create convincing phishing emails or sms messages that align with your interests. It could also be used by a social engineer to approach a colleague or friend via these avenues and very convincingly claim to be you. This is known as spear phishing.
Spear phishing is similar to regular phishing, but works by targeting a specific person rather than sending the same message to a whole group of people. The hacker disguises themselves as a trusted friend, colleague, or even work superior, to get sensitive information they need out of a target, such as bank account details, login credentials, or access to company accounts.
How to protect yourself
While the easiest solution would simply be to delete all your social media accounts, in this day and age it’s simply not realistic. Social media has become an intrinsic part of life for many people, and online connections are more important than ever, particularly for those trying to build a professional profile.
That said, be mindful of the kind of information you share publicly. For Facebook, Instagram, and Twitter, make sure your geotagging settings are turned off, particularly when it comes to local establishments you visit frequently.
With regards to Facebook, make your personal profile completely private and set up a separate public profile if necessary. Ensure your personal profile content is visible to friends only. Speaking of “friends”, do a quick sweep of those, too. If there’s anyone you’re unsure about, err on the side of deletion. Better to offend a person you spoke to for two minutes at a party 10 years ago than potentially put yourself at risk.
Another thing to be wary of is responding to “fun” viral posts or copy-and-paste surveys, where you copy a list of questions from another Facebook page and answer them on your own status. Common questions ask for the following: your first pet; mother’s maiden name; birth city; first teacher; favorite color; and the month you were born. Sound familiar? That’s because they’re common security questions for website logins. While it may seem harmless and fun, sharing such information publicly may leave you vulnerable in ways you hadn’t realized.
This article covers only a handful of forms of social engineering on social media. The unfortunate reality is that attack types are constantly evolving and becoming more sophisticated, so there’s no way of covering absolutely every single possibility.
Fortunately, using a bit of common sense and being mindful about what you share publicly online should go a long way in protecting yourself. To recap the advice given throughout, here’s a checklist for protecting yourself against social media social engineering:
- Treat unexpected messages and posts (especially containing links or attachments) with caution
- Enable 2FA
- Always double-check the source of giveaways and fundraisers
- Don’t automatically trust social media ads, pages, or groups
- Be mindful of what you post on social media
- Optimize your privacy settings
- Check your friend lists
- Don’t unwittingly give away security data on “fun” shared posts
As for general best practices, try to avoid logging in to other sites via your social media credentials. If a social engineer ends up hacking into that particular account, it could result in a domino effect, where several of your online accounts are compromised. Similarly, use unique, strong passwords for every site you use.
For a more general overview of the dangers of social engineering and its effects, check out this blog post. To learn how to protect your website from social engineering attacks, we’ve got a blog for that too.