Understanding Social Engineering on Social Media

Hacking is often understood as a heavily sophisticated practice that requires in-depth programming knowledge and tech skills. In reality, most cyberattacks utilize social engineering methods, which exploit human error and may require only basic IT know-how.

Social engineering heavily relies on personal information. Before the World Wide Web boomed, cybercriminals used the telephone to trick people into giving away their bank account numbers or transferring a sum of money to solve an urgent situation. They rarely used anything more than the first and last name and other information that could be found on public records.

Right now, social media is one of the main channels to drive more authentic details to social engineering attacks. To avoid becoming a victim of numerous scams, we have gathered the most common social media exploits and tips on protecting yourself online.

1. Angler Phishing

Angler Phishing is named after a fish that emanates light from an antenna-like rod and eats the prey that swims nearby (we don’t recommend Googling it.)

In hacking, this method describes a social media exploit that targets public user posts asking for help from official business support. For example, if someone has trouble with PayPal, they may post on their official support site asking for assistance. 

A cybercriminal jumps in and answers the question pretending to be an official representative. They often post a shortened link to establish a direct chat, but clicking on it either infects users’ devices with malware or leads to a fraudulent website asking for more personal information.

Like the Angler fish, the hacker pretends to shed some light on the situation, tricking the user into malicious activity. Here’s how to spot the scam:

• Inspect the shortened link. Please hover your mouse over the link (don’t click it!) and inspect the full address path at the bottom of the screen. It is most likely a fraud if it leads to some unrecognizable domain. Direct contact with official business support usually happens on the same platform where the complaint was made, without needing to go anywhere else.
• Inspect the representative’s username. A hacker has created a fake account that resembles authentic customer support. However, they cannot use the same name. Check the account name for grammatical errors or suspicious elements. Remember that after Twitter changed its verified handle policies to issue them to whoever pays the monthly subscription cost, Angler Phishing increased on Twitter because many fake accounts can pose as legitimate.
• Beware of information requests. The end goal of Angler Phishing is to extract confidential data. If you are lured into sharing much more details than the problem requires, the chances are high that you are being scammed. Instead, contact the official company via other means and verify whether the person you’re communicating with is their direct representative.

2. Pretexting

Like Angler Phishing, Pretexting attacks rely on a carefully crafted disguise. However, this time, the hacker initiates a conversation with specific instructions. For example, they can send an email with a fraudulent backlink that guides the user to a cloned website asking for a password change. The email is smartly stuffed with legitimate details, such as a first and last name, company details, spoofed sender’s email address, and more.

It asks to follow the typical procedure: insert the old password, then choose a new password and verify. They extract the old password to take over the targeted account. Moreover, such attacks are often launched when the account in question cannot be accessed for some reason (a server crash, temporary social network downtime, etc.), tricking the user into thinking the situation requires immediate action.

As with the previous method, verifying the representative’s identity and backlink inspection should reveal the scam elements.

General Social Media Protection Tips

Before deploying time-consuming social engineering attacks, hackers will attempt more basic methods, like brute-forcing passwords.

We recommend using additional password protection software like password managers to prevent unauthorized access. Combining it with two-factor authentication will significantly improve your social media account safety.

Do not trust your social media account with most personal information. Whether it’s your business or personal account, most social media information can be accessed by third parties. If you require continuous cross-platform access to specific data, use secure online Cloud storage services with strict protection against unauthorized access rules.

Lastly, do not overshare online. People fill social media accounts with the most intimate details, but even the smallest information can be damaging. Criminals use this information to forge extremely convincing Phishing letters, or they may use it to impersonate you. Limit what you share online and tweak the social media account privacy settings to limit access to your private information.