BLOG

What is the cost of a fraudulent account on social media?

targeted phishing

The past few years of online chaos have proven a few important things for brands growing their presence on social media. The first is that fraudulent accounts happen. Whether this means a campaign directly targeting your brand or a fake brand account intended to scam your customers, there’s no way to avoid a malicious actor creating an account in the image of your business, exec or VIP.

There are two ways a fraudulent account might damage your brand. First, an attacker posts malicious comments, perhaps scams or phishing links, to your page or posts, thus turning your own social media presence into a watering hole attack for your customers. Second, fraudulent accounts might impersonate a brand in the hopes that a customer mistakes them for the real brand. These two types of attacks can be described as inbound risk and external risk. Both attack methods can be extremely detrimental to brands and their cost and implications can be felt long after the attack occurs.

Inbound risk of a fraudulent account

Highly followed accounts like celebrities and major brands have a high chance of having malicious content posted to their accounts. This content can come in several forms, either to an actual page like Facebook, Instagram or YouTube in the form of posts or comments, or directly referencing the brand’s handle, such as on Twitter.

To assess the likelihood of these kinds of attacks, let’s consider the following scenario. A typical user that is interested in a brand will most likely look through roughly 100 pieces of content that the brand has shared, give or take. If you think 100 pieces of content sounds like a lot, take a second from reading this post and open your own Facebook and Twitter feed. A few scrolls on most networks show at least 100 pieces of content right? Based on alerts we’ve seen in the ZeroFOX platform for our customers’ own major brands, within a span of 100 pieces of content, we’ve found that there is roughly a 15-40% chance that a user will encounter malicious content (spam, phishing, malware or otherwise).

For accounts that get tens of thousands of inbound posts and comments daily, this can pose a massive problem for user engagement. This notion also serves to undermine the value of your hard-earned social media community. Large brands can have hundreds of pieces of malicious inbound content posted daily. To really pin down this number, it would require a full audit of that brand’s social media presence.

External risk of a fraudulent account

For many brands, the risk does not end at malicious comments and posts. Malicious actors often operate in the social landscape before you even know they’re there and without coming in direct contact with your brand. With these external risks,  the cost of such a fraudulent account can be primarily measured and combatted at the profile level, instead of the individual post or comment. Fraudulent accounts are the currency of malicious actors on social media and combating fraudulent activity by going after profiles, rather than posts, does more to target the problem at its root.

The goal here is to raise the level of effort for the adversary even a little bit, thus encouraging them to move on to other targets. From an attacker’s perspective, we must realize that possible target accounts are so numerous and commoditized that the elasticity is very high. In other words, the economics of attacking your brand doesn’t make sense for an attacker if you can raise the level of effort even a fraction. The attacker will simply pick a different brand to target. After all, their roster of potentially lucrative targets is as deep as social media itself.

As social media marketing has grown into a major lead-generating tool, customer loyalty, in the form of follows, likes and shares is more important than ever. We now know that this loyalty can be largely (and quickly!) won and lost on social media. However, in such an elastic market, modern shoppers can shift their brand loyalty very easily. According to Accenture, 78% of consumers report they are retracting brand loyalty at a faster pace than three years ago. McKinsey reports that only 13% of customers are loyalists that don’t shop around.

Let’s use online clothing shopping as an example. North Dakota State University states that the average US household spends $2,000 on clothing per year, which we can then assume to be the annual value to a retail brand for per loyal customer. At the scale of social media, a single impersonation scam can engage with thousands of followers per month. Let’s conservatively assume an average of 1,000/month or 12,000 followers annually. Even if a single scammer is successful 1% of the time (about 1,200 victims annually), and even if a fraction of those 1,200 customers leave or stop engaging (assume 1%, or 12 customers) the average annual cost of losing customer to a single fraudulent account is as high as $24,000.

What can we do about these risks?

The first step to combatting both inbound and external risks brought on by fraudulent accounts is to recognize the impact they can have on your brand’s online identity. The second major step is to learn how to identify a fraudulent or malicious account, post and comment. Take stock of your owned social accounts to help identify potential imposters and establish a strategy for monitoring your social media pages, posts and engagements for potential malicious activity. Or even better, invest in a social media security tool that can do the hard work for you.

Summary

In summary, brands, whether large or small, can expect to see a volume of inbound risks posted to their corporate/brand social media assets, and external risks targeted at the fraudulent account level. Luckily, social media security tools like ZeroFOX can remediate these issues in real time. ZeroFOX provides comprehensive solutions no matter how the problem is sliced and protects brands both where they’re most vulnerable and where they see the most value: social media.