In recent years, social media scams have become increasingly prevalent across social networks. Scammers love these platforms because they make finding and engaging targets trivial, are easy and cheap to use, and offer mechanisms like hashtags and follower lists that put a scam in front of the right group of targets with little effort. Best of all, scammers can distribute their campaigns at unprecedented scale and efficiency. They have a number of tricks up their sleeves: fake coupons, technical support scams, financial scams, fraudulent promotions and offers, fake gift card generators, pirated content, recruiter scams and much more. In short: be very careful what you click on social media. If it seems too good to be true, it probably is.
Even a non-technical scammer, located anywhere in the world with nothing more than an Internet connection, can create a group of fake accounts that are built to lend credibility to one another and launch a coordinated scam campaign. Given social media’s scale, scammers are bound to tempt some targets to bite.
Scammers have a couple of different tactics to dupe users and proliferate social media scams, mainly impersonation and hashtag hijacking.
- Impersonation accounts are created to look just like a real brand account, using very similarly spelled names, inserting dashes, spaces or underscores, or substituting homoglyphs: characters that look like the genuine letter in most fonts. For example, a scammer might use a zero (0) instead of an O, a one (1) instead of an l, or a Cyrillic letter in place of its identical-looking Latin twin. They may also reuse the brand’s logo or a photoshopped version of it, photos of products or store locations, and a similar or identical bio.
- Hashtag hijacking is the practice of piggybacking on trending hashtags and brand hashtags to ensure the scam is seen by the right population and by as broad a population as possible. Hashtags are ideal tools for scammers because they can easily ride the coattails of a trend, such as #cybermonday, #aarp or #newiphone, to get their malicious post in front of their targets.
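The homoglyph and separator tricks described above are exactly what an impersonation check has to undo before comparing a handle against the real one. The following is an added example, not ZeroFOX code: it folds a handle to the string a reader actually sees (case, accents, separators, and a hand-picked confusables table, which is an assumption of this example; a production tool would load the full Unicode confusables data) and then compares that skeleton to a constructed list of official handles, flagging exact visual matches and near misses separately.

```python
import unicodedata
from difflib import SequenceMatcher

# Official handles of the brands being protected. Constructed sample data.
OFFICIAL_HANDLES = {"starbucks", "amazon", "walmart"}

# Hand-picked confusables (an assumption of this example): characters that
# render like a Latin letter. A production checker would load the full
# Unicode confusables table instead.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0455": "s", "\u0456": "i",   # Cyrillic с у ѕ і
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i",                  # Greek ο α, dotless ı
}
# Letter pairs that read as a single letter at small sizes ("rn" looks like "m").
# Applied to both sides of every comparison, so the folding stays consistent even
# though it is lossy for genuine words like "cloud".
PAIR_CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d"}


def skeleton(name: str) -> str:
    """Reduce a handle to what a reader *sees*: fold case, strip accents and
    separators, and map each homoglyph to the Latin letter it imitates."""
    s = unicodedata.normalize("NFKD", name.lstrip("@"))   # fullwidth/compat forms -> base chars
    s = "".join(ch for ch in s if not unicodedata.combining(ch))   # drop accent marks
    s = s.lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, letter in PAIR_CONFUSABLES.items():
        s = s.replace(pair, letter)
    return "".join(ch for ch in s if ch.isalnum())                 # drop - _ . and spaces


def classify(handle: str, official=OFFICIAL_HANDLES, threshold: float = 0.85):
    """Return (verdict, brand). Verdicts: official, impersonation, suspicious, unrelated."""
    bare = handle.lstrip("@").lower()
    if bare in official:
        return "official", bare
    sk = skeleton(handle)
    best_brand, best_ratio = None, 0.0
    for brand in official:
        brand_sk = skeleton(brand)
        # Visually identical to the brand, or the brand plus filler such as
        # "_official" or "-giveaway" (this also catches benign names that merely
        # contain a brand, so a real tool would queue these for review).
        if brand_sk in sk:
            return "impersonation", brand
        ratio = SequenceMatcher(None, sk, brand_sk).ratio()
        if ratio > best_ratio:
            best_brand, best_ratio = brand, ratio
    if best_ratio >= threshold:
        return "suspicious", best_brand       # near-miss spelling, worth a human look
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample handles: Cyrillic and digit substitutions, filler words,
    # pair confusables, a one-letter typo and an unrelated name.
    for h in ["starbucks", "Starbucks_Official", "starbu\u0441ks", "5tarbucks",
              "arnazon", "vvalmart", "starbuck", "startrek"]:
        print(f"{h!r:25} -> {classify(h)}")
```

The exact-string check runs first so the genuine account is never flagged by its own skeleton; everything else is judged on the folded form, which is why a handle that swaps in a single Cyrillic letter still resolves to the brand it imitates.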
Social media scams target any vulnerable users:
- The elderly
- Studies show that retirement-age users are the most targeted group, likely because they are less familiar with the platforms and digital online culture and thus more easily deceived. In particular, scammers target the elderly with technical support scams, claiming their computer is infected or needs to be updated.
- Holiday shoppers
- These users are popular targets because they are eager and willing to spend money, and expect too-good-to-be-true deals to pop up around the holidays. Attackers create fake accounts of popular consumer brands and hide their social media scams behind fake coupons and offers. Holidays also have very specific hashtags, so scammers can append #memorialday or #blackfriday to their scam posts. Moreover, they can tailor the fake coupons and offers to whatever makes sense for that holiday (such as more feminine products around Mother’s Day or barbeque supplies around July 4th).
- Military members
- Military members and their families are particularly susceptible to financial crimes because they are accustomed to wiring money overseas and often receive unique financial packages from financial institutions. They are also regular social media users while deployed, with social media often their only means of staying in touch with family and friends back home. Scammers impersonate loved ones or military members themselves to request urgent money transfers, and they create fake military member profiles to court women online in what are known as romance scams: the scammer earns the trust and affection of someone online and eventually requests money, or help purchasing flights home, as part of a more elaborate scheme.
- Single mothers or struggling families
- Financial scammers go after anyone in desperate financial situations. They offer fake financial services such as card cracking (the victim hands over a debit card and PIN so the scammer can deposit fraudulent checks and withdraw the funds) or money flipping (the victim sends a small sum that is supposedly multiplied and returned, but never is) to make a quick return. They often use hashtags like #singlemom to get the scam in front of their desired target.
- Disaster victims and donations
- Hurricanes Harvey and Irma revealed the internet’s darker side once again as scammers set up fake donation sites, launched crowdfunding campaigns, and impersonated hurricane victims and nonprofits to swindle generous social media users. The scams thrive on the virality of the disaster and prey on the sympathy of other users.
- Consumers of a specific brand
- Social media allows scammers to target a brand’s followers or a business’ customers because a brand’s follower lists can be easily identified. Scammers can further subdivide a brand’s customers into segments based on the information they share with the social networks, all in the interest of making an attack more specific, and therefore more successful. Customer-targeted social media scams usually tease users with a lucrative reward and use the false credibility of a brand’s logo to indicate that a fraudulent offer is legitimate. By imitating a company, the scammer explicitly targets the company’s current or would-be customers, resulting in missed revenue, support costs, and lost business.
- Job candidates
- With more and more organizations using professional social networks such as LinkedIn to recruit and engage talent, those with malicious intent can use the same medium for financial gain or other types of theft. Pay-to-play recruitment scams, in which the candidate is asked to pay up front for a job that never materializes, are easy to perpetrate and often used to exploit individuals making a career change. Scammers therefore target prestigious, high-paying industries such as tech, oil and gas, and financial services, pretending to be recruiters from those industries, and continuously monitor job sites for new targets. They also tend to target individuals fresh out of college and eager to land their first job. This group is particularly vulnerable because they usually feel pressure to find employment and want to make an engaged, positive first impression on a potential employer. Some social media scams even invoke a student’s loan or offer debt forgiveness to add urgency to the offer.
- Employees of a targeted company
- Companies should be wary of spammy social media surveys and promotions that appear to target their employees. Fraud against employees frequently takes the form of a fake account masquerading as someone else in the organization, often an HR manager or a supposed new hire looking for help. Fake CFOs or HR managers ask for SSNs and other confidential or sensitive information and send malware-laced files disguised as W-2s or payslips. Even more convincing than a fake account is a compromised legitimate account. In these cases, the fraudulent request or malicious message comes from a trustworthy source and fits whatever conversation might already have been taking place.
ZeroFOX recommendations for social media scams:
- Beware of coupons and promotions distributed through sites other than the official retailer.
- Look for HTTPS, but do not stop there. Scam websites sometimes lack a TLS (formerly SSL) certificate, signalled by the “https” prefix and padlock in the address bar, which is now standard for almost every website and essential for any site asking for credentials or credit card information; a site that sends your information unencrypted is not one to trust. The reverse does not hold: certificates are free and automated today, and many phishing sites serve HTTPS, so the padlock only tells you that the connection to that domain is encrypted, not that the domain belongs to the retailer. Check the domain name itself, not just the lock.
- Ensure two-factor authentication is enabled on your social media accounts when available. This provides yet another barrier of protection should a malicious page steal your credentials. Many social networks can now require a code be sent to your phone or via email when they detect a new browser or device attempting to access your account.
- Beware of links on social media. Hover over them to see where they really go and look closely for impersonator URLs: the brand name tucked into a subdomain of someone else’s domain, or characters meant to look like others. When in doubt, paste the link into a free analysis tool like VirusTotal rather than clicking it.
- If anyone or anything prompts you to download and install an app or file, steer clear. Mobile apps should only be downloaded from curated app stores such as the Apple App Store or Google Play; apps from any other source should not be trusted.
- Ensure that your anti-virus and anti-malware is kept up-to-date on your device, whether it’s a PC, Mac, or mobile device.
- Curate who you follow. Following suspicious accounts increases your chances of being exposed to social media scams, and even benign accounts can be hijacked by or sold to scammers.
- Beware of brand impersonations. Unless an account carries the platform’s verified badge, do not click anything it posts in a brand’s name; it is likely an impersonation of the real profile. Treat the badge as a useful signal rather than a guarantee, and check the spelling of the handle as well.
- Above all, be careful what you click on social media! If it looks suspicious, it probably is.
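Two of the recommendations above, checking the domain rather than just the padlock and hovering to compare the real destination with the visible link, can be turned into a mechanical check. The following is an added example, not ZeroFOX code, and the brand domain allow-list is constructed sample data; it decodes punycode hosts to the characters a browser would render, flags hosts that mix scripts, catches a brand name used as a subdomain of someone else’s domain, notes plain HTTP, and compares the displayed URL with the real target. The two-label registrable-domain helper is a simplification (it ignores multi-part suffixes such as co.uk; production code should use the Public Suffix List).

```python
import unicodedata
from urllib.parse import urlsplit

# Official domains of the brands being protected. Constructed sample data (assumption).
BRAND_DOMAINS = {"starbucks.com", "amazon.com", "walmart.com"}

# Digits commonly swapped for letters in lookalike domains; used only for the brand-name check.
DIGIT_FOLD = str.maketrans("01357", "olest")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: this ignores multi-part public
    suffixes such as co.uk; production code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def scripts_in(host: str) -> set:
    """Unicode script names of the letters in a host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def inspect_link(displayed_text: str, href: str):
    """Return (verdict, findings) for a link as it appears in a post.

    displayed_text is what the post shows; href is where the link really goes
    (what you see when hovering). Finding codes:
      idn                   host contains punycode (xn--) labels hiding non-ASCII characters
      mixed-script          host mixes scripts (Latin plus Cyrillic, Greek, ...)
      brand-outside-domain  brand name appears, but not as the registered domain
      plain-http            link is not HTTPS
      text-href-mismatch    visible URL and real destination differ
      unknown-domain        registered domain is not an official brand domain
    """
    findings = []
    parts = urlsplit(href)
    raw_host = parts.hostname or ""
    host = raw_host
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn")
        host = host.encode("ascii").decode("idna")      # the characters a browser would render
    if len(scripts_in(host)) > 1:
        findings.append("mixed-script")
    reg = registrable_domain(host)
    folded = host.translate(DIGIT_FOLD)
    for brand_domain in BRAND_DOMAINS:
        brand = brand_domain.split(".")[0]
        # starbucks.com.free-coupon.example belongs to free-coupon.example, not to Starbucks
        if brand in folded and reg != brand_domain:
            findings.append("brand-outside-domain")
            break
    if parts.scheme != "https":
        findings.append("plain-http")
    shown_host = urlsplit(displayed_text).hostname if "://" in displayed_text else None
    if shown_host and shown_host != raw_host:
        findings.append("text-href-mismatch")
    if reg not in BRAND_DOMAINS:
        findings.append("unknown-domain")
    return ("ok" if not findings else "suspicious"), findings


if __name__ == "__main__":
    # Constructed sample links: the real site, a brand-in-subdomain coupon lure,
    # a digit-swapped domain behind honest-looking anchor text, and a Cyrillic lookalike.
    samples = [
        ("https://www.starbucks.com/rewards", "https://www.starbucks.com/rewards"),
        ("http://starbucks.com.free-coupon.example/claim",
         "http://starbucks.com.free-coupon.example/claim"),
        ("https://www.amazon.com/deals", "https://amaz0n-deals.example/x"),
        ("https://starbucks.com/gift", "https://starbu\u0441ks.com/gift"),
    ]
    for shown, real in samples:
        print(f"{real!r:50} -> {inspect_link(shown, real)}")
```

Note that a valid certificate would not change any of these verdicts: the scheme check only distinguishes encrypted from unencrypted, and every other finding is about who owns the name the browser is talking to.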
Other ZeroFOX reading on social media scams:
- White Paper: Post Grams Not Scams: Detecting Money Flipping Scams on Instagram Using Machine Learning
- White Paper: Social Engineering in the Social Media Age: Top Fraudulent Account & Brand Impersonator Tactics
- Guide: The Comprehensive Social Media Privacy Guide
- Blog: Military Scams on Instagram: Why Cybercriminals Target the Armed Forces
- Blog: The Knights & Knaves of Instagram: Scammers vs. Vigilantes
- Blog: Social Media Coupon Scams Skewer Food Retailers in Time for Memorial Day
- Blog: Fake Mother’s Day Scam Coupons Spread Across Social Media
- Blog: Social Media Impersonators go Phishing: 3 Emerging Tactics
- Blog: 6 Cyber Security Tips for the Average Joe
- Blog: Beware These 4 Holiday Scams on Social Media
- Blog: 7 Social Media Security Best Practices
- Blog: Recruiter Scams Impersonate Brands, Extort Job Candidates
- Blog: Bitcoin Scams on Social Media: The Dark Side of Digital Currency
- Blog: “Super Mario Run” Scams Run Wild on Social Media
- Blog: ZeroFOX Research Team Publishes Exclusive Research on Instagram Scam Epidemic
- Blog: Where Do Employees Experience the Most Cybercrime?
- Blog: The Year of the Clickbait Facebook Scam
- Blog: 3 Social Network Threats Brands Need to Watch Out For
- Infographic: Cyber Monday Breeds Cyber Crime
- Infographic: Anatomy of an Enterprise Social Media Attack: Customer Scams