It’s upsetting when bad actors turn the good things in life against us. We use social media daily to celebrate, learn, keep in touch, fall in love, and buy things that satisfy our needs and wants. Unfortunately, hackers exploit that information to execute phishing attacks.

Social media platforms not only experienced more attacks in 2022; they have also become the fastest-growing attack surface. Organizations rely on social media to connect with employees and customers and promote their goods and services. Employees spend hours on social media platforms for work and personal activities.

Social media is a constant in our lives. Scammers exploit that ubiquity to gather information about individuals and launch social engineering tactics against them. Everyone is a potential target.

At its core, phishing is deception that relies on impersonation and fakery. Social media is free to use and open to all. This means fake profiles are shockingly easy to create.

Since social media platforms are all slightly different, attackers have developed niche tactics specific to each site to help evade detection. Users are far more likely to trust a profile on a social media site they know and love than an email from an unknown person.

The best way to counter a phishing attempt is to notice it while it’s happening. Be aware of these common phishing schemes and look out for them on social media.

1. Email Notification Phishing

Social media revolves around real-time information, and platforms need user contributions to keep things interesting. Platforms send email updates to users to tell them what’s happening and bring them back to the platform.

Social media sites also use email to communicate with users about security updates or account information. When notification emails come from well-known social media sites, users trust them. The template is standard, rarely questioned, but easily spoofed.

Users receiving these email messages often click links or buttons in the message body without paying attention to the rest of the design. Hackers rely on this behavior to take users to fraudulent sites behind those buttons. Scammers then use these sites to steal sensitive information. They might set up a fake password reset scam or initiate a malware download.

Thankfully, users can prevent most email phishing attacks by simply doing a safety scan of the incoming email. Look closely at the email address and domain. Email phishing attacks always come from bogus email addresses or addresses with incorrect domains. The design, logo position, and language used may be slightly off-brand and can tip you off to a phishing attempt.

2. TikTok Phishing

TikTok had 755 million global users in 2022 and is projected to have one billion by 2025. Sadly, as people join the popular site in droves, so do scammers.

Similar to other phishing schemes, TikTok fraudsters target people through emails and texts. Many TikTok users prize popularity, so scammers tempt them with likes, verified account status, and TikTok sponsorships. Some promise TikTok coins, an in-app currency typically earned through live streaming. When users click the links, they visit bogus sites that try to steal information or take over their accounts.

TikTok is a beloved platform for following celebrities and influencers. It’s also rampant with imposter accounts. Many are run by bots that can appear remarkably lifelike. Fake accounts draw in adoring fans, who then make the mistake of sharing sensitive information through illegitimate links.

TikTok has great, distracting entertainment value, so users should use vigilance when they connect with other accounts or open messages from purported TikTok staff. The site makes it clear that it never asks users for identifying information or credit card details. To be extra safe, TikTok users should enable two-factor authentication on their accounts.

3. LinkedIn Fake Job Scam

In a hot job market, employees and employers often use social media to discover that next great role or talented new hire. LinkedIn has streamlined the recruitment process and made it easy for workers and organizations to connect. However, the platform also lets scammers create fraudulent company pages and run fake job scams.

The typical scam starts with a phony job posting. Attackers use it to collect job applications or lure potential applicants through private messages. The process gives cyber criminals sensitive information to use in later phishing attacks.

Some attackers go further. After awarding the victim the non-existent job, they mail them a fraudulent first paycheck and make up a reason to request a portion of the money back. The check bounces, and the scammer escapes with the victim’s money.

If a situation feels strange, that’s a clue that something’s wrong. It’s unusual for an employer to ask an employee to send money. Slow down and investigate.

Before getting into that situation, avoid fake job scams on LinkedIn and other job sites by verifying that the employer is legitimate. If a recruiter asks you for personal information, ensure you understand why they need it. Lastly, always share your information through secure communication channels.

4. In-App Phishing

All social media platforms provide some form of direct messaging between users. This functionality lets scammers create fake profiles and impersonate a victim’s friends or family. Fraudsters exploit the direct channel and the user’s trust to make up a phony situation and ask for help. Common requests include money to cover an urgent payment or a password to a private account.

Fake social media profiles can be hard to spot. Scammers may use previously collected information, such as employment details and city of birth, to make the profiles look genuine. When scammers add recent photos to fake profiles, they look even more real.

The biggest tell is the language, sentence structure, and expressions used by the scammer. The communication will feel “off” in some way. Even proficient scammers have difficulty sounding like the strangers they’re trying to impersonate.

Another tell is asking for money to be sent in a complicated way. Fraudsters don’t operate using simple and legitimate means like bank transfers. To be untraceable, they resort to alternative money services like Western Union or gift cards.

5. Fake Customer Support

Many people use social media to get direct support from companies. Online chats are instant and more convenient than phone calls. Younger consumers prefer getting text replies to being on hold. Many companies are expanding their service options with dedicated support accounts.

Unfortunately, scammers only need a stolen logo and company description to trick people. They create fake accounts that mimic the company and reach out to people requesting help. They direct targets to fake login pages and steal their login information. More brazen scammers even get their victims to pay upfront for repair services that will never materialize.

The best way to detect these scams is by examining the URL of any website they send you. It won’t contain the correct primary domain name of the company you think you’re interfacing with. The language often sounds overly casual for a business, and messages may contain sentence structure and spelling errors.
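The domain checks described here and in the email notification section can be automated. The following Python sketch is an added example, not code from the original article; the `EXPECTED` allowlist, the function names, and all sample URLs and addresses are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the reader expects for each brand. Extend as needed.
EXPECTED = {
    "tiktok": {"tiktok.com"},
    "linkedin": {"linkedin.com"},
}

def _belongs(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_link(url, brand):
    """Return the reasons a link looks wrong for the brand it claims."""
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https")
    # https://brand.com@other.example/ really goes to other.example
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    # Look-alike characters show up as non-ASCII or xn-- (punycode) labels
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalized host (possible look-alike)")
    if not _belongs(host, EXPECTED[brand]):
        reasons.append(f"host {host!r} is not under {sorted(EXPECTED[brand])}")
    return reasons

def check_sender(from_header, brand):
    """Return the reasons a From: header does not match the claimed brand."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not domain or not _belongs(domain, EXPECTED[brand]):
        return [f"sender domain {domain!r} is not under {sorted(EXPECTED[brand])}"]
    return []

if __name__ == "__main__":
    # Constructed samples: one genuine-looking link, three deceptive ones.
    for url, brand in [
        ("https://www.tiktok.com/login", "tiktok"),
        ("https://tiktok.com.account-verify.example/coins", "tiktok"),
        ("https://linkedin.com@jobs-portal.example/apply", "linkedin"),
        ("https://xn--tiktk-jua.com/", "tiktok"),
    ]:
        print(url, "->", check_link(url, brand) or "ok")
    print(check_sender('"TikTok Security" <help@tiktok-support.example>', "tiktok"))
```

A matching From: domain is not proof on its own, because the visible sender address can be forged; treat a mismatch as a strong warning and a match as only one signal.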

The Rules of Phishing

Social media phishing is much like phishing through other channels. The threat is the same, but people need to know where and how scams are happening to spot them. As we spend more time on social media, it’s essential to apply the same level of caution to our security and personal information as we do in the real world.

Remember to always look for the source of the message. Check identifying information like URLs and sentence structure. Never share sensitive information online in an unsafe manner. Applying these three simple rules will prevent most phishing attempts on social media.


