Social media phishing refers to an attack executed through platforms like Instagram, LinkedIn, Facebook, or X. The purpose of such an attack is to steal personal data or gain control of your social media account.
Social media has become as ubiquitous as the air we breathe. Individuals use Facebook, Instagram, X, and a multitude of other platforms to keep up with friends and family, stay on top of the latest news, date, and connect with the world.
Businesses also use social media to keep customers informed about their latest product offerings and events, for marketing, and to attract new business. This makes social media an attractive platform for threat actors to execute phishing attacks. Tools such as Hidden Eye or ShellPhish make these types of phishing attacks as easy as running an application.
The information gleaned by the hackers includes social media account login credentials, credit card information, and personal information about you that can then be used to launch other scams and attacks.
Instagram is a popular photo- and text-sharing platform. Instagrammers worldwide use this platform as sort of a video diary to share everyday activities and moments.
A phishing attack on Instagram begins when a hacker creates a fake Instagram login page. To fool you, these sham pages are crafted to look as much like the real site as possible. When you provide an Instagram user ID and password to the phoney page, the attacker captures your credentials. You will usually be redirected to the real Instagram login page for authentication, but the damage has already been done. With your Instagram credentials, the attacker has full access to your account.
If you use those same credentials to log on to other social media sites, or worse yet, your bank account, the attacker will have access to those accounts as well.
After gaining access to your Instagram account, the hacker can spy on you. The hacker can also now pose as the legitimate user and request personal information from your friends and followers. Naturally, the hacker covers any tracks by deleting fraudulent messages.
Taking things to the next level, the attacker can take complete ownership of your Instagram account. The hacker can change your personal information, preferences, and even your password, thus locking you out of your own account.
LinkedIn is the world’s most-used professional networking platform. Hackers send emails, LinkedIn messages, and links to you to con you into divulging sensitive information, credit card data, personal information, and login credentials. The threat actor could hack into your LinkedIn account to pose as you and send phishing messages to your connections to collect personal data.
The hacker can also send out emails that appear to be coming directly from LinkedIn. This is possible due to the fact that the official LinkedIn site has several legitimate email domains, including linkedin@e.linkedin.com and linkedin@el.linkedin.com. This makes it difficult to keep up with the authentic domains versus the bogus ones that may be used by an attacker.
Launched in the early 2000s, and having over 2.9 billion active users worldwide, Facebook is the king of all modern social media platforms. Sites like Friendster and MySpace preceded it, but Facebook has set the blueprint for how people and businesses connect with friends, family, and customers.
A typical Facebook phishing attack is delivered through a message or link that asks you to provide or confirm your personal information. Delivered via a Facebook post or through the Facebook Messenger platform, it is often difficult to separate a prospective friend’s legitimate message from a phishing attempt.
The information gathered via a Facebook phishing attempt gives attackers the information they need to gain access to your Facebook account. You could receive a message informing you that there is an issue with your Facebook account and that you need to log in to correct the issue.
These messages have a convenient link to follow that leads to a Facebook lookalike site. Once you land on this imposter website, you are prompted to log in. From there, the hacker is able to harvest your credentials. Pay careful attention to the URL to be certain you are being redirected to www.facebook.com. Anything else is likely to be a fake.
While Facebook is marketed as a way to keep in touch with friends and family and LinkedIn is used as an avenue for working professionals to connect, X enables you to interact with people you’ve never met in the real world. This level of comfort users adopt when interacting with strangers has made X a popular platform for phishing attacks.
Hackers operating in X use the same phishing tactics and techniques they do for other social media platforms. A threat actor sends fake messages that claim to come from X. These messages attempt to lure you into divulging sensitive information such as login credentials, personal information, and even credit card data. X has made clear that they only send emails to users from two domains: @twitter.com or @e.twitter.com.
These phishing attacks can lead to other related attacks, this includes the “pay for followers” attack. In this method of phishing, you receive messages from hackers claiming to provide you with a specific number of “followers” for the low price of five dollars. Providing your personal information and credit card number opens the door for hackers to withdraw funds from your account and/or to log on to your X account and continue the scam across your list of followers.