A version of this blog was originally published on 19 June 2017.
Many of us live out whole lives on Facebook, Twitter, Instagram and LinkedIn, publicising our thoughts, interacting with friends, strangers and businesses, and keeping abreast of current affairs.
But all that activity has made social media a breeding ground for a new form of cyber attack known as angler phishing.
What is angler phishing?
Angler phishing is a specific type of phishing attack that takes place on social media. Unlike traditional phishing, which relies on emails spoofing legitimate organisations, angler phishing attacks are launched from bogus corporate social media accounts.
This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.
Here’s an example:
Making complaints on social media puts pressure on organisations to resolve the issue promptly.
Organisations often respond more quickly to issues raised on social media, as it provides an opportunity for good PR.
Most responses are along the same lines as our example: the organisation asks the customer to provide their personal details, so it can verify the issue and respond appropriately.
Unfortunately, cyber criminals have exploited this by spoofing corporate accounts and intercepting customer queries.
They use account handles that mimic the legitimate account, such as ‘@dominoscustomercare’, search for customer complaints directed at the legitimate account, and respond to them.
Eagle-eyed individuals might notice that the response came from a different account than the one they messaged, but it’s not uncommon for a big company to direct customer complaints to a dedicated account.
But more often than not, people see that the response comes from an account with the organisation’s name and logo and don’t notice the difference.
The fraudster will then ask the customer to direct message them their account details (as many genuine organisations do), or direct them to what is supposedly a customer support page but is in fact a malicious site, which steals personal information or infects the customer’s device with malware.
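To make those warning signs concrete, here is an added Python example (not from the original post) that checks replies to a customer complaint for the traits described above: a handle that differs from the one addressed and mimics the brand name, a request for account details over direct message, and a link to a non-official domain. The official handle, official domain and the sample posts are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical brand data for illustration only (not real handles or domains).
BRAND = "dominos"
OFFICIAL_HANDLES = {"dominos_uk"}          # genuine accounts the brand actually runs
OFFICIAL_DOMAINS = {"dominos.co.uk"}       # domains a genuine support link would use

# Pattern for "DM/message us your account/card/password/login details".
DM_REQUEST = re.compile(r"\b(dm|direct message)\b.*\b(account|card|password|login)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)")


@dataclass
class Post:
    author: str       # handle without the leading '@'
    in_reply_to: str  # handle this post replies to
    text: str


def extract_domains(text):
    """Return the lower-cased host names of any links in the post."""
    return {host.lower() for host in URL_HOST.findall(text)}


def reply_risk(reply, complaint_target):
    """List the angler-phishing warning signs found in a reply to a complaint."""
    reasons = []
    author = reply.author.lower()
    if author not in OFFICIAL_HANDLES:
        if author != complaint_target.lower():
            reasons.append("replied from a handle other than the one addressed")
        if BRAND in author:
            reasons.append("unofficial handle that mimics the brand name")
    if DM_REQUEST.search(reply.text):
        reasons.append("asks for account details over direct message")
    for domain in sorted(extract_domains(reply.text) - OFFICIAL_DOMAINS):
        reasons.append(f"links to non-official domain {domain}")
    return reasons


def triage_thread(complaint, replies):
    """Map each reply author to its warning signs for one complaint thread."""
    return {r.author: reply_risk(r, complaint.in_reply_to) for r in replies}
```

A genuine reply from the official handle that asks only for an order number yields an empty list, while a look-alike handle asking for account details via DM and linking elsewhere collects several warnings.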
Phishing email protection
Many social media users know very little about angler phishing. That’s bad news for organisations, given how often employees browse social media during their lunch breaks or quiet periods.
After all, it only takes one person clicking a bogus link to infect the organisation’s systems.
That’s why it’s important to teach your staff how to spot scammers’ bait. Our Phishing Staff Awareness Course teaches you everything you need to avoid every type of attack, from social media scams to email- and SMS-based threats.