By some estimates, the number of worldwide social media users reached 4.2 billion in early 2021, and this number continues to grow. Additionally, 91.9% of U.S. marketers in companies larger than 100 employees use social media for marketing purposes. That’s a lot of companies connecting with a lot of people, making social media the largest pool of potential victims at scammers’ fingertips. And that leaves most American businesses open to phishing scams from bad actors.
Indeed, social media threats are on the rise. In January 2021, the average targeted organization experienced nearly 34 attacks through social media. As the year progressed, this number significantly increased. By September, the average targeted organization encountered 61 attacks per month, which is an 82% increase in three quarters.
Unfortunately, it can be extremely difficult to defuse this rising threat. As digital transformation continues to accelerate — we increasingly live in a digital world as a means to work, communicate, purchase products, conduct research and find entertainment — our lives are moving into an almost fully digital space. This makes social engineering attacks, the sale of personal information, impersonation and general fraud easier. Identifying, locating and charging scammers through their social media activity is difficult to impossible in most situations.
Let’s start by defining the five key types of social media threats:
- Fraud: An incident designed to deceptively deny a right to a victim or provide illegal gain to the threat actor, including the unauthorized sale of account credentials; exposure of banking details; deposit fraud; providing access to tools designed to commit fraud; and other financial threats.
- Impersonation: An incident including a purposeful spoof of a corporate brand, executive or employee with intent to sway opinion or fool victims into performing an action.
- Cyber threat: An incident that includes an intentional cyber risk to the targeted victim, such as hacking attempts.
- Data leak: A leak or unauthorized share of proprietary or sensitive data such as login credentials, corporate documents or source code.
- Physical threat: A physical threat of harm specifically directed toward an employee, a physical location or an event.
While the percentage of fraud-related social media attacks leveled off in Q3 2021 after a significant increase in Q2, the threat type continued to make up the lion’s share of attacks. Cyber threats experienced the largest increase among all threat types in Q3, growing 5.5% from Q2 and accounting for approximately one quarter of the threats encountered. Employee, brand, and executive impersonations increased slightly as well, making up an additional quarter of the social media threats encountered.
Regarding specific industries, financial services was among the business sectors targeted most by social media attacks in 2021. This industry is a natural target for threat actors because its services are used broadly across several business sectors. The staffing and recruiting sector experienced the steepest increase in attacks, possibly due to seasonality and threat actors preying on job seekers during end-of-year recruiting. Information typically gleaned by hackers includes user and employee login credentials, credit card information and personal information that can then be used to launch other scams and attacks. One more factor contributing to the rise in social media threats is the growing focus on cryptocurrency. Crypto is non-traceable, and crypto scams are easy to create yet difficult to track.
As the data shows, there is an urgent need for security teams to more closely monitor and manage social media activity. Here are some standard rules that employees should follow:
- Do not click on links in posts, tweets or direct messages unless you are 100% certain that they are genuine and well-intentioned. Ask yourself if somebody genuine would really contact you in this way with this information.
- Recognize threats of financial issues or offers that seem too good to be true for what they really are.
- If in doubt, call the correct number of the organization or individual the post or tweet claims to be from to check its authenticity.
- Know that even if the post or tweet seems to come from someone you trust, their account may have been hacked or spoofed.
Additionally, security teams need to start implementing procedures such as the following to protect against such threats, which are sure to grow in 2022:
- Concentrate on marketing “phishing security awareness.” In most cases, phishing attempts require some kind of user action or response to succeed, so making users aware of the tactics used by scammers and the consequences of certain behaviors is paramount. Consider periodically communicating to your user base about the dangers of phishing and what to look out for.
- Employ experts. Security teams should have mobile experts dedicated to the detection and curation of these types of threats. Active monitoring is necessary, and apps and emails should be flagged as suspicious if they reference, impersonate or replicate a brand’s content or images, including unauthorized use of logos, trademarks, content, functionality or appearance.
- Make your employees your frontline army. Involve and empower employees to take proactive participation in organization-wide training, as it is important to give employees a sense of their importance as a human barrier against phishing attempts. Make them feel a sense of pride and ownership for the safety of the brand’s customers.
- Account protections. Always use a company email address to create social media accounts and have at least two “admins” on each account. This prevents a single person from changing the password and locking everyone else out. Additionally, each company should employ standard password change protocols and minimum password requirements.
- Verify the C-suite. Create official accounts for your top executives and get them verified. Having a verified account, or even just an official one, helps mitigate impersonation scams.
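The “employ experts” and “verify the C-suite” items above both come down to spotting accounts that impersonate a brand or its executives. The following is an added example, not code from the article or from Security Magazine, of a small lookalike-handle detector a security team could run over newly observed handles: it normalizes each handle (case, separators, common look-alike characters such as `0` for `o` or `rn` for `m`), then compares it against a list of official accounts. The brand `acmebank`, its official handles and the lure words are hypothetical, constructed for this example.

```python
"""Flag social media handles that look like impersonations of official brand accounts.

Added example, not from the article. The brand, official handles and sample
handles are constructed for illustration.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Hypothetical official handles for a brand (ordered so reasons are deterministic).
# In practice this would be the company's own registry of verified accounts.
OFFICIAL_HANDLES = ["acmebank", "acmebank_help", "acmebankceo"]

# Characters commonly swapped in because they look like letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "|": "l", "$": "s", "@": "a",
})

# Words that lend a fake account a veneer of legitimacy (constructed list).
LURE_WORDS = ("support", "help", "official", "care", "team", "giveaway", "promo", "verify")


def normalize(handle: str) -> str:
    """Lower-case, drop non-ASCII look-alikes, map homoglyphs, strip separators."""
    h = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode()
    h = h.lower().lstrip("@").translate(HOMOGLYPHS)
    h = re.sub(r"[^a-z0-9]", "", h)
    # Two-letter combinations that render like a single letter.
    return h.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str) -> Optional[str]:
    """Return a reason if the handle looks like an impersonation, else None."""
    raw = handle.lower().lstrip("@")
    if raw in OFFICIAL_HANDLES:
        return None  # one of our own accounts
    norm = normalize(handle)
    for official in OFFICIAL_HANDLES:
        off_norm = normalize(official)
        if norm == off_norm:
            return f"homoglyph/separator variant of @{official}"
        # Only use edit distance on reasonably long names to limit false positives.
        if len(off_norm) >= 6 and edit_distance(norm, off_norm) <= 1:
            return f"one edit away from @{official}"
        # Brand name plus a lure word, e.g. "acmebanksupport".
        stem = official.split("_")[0]
        if norm.startswith(stem) or norm.endswith(stem):
            extra = norm.replace(stem, "", 1)
            if any(word in extra for word in LURE_WORDS):
                return f"brand stem '{stem}' plus lure word"
    return None


def scan(handles: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return the flagged handles with reasons."""
    return [(h, r) for h in handles if (r := classify(h)) is not None]


if __name__ == "__main__":
    # Constructed sample of handles observed on a platform.
    SAMPLE = ["@AcmeBank", "@acrnebank", "@Acme.Bank_Official", "@acme_bankk",
              "@4cm3bank", "@randomuser"]
    for handle, reason in scan(SAMPLE):
        print(f"FLAG {handle}: {reason}")
```

Flagged handles would feed a takedown or review queue rather than an automated block; the normalization is deliberately aggressive, so a human should confirm each hit before reporting it to the platform.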
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users brought to you by Security Magazine.