Contact us: +45 32 67 26 26

Angler Phishing: Be Conscious of Social Media Phishing

Stine Erna Nielsen
By: Stine Erna Nielsen Cyber Security | 2 August

Is your company and colleagues present on social media? If you answered “Yes,” then you need to be aware of the cyber criminals that want to damage your brand reputation. The report from Vade, amplify that the social media platform Facebook is the most used platform for IT criminals to impersonate companies. The scammers mirror the identity of the company’s customer service account and target users that reach out for support; This is angler phishing.

What is angler phishing? 

Angler phishing operates on social media. Here cyber-criminals make a fake social media account on e.g., Facebook, Twitter, or Instagram, where they pretend to represent a company and most often disguise themselves as customer service agents. Angler phishing has the same purpose as ‘ordinary’ phishing, which is most commonly known as deceptive emails to lure you into giving away sensitive information.

Who are the victims of Angler Phishing? 

Normally, the victims of angler phishing are unsatisfied customers, and the attacks begin when a customer complains on social media. The attackers will answer people who are raising complaints on social media with the disguise of pretending to be the company. The fake accounts will mirror the identity of the attacked company e.g., they make use of the same name and pictures. The hope is that the people who are upset won’t realise that it isn’t a valid account they are communicating with.

What about your organisation?  

Angler phishing poses threats to both individuals reaching out to customer service accounts on social media, and to the companies who have customer service accounts on social media.  

When the customer take contact to the targeted company on social media, the cyber-criminals will receive a notification through an alert system. The cyber-criminals don’t hack the official accounts of your organisation social media accounts, but the attack will compromise the legitimacy of your company and trick your customers.

Smart CTA_phishingcase EN

Angler phishing is social media phishing 

Fraudulent social media accounts are on the rise. Complaints made via social media put a company in the spotlight (in a bad way) – so, there is a belief that going onto social media, e.g., On Facebook and Twitter to get an issue resolved might be faster than talking to a representative on the phone. Thus, social media phishing is extremely rewarding for cyber-criminals, as the numbers of potential victims are ever-growing.

How does angler phishing happen? 

The fraud happens through various methods, and it can be hard for users to avoid. When the attacker initially writes to the customer, the message will contain a link that they claim will take them directly to an agent ready to help. Clicking that link will either download malware to the users’ device or direct them to another website, where the user is encouraged to insert their credentials, in order to get help. If you insert your credentials the cyber-criminals can gain access to your account or gain further access to more personal information that can be misused.

An example of angler phishing 

The fake accounts use account names that mimic legitimate sites, while also imitating the original company layout. The cybercriminals search for customer complaints directed at the legitimate site and respond with a fake account.  

Would you know which of the following usernames is correct? 

  • @FacebokOfficial_helpservice  

  • @facebookcustomercare 

  • @Helpdesk_Facebook

The answer is none of the above. However, it can be hard to verify. Thus, you must take certain precautions into consideration in order to avoid a social media attack.

How to avoid angler phishing 

By now, most people know to be careful with links and attachments in emails and are capable to spot a phishing email. But fewer people use the same caution on social media. A few ways customers can protect themself from angler phishing are to: 

  • Verify that the account is real before responding or clicking a link– see if it has the blue verified check mark to certify that it is real (on Twitter & Facebook). 

    • Even though the description of the page might say “official account” it might not be that official.  

    • Check the account name for any irregularities or spelling errors.  

    • See if the business’ official account mentions a specific account that is responsible for customer service issues.  

  • Review the company’s history on the social media site. A newly created account is probably fake. 

  • Don't click on links or send personal information to an account that initiates a conversation with you.  

It is highly important that your organisation and colleagues are prepared to answer customer complaints and have several ways to get in touch, so they don’t get attacked. Because if customers still doubt the authenticity of the social media account, it’s better to contact the company directly through their trusted website or phone number.

An infographic showing 5 ways to protect your company against Angler phishing

5 ways to protect your company from angler phishing attacks 

Social media phishing will be a problem for any business that works on social media.  However, as an organisation you can take action to help prevent being the target of angler phishing attacks and avoid bad brand reputation. Lost business and customer trust are some of the biggest costs associated with data breaches.  

  • Document who is responsible for the corporate accounts. These accounts should have a strong password. 

  • Identify your organisation’s social media platforms, accounts and key individuals. 

  • When applicable, use verified accounts.  

    • Twitter and Facebook offer an option for verified accounts to help ensure authenticity, which will make it easier for customers to trust you and help them avoid the attacks.

  • Continuously monitor for fraudulent accounts and report the possible attack to your IT team or service provider. 

  • Publish an alarm on your social media account for your customers.  

    • Explain to them the details about the phishing threat and offer them alternative channels to communicate with you

Protect yourself from phishing 

We hope this blog post has given you an idea of the possible cyberattacks that can happen on social media, like angler phishing and how to avoid it. If you want to learn more about phishing or test your own organisation’s preparedness against phishing, the next step could be to implement phishing training, so, that all your employees know what to look out for.