Phishing Scammers Have Flocked to Social Media

February 17, 2022

When it comes to cybercrime innovation, phishing scammers are the leaders of the pack. Their almost uncanny ability to sniff out new opportunities and meet their targets where they are keeps them at the forefront of cybercrime. That’s why it’s not surprising that bad actors have conquered social media to find new avenues of exploitation. Social media gives them the perfect stage to execute precisely targeted and profitable phishing operations that are dangerous to consumers and businesses. An estimated 70% of phishing targets are found through basic searches using social media and business websites.


Cybercriminals Love Social Media

The widespread adoption of everyday social media use has been a boon for cybercriminals, especially during the global pandemic. Worldwide, the number of social media users was about 4.5 billion in 2021. With such widespread use of the medium, social media phishing attacks rose sharply last year, a clear illustration of just how pervasive the problem has grown. In January 2021, organizations experienced about 34 social-media-related phishing attacks per month. By September 2021 that number had ballooned to 61 social-media-related phishing attacks per month – a shocking 82% increase in just three quarters.

Social media fraud is a growth industry. A recent report from the US Federal Trade Commission dives into the specifics of social media fraud. An estimated one in four people who reported losing money to fraud in 2021 said it started on social media with an ad, post or message. More than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021. Those losses account for about 25% of all reported losses to fraud in 2021. That’s a stunning eighteenfold increase in the last five years. 


Social Media is the Perfect Stage for Social Engineering 

Social media can make a cybercriminal’s job very easy. It’s ideal for social engineering. People love to share all kinds of personal information on their social media accounts, like where they went to school and where they work. Plus, even unexpected communications that stem from social media encounters seem more trustworthy to people. That makes it very easy for cybercriminals to locate and leverage exactly the information that they need to launch profitable phishing scams. The FTC declared that social media was far more profitable to scammers in 2021 than any other method of reaching potential marks.  

Cybercriminals look for the victims of their next attacks in places where the victim feels safe, and social media is one of those places. Social media use is now a regular part of just about everyone’s daily life. It’s become a common way to shop and do business. It’s also a perfect environment for phishing. It provides a ready-made foundation of trust that bad actors can exploit, and that trust can be used to launch devastatingly effective phishing attacks against employees, attacks that blur the line between business and personal purposes. Researchers found that when an email sent to a personal or business address asked the recipient to connect via a social media channel, roughly 25% of the unfortunate recipients clicked the included link. This led them to a fake login screen where a further 54% of the victims gave up their credentials. Adding insult to injury, 80% of those victims then downloaded a malicious executable. That could have devastating consequences for their employers.


Social Media Is Going to Work 

More than 75% of workers use social media at work. Of course, some of that social media use is employees taking breaks or even just wasting time, but many employees use social media for work-related, practical purposes, especially when working remotely. In a survey, 66% of employees worldwide said that they use social media to talk to their colleagues at work. Breakdowns vary by country. In the US, about 27% of workers use social media for work or official business, a number that is steadily growing as companies increasingly turn to social media for advertising and customer service. However, using social media for work purposes is especially prevalent outside the US – 47% of Indian workers, 31% of Canadian workers and 30% of Australian workers use social media at work.

These days, thanks in part to the rise of remote work, the line between work and personal technology use is almost non-existent. Employees who use social media at work to do seemingly harmless things like listening to webinars, chatting with colleagues or researching products are often doing it on work devices. That can bring major problems to their employers. Researchers estimate that one in four transactions on social media platforms is actually a cyberattack. When those phishing attacks succeed against people using social media on their work devices, the companies they work for are exposed to a host of dangers like ransomware, credential compromise and account takeover (ATO).


Specialized Phishing Scams Are Especially Dangerous 

But average employees aren’t the only folks bringing social media phishing threats to work. Phishing scams that are more often targeted at executives are also all over social media. Investment scams accounted for the largest financial losses of any social media scam in 2021 (37%), despite making up just 18% of all social media scams. Plus, social media investment scams are another vector for cryptocurrency risks to threaten a business. Cryptocurrency was used in 64% of investment fraud scams last year, followed by payment apps (13%) and bank transfers (9%). 

One prominent 2021 social media phishing operation that could be aimed at businesses or individuals was a copyright infringement scam targeting Instagram users. The victims would be sent convincing copyright infringement notices via email, full of scary legal language. In this scenario, bad actors would direct their victims to click a link that would take them to the “official” complaint. The victim would then be told that if they want to challenge the claim of copyright infringement, they should complete an objection form via a helpfully provided link. That gives cybercriminals the opportunity to deploy malware, snatch credentials or gain access to details that can power BEC attacks.  


Social Media Phishing is a Gateway to a Data Breach 

The anonymous digital flavor of social media makes it the perfect tool for brand fraud, and that’s a major data breach driver. The Verizon Data Breach Investigations Report 2021 (DBIR) shows the rapid rise of brand impersonation or fraud as a precursor to a data breach. Brand Impersonation or Misrepresentation scored 15 times higher on the data breach risk chart than it did in 2020. As always, phishing is the biggest data breach danger any business faces through any attack vector, sitting at the top of the tree for a third straight year.

Another hazard of social media-driven brand fraud is the ease with which cybercriminals can parlay it into a business email compromise (BEC) attack, a prospect that no business wants to face. Business email compromise can happen through brand fraud in several ways. For example, a fraudster could trick an employee into giving out information in a chat that lets them impersonate a brand in later cyberattacks. Or a bad actor could pose as a company and contact one of its partners in a direct message about an invoice that requires urgent payment. Much of the information needed to craft the sophisticated phishing messages that brand fraud practitioners rely on can be easily gathered with a quick perusal of their intended victim’s social media accounts.
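Both the Instagram copyright-notice lure described earlier and the brand impersonation that drives BEC depend on links whose displayed brand does not match where they really go. The script below is an added example, not code from Graphus or from the FTC or Verizon reports; it parses an email body for links and flags the three tell-tale mismatches a defender can check mechanically. The brand allow-list, the sample email and the `.example` domains are constructed for the illustration, and the registrable-domain helper deliberately uses a simple last-two-labels rule (it does not handle multi-label suffixes such as `co.uk`, which a production version would look up from the public suffix list).

```python
"""Flag brand-impersonation links in an HTML email body (added example, not vendor code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand names a scammer might borrow, mapped to the registrable domains that brand
# really uses. Constructed allow-list for the example; instagram.com is the real
# Instagram domain, examplebank.example is a made-up placeholder.
PROTECTED_BRANDS = {
    "instagram": {"instagram.com"},
    "examplebank": {"examplebank.example"},
}

# Matches anchor text that is itself a URL, capturing the host it displays.
URL_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/|$)")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified registrable domain: last two labels (ignores multi-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_mentioned(s):
    """Return the first protected brand name appearing in the string, else None."""
    s = s.lower()
    return next((b for b in PROTECTED_BRANDS if b in s), None)


def displayed_host(text):
    """If the anchor text looks like a URL, return the host it shows the reader."""
    m = URL_RE.match(text.strip())
    return m.group(1).lower() if m else None


def analyze_link(href, text):
    """Return a list of reasons this link looks like brand impersonation."""
    reasons = []
    host = urlsplit(href).hostname or ""
    target = registrable_domain(host)

    # 1. Lookalike host: a brand name sits somewhere in the hostname, but the
    #    registrable domain is not one the brand actually owns.
    host_brand = brand_mentioned(host)
    if host_brand and target not in PROTECTED_BRANDS[host_brand]:
        reasons.append(f"host '{host}' imitates {host_brand}")

    # 2. Text/target mismatch: the anchor text invokes a brand, but the link goes
    #    to a domain that brand does not use.
    text_brand = brand_mentioned(text)
    if text_brand and target not in PROTECTED_BRANDS[text_brand]:
        reasons.append(f"text mentions {text_brand} but target is '{target}'")

    # 3. Displayed URL differs from the real one: what the reader sees is not
    #    where the click goes.
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != target:
        reasons.append(f"shows '{shown}' but goes to '{host}'")
    return reasons


def flag_links(html):
    """Parse an email body and return only the links that raised a reason."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body modelled on a copyright-complaint lure; the .example
# hosts are placeholders, not real infrastructure.
SAMPLE_EMAIL = """
<p>We received a copyright infringement complaint about your account.</p>
<p>Review the complaint here: <a href="http://instagram-copyright-help.example/form">Instagram Help Center</a></p>
<p>Or visit <a href="https://login.verify-account.example/ig">https://www.instagram.com/accounts/</a></p>
<p>Our policies: <a href="https://www.instagram.com/about/legal/">Instagram terms</a></p>
"""

if __name__ == "__main__":
    for finding in flag_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the first two links are flagged (the lookalike host, the brand mentioned in anchor text, and the displayed-URL mismatch) while the genuine instagram.com link passes, which is the behaviour a mail gateway rule or a user-report triage script would want.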


Are Your Trusted Contacts (and Social Media Pals) Really Trustworthy? 

Can you always tell if an email that you’ve received is actually from a trusted contact? Can your users? Probably not – 97% of people cannot spot a sophisticated phishing email. That’s a dangerous vulnerability for any company. 

Human beings may be fooled by sophisticated phishing messages, but AI-powered, automated email security from Graphus is not. You can rely on the patented Graphus algorithm to spot and stop phishing messages accurately, even zero-day threats, deploying 3 powerful shields to prevent employees from interacting with phishing messages.  

  • TrustGraph uses more than 50 separate data points to analyze incoming messages completely before allowing them to pass into employee inboxes. TrustGraph also learns from each analysis it completes, adding that information to its knowledge base to continually refine your protection and keep learning without human intervention.  
  • EmployeeShield adds a bright, noticeable box to messages that could be dangerous, notifying staffers of unexpected communications that may be undesirable and empowering staffers to report that message with one click for administrator inspection.    
  • Phish911 enables employees to instantly report any suspicious message that they receive. When an employee reports a problem, the email in question isn’t just removed from that employee’s inbox — it is removed from everyone’s inbox and automatically quarantined for administrator review. 


Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.