Will Your Next Cyberattack Come from Social Media Phishing?

April 16, 2021

Today’s biggest threat is phishing. Among the many types of phishing attack that businesses face these days, social media phishing, or angler phishing, has become a special menace. This tricky scam combines social media, social engineering and phishing in unexpected ways that employees are likely to find enticing. It can wreak havoc on your business through ransomware, credential compromise, malware, brand impersonation, business email compromise and more.

Social media phishing scams (angler phishing) are thriving these days. Social media accounts associated with angler phishing increased by about 40% in the last 12 months. During the first half of 2020, nearly 25 million complaints about angler phishing were made to the Federal Trade Commission, with a total of $117 million in losses – more than in all of 2019, in just 6 months.

Is Your Email Security Up to the Test of Angler Phishing? Find Out with This Checklist. DOWNLOAD IT>>

Cybercriminals are having increasing success luring in executives and professionals on LinkedIn, Facebook and Instagram. A little over 85% of organizations were targeted or hit with social media phishing scams in 2020. Every employee, from the interns through the C-Suite, needs to be aware of the danger posed by angler phishing and impersonation scams – angler phishing scams are almost as likely to target low- and mid-level employees as they are executives.

Cybercriminals Love LinkedIn

When considering the social networks that employees and executives can expect cybercriminals to be impersonating, LinkedIn is the king of the castle. One of cybercriminals’ most effective ruses to get that click is to generate faux system and notification messages. Experts say that emails with “LinkedIn” in the subject line led the list of most opened social media phishing emails again for 2020, marking its third year on top. LinkedIn phishing emails had a 47% open rate.

Popular cybercriminal tricks on LinkedIn vary, but they all rely on a socially engineered message that seems harmless and is compelling enough to act on. Phishing emails with subject lines like “You appeared in new searches this week!”, “People are looking at your LinkedIn profile”, “Please add me to your LinkedIn network” and “Join my network on LinkedIn” simulate commonly received platform messages. Targets can also be lured in with an email alerting them to a “contact request” that is actually a phishing email leading to a fake LinkedIn login page.

These unexpected threats can be very complex. Bad actors often accomplish their goal by creating fake accounts and sending connection requests to legitimate profiles. This ruse is a win-win for cybercriminals: if unsuspecting people accept the requests, the cybercriminals gain access to all of the information in that person’s profile to use for impersonation scams, while building credibility for their sock puppet account, which can then be used to harm your connections. This has been especially effective with remote workers.

While LinkedIn is the cybercriminal go-to, Facebook, Twitter, WhatsApp and Instagram aren’t any safer. The second most opened social media phishing email at businesses of any size is a Twitter-related lure. Emails with the subject line “Someone has sent you a direct message on Twitter!” had a 15% open rate. In third place is Facebook – emails entitled “Your friend tagged you in photos on Facebook” had a 12% click rate. Emails spoofing WhatsApp appeared on the list as well, with an open rate of 5%. WhatsApp phishing emails tried to entice people with the subject line “You have a new WhatsApp message”.
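As an added defender-side example (not code from the article or from Graphus), the following Python script applies the check these lures invite: it flags a message whose subject names LinkedIn, Twitter, Facebook, WhatsApp or Instagram while its sender domain or any link in the body points to a host that platform does not own. The brand-to-domain allowlist and the sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Platforms named in the lures above, mapped to domains they legitimately send
# from and link to. Assumed for this example; replace with a verified allowlist.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "twitter": {"twitter.com", "t.co"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "whatsapp": {"whatsapp.com"},
    "instagram": {"instagram.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _belongs_to(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def check_lure(raw):
    """Flag a raw email whose subject names a platform while its sender domain
    or any link host does not belong to that platform."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "").lower()
    brand = next((b for b in BRAND_DOMAINS if b in subject), None)
    if brand is None:                      # subject does not invoke a platform
        return {"brand": None, "flagged": False, "reasons": []}
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not _belongs_to(sender, BRAND_DOMAINS[brand]):
        reasons.append(f"sender domain {sender!r} is not {brand}")
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):       # every link must stay on-brand
        host = urlparse(url).hostname or ""
        if not _belongs_to(host, BRAND_DOMAINS[brand]):
            reasons.append(f"link host {host!r} is not {brand}")
    return {"brand": brand, "flagged": bool(reasons), "reasons": reasons}

# Constructed sample messages (not real traffic): one genuine-looking notice and
# two lures reusing the subject lines quoted in the article.
SAMPLES = {
    "legit": "From: LinkedIn <no-reply@linkedin.com>\nSubject: People are looking at your LinkedIn profile\n\nSee who: https://www.linkedin.com/in/me/\n",
    "li_lure": "From: LinkedIn <alerts@example.net>\nSubject: People are looking at your LinkedIn profile\n\nSee who: http://linkedin-login.example.com/signin\n",
    "tw_lure": "From: Twitter <info@twitter.com>\nSubject: Someone has sent you a direct message on Twitter!\n\nRead it: https://twitter.example.org/dm\n",
}

def scan_samples():
    return {name: check_lure(raw) for name, raw in SAMPLES.items()}
```

A spoofed From header alone passes the sender check, as the Twitter sample shows, so pair this with SPF/DKIM/DMARC results; there it is the off-brand link that exposes the lure.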

See 5 Reasons Why You’ll Want to Retire Your SEG for Graphus. DOWNLOAD INFOGRAPHIC>>

Social Engineering Tricks Lead to Trouble

Cybercriminals have remained creative in their lures on less business-focused social networks. The most common phishing scams on these networks include “Blue check” Instagram scams that send users an email offering them a certified badge; a click on the enclosed “Verify Account” button takes them to a phishing page. Another popular lure is sending emails to users warning them of a security alert, like a login attempt from an unknown device, where the link really takes them to a fake login screen. In a well-constructed Instagram scam, targets receive a message informing them that they’ve committed copyright infringement and need to speak to customer service to keep their account from being locked, with a link that goes to a credential-stealing page.

All of these scams have social engineering in common to make them more tempting to employees. Security awareness training goes a long way toward helping users resist the draw of phishing lures, but even well-trained employees can be fooled. In a recent study, one-fifth of the surveyed employees fell for phishing tricks and interacted with spurious emails, with more than two-thirds of those who interacted with the messages going on to enter their login credentials. That works out to one in ten employees supplying their login credentials to cybercriminals – and the survey set was made up of employees that had gone through security awareness training.  

That’s why combining effective security awareness and phishing resistance training with automated email security from Graphus is the perfect pairing to mitigate the danger posed by today’s biggest threat, phishing. There are myriad reasons why Graphus is a great idea for every business, but it really boils down to this: an employee can’t click on a phishing email that they don’t get. Graphus spots and stops social engineering threats by using more than 50 points of comparison to adjudicate the content of every incoming message, not just the subject line as traditional email security does. AI phishing protection doesn’t fall for tricks, get stressed out or become too distracted to make careful judgments. The smart AI also sniffs out unusual communications that could be phishing threats and uses that information to refine your protection, catching almost 50% more threats than a SEG.

Don’t wait until a social media phishing threat has caught one of your users. Contact the experts at Graphus today to start protecting your business with smart automated email security.