As we close out 2023, we at Security Boulevard wanted to highlight the most popular articles of the year. Following is the latest in our series of the Best of 2023.
If your social media networks are anything like mine, you’ve noticed an uptick in people getting “hacked” lately. Maybe you’ve gotten a weird Facebook message from someone you hadn’t spoken with in a while. Maybe your least tech-y friend is suddenly talking about crypto on Instagram. Or maybe you’ve seen post after post on your timeline of someone saying something like, “Sorry everyone, I got hacked!”
So what’s the deal? Why are your aunt and your favorite podcaster and that girl you went to high school with suddenly getting hacked? Isn’t that something that used to only happen to celebrities??
The short answer is: Everyday people are easy and cheap targets for cyber criminals. Now let’s dig into the long answer.
First things first: Your aunt wasn’t hacked. She was phished, which is a different type of cyber crime. Hacking is defined as “the application of technology or technical knowledge to overcome some sort of problem or obstacle.” Hackers can have good intentions (like the ones we work with here at Avast) or they can have criminal intentions (like the ones who broke into Facebook in 2018). Regardless of intent, hacking requires a deep knowledge of technology and excellent programming skills.
Phishing, on the other hand, is a social engineering technique that manipulates people into voluntarily giving up sensitive information. Phishing scams can be simple (e.g. a message with a link saying “look who died”) or complex (e.g. a tech support scam), but they always use some form of electronic communication to trick and defraud people.
Importantly, phishing relies on the victim trusting the scammer and taking an action — like clicking a link or sending bank account information — in order for the scammer to get what they want. Unlike hacking, phishing does not require advanced tech skills.
It’s not your imagination: social media scams really are on the rise. According to the Federal Trade Commission (FTC), social media scammers stole a total of $770 million from Americans in 2021. That’s almost three times more than in 2020, when they stole $258 million. In fact, social media has become the single most profitable channel for scammers. That’s because it isn’t only cheap: social media also offers the number one thing a phishing scam needs to succeed, personal information that can be used for manipulation.
“The reason they target legitimate accounts instead of creating new fake ones is that there is an existing level of trust in the connections network,” Avast Global Head of Security Jeff Williams says. “If you and I are friends on Facebook, for example, and you send me a private message, I naturally assume that it is really from you and not spam. As a result, I’m much more likely to follow a link.”
So what types of social media scams should you be looking out for? Here are some of the top ones.
Direct message (DM) scams are a vector for a variety of phishing-based social media scams. Scammers will send a direct message from the account of a friend of the victim saying something like “is this photo of you??” or “look who died” with an attached link. The link will then bring the victim to a fake sign-in site, in order to steal their credentials, or ask for money to view the aforementioned image or video. The scammers are relying on people’s trust in their social media friends and natural curiosity to trick victims into thoughtlessly clicking and then handing over private information.
Crypto scams are blowing up right now, especially on social media. I personally have seen multiple friends’ Stories on Instagram talking about crypto investing — and it’s never my techie friends. These scams use phishing techniques, usually in the form of a malicious link, to get someone’s account credentials and take over their account. They then use that account to spam the victim’s friends and, in the case of many of the ones I’ve seen, take over their Stories and posts to talk about crypto and further spread the scam. The goal is to get you to “invest” in cryptocurrency on their fake investment sites or give over your existing crypto credentials, so they can steal your money.
Catfish and romance scams are, in my opinion, some of the most diabolical. These scams rely on people’s genuine desires for connection and love in order to defraud them of money. Romance scammers create fake profiles on social media sites like Facebook or Instagram — and, increasingly, on legitimate dating sites — and then connect with intended targets. They come on fast and strong, creating a romantic and/or sexual bond with their victims, and eventually ask for money for an “urgent” reason. Be extra aware of the fast-growing trend of crypto-romance scams, which take the age-old catfish method and add a layer of untraceable money via cryptocurrency.
Sugar daddy scams are kind of a crossover with romance scams and DM scams. The scammer poses as an older, wealthy man looking to pay a younger woman (aka the sugar baby) for her time. But, surprise! He’s not really a sugar daddy. He’ll ask the young woman to send over money (often via gift cards, which are the favorite payment method of online scammers) in order to “verify” their payment information. In the end, the “sugar baby” ends up being the one who pays, not the other way around.
Have you ever seen an ad purporting to reveal who viewed your profile? Don’t click on it. Those ads are a form of phishing that preys on people’s natural curiosity and vanity. Their only goal is to steal your social media credentials in order to either a) gain access to your accounts or b) sell them on the dark web.
Fake advertisement scams use ads that look like they come from legitimate companies in order to get people to buy non-existent products. Most commonly, people place orders for items they see advertised online and never receive them. Fake advertisement scams accounted for 45% of all reports of social media scams in 2021, according to the FTC.
Avast Threat Labs detected a fake advertisement scam in 2021 that scammers had used to steal over $100,000 by the time they were detected. The ads promised Amazon cryptocurrency tokens and brought victims through a convincing process to “invest” in this “opportunity.”
The “please help!” scam relies on the fact that most people want to be kind and helpful. It usually involves a DM from someone claiming they’ve been locked out of an account and need help getting back in. They’ll ask you to click a link in order to retrieve their password for them, but that link will be malicious. That means you’ll either get malware on your device or you’ll be redirected to a site that asks you to enter some type of valuable information — like login credentials or financial information — so they can steal it.
Finally, there will always be scammers who take advantage of tragic situations. That’s been the case with the current war in Ukraine. Avast security experts very quickly detected scammers claiming to be Ukrainians in need on social media and asking for money in the form of cryptocurrency.
Another version of a “please help!” scam is commonly called a “grandparent scam.” This is where a scammer poses as the grandchild of an intended victim and claims to be in a dire situation — like being stuck in a foreign country or getting arrested — and to need financial help immediately. These scammers prey on a person’s love for their grandchild and desire to protect them, which is a pretty heinous thing to do.
Don’t click on links, especially if they look weird! Ask yourself: Would your friend actually send a link with this subject? And if they would send you a link, would it be a shortened one? Scammers usually run their links through a link shortener to disguise where the link actually leads. So if the link looks fishy, it’s probably phishing.
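As an added illustration of the link checks described above (example code written for this page, not Avast’s or Security Boulevard’s), here is a small Python helper that flags the warning signs a cautious reader would look for before clicking: a shortener host that hides the destination, a plain-http link, a “user@host” trick that makes the real host easy to misread, and a mismatch between the site a message shows and the site the link actually goes to. The shortener list and the sample links are constructed for the demo and are not from the article.

```python
from urllib.parse import urlparse

# Constructed sample of link-shortener hosts (assumption: illustrative only, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


def _with_scheme(text: str) -> str:
    """urlparse needs a scheme to recognise the host; add one if the text lacks it."""
    return text if "://" in text else "http://" + text


def registrable_domain(host: str) -> str:
    """Crude 'which site is this' extraction: the last two DNS labels.
    Good enough for the demo; production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text: str) -> bool:
    """Only compare display text to the link when the text itself names a site."""
    stripped = text.strip()
    return bool(stripped) and "." in stripped and " " not in stripped


def assess_link(href: str, display_text: str = "") -> list:
    """Return a list of human-readable warnings for a link; an empty list means
    none of the checks fired (which is not proof the link is safe)."""
    warnings = []
    parsed = urlparse(_with_scheme(href))
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        warnings.append("link is not https")
    if parsed.username is not None:
        # "https://facebook.com@evil.example" is served by evil.example, not facebook.com
        warnings.append("text before '@' is not the site; real host is %s" % host)
    if host in SHORTENER_HOSTS:
        warnings.append("shortened link hides its destination (%s)" % host)
    if looks_like_url(display_text):
        shown_host = (urlparse(_with_scheme(display_text)).hostname or "").lower()
        if registrable_domain(shown_host) != registrable_domain(host):
            warnings.append("message shows %s but link goes to %s" % (shown_host, host))
    return warnings


def is_suspicious(href: str, display_text: str = "") -> bool:
    return bool(assess_link(href, display_text))


if __name__ == "__main__":
    # Constructed sample messages, not real links from the article.
    samples = [
        ("https://bit.ly/3xyz", "look who died"),
        ("https://www.facebook.com/login", ""),
        ("http://facebook.com@evil.example/login", ""),
        ("https://login.faceb00k-security.example/", "https://www.facebook.com/"),
    ]
    for href, shown in samples:
        print(href, "->", assess_link(href, shown) or "no warnings")
```

The checks are deliberately conservative: they flag things a person can also see by hovering over a link, and an empty result only means none of these particular tells were present.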
If someone you haven’t spoken with in years — or someone you don’t even know — randomly messages you, you should automatically be wary. Now, we’re not saying that anyone reaching out on social media is sketchy. But there’s a higher bar to pass for legitimacy, so don’t assume that just because you’re “friends” online that you’re actually messaging with your friend.
Multi-factor authentication (MFA) is a security measure that requires two or more things from you in order to sign in to an account. For example, your Gmail on your computer might ask that you put in your password and then open the Google Photos app on your phone to confirm that it’s you trying to sign in. The idea here is to prevent someone who has gained access to your password — like perhaps through a social media scam — from getting into your account. And since data breaches happen all the time, MFA is essential for security these days.
Speaking of passwords, you know the rules by now: Use unique passwords (or pass phrases) for every account. Use a password manager to keep track of them all. Change your passwords frequently. And don’t share them with anyone! Your passwords are for you and you alone.
Since one of the ways scammers utilize social media to scam is through fake advertisements, use an ad blocker. It will keep you from even seeing the ads, which means you’re not tempted to click on them. Problem solved!
Good antivirus software will protect you from all kinds of attacks, including social media scams. Get it; install it; keep it running. It’s like your own personal scam stopper.
If you’ve already been targeted by a social media scammer, don’t fret! There are steps you can take to secure your account (and money) against future attacks.
First, change your password immediately. If you don’t, they can keep taking over your account and spamming your friends, or even lock you out of it.
Then, do some accounting: Did you use that password anywhere else? If you did, then you have to go change it on those logins as well. The scammers could sell your information, which would potentially give other criminals access to other accounts of yours if you’ve reused passwords.
Once you’ve regained control of your account, do a little post informing everyone what happened. Chances are a bunch of your friends already clicked on a bogus link from “you,” but it’s common courtesy to warn everyone else, just in case. And throw in a little apology as well for any of those friends who did click. Doesn’t hurt!
If you’ve lost control of your accounts, most social media services have a “recover my account” process now. It’s probably going to be a pain in the butt, but it’s worth it to stop the scammers who are impersonating you and probably bugging your friends.
Social media scams are just one of the many ways cyber criminals are taking advantage of people online these days. Pay attention, stay skeptical, and remember: Don’t click on any links!