Social Media "Angler Phishing"

What is angler phishing?

This attack is named after the anglerfish, which uses a bioluminescent lure to entice and attack smaller prey. In this case, the glowing lure is a fake customer support account that promises to help your customers but secretly steals their credentials instead.

How does it happen?

Fraudsters create highly convincing fake customer service accounts and then monitor social media channels for customer support requests. Angler phishing hackers often wait to strike on evenings or weekends when your brand is less likely to monitor social media interactions. When the hacker sees a customer contact your brand, they hijack the conversation by responding directly to that customer using their fake support page. 

Example 1: Fake customer service accounts on Twitter

Online criminals set up fake customer service accounts to phish for bank login and password information and other sensitive data. These imposter accounts look very similar to that of real businesses, but are often one character off -- or they include an extra underscore or other keyboard character.

When someone tweets at their bank or example, scam artists will intercept the conversation, and reply to that message with what seems like an authentic answer.

Let's say John Smith tweeted his request to @mybank, the hackers were able to intercept his tweet and respond using their fake account @askmybank. The link in the fraudulent response will lead John to a perfect replica of the bank’s login page. There the hackers can steal his online banking credentials, ATM pin, security questions and answers, and more.

Example 2:  PayPal fraud

In this attack, an angler phisher targeted PayPal users from two fake PayPal Twitter accounts. The tweet encourages recipients to click over to the actual PayPal Twitter account, @PayPal, for assistance in an urgent matter. However, the fraudsters are monitoring the replies on the official PayPal Twitter page in order to sweep up replies to exploit for their attacks.

In addition, when victims receive a reply from the phony PayPal Twitter accounts, they're fooled again as the reply has the PayPal logo emboldened as an account image, and the handle seems official, except it amends the word “Ask” at the beginning of the handle.
Targets are lured into entering their PayPal credentials into the seemingly legitimate, but fake page. The bad actors are thus provided with the personal information they need to gain access to accounts and transfer out funds held there.

Who is at risk?

Fraudulent customer support accounts are a problem for any business that provides customer service on social media. However, 2016 research from the Anti-Phishing Working Group shows that more than 75% of phishing attempts target financial service and ecommerce organizations to steal banking credentials and make fraudulent purchases.

How can I stop angler phishing attacks?

For Consumers:

  1. Never LOGIN to an account if the link is provided to you through email or social media.
  2. If you are unsure about a link in a social media post, do NOT copy and paste the link in your web browser. You could still end up at the malicious site and potentially load malware on your computer or network. If you are unsure whether a link you received in a post is safe, it is not safe to copy and paste the link in the URL section of your web browser.
  3. Access web sites through your web browser.  Typing the address of a web site directly into your Web browser will ensure that you are going to the legitimate Web site and not a phishing site that was designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a virus, typing the web address yourself is the best way to guarantee the authenticity of a web site.
  4. Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud. No matter how much security technology you implement, you can never get rid of the weakest link - the human factor. A social engineer is someone who uses deception, persuasion and influence to get information that would otherwise be unavailable.
  5. Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages. 
  6. Don't trust the sender information in an e-mail message. Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
  7. Know the social media account handle for the company you are dealing with.  Make sure you communicate only with the legitimate account.
  8. Look closely at the reply you receive and be skeptical.  Look for misspelled Twitter handles, email addresses, etc.

For Businesses:

These types of attacks will be a problem for any business that provides customer service on social media. The following is a list of some key actions an organization can take to help prevent angler phishing attacks:

  1. Identify your organization’s social media platforms, accounts and key individuals.
  2. Document who is responsible for the corporate accounts. These accounts should have strong passwords that are continuously being changed every few months.
  3. When applicable, use verified accounts. Twitter and Facebook offer an option for verified accounts to help ensure authenticity.
  4. Continually monitor for fraudulent accounts. Make sure you take down any suspicious activity and report it to your IT team or service provider.
  5. Enhance your security by leveraging email security solutions.