IT Security

Enterprise Threats from Social Media Phishing

What are Enterprise Threats from Social Media Phishing?

Social media phishing refers to a cyberattack executed through social media platforms such as Instagram, Facebook, LinkedIn, and Twitter. The purpose of social media cyberattacks is to steal personal data or to gain control of social media accounts. Social media phishing cyberattacks are a type of social engineering cyberattack, a class of cyberattacks that use manipulation to trick people into giving up personal and/or corporate information that can be used to commit further cyberattacks. Another social engineering technique is spear phishing, a cyberattack in which cyberattackers target specific individuals via social media, often by leveraging information obtained from their personal social media accounts.

Social media platforms encourage users to share information on their profiles that may be viewable to the public. Users who do not understand or use all of the privacy tools available to keep their private information from public view may overshare without realizing it. Cyberattackers attempting social media phishing and spear phishing cyberattacks against an organization can use personal information obtained from employees’ social media accounts to impersonate their classmates, neighbors, colleagues, coworkers, or even family, in order to gain entry into their accounts and/or wallets, and to obtain passwords, usernames, and other sensitive information that will allow them to gain access to the targeted company’s accounts and sensitive data.

While social media use by employees is difficult, if not impossible, to regulate from an enterprise standpoint, employers can educate employees on the threats that social media poses to themselves and to the enterprise, and on how to protect themselves.

Instagram phishing. Instagram is a popular platform for sharing photos and text. An Instagram phishing attack can be conducted by creating a fake Instagram login page that captures a victim’s credentials when they type them in. The cyberattacker can then use those credentials to access the victim’s account, to log in to other accounts that share the same credentials, to spy on the victim, to pose as the victim in order to extract personal information and money from their friends, family, and colleagues, and to lock the victim out of their account. If the cyberattacker obtains enterprise information and login credentials during this cyberattack, the company’s security is put at risk.

Facebook phishing. Facebook phishing cyberattacks are often conducted through a message or link, supposedly from a known contact, that asks for personal information. The personal information acquired is then used to lure the victim to a fake Facebook page where their credentials are harvested and their accounts compromised, similar to an Instagram phishing cyberattack.

LinkedIn phishing. LinkedIn phishing attacks use LinkedIn messages prompting a user to share sensitive information to compromise their personal and, potentially, corporate accounts. It is often difficult to distinguish authentic messages from the inauthentic, as the official LinkedIn website has several legitimate domains that appear quite different, such as and

Twitter phishing. Twitter phishing uses the same tactics as other social media phishing cyberattacks, but it is exceedingly popular among cyberattackers because Twitter users routinely interact on the platform with people they have never met in real life.