Phishing is a popular form of social engineering that typically involves a fraudulent email asking the recipient to either send personal information or visit a malicious website. Like many online threats, people are starting to catch on to these emails. And as a result, the perpetrators of such attacks are having to get creative.
One example of this is angler phishing. Instead of emails, it utilizes social media.
So what is angler phishing and how can you protect yourself?
What Is Angler Phishing?
Angler phishing is the act of contacting people on social media while pretending to be a customer service representative. It gets its name from the angler fish which uses a glowing lure to attract its victims.
Angler phishing takes advantage of the fact that when people want assistance from a company, social media is usually the first place that they go.
The goal of the attack is to find people who are complaining about a business and then respond to their problems before the legitimate company does.
In doing so, they can extract information that can subsequently be used for theft.
How Does Angler Phishing Work?
Angler phishing is easy to do because the attackers don’t even need to search for victims.
Instead, they simply choose a popular business and wait for that business to be mentioned on social media.
Ideally, that business will be frequently tagged online and a little slow to respond.
Afterwards, they will create multiple social media accounts which can be used to impersonate support staff.
For example, if the business were YourBank and the social media platform were Twitter, they might create accounts such as @AskYourBank or @YourBankTech.
Then they wait. As soon as somebody mentions YourBank on Twitter, they will try to reach out to that person before the company does and offer assistance.
For example, somebody might complain that they’re having trouble logging into their bank account. An attacker will then provide a link that can be used to reset their password.
Or somebody might complain that they haven’t received a recent purchase. An attacker will then offer to resend the item; they just need confirmation of the address to send it to.
Once the attacker offers to help, many will be willing to do what is requested.
If personal information is provided, it can be used for identity theft. And if a victim clicks on a link, they can be taken to a fraudulent website where their login details can be stolen.
Why Is Angler Phishing Effective?
Messages on social media might not seem like the best way to steal from people. But it’s actually a lot more practical than sending spam emails.
For a start, the victim is usually waiting to be contacted. And as a result, they are much more likely to enter into a conversation with a complete stranger. Attackers also know exactly what the victim wants because they’ve usually just asked for it.
To further increase the likelihood of success, the accounts used for angler phishing are also designed to look identical to their legitimate counterparts.
They typically have official looking logos, similar content to the real thing and even fake account histories.
It’s worth noting that angler phishing is just one many threats now facing social media users. Social media is also an effective avenue for shopping scams, romance scams, and fake job postings.
Who Is Targeted?
Angler phishing can be found on all popular social media networks. If a platform is large enough to have big companies present, there’s likely to be criminals there too.
Financial companies are the most likely to be impersonated. A study by ProofPoint reported that 55 percent of all attacks involve a bank or other type of financial provider.
How to Avoid Angler Phishing
Angler phishing works because many people let their guard down on social media. Here are a few easy ways to avoid falling for it.
Tag Specific Accounts
People turn to social media because it’s often the fastest way to get a response. But there’s more than one way to do so.
Many large companies have specific accounts that handle complaints. By tagging these accounts and only responding when they do, this attack becomes impossible.
Always Verify Who You Are Talking To
Before responding to anybody online, always verify who you are talking to. Here’s how to do that:
- Read the account name carefully to make sure that everything is spelled correctly. There are a number of tricks that can be used to make you miss it the first time.
- Look for a tick mark that indicates the account is verified.
- Look at the number of followers if applicable. A customer service rep from a popular company shouldn’t have zero.
- Check the businesses official account and see if the account that contacted you is mentioned there.
- Check if they have a history of successfully helping other customers. Keep in mind that this can sometimes be faked.
If in Doubt, Reach Out Directly
If you the slightest doubt about who you are talking to, stop talking and contact the company directly instead.
Don’t fall into the trap of not wanting to insult the person that contacted you. This is a natural reaction to somebody offering to help. But it’s also something that attackers rely on to get what they want.
Never Send Personal Information Regardless
If somebody initiates a conversation with you on social media, never answer questions and never click on a link.
The people who perform these attacks will make it seem like you have no logical choice. But a professional will understand completely why you might refuse to do so.
Don’t Stop Contacting Companies on Social Media
The prevalence of angler phishing is a worrying trend. It takes the legitimate questions of customers and uses them to perform everything from identity theft to credit card fraud.
Despite this fact, social media remains one of the most effective ways to reach a company. And provided you understand how to avoid angler phishing, there’s no reason to stop taking advantage of this fact.