
Social media phishing: Attack tactics and mitigation strategies
Scams existed long before the internet. Criminals used phone calls and in-person techniques to steal credit card information or other sensitive information for financial gain. However, following widespread digital transformation and increased dependence on internet technology for conducting business, especially online banking and e-commerce, scammers have shifted their focus to leveraging the digital medium as their primary attack vector.
Email-based attacks typically come to mind when discussing phishing. However, the proliferation of social media platforms in recent years — with statistics showing that 63.9% of the global population engages with social media platforms — has motivated cybercriminals to execute phishing attacks through social media websites. This evolution has created a new subtype of phishing attacks: social media phishing.
What is social media phishing?
Social media phishing is a specialized form of phishing attack that exploits social media platforms such as Facebook, Instagram, X, LinkedIn, and similar websites. These attacks typically occur through messaging features like Facebook Messenger or Instagram Direct Messages or through shared phishing links in public posts and comments. The attackers aim to steal users' sensitive information, such as banking or credit card information, or to gain access to their social media accounts (e.g., via phishing pages resembling the genuine social media login page).
Social media phishing has become a growing concern worldwide due to the massive user base across social platforms. This article will discuss the different techniques of social media phishing utilized by hackers and suggest countermeasures to stop this type of attack. However, before we begin, let us briefly discuss the phases of social media phishing attacks.
A typical social media phishing attack runs through three phases:
- Reconnaissance – Collecting information about the target through open source intelligence (OSINT) techniques, social engineering, or automated scanning tools. This phase involves mapping the target's connections, interests, and behavioral patterns to craft personalized attacks.
- Creating the bait – Developing convincing lures such as urgent messages, promotional offers, or profile interactions that persuade users to click phishing links or download malicious software onto their computing device.
- Execution – Manipulating users into performing specific actions such as entering their account credentials into fraudulent login pages, installing malware disguised as legitimate applications, or granting account permissions to malicious applications.
Social media phishing attack techniques
There are different techniques for executing social media phishing. Here are the most prominent ones:
Fake friend requests
Fake friend requests are a common tactic cybercriminals use to gain access to target users' personal information, spread malware, or commit scams. These requests appear to originate from legitimate profiles, but the profiles are either fabricated outright or created with deepfake AI technology to win the target user's trust quickly. A typical fabricated profile may feature any of the following themes:
- Impersonating authority figures, such as law enforcement officials requesting cooperation to resolve an urgent case or executives from your company seeking help during your vacation for an urgent business matter
- Impersonating well-known celebrities, such as models, travel bloggers, or professionals in glamorous industries like renowned photographers
- Impersonating other individuals' profiles. For example, a hacker may collect someone's personal photos and other images posted across various social media platforms, build a detailed profile under that person's name, and then contact the target using this fabricated persona
- Exploiting current events, such as during political crises or natural disasters, by posing as journalists, humanitarian workers, or crisis response coordinators seeking urgent assistance or information
- Creating fictional romantic interests that share similar interests, experiences, and background details with the target
It is important to note that hackers often tailor their fabricated social media profiles to align with the values or beliefs of the target community. For instance, when impersonating someone on LinkedIn, they may present themselves as a financial advisor when attempting to target someone in the banking industry. These profiles frequently display sophisticated social proof, including fabricated endorsements, recommendations, and activity histories designed specifically to establish credibility.
Direct messages
Social media phishing attacks generally exploit direct messages (DMs) of social media platforms to trick users into revealing sensitive information or downloading malicious programs. A malicious DM may use any of the following themes:
- Urgent authentication requests: The sender often impersonates one of the target's friends or another trusted contact. For example, a user may receive a message claiming to be from a friend who needs help accessing their locked account and asks for a verification code that was sent to the target's phone number. The attacker has typically cloned or compromised the friend's account and uses urgency to pressure the target into handing over their two-factor authentication (2FA) verification code.
- Platform security alerts: Messages pretending to originate from the social media platform's support team, notifying the user about account security issues that require immediate action. Examples include: "Your account has been flagged for suspicious activity. Click here to secure it now" or "Your account will be permanently deleted in 24 hours unless you verify your identity here." The embedded links within these messages direct users to phishing login pages designed to steal their account credentials or prompt them to install an info-stealing malware.
- Prize notifications: Messages promising rewards, exclusive limited-time offers, or prizes to convince users to click malicious links. Examples include: "You have won a $300 gift card! Click here to claim your prize" or "Exclusive VIP access granted — claim your premium membership now." These offers typically take the user to credential harvesting pages or malware distribution websites.
Phishing posts or comments
Phishing posts or comments are another type of social media phishing. These appear legitimate at first glance and use various tactics to convince users to click embedded links, such as:
- Engaging content traps: Cybercriminals create compelling content designed to attract user interaction. For example, a post might state, "Check out this funny video of a cat trying to dance!" with a shortened URL masking its actual destination. Upon clicking, users are taken to a fraudulent login page (mimicking platforms like YouTube) that asks them to enter their account credentials, or they are prompted to install malware disguised as a video player. Both methods aim to steal account credentials or install data-harvesting malware.
- Sensational headlines: Posts featuring dramatic or exclusive content designed to exploit user curiosity. Examples include alleged celebrity scandals ("Celebrity X caught in shocking scandal — exclusive footage!") or breaking news claims ("You won't believe what happened in New York City today!"). These headlines bypass users' normal security awareness by triggering immediate emotional responses.
- Compromised business accounts: Attackers hijack legitimate business social media accounts to exploit established trust relationships with followers. For example, a compromised sports retailer's Facebook page might announce a free shoe giveaway, requiring only shipping payment. The checkout process directs users to fraudulent payment pages designed to steal their credit card information. These attacks are particularly effective because they leverage the business's existing reputation and followers.
Fake job offers
Scammers use fake job offers to exploit job seekers, aiming to steal victims' money and personal information or install malware on their computing devices to execute other malicious actions. Here are the most common fake job offer tactics:
- Fraudulent recruitment messages: Scammers send messages using email or social media platforms' direct messaging features, particularly LinkedIn, to target potential victims. They claim to represent legitimate companies while offering unrealistic job opportunities. For example, a user might receive a message stating, "Hi! We came across your profile and are impressed with your experience. We want to offer you a remote position with a $5,000 monthly salary. No experience required!" Unlike these scams, legitimate recruiters provide detailed job descriptions, company information, verifiable corporate email addresses, and official business contact numbers.
- High-salary offers: Scammers exploit the financial aspirations of job seekers by advertising unrealistic compensation packages. Examples include "Earn $5,000 per week working from the comfort of your home, just 1 hour a day!" or "Start earning $10,000 monthly with zero experience required!" These offers create urgency and excitement, causing victims to overlook red flags.
- Personal information harvesting: Scammers request sensitive data through sophisticated phishing forms or direct communication. They might demand "Required documentation for payroll setup," including Social Security numbers, driver's licenses, passport copies, or banking details. Some schemes involve upfront fees disguised as registration costs, background checks, or training materials, which typically range from $50 to $200.
- Verification scams: A new tactic involves asking targets to verify their identity through specific applications or websites. These platforms often contain malware or are designed to steal authentication credentials from other accounts, such as Google or Facebook. Scammers might say, "Download our secure verification app to complete your application" or "Click this link to verify your employment eligibility."
Defense strategies
To protect against social media phishing attacks, users should implement the following protective measures:
- Strengthen account security: Use 2FA on all social media accounts, and use unique, complex passwords for each account. You can use a password manager to generate online account credentials. Remember not to share verification codes with anyone, regardless of their claimed identity.
- Connection verification: Before accepting friend requests on social media platforms, verify the account's legitimacy by checking mutual connections, number of friends, profile creation date (newly created accounts are a big red flag), and recent activity patterns (accounts with low activity are suspicious).
- Link safety: Never click shortened URLs in social media posts or messages. Hover over links to preview their actual destination. You can use a third-party service such as CheckShortURL to reveal the actual destination of a shortened URL.
- Message authentication: Verify unexpected messages from friends through alternative communication channels, such as email or phone, especially if they request urgent actions or sensitive information.
- Business communication: For job-related communications, communicate only through official company email addresses and verified business platforms. Never pay upfront fees for job opportunities or share sensitive personal information through social media messaging.
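The link-safety advice above can be automated on the defender's side: expand a shortened URL hop by hop without trusting it, then compare the final hostname against the platforms it claims to belong to. This is an added example, not code from the Barracuda article; the redirect table and the `fetch` callback are constructed so the block runs offline (in practice `fetch` would issue a HEAD request and return the status and `Location` header).

```python
"""Triage links found in social media posts or DMs (constructed example)."""
from urllib.parse import urlsplit

# Registered domains of the platforms named in the article.
KNOWN_BRANDS = {"facebook.com", "instagram.com", "x.com", "linkedin.com", "youtube.com"}
# A few common URL-shortener hosts (assumption: extend for your own environment).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly"}

def registered_domain(host):
    """Last two labels of a hostname; adequate for .com-style TLDs (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def expand(url, fetch, max_hops=5):
    """Follow redirects via fetch(url) -> (status, location) and return (final_url, chain).
    Stops at the first non-redirect; the hop limit keeps a redirect loop from hanging."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, chain
        url = location
        chain.append(url)
    return url, chain  # hop limit reached: the last URL is still unresolved

def triage(url, fetch):
    """Classify a link: ok, unresolved-shortener, lookalike:<brand>, or unknown."""
    final, _ = expand(url, fetch)
    host = (urlsplit(final).hostname or "").lower()
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS:
        return "ok", final
    if reg in SHORTENERS:
        return "unresolved-shortener", final
    # A brand name used as a label of a hostname whose registered domain is NOT the brand
    # (e.g. facebook-security-alert.com, login.instagram.verify-account.net) is a lookalike.
    labels = set(host.replace("-", ".").split("."))
    for brand in sorted(KNOWN_BRANDS):
        if brand.split(".")[0] in labels:
            return "lookalike:" + brand, final
    return "unknown", final

# Constructed redirect table standing in for live HTTP responses.
FAKE_REDIRECTS = {
    "https://bit.ly/3abc": (301, "https://facebook-security-alert.com/login"),
    "https://t.co/xyz": (302, "https://www.instagram.com/p/123"),
    "https://bit.ly/loop": (302, "https://bit.ly/loop"),
}

def fake_fetch(url):
    return FAKE_REDIRECTS.get(url, (200, None))
```

A verdict of `unresolved-shortener` or `lookalike:` is the cue to treat the link as hostile until someone has verified it through a channel the sender does not control.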
As social media platforms continue to dominate online communication, cybercriminals are increasingly exploiting these channels for sophisticated phishing attacks. Understanding these attack patterns and maintaining constant awareness is crucial to protecting against social media phishing threats.