You click on a link in a tweet, or a post on your social media or video hosting site – or in a direct message – either advertising a gift or special offer… or, ironically, warning you to take action to avoid some kind of financial loss. This could appear to be from anybody – including a trusted contact if their social media account has been compromised or identity spoofed.
- The link takes you to a website which requests confidential details or causes your computer or mobile device to be infected with malware.
- Alternatively, the post, tweet or message may instruct you to make a phone call to a specified number. This can either result in confidential details being requested, or be to a premium rate number resulting in exorbitant charges being added to your phone bill.
- The criminal creates a convincing but fake Twitter customer service account with a handle similar to the bank’s real one. They wait for you to tweet at the bank’s genuine handle with a help request, then hijack the conversation by responding with a fraudulent support link sent from the fake support account. This will direct you to a convincing but fake login page designed to capture your confidential details.
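The lookalike-handle trick above can be spotted mechanically. As an added example (not part of the original page), the following Python screens an incoming handle against a constructed, hypothetical allow-list of genuine support handles, normalising common character substitutions before comparing by edit distance:

```python
import unicodedata

# Constructed allow-list of handles assumed genuine (hypothetical bank, not a real one).
GENUINE_HANDLES = ("examplebank", "examplebankhelp")

# Character swaps commonly used to build a lookalike handle; both sides are mapped
# to the same canonical form so "Examp1eBank" and "ExampleBank" compare equal.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s",
    "_": "", "-": "", ".": "",
})


def normalise(handle: str) -> str:
    """Lower-case, strip accents and separators, fold confusable characters."""
    h = unicodedata.normalize("NFKD", handle.lstrip("@").lower())
    h = "".join(c for c in h if not unicodedata.combining(c))
    return h.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str, genuine=GENUINE_HANDLES, max_distance: int = 2):
    """Return ("genuine", match), ("lookalike", imitated) or ("unrelated", None).

    A handle is genuine only on an exact (case-insensitive) allow-list match;
    anything that merely normalises close to a genuine handle is a lookalike.
    """
    raw = handle.lstrip("@").lower()
    if raw in genuine:
        return ("genuine", raw)
    norm = normalise(handle)
    best = min(sorted(genuine), key=lambda g: levenshtein(norm, normalise(g)))
    if levenshtein(norm, normalise(best)) <= max_distance:
        return ("lookalike", best)
    return ("unrelated", None)
```

Used as a triage step, every "lookalike" result is a candidate impersonation account to report to the platform and to the genuine organisation.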
Like fraudulent emails, texts and phone calls, social media phishing plays on your basic human emotions and needs, such as trust, safety, fear of losing money, getting something for nothing, eagerness to find a bargain or desire to find love or popularity/status. They also generally state or imply the need for your urgent action to either avoid an issue or take advantage of an offer.
How to avoid becoming a victim of social media phishing
- Do not click on links in posts, tweets or direct messages unless you are 100% certain that they are genuine and well-intentioned.
- Take time to consider your actions before responding to approaches on social media.
- Ask yourself if somebody genuine would really contact you in this way with this information.
- Recognise threats of financial issues or offers that seem too good to be true, for what they really are.
- If in doubt, call the correct number of the organisation or individual the post or tweet claims to be from, to check its authenticity.
- Even if the post or tweet seems to come from someone you trust, their account may have been hacked or spoofed.
- If the approach is via Twitter, note that accounts of legitimate businesses usually feature a blue ‘verified’ tick to indicate that the account is authentic. They will also never request login credentials.
- Also, check for the number of followers on the account. Genuine organisations – including their customer support handles – are likely to have a much larger following.
If you have been a victim of social media phishing
Report it to the social media network via the reporting mechanism on the site or app.
If you have lost money as a result of social media phishing, or via any other fraudulent activity
Report it to Action Fraud, the UK’s national fraud reporting centre, by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk