The Rise of Social Engineering in the Age of Social Media


Posted by Tatyana Sanchez

Most people are on some sort of social media platform, whether it's TikTok, X, Facebook, YouTube, LinkedIn, or another service; the list goes on. Like me, many people use social media to connect with others globally, share information, communicate, create content, and more. Unfortunately, with every positive comes a negative, and social media has also become a social engineering playground, as fraudsters have swarmed the social scenes for years.

Social Media Manipulation Techniques

Humans are the primary attack vector for social engineering attacks, and social media has significantly increased the success rate of these attacks by readily providing attackers with a wealth of personal information directly from online profiles.

Personal information available for anyone to find on social media accounts allows malicious actors to manipulate victims using various techniques:

Impersonation

Social engineering relies on several key principles, including trust, authority, urgency, and familiarity. Criminals will often analyze a user's social media platforms to identify their connections and understand the relationships between them (co-worker, boss, mom, old high school friend).

The criminal can then impersonate someone the victim would trust and contact them via text, phone call, or direct message (DM). These messages often create a sense of urgency and, unfortunately, that sense of urgency and fear can motivate the victim to act without careful consideration. Impersonation is widespread, so users should always verify the identity of the person they are communicating with before taking any action.

Creating and Spreading Misinformation

Because social media is easily accessible and can reach millions of users, it has become a powerful source for the dissemination of fake news. There are many ways to spread disinformation campaigns or fake news online, and one common method involves social engineering.

According to the World Economic Forum, social engineering provides a framework to mischaracterize and manipulate events, incidents, or public discourse in an attempt to sway public opinion in favor of a certain agenda.

We witnessed this during the 2024 elections, where foreign actors spread false narratives and stories about US election security to try to undermine the election process. To achieve this, criminals attempted to mimic national-level media outlets and create inauthentic news sites posing as legitimate media organizations. In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a warning in October about foreign actors spreading disinformation.

In another example, Seth Nielson, President of Crimson Vista, highlighted the vulnerability of businesses to foreign interference. He described how his client faced attacks targeting their reputation. Foreign actors attempted to "start grassroots protests" against the client by spreading false narratives on social media. Nielson emphasized the ease with which such attacks can be automated, as tools can easily identify company profiles and target them based on their industry and even autogenerate the protest content. This demonstrates how easily disinformation can be spread and manipulated, highlighting the importance of critical thinking and fact-checking before believing everything read online.

Romance Scams

This type of scam is not widely talked about, but it's a popular social engineering technique used on social media and involves fraudsters creating fake online identities and often targeting people looking for love, such as those using dating apps.

These scammers will lie to steal a victim's heart and money. They may claim to share the same interests as the victim or mirror the victim's lifestyle to build a romantic relationship. The Federal Trade Commission reported that in 2022 alone, nearly 77,000 people reported a romance scam, resulting in a staggering loss of $1.3 billion.

Nielson, who helped his 80-year-old client escape a romance scam before it was too late, shared a case involving love letters exchanged through a dating app. To demonstrate the ease of this type of scam, Nielson used ChatGPT to write a "love letter" from a woman to a man serving in World War 2, and the AI generated a surprisingly convincing and romantic message. As Nielson stated, “this scam itself is fast, cheap, and easy to execute.”

Protecting Yourself from Social Engineering on Social Media

Individuals can significantly reduce their risk of falling victim to social engineering attacks by following these best practices outlined by Maria Castro, Compliance Director at Crimson Vista.

  • Be Vigilant: Stop and think before clicking on links or providing personal information. Verify the identity of anyone contacting you, especially if they are requesting sensitive data or making urgent demands.

  • Enhance Privacy: Tighten your privacy settings on social media platforms and limit the amount of personal information you share online.
  • Employ Strong Security Measures: Enable two-factor authentication for all important accounts and avoid using public Wi-Fi for sensitive activities.
  • Stay Informed: Follow trusted cybersecurity sources for the latest threats and best practices.

Organizations can bolster their defenses against social engineering attacks by implementing the following measures shared by Castro:

  • Educate and Train Employees: Regularly conduct cybersecurity training, emphasizing real-world scenarios to enhance awareness and response capabilities.
  • Foster a Culture of Verification: Encourage employees to verify all requests, links, and messages before taking any action.
  • Limit Online Exposure: Minimize the amount of sensitive information available about the organization online.
  • Monitor Brand Mentions and Impersonations: Actively monitor social media for any instances of brand impersonation.
  • Develop and Practice Incident Response Plans: Prepare for and regularly practice how to respond to social engineering attacks.
  • Invest in Cybersecurity Expertise: Engage with cybersecurity specialists to identify vulnerabilities, implement robust safeguards, and provide tailored training for your team.
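One of Castro's measures, monitoring social media for brand impersonation, is the kind of check that can be automated. The script below is an added example, not code from the original post or from Crimson Vista or RSAC: it takes the organization's legitimate handles and flags newly observed handles that look confusingly similar, using homoglyph normalization (digits and letter pairs that resemble other letters) followed by a small edit distance. All handles in it are constructed sample data, and the confusable-character table and the distance threshold are assumptions to tune for your own brand names.

```python
"""
Lookalike-handle detector for brand-impersonation monitoring.

Added example (not from the original post). Given the organization's
legitimate social media handles, flag observed handles that are visually
confusable with them. Two checks are combined:
  1. homoglyph normalization (glyphs that look like other letters), and
  2. a small Levenshtein edit distance after normalization.
All handles below are constructed sample data.
"""

# Visually confusable substitutions commonly used in lookalike handles.
# Multi-character sequences are applied before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
}

# Constructed sample data (assumed brand; not a real organization).
LEGIT_HANDLES = ["@ExampleBank", "@ExampleBankHelp"]
OBSERVED_HANDLES = [
    "@ExampleBank",        # the real account
    "@Examp1eBank",        # digit 1 for letter l
    "@Exarnple_Bank",      # "rn" for "m" plus an underscore
    "@ExampleBankHe1p",    # lookalike of the support account
    "@ExampleBanking",     # related-looking but beyond the threshold
    "@TotallyDifferent",   # unrelated
]


def normalize(handle: str) -> str:
    """Lower-case, strip the leading @ and separators, collapse confusables."""
    h = handle.lower().lstrip("@")
    for sep in ("_", "-", "."):
        h = h.replace(sep, "")
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        h = h.replace(seq, CONFUSABLES[seq])
    return h


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using two rows of memory."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(handle: str, legit_handles, max_distance: int = 1):
    """Return (verdict, matched_legit_handle); verdict is legit, lookalike or unrelated."""
    norm = normalize(handle)
    best = None
    for legit in legit_handles:
        if handle.lower().lstrip("@") == legit.lower().lstrip("@"):
            return "legit", legit
        d = levenshtein(norm, normalize(legit))
        if best is None or d < best[0]:
            best = (d, legit)
    if best is not None and best[0] <= max_distance:
        return "lookalike", best[1]
    return "unrelated", None


def scan(observed, legit_handles, max_distance: int = 1):
    """Return (observed_handle, impersonated_handle) pairs worth a takedown review."""
    flagged = []
    for h in observed:
        verdict, match = classify(h, legit_handles, max_distance)
        if verdict == "lookalike":
            flagged.append((h, match))
    return flagged


if __name__ == "__main__":
    for observed, target in scan(OBSERVED_HANDLES, LEGIT_HANDLES):
        print(f"REVIEW {observed}: resembles {target}")
```

Feeding this with handles pulled from a platform's search or mention feed gives a daily review queue; raising `max_distance` catches more variants at the cost of more false positives, and handles such as `@ExampleBanking` show why a containment check or a manual review of near misses is still worth adding.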

By implementing these proactive measures, individuals and organizations can significantly strengthen their defenses against social engineering attacks and minimize their risk of falling victim to these sophisticated threats.

Moving Forward: A Call to Action for a Safer Digital World

In the age of hyperconnectivity, social media has become an indispensable tool for communication, connection, and information sharing. However, this digital landscape also presents a fertile ground for social engineering attacks. As Nielson aptly stated, "if you have a presence on the Internet, you will be a target." This stark reality underscores the urgent need for vigilance and proactive measures. By understanding the various tactics employed by social engineers, from impersonation and disinformation campaigns to sophisticated romance scams, and using the best practices above, individuals and organizations can bolster their defenses. Ultimately, navigating the digital world safely requires a multi-faceted approach that combines technological safeguards with a heightened awareness of the ever-evolving threats posed by social engineering. Only through continuous education and adaptation can we mitigate the risks and ensure a safer digital experience for all.

Subject Matter Experts:

Seth Nielson

Maria Castro

Contributors
Tatyana Sanchez

Content & Program Coordinator, RSAC

Topics: Hackers & Threats, Human Element

Tags: social engineering, social networking, Orchestration / Automation, disinformation campaigns/fake news, mobile security, mobile device security, identity management & governance, phishing
