
Social Media Compliance Risks

There are many reasons why people keep using social media even when it’s bad for them, and these reasons vary across individuals and across circumstances. In the process, social media has also become a hotbed for crime. According to the U.S. Federal Trade Commission (FTC), more than 25% of reported fraud in 2021 originated on social media. And the victims are not necessarily who you would expect. It’s not just older people who are falling victim to social media fraud; all demographic groups are affected.

In fact, the FTC reports that people between the ages of 18 and 39 were more than twice as likely as those over 40 to fall victim to social media scams in 2021.



Why social media?

Attackers love social media because most people have at least one social media account. Because social media is informal and part of people’s personal lives, many users lower their defenses when using these platforms. And they often use social media at times when they are tired or distracted, such as in the evenings after work or while waiting in line. All of this adds up to make social media an easy target for attackers.


Types of social media attacks

Attackers typically use several tactics to lure users into providing personal information, credentials or money.

Impersonation

Attackers pretend to be someone a user knows or a representative from an institution they trust, such as the Internal Revenue Service or the Social Security Administration. For example, your employee may receive a message that appears to come from a friend. The friend claims to be stuck overseas after being robbed and needs your employee to send money urgently to help them get home. Or your employee might receive a message that appears to come from the Social Security Administration, saying that the agency has been trying to contact them and needs them to take urgent action (such as clicking on a link to log into their account or confirm their address).




Healthcare fraud

These scams use healthcare topics that are top of mind, such as COVID-19 or monkeypox. Users are enticed to click on a link or provide personal information in exchange for:

  • Testing kits, which fail to materialize or are fake

  • Fake COVID-19 vaccination cards

  • Vaccines, treatments and remedies, which are often fake

Attackers will also offer money or gifts in exchange for completing “surveys” about vaccination or treatment. These “surveys” are vehicles for stealing personal data, medical information or financial details.




Phishing

Social media phishing happens in two main ways.

In the first, attackers send emails that appear to come from a social media platform. The email explains that the user’s account password has been compromised. The user is instructed to click on a link to maintain access to their account. This link leads to a fake login page that harvests the user’s credentials. This works because attackers play on the user's emotions and create a sense of urgency: the user feels they have to act fast to restore their social media account to safety.

In the second type of social media phishing attack, users receive friend requests from people that they appear to know. These accounts, which are either compromised or faked, post content with malicious URLs that lead to a fake login page. From a social engineering standpoint, the attackers try to exploit people's basic desire to connect and build social, interpersonal relationships with others. This makes it likely that users will be motivated to click on friend requests quickly and without verifying that person's identity.




Lottery scams

Lottery scams use promises of prize winnings as a lure for users to provide personal or financial information. Attackers know that users will always be interested in the promise of winning money, so they appeal to a person's desire to feel excitement and joy in the hope that the user will click quickly.




Romance scams

Romance scams are a form of impersonation scam. In a romance scam, attackers adopt a fake identity to foster a romantic relationship with a user, sometimes over a long period of time. Once trust has been established, they usually manipulate the user into sending money.

In September 2021, a former U.S. Army reservist was sentenced to 46 months in prison for his role in a scheme to swindle more than $1.8 of dollars from nearly 70 victims across the country. The scheme created fake identities to dupe older men and women into believing they were in a romantic relationship, then exploited their emotions to get money from them.




Quizzes and polls

Quizzes and polls that appear in social media feeds may seem like a fun and harmless activity. But attackers often use quiz scams to harvest personal information from users, including answers to common security questions.




Tips for your end users

  • Always treat requests for money and credentials with extreme suspicion, even if they appear to come from someone you know. If you receive a request for your money or credentials, always contact the person through another channel to verify.

  • Beware of promotions, job advertisements and pop-up messages making promises that seem too good to be true.

  • Don’t enter your username or password into websites unless you have navigated to the site directly and verified the URL in your browser.

  • Delete any requests for sensitive data and report them to your security team if you receive them on company accounts.

  • Only contact social media support and contacts by navigating to the social media website or app directly.

  • Watch out for messages that ask for money urgently, even if they come from someone you know. Always take your time to check in outside of social media with the person making the request.

  • If you think your account has been compromised, immediately log in and reset your username or password. If you have trouble, report it to the social media site.

  • Don’t open social media websites in the same browser window as your banking website or other sensitive sites. Attackers can sometimes capture important information this way.

©2022 by Sevenhills0409.