This attack is named after the anglerfish, which uses bioluminescent lures to attract and attack small prey. In this case, the glowing lure is a fake customer support account that promises to assist the customer, but instead secretly steals the customer’s credentials.
How does this happen?
Scammers create compelling fake customer service accounts and monitor customer support requests on social media channels. Angler fishing hackers often wait for strikes on nights and weekends when brands are unlikely to monitor social media interactions. When a hacker sees a customer contacting your brand, they hijack the conversation by replying directly to the customer through a fake support page.
Example 1: Twitter Fake Customer Service Account
An online criminal sets up a fake customer service account to phish bank login information, password information and other sensitive data. These rogue accounts are very similar to real companies, but often contain one letter different, extra underscores or different keyboard letters.
When someone tweets in their bank or example, the scammer intercepts the conversation and replies to that message with a message that looks like a real response.
Let’s say John Smith tweeted a request to @mybank. The hacker was able to intercept his tweet and reply with a fake account @askmybank. The incorrect response link takes John to a complete replica of the bank’s login page. There, hackers can steal online banking credentials, ATM PINs, security questions and answers, and more.
Example 2: PayPal Scam
In this attack, a phishing phisher targeted PayPal users from two fake PayPal Twitter accounts. Tweets encourage recipients to click on the actual PayPal Twitter account @PayPal to get help on urgent issues. However, scammers monitor replies on PayPal’s official Twitter page and collect replies that can be used for attacks.
In addition, when a response is received from a fake PayPal Twitter account, the response highlights the PayPal logo as a photo of the account and the handle is officially displayed except for the word “question” being changed, so the victim Is fooled again. Take care. Victims are fooled into entering PayPal credentials on seemingly legitimate but fake pages. This gives a malicious person the personal information they need to access their account and transfer the funds held there.
Who is at risk?
Fraudulent customer support accounts are a problem for companies that provide customer service on social media. However, according to a 2016 AntiPhishing Working Group survey, more than 75% of phishing attempts target financial services and e-commerce organizations to steal bank details and make fraudulent purchases.
How can I stop an Angler phishing attack?
Do not log in to your account if the link is provided via email or social media. If you don’t know the link for a social media post, don’t copy and paste the link into your web browser. Still, it can visit malicious websites and download malware to your computer or network. If you’re not sure if the link you received in your post is secure, it’s not safe to copy the link and paste it into the URL section of your web browser. Access the website from a web browser. Entering the address of a website directly into your web browser gives you access to a legitimate website instead of a phishing website designed to mimic the look of a real website. Unless your website is hijacked or your computer is infected with a virus, the best way to ensure the authenticity of your website is to enter your own web address. Technology-based security measures such as firewalls, encryption, antivirus, spam filters, and strong authentication cannot prevent social engineering scams. No amount of security technology can eliminate the weakest link, the human factor. A social engineer is someone who uses deception, persuasion, and influence to obtain information that is not otherwise available. Be careful when clicking on the links you receive in messages from your friends on social sites. Links in messages on these websites are treated the same a links in email messages.
Do not trust the sender information of email messages. Take the same precautions as any other email, even if the email appears to come from a sender you know and trust. It’s easy for scammers to forge the identity information in email messages. I know the handle of the social media account of the company you are dealing with.
Make sure you are only communicating with a legitimate account. Look carefully at the answers you get and be skeptical.
Look for misspelled Twitter handles, email addresses, and more. For Enterprises:
These types of attacks are a problem for all enterprises that provide customer service on social media. Below is a list of some important steps a company can take to prevent angler phishing attacks.
Identify your company’s social media platform, account, and key person.
Document the person responsible for your company account. These accounts require strong passwords that change constantly every few months.
Use a verified account if necessary. Twitter and Facebook offer validated account options to ensure reliability.
Continuous monitoring of rogue accounts. Be sure to log any suspicious activity and report it to your IT team or service provider.
Enhance your security with an email security solution.