Security Briefing March 18 2019
What Exactly is Angler Phishing?
Picture this: your bank just bounced a check they shouldn’t have, and now your insurance company is claiming you missed a payment. Understandably, you’re steamed. You tag your bank in a scathing social media post about the terrible service. Next thing you know, the bank’s support account responds inviting you to click a link to chat with them directly to resolve the issue.
Not so fast! What if that isn’t a bank representative at all, but someone trying to steal your personal information? Impersonating a service provider for this purpose is called angler phishing, and it’s rampant on social media.
Steven J.J. Weisman, the cybersecurity expert behind the book Identity Theft Alert and the blog scamicide.com, explains how it works:
“The account name appears to be legitimate and has been set up by scammers well in advance in order to be ready when a potential victim appears. The response from the scammer then lures the now-intended victim to click on a link to be able to communicate directly with a customer service person for the company. Unfortunately, merely clicking on the link can result in the victim downloading malware such as ransomware or keystroke logging malware that can lead to identity theft.
“Alternatively, in some instances, the ‘customer service’ person asks for personal information in order to straighten out the problem and uses that information for purposes of identity theft.”
Make no mistake, this is a carefully thought-out scam. The fake accounts look legitimate, and the fraudsters monitor the company’s real accounts. That way, when a post from a disgruntled customer comes in, the fraudster can respond quickly. Most people are keen to get their issue resolved without having to call and wait on hold, so they’re easy targets.
How Frequently Does Angler Phishing Occur?
It’s hard to say exactly how common angler phishing really is, but we know it’s on the rise.
Proofpoint’s 2017 report The Human Factor explains that the incidence of angler phishing has exploded since first coming on the scene in 2015. According to the report, angler phishing increased by 150% in 2016. While early angler phishing scams usually involved impersonating major banks, fraudsters have now expanded their reach to target customers of a variety of industries. Banks aren’t off the hook, though. The Human Factor report states that in 2015, there were approximately 2-3 angler phishing attempts involving major banks every month. By late 2016, that number was more like 2-3 attempts per day.
In 2018, there’s no reason to believe the situation has improved. It’s important to be aware of angler phishing and take steps to protect yourself.
How to Protect Yourself
Justin Lavelle, Chief Communications Officer for BeenVerified, recommends practicing due diligence before engaging with customer service personnel through social media channels.
“Before responding to someone on social media who claims to represent a consumer complaint staff, check that the account is verified,” says Lavelle. “Twitter allows you to do this by checking the account for a blue verified badge checkmark. The checkmark signifies that the account is legitimate. On both Facebook and Twitter accounts, look for the account to say that it’s the ‘official’ or ‘official support’ account of a specific business.”
If the account isn’t verified, don’t engage with whoever’s on the other end. Whatever you do, don’t click any links they send! Instead, call or email the company directly using the contact information listed on their official website. It may not be quite as convenient as a Facebook message or Twitter DM, but it’s definitely safer.
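The checks in this section (is the replying account actually the official one, is it verified, does it push a link or ask for account details) can be applied mechanically by anyone monitoring replies to a brand's mentions. The Python script below is an added example for this briefing, not code from the original article or from any of the people quoted in it. The allowlist of official handles, the sample replies, and the similarity threshold are constructed assumptions; the lookalike test folds case, separators and digit-for-letter swaps so that a handle such as "ExampleBank_He1p" is compared against the genuine "ExampleBankHelp".

```python
"""Triage replies from accounts claiming to be a company's support team.

Constructed example: OFFICIAL_HANDLES and SAMPLE_REPLIES are made up for
illustration and are not real accounts or real messages.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Assumed allowlist of the company's genuine support handles (lowercase, no '@').
OFFICIAL_HANDLES = {"examplebank", "examplebankhelp"}

# Requests for details that the briefing describes as the second lure.
CREDENTIAL_WORDS = ("password", "pin", "account number", "social security", "login")


@dataclass(frozen=True)
class Reply:
    handle: str
    display_name: str
    verified: bool
    text: str


@dataclass
class Verdict:
    handle: str
    label: str                      # "official", "suspicious" or "unknown"
    reasons: list = field(default_factory=list)


def normalize(s: str) -> str:
    """Fold a handle or display name down to bare ASCII letters, so that
    'Example_Bank-Help', 'ExampleBank.Help' and 'Examp1eBankHelp' compare equal."""
    s = unicodedata.normalize("NFKD", s.lstrip("@").lower())
    s = s.encode("ascii", "ignore").decode()
    s = s.translate(str.maketrans("0135", "oles"))   # common digit-for-letter swaps
    return re.sub(r"[^a-z]", "", s)


def lookalike_score(candidate: str, official: set[str]) -> tuple[str, float]:
    """Return the closest official handle and the similarity to it (0..1)."""
    norm = normalize(candidate)
    best = max(official, key=lambda o: SequenceMatcher(None, norm, o).ratio())
    return best, SequenceMatcher(None, norm, best).ratio()


def classify(reply: Reply, official: set[str] = OFFICIAL_HANDLES,
             threshold: float = 0.8) -> Verdict:
    """Apply the briefing's checks: exact official handle wins outright; otherwise
    record every signal and call the account suspicious if it imitates the brand
    while lacking verification."""
    raw = reply.handle.lstrip("@").lower()
    if raw in official:
        return Verdict(reply.handle, "official")

    reasons = []
    best, score = lookalike_score(reply.handle, official)
    if score >= threshold:
        reasons.append(f"handle resembles @{best} (similarity {score:.2f})")
    name = normalize(reply.display_name)
    name_claims_brand = any(o in name for o in official)
    if name_claims_brand:
        reasons.append("display name uses the company name")
    if not reply.verified:
        reasons.append("account is not verified")
    if re.search(r"https?://\S+", reply.text):
        reasons.append("reply pushes a link")
    if any(w in reply.text.lower() for w in CREDENTIAL_WORDS):
        reasons.append("reply asks for account details")

    imitates = score >= threshold or name_claims_brand
    label = "suspicious" if imitates and not reply.verified else "unknown"
    return Verdict(reply.handle, label, reasons)


def suspicious_handles(replies: list[Reply]) -> list[str]:
    """Handles that should be reported to the platform / brand-protection team."""
    return [r.handle for r in replies if classify(r).label == "suspicious"]


# Constructed sample replies to a complaint that tagged the bank.
SAMPLE_REPLIES = [
    Reply("@ExampleBankHelp", "Example Bank Help", True,
          "Sorry to hear that. Please DM us and we'll look into it."),
    Reply("@ExampleBank_He1p", "Example Bank Support", False,
          "We can fix this right away, chat with an agent here: http://example.invalid/chat"),
    Reply("@jane_doe_1987", "Jane", False,
          "Same thing happened to me last week!"),
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        v = classify(r)
        print(f"{v.handle:<20} {v.label:<10} {'; '.join(v.reasons)}")
```

The lookalike threshold is deliberately conservative; a brand-protection team would tune it against its own handle list and add platform-specific signals (account age, follower count) that this offline example does not have.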
Angler phishing is an increasingly common identity theft scam that targets social media users by impersonating legitimate support accounts. Fraudsters usually invite potential victims to click a link or ask them to provide account details. To protect yourself, ensure the social media accounts representing support teams are verified. If in doubt, don’t engage with them, and never click any unknown links.