Social Media Scams

Garden State Cyber Threat Highlight

Original Release Date: 12/23/2020

Social media is defined as “interactive computer-mediated technologies that facilitate the creation or sharing of information, ideas, career interests, and other forms of expression via virtual communities and networks.” Users create service-specific profiles and may generate content such as text posts, photos, and videos. Shared content may include personally identifiable information (PII), which can be used to target individuals in social engineering schemes that contain lures such as account issues or offers that are “too good to be true.” Cybercriminals will attempt to convince their target to divulge sensitive or financial information, or perform a task such as clicking on links or attachments in order to gain unauthorized account or device access and commit further scams or other malicious activity. Although social media can be used as an effective communication tool, these platforms and the information contained within them can also be used by cybercriminals for nefarious purposes.  

Phishing

Cybercriminals use social engineering schemes to steal information and compromise accounts. Users may be subjected to phishing scams purportedly sent from social media platforms, such as requests to reset their password and notices of copyright infringement detected in their photos. These scam messages may include links or attachments that, if clicked, redirect users to spoofed websites where they are prompted to enter account credentials, which are then captured by the cybercriminals. Copy/paste surveys may also be used, in which a trusted friend shares a post containing responses to a variety of statements and then asks the user to answer and post the same statements. This seemingly innocent game of posting and sharing personal information may give cybercriminals hints about passwords or security questions. Cybercriminals may also use stolen profile information and images to create fake accounts that promote and share fraudulent websites with the victim's trusted friends and family members, as is evident in fake porn scams. Once cybercriminals have stolen information and created fake accounts or compromised real accounts, they can reach out to trusted family and friends in an attempt to convince them to divulge information, perpetuating this vicious cycle of malicious activity. The NJCCIC recommends users establish strong, unique passwords for each account, enable multi-factor authentication where available, exercise caution with links and attachments received from both unknown and known contacts and with suspicious messages claiming to be from social media platforms, and verify the legitimacy of any request via a separate means of communication.

Advertisements

Social media platforms provide another way for businesses to advertise their products or services. While many of these ads link to known and legitimate vendor websites, some ads may direct users to malicious or otherwise suspicious websites that could be used to install malware, steal credentials, or sell counterfeit products and services. Some ads may entice users by claiming the products support charitable causes, while others may make empty promises of product or service delivery. Cybercriminals may employ URL shortening to trick users on social media sites by hiding the true destination of a link. The NJCCIC recommends using a URL expander to reveal the true destination of shortened URLs prior to visiting websites and verifying websites are legitimate prior to making any purchases. We also advise users to inquire with vendors about their return policies, make purchases with credit cards as they often have better consumer fraud protections than debit cards, and maintain records of receipts.
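The URL-expander step recommended above in working form, as an added example that is not NJCCIC's tooling: it sends HEAD requests with urllib's automatic redirect-following disabled and records each hop, so the true destination (and every tracking host in between) is revealed without loading the final page. The hostnames in SAMPLE_RESPONSES are constructed stand-ins for the network, and MAX_HOPS is an assumed limit.

```python
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10  # assumption: a shortener chain longer than this is itself suspicious


def fetch_location(url):
    """HEAD the URL once; return (status, Location) without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop urllib from auto-following the redirect

    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "url-expander-example"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises for 3xx once redirects are off
        return err.code, err.headers.get("Location")


def expand_url(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Walk redirects hop by hop; return (final_url, chain, reason)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain, "final"
        url = urljoin(url, location)  # Location may be relative to the current URL
        if url in chain:
            return url, chain, "loop"
        chain.append(url)
    return url, chain, "too-many-hops"


def hosts_in_chain(chain):
    """Distinct hostnames in order; each one sees the click before the final page does."""
    return list(dict.fromkeys(urlsplit(hop).hostname or "" for hop in chain))


# Constructed sample responses standing in for the network (not real sites).
SAMPLE_RESPONSES = {
    "https://short.example/abc": (301, "https://tracker.example/r?u=1"),
    "https://tracker.example/r?u=1": (302, "/landing"),
    "https://tracker.example/landing": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, None))
```

Calling `expand_url("https://short.example/abc", fetch=sample_fetch)` walks the constructed chain offline; omit the `fetch` argument to resolve a real shortened link.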

Giveaways 

Cybercriminals may use social media platforms to offer free items or goodies while claiming that such items require completing additional tasks, such as signing up for costly goods, services, or subscriptions. Users may also need to fill out surveys requesting personal information, such as email addresses, telephone numbers, and dates of birth. Several scams have circulated on multiple social media platforms, including those offering free chocolate and free groceries. Cybercriminals may also use a technique called “like-farming” to convince users to like or comment on a post; once the post has accumulated enough likes or shares, they edit it and add a malicious link. The NJCCIC recommends users exercise caution when interacting with, clicking on links in, or sharing personal or financial information through social media posts, even those that appear to be legitimate. It is important to research the businesses in question and look for trusted marks indicating that pages from legitimate brands or entities have been verified before liking and sharing information. Instead of clicking on links in posts, navigate directly to authentic vendor websites by typing the legitimate URL into the browser. For giveaways, legitimate businesses may ask for personal information such as email addresses, but they will not ask for financial information.

Tickets for Events

Cybercriminals may offer goods and services at discounted prices, such as tickets for events, claiming they cannot attend the event or there has been a death in the family. They may promote and sell tickets to events in the hope of convincing their targets to pay before a competing buyer does and before verifying event details and status. The offer may convey a sense of urgency to convince users to grab the amazing deal within a limited time. However, these scams may involve events that were free or were canceled, and the deal or tickets do not exist. The NJCCIC recommends users refrain from booking such deals and instead navigate directly to authentic vendor websites by typing the legitimate URL into the browser, and we advise confirming event details and status before responding or providing any personal or financial information.

Gift Exchanges

Many people enjoy participating in group gift exchanges, such as Secret Santa and Secret Sister, which rely on recruiting individuals to buy and ship gifts to unknown individuals in the hope that the favor is reciprocated; however, this fun exchange can turn into a scam, robbing users of their money and their personal and financial information. The convincing invitation requires users to sign up for the gift exchange by providing their name and address along with personal information for several additional individuals. Some gift exchanges promise participants many gifts in exchange for sending one gift. Other variations include “pay it forward” schemes in which money is sent to strangers and “Secret Santa Dog” in which $10 gift cards are sent to secret dogs. These scams are considered an illegal pyramid scheme in the US. The NJCCIC recommends users participate in gift exchanges only with individuals they know personally. We advise users to safeguard personal and financial information to help prevent identity theft or the opening of other accounts in their name.

Other social media scams include gift card scams, charity donations, romance scams, lottery scams, loan scams, fake job scams, false investment scams, advanced fee/inheritance schemes, paid subscription fraud, and access token theft. If an offer is “too good to be true,” it probably is!

Recommendations

The NJCCIC recommends users practice good cyber hygiene, remain vigilant online, and protect their information, especially when interacting on social media platforms.

  • Use unique, complex passwords for all accounts. Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Enable multi-factor authentication (MFA) where available. MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed.
  • Refrain from sharing login credentials or other sensitive information. Login credentials and other sensitive information should not be shared with anyone or saved on your computer or other platforms.
  • Update passwords immediately following a data breach or potential compromise. Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change exposed passwords for every account that uses it to protect against account compromise.
  • Keep devices up to date. Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
  • Secure physical devices. Safeguard devices and ensure a password/passcode is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen.
  • Use the NJCCIC instructional guides to implement security and privacy controls for Facebook, Instagram, and Twitter, and configure similar settings on all other accounts. Tightening security and privacy settings will help to prevent account compromise and the unintended sharing of sensitive information, including PII, photos, and videos.
  • Understand your digital footprint. Review and apply recommendations found in the NJCCIC product How Big is Your Footprint? The smaller your digital footprint, the less publicly-accessible information is available for threat actors to more effectively target you.
  • Connect only with people you trust. Ensure your connections are limited to people you know and trust and limit the information shared with them. Look for trusted marks to indicate pages from legitimate brands or entities have been verified.
  • Do your research. Perform a quick search for businesses in question and search for previous complaints, reviews, or scams.
  • Navigate directly to websites. Instead of clicking on links in communications, navigate directly to authentic or official websites by typing the legitimate URL into the browser.
  • Use secure websites. When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.
  • Make online purchases with credit cards over debit cards. Credit cards offer better consumer fraud protections than debit cards. If a purchase was made through a social media ad and deemed a scam, request a new credit card number from your bank, monitor your accounts, and check and freeze your credit.
  • Review policies and report violations. Review social media policies and report any policy violations, including suspicious or harassing behavior, to your social media platform, such as Facebook, Instagram, and Twitter. You may also report cyber incidents to the NJCCIC via the Cyber Incident Report form.
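The breach check recommended above (haveibeenpwned.com) in working form, as an added example that is not NJCCIC's tooling: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves the device and the matching is done locally. The endpoint is the service's real one; the sample response body and its counts are constructed so the block runs offline.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint (k-anonymity model): the query carries
# only a 5-character hash prefix, so the service never sees the password or full hash.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range API returns into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Download the suffix list for one hash prefix (network call, used by default)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample body in the API's line format; suffixes and counts are made up,
# except that the second suffix is the real SHA-1 remainder of "password".
SAMPLE_RANGE_BODY = (
    "0123456789ABCDEF0123456789ABCDEF012:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
)


def sample_fetch(prefix):
    return SAMPLE_RANGE_BODY
```

`breach_count("password", fetch=sample_fetch)` exercises the parser offline; drop the `fetch` argument to query the live service.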

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
