Phishing is one of the most common social engineering techniques attackers use to lure people into divulging their information. The CISCO 2021 Cybersecurity Threat Trends reported that phishing accounts for 90% of data breaches.
Phishing attacks can take many forms, depending on how advanced the scammer is. One of the newest techniques is angler phishing.
Like a typical phishing attack, angler phishing aims to trick victims into divulging personal details, financial data, and other sensitive information.
But instead of targeting email users, an angler phishing attack targets social media accounts. However, organizations can counter these attacks with in-depth awareness and good security practices.
So what is angler phishing?
How do you avoid angler phishing emails? These are the questions we’ll tackle in this article. Read on!
What is Angler Phishing?
Angler phishing is a new scam technique where cyber actors masquerade as customer support staff using social media platforms and accounts. The mission is to trick dissatisfied customers into revealing personal details.
An angler phishing attack got its name from an aquatic creature, the angler fish – a fish that hunts other fish. It has a luminescent fin ray that lures prey in before devouring them.
Angler phishing attackers use the same tactics to fish for their prey. They create false social media accounts of top companies, particularly financial institutions.
Dissatisfied users trying to contact companies via Twitter, Facebook, or Instagram are captured by angler phishers. They ask victims to complete specific tasks to redirect them to malicious, attacker-controlled sites.
How Does Angler Phishing Work?
Angler phishing targets disgruntled customers of a company’s products or services. The attack begins when a customer complains about the services of a financial institution or company on social media.
A good example of an angler phishing attack is when customers complain about access issues regarding their bank accounts. When a customer mentions the company’s name, the attacker quickly creates a fake profile and then contacts the target, posing as a customer care agent and offering assistance.
During their interaction, the attacker might request the customer to provide personal details or click a link to resolve the issue. Once the victim clicks the link, they’re redirected to a fake site asking them to input their banking details.
If the victim doesn’t realize the scam and unwittingly inputs their details, the attacker succeeds, using the sensitive info to carry out their dubious plans. In other cases, clicking the link can infect your system with malware.
Who is Targeted During an Angler Phishing Attack?
Attackers execute angler phishing on all social media channels. Very much like in the case of phishing, anyone can become a victim of this attack. If you’re using a service and voice your opinion about it on social media, you can become a target. Financial institutions are the most common among impersonated companies.
Why is Angler Phishing Effective?
Angler phishing is effective because most social media users expect their company’s customer representative to contact them when they complain online. Often, the real customer agent takes time before contacting the customer. Anger phishers leverage this to lure their victims into their trap.
Another reason why customers fall prey to these attacks is the “human factor” of simple anger or frustration. They fail to check the profile for the official logo, the “verified” checkmark, or service history. Even if they do, they might miss something. The combination of anger and not being observant enough is a direct path to revealing personal information.
This leads us to the question: What are the clues to avoid phishing? Let’s talk about how you can avoid angler phishing.
How to Avoid Angler Phishing
Now that you know what angler phishing is, it’s time to turn to the methods of protection from it. Angler phishing attacks are so successful because they use social engineering tactics. Most people are unaware that hackers lurk around on social media, gathering any bits of information they can use against you. This attack type is a bit different; that’s why not all email phishing attack defense techniques work. Here are a few specific best practices to avoid angler phishing.
Verify the Company Account
Before replying to anyone who contacted you, confirm that the account is legitimate. Most social media accounts on platforms like Instagram and Twitter have a blue checkmark next to the account name, confirming its legitimacy.
Check the profile for spelling mistakes and the number of followers. A customer support account of a reputable institution should have many followers. Also, check the profile history to confirm whether the account has successfully assisted a customer before.
In addition, visit the company’s official website and check its “Contact Us” page to see if the account is mentioned as a point of contact.
Tag Specific Support Accounts
Most people turn to social media because it’s one of the fastest ways to answer queries. Attackers leverage this to scam impatient customers with angler phishing attacks.
Contacting business pages is efficient, but larger organizations have individual accounts that specifically handle customer complaints. You can tag these official accounts when complaining on social media platforms like Twitter and Instagram. We recommend that you only respond to these accounts once they reply to you.
Contact the Company on Other Channels if You’re in Doubt
Don’t be quick to reply to anyone that contacts you online. If you’re in doubt, reach out to the company directly. Taking extra precautions before any damage is done is vital. This way, you won’t need to worry about being disrespectful to the agent that contacted you.
Avoid Clicking Links
Links are one of the many ways scammers execute phishing attacks. So don’t click on links from unverified sources. Also, never send sensitive information like your login details to anyone, even if it’s a customer care agent. Most attackers create a sense of urgency to make you feel you have no other option but to do what they say.
Check our safe link checker to find our if a link is safe to click on.
Report Fake Accounts to the Authorities
If you notice a fake social media account of your business, report it to social media support immediately. Also, notify your customers so they won’t fall victim to the scam. Encourage them to report any copycats to you and your community as well.
Educate your users on how to avoid phishing email scams and offer them alternative contact channels. If you’ve had a change or an update in customer service procedures (moving to live chat from email or a contact option on social media), inform your users immediately.
Don’t Stop Contacting Proper Channels on Social Media
You might think that it would be best to stop mentioning your service providers on social media at all, right? Wrong! You shouldn’t stop talking to your favorite brands on your favorite channels because of the dangers of being victimized. These channels are extremely efficient in getting the community involved and sometimes even pressuring businesses to solve issues that bother many people.
The only thing you need to worry about is ensuring you’re speaking to the right person.
Final Thoughts
Now that you know what angler phishing is and how powerful it can be, it’s easier for you to notice them. Angler phishing attacks leverage customer queries to request sensitive data, which is used for identity theft and other fraud. Therefore, you need to ensure that you only answer customer service agents you contacted personally and turn to official contact methods before you share personally identifiable information with the customer service representative
While the success rate of angler phishing is alarming, social media remains one of the most effective communication tools for both organizations and customers.
With proper awareness of how to avoid phishing emails, you can prevent these attacks effectively and even improve the lives of fellow users, creating a sense of community by gathering around a specific pain point.