Recognizing and Preventing Social Engineering on Social Media

To connect with friends, family, and coworkers, it’s likely that we have all overshared our personal information on social platforms more than once. Unfortunately, the ease of access to an individual or company’s information has made social media an easy target for threat actors. 

According to Comparitech, threat actors “leaked more than 300 million Facebook User IDs, names, and phone numbers on the web,” within the last three years. Given the global impact these threats have had on online communities, we’re going to discuss scenarios of social engineering attacks on social media platforms along with how you can protect yourself, your organization, or both.


Successful Social Engineering Attacks Explained

Although social engineers — threat actors who use social engineering as part of their cyberattacks — have been using phishing and other attack types for decades, these tactics are becoming more and more common across social media platforms. 


Social Media and Social Engineering

The Research


Less targeted attacks — such as posting infected links as part of fake advertising — require very little research. However, if a threat actor wishes to target specific social media accounts, they will crawl the profile pages and gather information about their targets. 

Business executives may be targeted on social media platforms so the threat actor can gain a foothold to a valuable company’s internal networks and systems. The social engineer may go as far as to impersonate an executive or an entire company. The threat actor will extensively research the “bigger fish” to successfully carry out their attack. 

Methods Used

This stage is typically called the investigation stage because the threat actor will use whatever means necessary to gather the needed information. Threat actors may use bots to scrape the needed personal information to carry out the next stage of the attack. 


The Relationship

Once a threat actor has information on a target, they may try to build rapport, offer help, or scare the target to more easily trick their victim. For example, a threat actor could:

  • Reference a “mutual friend” so you’ll accept their friend request on Facebook.
  • Offer to help you resolve issues with your account.
  • Exploit or abuse services of the platform to impersonate someone they are not (i.e., Twitter Verified Account scams).
  • Assert that your account needs verification or a password reset.

Methods Used

This stage is known as the hook because the threat actor provides a tempting offer or information that the target wants. Some threat actors may use phishing attacks or other methods in this stage to get what they need so that they can then build a relationship with their main target. They may then attempt to tell a story or provide information that the victim would want. 


The Exploitation

Once the social engineer has set up the pretext, all they have to do is convince their victim to act. For example, if the threat actor claims that a prize has been won, they would then provide a seemingly innocent link that would take their victim to a page outside of the social platform to claim their “prize.” 

Methods Used

This stage is known as the play because the threat actor is fooling — or “playing” — the innocent social media user. Several types of attacks may be used here, such as SMS phishing, pretexting, and baiting.


The Attack and Beyond

Once the target performs the desired action, the attack has been launched. The threat actor will steal the data, infect the victim’s computer or network, or steal the victim’s social account or other accounts. For example, the victim may click on an infected link that installs malware onto their system. Once the attack is complete, the social engineer will attempt to finish their attack and end the engagement without drawing suspicion. 

Methods Used

Known as the exit, this last step uses a variety of tools and techniques — malware, bots, and more — so that the threat actor has what they want and no one's the wiser. Frequently, the threat actor is after more than one target or more than one goal, so this process repeats itself. 


Even the World’s Most Famous Hacker Has Been a Subject of Attacks

Founder of Mitnick Security, Kevin Mitnick has experienced both sides of the attack. Kevin Mitnick’s Instagram and Twitter accounts have been impersonated more than once. Threat actors will often choose well-known people of interest to impersonate in the course of launching a social engineering attack on social platforms. In these situations, the fake Kevin account would promise cybersecurity services to individuals and ask for payment. Unsuspecting victims would follow through because they were unaware that the real Kevin was not involved at all.


Prevent Social Engineering on Social Media

Don’t Overshare Personal Information

Adjusting your social media account settings and being more careful with what information you share online can be an effective defense against social engineering. To protect yourself, your family, and your organization, avoid sharing personal information such as:

  • Private and business email addresses.
  • Any account log-in details.
  • Your physical address.
  • Your phone number

You can also customize your privacy settings across your accounts so that only people you know can see your personal information.


Use Multi-Factor Authentication

Multi-factor authentication (MFA) requires the user to provide at least two methods of identity verification before granting access. MFA can help protect your social media accounts, business accounts, and more. 


Beware of Suspicious Messages and Links

Even if the message and actual link look valid, it’s best not to click on anything unless you have done your homework. You can use Google Search to validate the company or research typical company processes and promotions. You can also contact the company using the company website or follow other security awareness training tips.


Avoid Using Public Wi-Fi

Public Wi-Fi is commonly used by threat actors to place themselves between their target and the connection point. In this scenario, you are not connected to the hotspot directly. Instead, the threat actor is collecting your user data or redirecting it to another source. Some signs of threat actor involvement include frequent disconnections, strange web addresses, and network delays. Always use a VPN and avoid connecting to strange or unfamiliar public Wi-Fi networks.


Avoid Attacks on a Personal and Organizational Level

Social engineering on social media channels is here to stay. Partly due to past successful social engineering attacks on most social networking sites, threat actors see these platforms as prime opportunities for attacks. Since social engineering involves the human element, it’s crucial to educate yourself, your family, and your team on security best practices both in and out of the office. To discover what you can do to keep threat actors at bay, download your free guide, “Learn to Avoid Cyber Threats in 5 ½ Easy Steps.”


New call-to-action

Topics: Social Engineering, social engineering attacks

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Red Team Testing vs. Penetration Testing

As the cost of cyber attacks continues to grow — in 2023, the worldwide cost of cyber attacks reached $8 trillion and, by 2025, the total cost is esti..

Read more ›

What Is Credential Harvesting and How Do Threat Actors Pull It Off?

Credential harvesting, otherwise known as credential compromising or credential theft, can be a highly devastating cyber threat. It also happens to be..

Read more ›

How Threat Actors Bypass 2FA and What Preventative Steps You Can Take

Two-factor authentication (2FA, or MFA) is a security layer designed to verify the identity of those logging in to accounts. By sending codes to the p..

Read more ›