Social engineering techniques, Social Media scams

The following article is the fourth of a series of articles on cyber attacks and the last of a series of three articles on social engineering techniques, and focuses on social media scams.

With Facebook averaging 1.71 billion monthly users and rising, and Twitter with 313 million monthly users, not to mention the other popular platforms, social media is an enormous opportunity for cyber criminals.

The scams are many and varied; let’s look at them in more detail:

  • The fake customer service account

Social media has become a favoured method for companies to interact with their customers, gaining feedback or resolving customer service queries. Scammers set up fake customer service accounts to try to steal login information and other sensitive data. These accounts will look genuine and the scammers will initiate dialogue with the customer before the bona fide company is aware that they have an issue; the aim will be to gain sensitive information, passwords or card details.

You can often identify these spoofed, fake accounts by paying particular attention to how the name is spelled: scammers may change a letter in the spelling or add unnecessary punctuation. Many official accounts carry verification symbols, so check for these.

You should never give away sensitive information online; it is always better to do a web search and call the customer service number of the company you need to speak to.
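One way to automate the spelling check described above, as an added example that is not part of the original article: a small Python classifier that flags handles which match a company’s official support accounts only once punctuation and look-alike characters are stripped, or which sit within a couple of edits of one. The allow-list and the handles fed to it are constructed placeholders, not real accounts.

```python
import re
import unicodedata

# Constructed allow-list of the handles a company actually uses for support.
# Placeholder values, not real accounts.
OFFICIAL_HANDLES = {"examplebank_help", "examplebank"}

# Digits and symbols commonly swapped in for look-alike letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(handle: str) -> str:
    """Drop the leading @, accents, case, punctuation and confusable glyphs."""
    h = unicodedata.normalize("NFKD", handle.lstrip("@"))
    h = h.encode("ascii", "ignore").decode().lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", h)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str, max_distance: int = 2) -> str:
    """'official' on an exact allow-list match; 'lookalike' when the handle only
    differs by punctuation, confusable characters or a few edits; else 'unrelated'.
    max_distance is a tunable threshold: lower it for very short handles."""
    raw = handle.lstrip("@").lower()
    if raw in OFFICIAL_HANDLES:
        return "official"
    norm = normalize(handle)
    for official in OFFICIAL_HANDLES:
        if levenshtein(norm, normalize(official)) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample handles: one genuine, two spoofs, one unrelated.
    for h in ["@ExampleBank_Help", "examplebank.help", "examp1ebank_help", "examplebank_support"]:
        print(h, "->", classify(h))
```

A "lookalike" verdict is a prompt to verify the account through the company’s own website, not proof of fraud; the platform’s verification badge remains the second check.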

  • Fake comments on popular posts

These are usually posted on popular news threads or popular accounts, in order to reach as many people as possible. They often include a link that will download malware or lead the victim to fake websites where they will be asked to divulge sensitive information. You should never click on links from an unknown source.

  • Fake live stream videos

These are often “free” streams of sporting fixtures or other broadcasts that would normally require the user to subscribe to a pay-per-view service. Of course, the video doesn’t exist, and the user may well have downloaded malware to their device. If something seems too good to be true, it probably is.

  • Fake online discounts

These are great offers and massive discounts designed to look like they come from legitimate companies, but follow the link and the victim lands on a fake web page aiming to steal money or confidential information.

It’s best to go to the official company website; if it’s a legitimate offer you’ll find it there and will be able to shop in safety.

  • Fake online surveys and contests

This technique has become very popular with cyber criminals looking to harvest confidential information to use for further scams, identity theft or to sell on. These surveys and contests often use the hook of a fabulous prize to get people to participate.

If you want to participate in a survey, make sure the company is legitimate, and if you wish to enter a contest, make sure it is a real one and not a trap!

  • Charity fraud

Perhaps one of the saddest online scams, charity fraud exploits well-publicised global disasters. Links in social media posts lead to well-crafted spoof charity websites, tricking visitors into believing they are making a donation to a worthy cause. This robs the victim and deprives disaster victims of much-needed support.

If you wish to donate, choose the charity yourself and make the donation via their official website, using a secure payment method.

  • Clickbait

Our curiosity is a key reason why so many scams are successful, none more so than when we are exposed to clickbait. Would you want to read the following?

“Lose 10 pounds in two days! Unmask the latest diet craze that will make you the envy of all your friends!”

“Lad tells girlfriend he’s going for a ‘quick pint’ and ends up in Ibiza”

“20 stars who look exactly like their children”

“Shocking ALS Ice Bucket Challenge Goes Wrong and Kills Little Girl”

These are typical examples of clickbait teasers, designed to trigger readers’ curiosity and persuade them to click the links.

Clickbait is in fact the term used for web content whose main goal is to get users to click on a link to a certain webpage. Once the link has been clicked, a pop-up is likely to appear urging the user to take a further action such as updating their video player or scanning their device for viruses.

Determined to read the news item or watch the video, the reader starts the download and ends up installing malware. Alternatively, the pop-up window may ask the reader to register in order to access the news – at best they have subscribed to a service that will bombard them with unwanted content, at worst they have given up confidential information.

How to avoid falling for these scams?

First of all, don’t click! If a news story sounds bizarre, it’s probably fake.

  • When you spot an account that seems fake, block and report it.
  • Have a strong, up-to-date antivirus running on your device.

Impersonation can happen both online and offline, on social media and via email (phishing), but is often carried out over the telephone.

A scammer will try to impersonate an official entity in order to gain access to either money or personal and sensitive information.

Scammers often target taxpayers, informing them that they owe money to the government and urging them to pay immediately over the phone, or asking for sensitive information to move a matter forward.

What should you do if you receive such a call?

Authorities will never telephone asking for personal information or immediate payment.

If you are in doubt, end the call and telephone the official number of the organisation who will be able to either confirm or deny the request. If you suspect any kind of impersonation scam, alert the authorities.

What about online impersonation scams?

Online and social media impersonation scams are very popular, especially when it comes to romance. Dating websites are the favourite platform for romance scams, where the fraudster steals pictures from a real profile and uses them to build a fake account and contact users.

The technique of stealing real-life pictures and opening fake accounts in order to spam users is also widely used on social media platforms like Instagram and Facebook. The scammers begin by approaching the victim and starting a conversation which at first seems totally legitimate. After moving the conversation forward, the scammer will ask the victim to phone, meet or “download” a private chat. Much of this interaction may be automated using bots.

Of course, the telephone call or the meeting will be used to steal money, and the private chat will download malware.

Similar to romance scams, sextortion scams also target individuals on dating websites or social media platforms looking for a companion.

In this case, the scammer will build up communication with the victim, to the point where they are asked to exchange “explicit” pictures that will be used for blackmail.

Last but not least, another impersonation scam involves stolen information relating to someone you may have known in the past or someone in your family.

Often these scams pretend that the victims’ “friend or relative” is in trouble and needs money urgently.

What can you do to spot and not fall victim to an impersonation scam?

If you use dating websites or social media to find love, be aware that some profiles could be fake; you may want to do a reverse image search to make sure the person you’re talking to is real and not a robot.

In 100% of the cases, if the person on the other end asks you to download something, call a number or disclose private information, it will be a robot, so you should end the chat right away!

Ask yourself why someone would need financial or personal information, or would ask you to download something to your device.

Even though the account seems to belong to your pen pal from school or to your aunt in Australia, why would they need access to such information? And if this is a relative or a close friend, why would they contact you via social media to tell you they’re in trouble and need money?

Whoever the person claims to be, you should always double check the validity of the account and, if that is a friend or a relative, just get in touch with them in some other way.