Hook, Line, and Sinker: Phishing on Social Media

As social media has diversified in the content it offers and the ways it is consumed, scammers have adapted their methods to target people across each platform.

Phishing, as used here, is any fraudulent communication, whether over email, social media, or another channel, whose goal is to trick the recipient into handing over sensitive information such as passwords, credit card numbers, or social security numbers.

Staying safe against these threats requires being mindful about who you interact with online and knowing how to recognize a phishing attempt. To help with this, we have outlined common schemes seen on social media so you can recognize them when they reach you.

The “Check Out My Blog” Bot on Tumblr

On Tumblr, you may receive messages from someone you don’t follow asking you to take a look at their blog, website, game, etc. Usually this is not a real person – it’s a fake profile generated by a bot that sends out mass messages to lure people into phishing schemes, drive traffic to a page, or otherwise make money. Sometimes these fake profiles look fairly well put together, with a profile picture, a handful of posts, and a name that might almost seem real.

Figure 1. Phishing in Direct Messages on Tumblr

Most of the time you can tell these bots from real people on the basis of normal social cues alone. It’s very unlikely that a real person would message a stranger out of the blue to ask them to look at their blog – on Tumblr, follower ties usually form through mutual followers or a shared interest in related content.

The “Duplicated Friend” on Facebook

The Duplicated Friend phishing attempt is when an attacker or bot creates a fake profile copying the identity of someone already connected to you. The fake then sends you a friend request, counting on you to accept because it presents as a trusted individual. Since most people allow Facebook Friends to see a good deal of personal detail (e.g. birthday, sometimes phone number, etc.), accepting the duplicate profile’s request gives the attacker access to those details as well.

A quick message to the person whose identity has been copied, sent through a channel you already trust rather than the new profile, will confirm whether the request is genuine. The best way to prevent these scams is to go to your Friends tab, open Settings, and tighten who is allowed to send you friend requests. Beyond that, it remains up to you to be mindful of whom you add as a friend.

The “I Just Won a Lottery!” Scam on Instagram

Figure 2. Examples of fake profiles on Instagram, Photo Credit: Softpedia

These scams use fake profiles that impersonate lottery winners. The profiles usually carry some personal detail, such as a username that sounds like a real name, a profile picture, and a description. The goal is to trick people into handing over their email address or other personal information in order to take part in a “giveaway.” Sometimes this includes a post asking followers to click a link and donate 99 cents, supposedly to cover postage, which exposes them to having their credit card details stolen. Softpedia makes a good point: even if only 10% of the followers of a 111k-follower account donate 99 cents each, the scam still nets more than $10,000.

The “Check Out This Link” on Twitter

Figure 3. Example of Phishing via DMs on Twitter, Photo Credit: ZDNet

This scam targets Twitter users through their direct messages. The fraudster uses an already hijacked account to send DMs containing links to fake login pages that capture the recipient’s credentials. The attack cascades: once one user’s account is compromised, it is used to message that account’s contacts, and each wave of stolen credentials seeds the next wave of fake links.

Common Themes Between All Platforms

Across all of the scams listed, the common features are: a) sending or advertising suspicious links, and b) sending unsolicited friend requests or messages. The easiest way to protect yourself is to keep the security settings on each of your profiles up to date, avoid clicking unsolicited links, and report phishing activity when you see it.
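The “Check Out This Link” DMs and the “sketchy links” theme above both come down to one question: does a link that claims to be a social-media login page actually point at that site? The checker below is an added example, not code from the original article or from any of the platforms named; it encodes the usual tells of a credential-phishing link (a brand name in the wrong part of the hostname, look-alike characters, a link shortener, a raw IP address, the `user@host` trick, a brand name that appears only in the path). The hostname lists, the look-alike table and the similarity threshold are assumptions for illustration, and the sample links it is run on are constructed, not taken from a real campaign.

```python
"""Heuristic phishing-link checker (added example; lists and threshold are assumptions)."""
from difflib import SequenceMatcher
from urllib.parse import urlparse
import ipaddress

# Hostnames treated as each brand's genuine login hosts (assumed for the example; extend as needed).
LEGIT_HOSTS = {
    "twitter": {"twitter.com", "www.twitter.com", "mobile.twitter.com"},
    "facebook": {"facebook.com", "www.facebook.com", "m.facebook.com"},
    "instagram": {"instagram.com", "www.instagram.com"},
    "tumblr": {"tumblr.com", "www.tumblr.com"},
}

# Shorteners hide the final destination, so the recipient cannot judge the link before clicking.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Character swaps commonly used to spoof a brand name in a hostname (constructed, not exhaustive).
LOOKALIKES = {"0": "o", "1": "i", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def despoof(label: str) -> str:
    """Undo common look-alike substitutions so that 'tw1tter' compares as 'twitter'."""
    out = label.lower()
    for fake, real in LOOKALIKES.items():
        out = out.replace(fake, real)
    return out


def check_link(url: str) -> list[str]:
    """Return the reasons a link looks like a credential-phishing link (empty list = none found)."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname in link"]

    if parsed.scheme != "https":
        findings.append("not served over https")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name
    if host in SHORTENERS:
        findings.append("link shortener hides the real destination")
    if parsed.username is not None:
        # 'https://twitter.com@evil.example/' is a login to evil.example; the part before '@' is userinfo
        findings.append(f"'@' trick: text before '@' is ignored, real host is {host}")

    labels = [despoof(lbl) for lbl in host.split(".")]
    path = parsed.path.lower()
    for brand, real_hosts in LEGIT_HOSTS.items():
        if host in real_hosts:
            continue  # genuinely the brand's own host
        imitates = any(
            brand in lbl or SequenceMatcher(None, lbl, brand).ratio() >= 0.8
            for lbl in labels
        )
        if imitates:
            findings.append(f"hostname imitates {brand} but is {host}")
        elif brand in path:
            findings.append(f"{brand} appears only in the path; host is {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample links, not real campaign data.
    samples = [
        "https://twitter.com/login",
        "https://twitter.com.login-verify.xyz/session",
        "https://tw1tter-login.com/verify",
        "http://bit.ly/abc123",
        "https://twitter.com@evil.example/twitter/login",
        "https://192.168.1.10/login",
    ]
    for link in samples:
        print(link, "->", check_link(link) or ["looks consistent with a real login host"])
```

The check is deliberately a heuristic: a genuine host passes every test, and a link can fail several at once. It is meant as a quick triage for a DM or post, not as a replacement for checking the address bar after the page loads.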

This article was written by Kristina Weber, Content Supervisor at Centry Global.
