Social media scams are just one of the many ways cybercriminals are taking advantage of people online these days.
If your social media networks are anything like mine, you’ve noticed an uptick in people getting “hacked” lately. Maybe you’ve gotten a weird Facebook message from someone you hadn’t spoken with in a while. Maybe your least techy friend is suddenly talking about crypto on Instagram. Or perhaps you’ve seen post after post on your timeline of someone saying something like, “Sorry everyone, I got hacked!”
So what’s the deal? Why are your aunt and your favorite podcaster and that girl you went to high school with suddenly getting hacked? Isn’t that something that used to only happen to celebrities?
The short answer: everyday people are easy and cheap targets for cybercriminals. Now let’s dig into the long answer.
Is everyone actually getting hacked?
First things first: Your aunt wasn’t hacked. She was phished, which is a different type of cybercrime. Hacking is “the application of technology or technical knowledge to overcome some sort of problem or obstacle.” Hackers can have good intentions (like those we work with here at Avast), or they can have criminal purposes (like those who broke into Facebook in 2018). Regardless of intent, hacking requires real technical knowledge: finding and exploiting a weakness in software or a system, not just sending a convincing message.
Phishing, on the other hand, is a social engineering technique that manipulates people into voluntarily giving up sensitive information. Phishing scams can be simple (e.g., a message with a link saying “look who died”) or elaborate (e.g., a tech support scam), but they always use some form of electronic communication to trick and defraud people.
Crucially, phishing relies on the victim trusting the scammer and taking an action, like clicking a link or sending bank account information, for the scammer to get what they want. Unlike hacking, phishing does not require advanced technical skills: the victim does the hard part by handing over their own password.
Types of social media scams
It’s not your imagination: social media scams are on the rise. According to the Federal Trade Commission (FTC), social media scammers stole a total of $770 million from Americans in 2021, almost three times the $258 million stolen in 2020. Social media has become the most profitable way for scammers to reach victims. That’s because it’s cheap, and because social media offers the thing a phishing scam most needs to succeed: personal information and trusted relationships that can be exploited.
“The reason they target legitimate accounts instead of creating new fake ones is that there is an existing level of trust in the connections network,” Avast Global Head of Security Jeff Williams says. “If you and I are friends on Facebook, for example, and you send me a private message, I naturally assume that it is really from you and not spam. As a result, I’m much more likely to follow a link.”
So, what social media scams should you look out for? Here are some of the top ones.
Direct message scams
Direct message (DM) scams are a vector for many phishing-based social media scams. Scammers send a direct message from the compromised account of a victim’s friend saying something like “is this photo of you??” or “look who died” with a link attached. The link leads to a fake sign-in page that steals the victim’s credentials, or to a page that asks for money to view the promised image or video. The scammers rely on people’s trust in their social media friends and natural curiosity to get victims to click without thinking and hand over private information. Each stolen account then becomes the sender for the next round of messages, which is why these scams spread through friend networks so quickly.
Crypto investing scams
Crypto scams are blowing up right now, especially on social media. I have seen multiple friends’ Stories on Instagram talking about crypto investing — and it’s never my techie friends. These scams use phishing techniques, usually a malicious link, to get someone’s account credentials and take over their account. They then use that account to spam the victim’s friends and, like many of the ones I’ve seen, take over their Stories and posts to talk about crypto and further spread the scam. The goal is to get you to “invest” in cryptocurrency on their fake investment sites or to hand over the credentials for your existing crypto wallet or exchange account so that they can steal your money.
Catfish/romance scams
Catfish and romance scams are, in my opinion, some of the most sinister. These scams rely on people’s genuine desires for connection and love to defraud them of money. Romance scammers create fake profiles on social media sites like Facebook or Instagram — and, increasingly, on legitimate dating sites — and then connect with intended targets. They come on fast and strong, creating a romantic and/or sexual bond with their victims, and eventually ask for money for an “urgent” reason. Be aware of the fast-growing trend of crypto-romance scams, which take the age-old catfish method and add a layer of payments via cryptocurrency that are very hard to reverse or recover once sent.
Sugar daddy scams
Sugar daddy scams are a crossover between romance and DM scams. The scammer poses as an older, wealthy man looking to pay a younger woman (aka the sugar baby) for her time. But, surprise! He’s not a sugar daddy. He’ll ask the young woman to send over money (often gift cards, a favorite of online scammers because they can’t be reversed) to “verify” their payment information. Ultimately, the “sugar baby” ends up being the one who pays, not the other way around.
‘Who viewed my profile?’ scams
Have you ever seen an ad purporting to reveal who viewed your profile? Please don’t click on it. Those ads are a form of phishing that preys on people’s natural curiosity and vanity. Their only goal is to steal your social media credentials to either a) gain access to your accounts or b) sell them on the dark web.
Fake advertisements
These scams utilize fake advertisements that look like they’re coming from legitimate companies to get people to buy non-existent products. Most commonly, people place orders for items that they see advertised online but never receive the items. These types of fake advertisement scams accounted for 45% of all reports of social media scams in 2021, according to the FTC.
Avast Threat Labs detected a fake advertisement scam in 2021 that scammers had used to steal over $100,000 by the time they were caught. The ads promised Amazon cryptocurrency tokens and brought victims through a convincing process to “invest” in this “opportunity.”
Locked out of my account scams
This type of social media scam relies on the fact that most people want to be kind and helpful. It usually involves a DM from someone claiming they’ve been locked out of an account and need help getting in. They’ll ask you to click on a link to retrieve their password for them, but that link will be malicious. That means you’ll either get malware on your device, or you’ll be redirected to a site that asks you to enter some valuable information — like login credentials or financial information — so they can steal it.
‘Please help!’ scams
Finally, there will always be scammers who take advantage of tragic situations. That’s been the case with the current war in Ukraine. Avast security experts very quickly detected scammers claiming to be Ukrainians in need on social media and asking for money in the form of cryptocurrency.
Another version of the “please help!” scam is commonly called a “grandparent scam.” This is where a scammer poses as the grandchild of an intended victim and claims to be in a dire situation — like being stuck in a foreign country or having been arrested — and to need financial help immediately. These scammers prey on a person’s love for their grandchild and desire to protect them, which is a pretty heinous thing to do.
How to avoid getting hacked on social media
Don’t click on links
Especially if they look weird! Ask yourself: Would your friend send a link about this? And if they would, would it be a shortened one? The links scammers send are usually run through a link shortener to disguise where they really go. Before you click, hover over the link (or long-press it on your phone) to see the real destination, and look closely at the actual domain, not just a familiar name that appears somewhere in the address. If the link looks fishy, it’s probably phishing.
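As an added illustration (not code from the original post), here is a small Python helper that applies the checks above to a link before you click it. The shortener list, the brand list and the sample links are constructed for the example, and the domain check is deliberately crude: it takes the last two labels of the hostname, so it would misjudge domains like example.co.uk; a real tool would use the Public Suffix List.

```python
"""Triage a link from a DM before clicking it.

Added example, not from the Avast post. The shortener and brand lists and the
sample links are constructed; the registrable-domain logic is deliberately crude.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed list of popular shortener hosts that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}

# Constructed: brand names that get cloned, and the domains those brands really use.
BRANDS = ("facebook", "instagram", "paypal", "amazon", "google")
LEGIT_DOMAINS = {"facebook.com", "instagram.com", "paypal.com", "amazon.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Assumes single-label public suffixes
    (.com, .ly), so a real tool should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_link(url: str) -> list[str]:
    """Return the red flags found in a URL; an empty list means none of these checks fired."""
    flags: list[str] = []
    had_scheme = "://" in url
    if not had_scheme:
        url = "https://" + url          # bare 'bit.ly/abc' as a browser would treat it
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)

    # 1. user:pass@host trick: the part before '@' is NOT the site you land on.
    if parts.username is not None:
        flags.append(f"text before '@' ({parts.username}) is not the real host ({host})")

    # 2. Shorteners hide the destination; expand before trusting.
    if domain in SHORTENERS:
        flags.append(f"link shortener ({domain}) hides the destination")

    # 3. Brand name in the hostname, but the registrable domain isn't the brand's.
    for brand in BRANDS:
        if brand in host and domain not in LEGIT_DOMAINS:
            flags.append(f"'{brand}' appears in the hostname but the domain is {domain}")
            break

    # 4. Punycode labels can render as look-alike characters (homograph attacks).
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode hostname (possible look-alike domain)")

    # 5. A raw IP address instead of a domain is rare for legitimate login pages.
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # 6. Plain http means anyone on the path can read what you type.
    if had_scheme and parts.scheme.lower() == "http":
        flags.append("plain http, no TLS")
    return flags


if __name__ == "__main__":
    # Constructed sample links of the kind seen in DM scams.
    for link in (
        "https://www.facebook.com/",
        "https://facebook.com@evil.example/login",
        "bit.ly/3abcXYZ",
        "https://facebook.com.security-check.example/login",
        "http://192.0.2.10/login",
    ):
        print(link, "->", triage_link(link) or ["no flags"])
```

An empty result only means none of these particular checks fired; a well-crafted phishing domain can pass all of them, which is why the advice above still ends with not clicking unexpected links at all.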
Be wary of unsolicited messages
If someone you haven’t spoken with in years — or someone you don’t know — randomly messages you, you should automatically be wary. We’re not saying that anyone reaching out on social media is sketchy. But there’s a higher bar to pass for legitimacy, so don’t assume that just because you’re “friends” online, you’re messaging with your friend.
Turn on MFA everywhere
Multi-factor authentication (MFA) is a security measure that requires two or more things from you to sign in to an account. For example, your Gmail on your computer might ask for your password and then ask you to approve a prompt in the Google app on your phone to confirm that it’s you signing in. The idea is to prevent someone who has obtained your password, perhaps through a social media scam, from getting into your account. And since data breaches happen all the time, MFA is essential these days. One caveat: a fake sign-in page can ask for your one-time code right after your password and relay both to the real site within seconds, so codes sent by SMS or generated by an app reduce your risk but don’t eliminate it. Passkeys and hardware security keys are phishing-resistant, because the response they produce is tied to the real site’s address and is useless if it was produced on an impostor’s page.
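To make the difference concrete, the following added example (not part of the original post) simulates the same relay attack against a one-time code and against a passkey. It is a simplified model: the passkey’s signature is stood in for by an HMAC over a per-site secret rather than a real public-key signature, the origins, challenge and secrets are constructed, and the clock is passed in as a number so the run is deterministic; the one-time code part follows RFC 6238 TOTP.

```python
"""Why a phished one-time code still gets in, but a phished passkey does not.

Added example for this post, not Avast's code. Assumptions: the passkey
signature is modelled with an HMAC over a per-site secret instead of a real
public-key signature; secrets, origins and the challenge are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed secrets: one TOTP seed and one "passkey" enrolled with the real site.
TOTP_SEED = b"12345678901234567890"             # RFC 6238 test-vector seed
PASSKEY_SECRET = b"constructed-demo-passkey-secret"

REAL_ORIGIN = "https://www.facebook.com"
FAKE_ORIGIN = "https://facebook-login.example"  # constructed phishing domain


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def site_accepts_totp(seed: bytes, submitted: str, now: int) -> bool:
    """The real site checks the code for the current window only; nothing ties
    the code to the page the victim typed it into."""
    return hmac.compare_digest(submitted, totp(seed, now))


def authenticator_sign(secret: bytes, challenge: bytes, origin: str) -> dict:
    """A passkey signs over the challenge AND the origin the browser reports.
    (Real WebAuthn signs clientDataJSON, which carries the origin; HMAC stands
    in for the private-key signature here.)"""
    msg = challenge + b"|" + origin.encode()
    return {"origin": origin, "sig": hmac.new(secret, msg, hashlib.sha256).digest()}


def site_accepts_assertion(secret: bytes, challenge: bytes, assertion: dict) -> bool:
    """The real site rejects an assertion whose embedded origin is not its own,
    and because the signature covers the origin, the attacker cannot just edit it."""
    if assertion["origin"] != REAL_ORIGIN:
        return False
    expected = hmac.new(secret, challenge + b"|" + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def phished_totp_gets_in(now: int) -> bool:
    """Victim types the 6-digit code into the fake page; the attacker relays it
    to the real site within the same 30-second window."""
    stolen_code = totp(TOTP_SEED, now)              # seen by the attacker's proxy
    return site_accepts_totp(TOTP_SEED, stolen_code, now)


def phished_passkey_gets_in() -> bool:
    """Same relay attack against a passkey: the real site issues a challenge, the
    proxy forwards it, but the victim's browser signs it with the FAKE origin."""
    challenge = b"nonce-issued-by-real-site"       # constructed
    stolen_assertion = authenticator_sign(PASSKEY_SECRET, challenge, FAKE_ORIGIN)
    return site_accepts_assertion(PASSKEY_SECRET, challenge, stolen_assertion)


if __name__ == "__main__":
    print("phished TOTP accepted:   ", phished_totp_gets_in(now=59))   # True
    print("phished passkey accepted:", phished_passkey_gets_in())       # False
```

The point is not that the code is weaker cryptography; it is that nothing in a six-digit code says where it was typed, while a passkey response names the origin and is signed over it, so a relay from a look-alike site fails even when the victim does everything the scammer asks.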
Practice good password hygiene
Speaking of passwords, you know the rules by now: Use unique passwords (or passphrases) for every account. Use a password manager to keep track of them all. Change a password right away if you suspect it has been exposed (routine rotation on a schedule is no longer recommended; long, unique passwords matter far more). And don’t share them with anyone! Your passwords are for you and you alone. A password manager also helps against fake sign-in pages: it only fills your Facebook password on the real facebook.com, so if it refuses to autofill on a login page, treat that as a warning sign.
Use an ad blocker
Since one of the ways scammers use social media is through fake advertisements, use an ad blocker. It will keep you from seeing most of those ads, which means you’re not tempted to click on them. Keep in mind that an ad blocker does nothing about malicious links in DMs or posts, so it’s one layer of protection, not the whole solution.
Make sure you’re running antivirus software
Good antivirus software adds a layer of protection against many attacks, including the malware and known malicious sites used in social media scams. Get it; install it; keep it running. Just remember that it can’t stop you from typing your password into a convincing fake page, so it complements the habits above rather than replacing them.
I got hacked on social media! What do I do now?
If a social media scammer has already targeted you, don’t fret! You can take steps to secure your account (and money) against future attacks.
First, change your password immediately. If you don’t, the scammers can keep using your account to spam your friends or even lock you out of it. While you’re in the settings, log out all other sessions or devices, check that the recovery email address and phone number are still yours, remove any connected third-party apps you don’t recognize, and turn on MFA if it wasn’t already.
Then, do some accounting: Did you use that password anywhere else? If you did, you have to change it on those logins. The scammers could sell your information, which would potentially give other criminals access to other accounts of yours if you’ve reused passwords.
Once you’ve regained control of your account, post a short note letting everyone know what happened. Chances are a bunch of your friends already clicked on a bogus link from “you,” but it’s common courtesy to warn everyone else, just in case. And throw in a little apology for any of those friends who did click. It doesn’t hurt!
If you’ve lost control of your accounts, most social media services have a “recover my account” process now. It’s probably going to be a pain in the butt, but it’s worth it to stop the scammers who are impersonating you and probably bugging your friends.
Social media scams are only one of the many ways cybercriminals take advantage of people online these days. Pay attention, stay skeptical, and remember: Don’t click on links you weren’t expecting!