August 9, 2018 By Joan Goodchild 5 min read

The massive rise in popularity of social platforms has led to a huge upswing in social media scams — putting a growing pool of users at risk. Facebook had 2.23 billion monthly active users as of the second quarter of 2018, while photo-sharing site Instagram hit 1 billion monthly active users by June 2018, according to Statista.

By empowering users to share and connect, social media platforms open the door for a variety of different security and privacy concerns. As any security professional will tell you, allowing your employees to use social media sites on corporate networks could make your system increasingly vulnerable.

Unfortunately, there are many social media scams your team must know about. Here are the biggest scams to watch out for in 2018.

1. Catfishing

Ah, l’amour. Most of us are suckers for it, and a variety of scammers are turning to social media sites like Facebook to take advantage of this fact. Catfishing is an internet scam in which a cybercriminal creates a fake online profile to seduce a victim into a fictitious online relationship — usually to get money or other benefits from the victim.

Of course, this doesn’t just happen on Facebook. Unsuspecting users of dating sites and apps are also common prey for fake profile scams.

“A catfisher scours through the user base, looking for a particularly vulnerable and eager user open to emotional manipulation,” wrote Heimdal Security.

Once the catfishing criminal lures their victim, they begin establishing trust and building a relationship. Eventually, this culminates in an agreement to meet, but the victim finds out it’s not that easy. Suddenly the catfisher needs funds to travel to see the victim, cover visa processing fees or help with some other financial shortcoming that must be resolved before the meeting can take place. Unfortunately, this is all a ploy to manipulate the victim into giving up their money.

Facebook announced last year that it was making an effort to reduce catfishing by leveraging artificial intelligence (AI). Facebook officials said at that time that they were developing features to make users aware of instances when their photos have been posted without permission.

2. Profile Hijacking

The Facebook profile hijack is another take on using a fake profile for nefarious means. In this case, cybercriminals often use the attributes and details of real people — like their photos, hometown and occupation — to set up profiles pretending to be that person. Other versions of this scam involve breaking into an existing profile, changing the password and using what has been a trusted profile to scam users in the person’s network.

Once in, the scammer might use the profile to ask the victim’s network for money. Often, a cybercriminal will message the user’s connections claiming that they have lost their wallet while on vacation and need a wire transfer of cash to get home.

3. Lottery Schemes

A ruse emerged earlier this year involving fake profiles that appeared to belong to top Facebook executive Mark Zuckerberg. The cybercriminals sent messages to other users informing them that they’d just won lottery prize money.

“The pitch often begins with an unsolicited ‘Hello. How are you doing?’ on Facebook or Instagram,” a The New York Times report explained. “The fake accounts then proceed, sometimes in broken English, to inform people of their enormous Facebook lottery prize.”

The New York Times profiled a victim who was told he had won $750,000. But to collect the winnings, he needed first to send $200 in iTunes gift cards. The victim, a retired Army veteran living on Social Security, bought the gift cards and sent the redemption codes to the user claiming to be Zuckerberg. But the requests for money didn’t stop — and he eventually lost an additional $1,310 before realizing he had been scammed.

4. Quizzes That Mine Your Information

Which “Stars Wars” character are you? What city were you meant to live in? Which celebrity is your soulmate? Sound familiar? These are all popular quizzes that have been widely shared on Facebook, imploring users to take a few minutes for what seems like harmless fun.

But the Better Business Bureau (BBB) warns that some quizzes are designed to steal your data in an outright scam. Oftentimes, cybercriminals will include links embedded in the quiz that can steal information from your personal accounts. Once these criminals have your account information, they can use it to lure in other unsuspecting victims, including your friends.

“We always knew someone was trying to trick us with social media quizzes because they are free,” said Bill Fanelli, chief security officer at the BBB, in a release from the organization. “If there is no charge, then the value is the data they can collect. We also knew that it was for a use we probably would not like, because they went to such great lengths to hide their purpose. Now we know we were right on both counts.”

The BBB cautions users to be skeptical: Before you take a quiz, figure out who created it. Is it a brand you trust?

Security researchers with Symantec also note that the quizzes can be used as a cover for tricking users into subscribing to monthly services that will automatically charge their credit cards until action is taken.

5. URL-Shortening Cons

While URL shorteners are very useful for sharing a website link within a tight character limit, such as Twitter, they can also be used to mask a malicious page.

The Symantec report cited above also advises users to be careful about “blindly clicking on shortened URLs. You’ll see them everywhere on Twitter, but you never know where you’re going to go since the URL (‘Uniform Resource Locator,’ the web address) hides the full location.”

That location could be a nefarious site run by cybercriminals that can drop malware on your machine or lead you into some other scam. If you’re concerned about a shortened link, you can check it before clicking. There are a variety of websites, such as CheckShortURL, that offer a URL lengthening service, enabling you to paste in a link to see exactly where it leads.

6. Chain Message Hoaxes

Social media app Snapchat has run into a problem with chain message hoaxes, according to Tech Advisor. The ruse here involves trying to alarm users about something terrible that is going to happen to their data within the app.

“The most recent is a message being circulated that your Memories (i.e., saved photos) would be deleted unless you copy the message and share it with your friends,” wrote Tech Advisor.

A similar scam scared users by warning that any nude photos sent over Snapchat were going to be uploaded and shared.

These hoaxes are often made to look official because the cybercriminal creates the message in such a way that it appears to come from the official Snapchat account. Keep an eye out for poor grammar, spelling mistakes and other giveaways that the message is fake.

7. Money-Flipping

Money-flipping is a growing financial scam on Instagram and other social media channels. Criminals seek to extort money from users by convincing them to make a bum investment.

“Cybercriminals make it seem like their victims are investing their money in a business model that lets them ‘flip’ or double their money in no time at all,” according to IG Reviews. As ZeroFOX reports, many of these scams target military members. The cybercriminals in question often attract traffic from service members by using military-specific hashtags.

Why? ZeroFOX researchers say military personnel are often familiar with making overseas cash transfers, and military-specific banks have faster transactions and larger withdrawal limits to serve their customers.

Identifying Social Media Scams

Social media sites have brought people together, allowing them to connect and collaborate in ways that weren’t possible just a decade ago. But the price of that connection is the severe risk to privacy and security as cybercriminals lurk, waiting to take advantage of users’ personal information.

Employees who access social platforms from corporate machines could put your business assets and network at risk. By educating them about the common scams making the rounds periodically, you can ensure they stay aware and vigilant of the threats lurking on popular social sites.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human

More from Fraud Protection

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today