Recently, a reader who had encountered several phishing attempts on social networks turned to us with her story. Attempts to exploit people’s trust for someone else’s benefit are nothing new. However, while such attempts previously took the form of fraudulent emails, Facebook and Instagram have recently become increasingly popular platforms for these practices.
There are several fraud mechanisms, and they differ in their purpose. An attacker will usually want your money, access to your personal data, or ideally both. Although most of the tricks are easily spotted by an experienced user, many people unfortunately still fall for them.
This article is aimed less at our regular readers than at the dozens of people who, according to operators and the police, fall victim to these scams every month and are looking for a way forward. Of course, we will also focus on detecting such an attack and preventing damage before it occurs.
How does the attack work?
First, let’s look at the variant we will call a “targeted attack.” Here the attacker is not casting a wide net but going after you specifically, or a narrower group of your mutual acquaintances. The mechanism works by the attacker stealing the identity of one of your acquaintances, friends, or family members.
Wondering how this is possible? Very simply. The attacker picks one of your friends who has a publicly visible friend list, creates a new profile with the same or a similar name, and sets the same profile photo as your real acquaintance. They then try to reach you from this fake account. In most cases they will probably send you a friend request first, but they may also message you straight away. However, if a profile that is not among your friends writes to you, Facebook will notify you.
From the attacker’s point of view, it is usually necessary for you to accept the request first. If he happens to imitate the profile of someone you know but don’t write to very often, his chances are fairly high. Many people assume the person removed them from their friends by mistake and wants them back, or they simply click through all requests mechanically. If you are one of those people with hundreds of friends who add everyone they have seen once in their life, you may entirely miss that someone who is already on your friend list is asking for your friendship again.
Then the approach itself can take place. A message arrives from your “contact.” The attacker will either ask you to vote in a contest or claim that he needs your phone number (if he doesn’t already have it) so that a verification text message can be sent to it.
Voting in the competition
Assuming it is voting in a competition, it can go something like this. You receive a message in which the attacker greets you in a friendly way. He knows, for example, from the photos on the profile of the “copied” friend that the friend has a dog, so he asks you to vote for him in the competition for the most beautiful dog in Horní Dolní. You tell yourself this is no big deal and do your supposed acquaintance a favour.
The voting site will not look suspicious, but it will require you to log in via Facebook, Instagram or another social network. Once you fill in the fields, the attacker actually gets your credentials. The form is fake: instead of being the login gateway of the given social network, it stores or sends the entered data elsewhere.
If the attacker puts a little effort into creating the fake site, you may not notice anything at all, and it may even seem that the vote went through. You will probably only learn about the consequences later.
The previous “competition” mechanism aims to obtain access data. This can come in handy for the attacker, as can access to your account itself. Such data may be misused to gain access to other services, to defraud your friends, or sold on to other attackers. The confirmation-SMS variant, however, is a more demanding and sophisticated attack.
The beginning is the same as in the previous scenario: you receive a message from an alleged acquaintance. If your phone number is visible on Facebook, you make the attacker’s work easier. If not, he will have to obtain it first. This in itself may alert you that something odd is happening: how come your good friend doesn’t have your number?
The attacker will probably continue by saying that he has been trying to confirm a payment for some time but still isn’t receiving the confirmation code. He is in a hurry to pay, so he would like to use your number for the confirmation. As soon as you give it to him, the attacker makes a so-called m-payment, a form of internet payment made through the mobile operator. The amount is either deducted from prepaid credit or appears as a separate item on the monthly bill.
In this scenario, the attacker will likely create a sense of urgency so that you don’t have much time to think the situation over. At first glance, the course of the “operation” looks fairly legitimate: you really do receive an SMS with a payment confirmation code. These messages contain a warning not to share the code with anyone, but who pays attention to that? You skim the text and forward the requested code to the contact.
What you don’t realize at this point is that while it really was a confirmation of a payment made by your supposed acquaintance, you are the one paying for it. You will find out at the latest from your bill, by which time you will be out the corresponding amount.
The same scenario can, incidentally, serve other abuses: a phone number can help restore access to an account, authorize a card payment (whose details the attacker again obtained, for example, through a fake form), and the like.
Celebrity and brand competitions
The third type of attack differs in that no fake acquaintance approaches you; instead, you take the “bait” yourself to some extent. This form is widespread on Instagram. Scammers pretend to be celebrities, YouTubers, companies, e-shops, just about anyone you might expect to run a competition or promotion. Specifically, we noticed, for example, fake profiles of the entertainer Kazma and the brand Honor.
Some profiles offer electronics as prizes, some money; some may be just a discount voucher. Sometimes such an “advertisement” takes the form of a Story, sometimes a regular post, a comment, or even a direct message. The level of credibility also varies, from posts written in broken Czech to convincing graphic forgeries.
But all these methods have one thing in common: to get, or have a chance to get, some benefit, you have to register somewhere. And here everything is the same as in the “dog competition” scenario. You fill in your data on some dubious website, “ideally” your banking, payment card or PayPal details.
Instead of registering you, however, this information goes to the attacker, who quickly ensures that your funds change hands. Theoretically, there could be a second phase in which SMS confirmation is required for some step, and the attacker could then try the confirmation-SMS story.
You may come across these fake profiles more or less at random, but they may also contact you, often after you take part in a real competition. Scammers monitor (usually automatically) interactions with these profiles and then target people who are obviously interested in such content.
Scammers or automated bots often go after specific hashtags on Instagram (#soutez, #giveaway…). The tech YouTuber Vojta Dalekorej (WRTECH), for example, launched a competition on his Instagram that just such a bot caught. Subsequently, a fake profile (complete with a website) was created, from which his followers were contacted via private messages.
The message announced a win and pushed the user to click a link leading to the fraudulent page (it is still active, by the way; you can find the URL in the attached screenshot). It is therefore necessary to be careful about this type of “attack.”
How to defend against these attacks?
So far, we have described three main types of phishing attacks on social networks. Now that we know how they work, we can easily find the signs that tell you someone is trying to use them on you. We recommend paying attention to this section. If you encounter behaviour remarkably similar to one of the described scenarios, think carefully about what you are doing.
For “targeted” attacks, where a supposed acquaintance addresses you, the first indicator may be that you have no message history with that person. Since you are actually being approached by a new fake profile, logically you have never written to each other before. So if you remember that you have chatted with this person in the past, yet no such conversation exists, it is highly suspicious.
However, an inattentive or less technically proficient user may not notice this. The attacker may also be lucky and hit the profile of someone you have genuinely never messaged. Alternatively, he might try to convince you that a Facebook outage is preventing the conversation from appearing.
The next step is to look at the person’s Facebook profile. As the attached screenshots show, you can easily get to it from both the mobile application and the web.
The profile of the person writing to you usually leaves no doubt that it is a fraud. Most of the time it will have almost no friends, or only random people, or someone will be conspicuously missing, such as a family member. The fake profile will almost certainly be new and will have no or only a very short history of posts.
The last step may be to search for the person and find two identical accounts on Facebook. Comparing them will confirm beyond any doubt that the one writing to you is fraudulent.
In the case of the fake celebrity and brand profiles described above, detecting the forgery is even easier. On Instagram, unlike Facebook, the username cannot be completely identical. A closer look usually reveals an extra character in the username, a small “l” replaced with a capital “I”, and the like. The number of followers of a given profile is also a good indicator.
Verified-profile badges can also be a straightforward tool. Facebook, Instagram and other social networks mark popular profiles with badges to indicate their authenticity. Next to the username you will find a blue check mark that indicates a verified account. So if you search for the given person or brand and see that a verified profile exists while the one offering the competition is not verified, it is pretty clear what you are dealing with.
However, it is worth noting that even some real profiles are not verified. Either the person or company never requested it, or the social network refused to confirm it for some reason. We would focus mainly on the number of followers, the age and history of the profile, and the language quality of the posts.
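As an added example (not part of the original article), the following Python script mechanises the username checks described above: it folds look-alike glyphs such as a small “l” and a capital “I” into one form, strips separator padding and diacritics, and flags a handle that is one character away from a known one. The list of known handles is a constructed placeholder and is not claimed to contain the real usernames of the accounts mentioned in the article.

```python
import unicodedata

# Glyphs that render alike in common UI fonts, folded to one representative.
# Constructed and deliberately small; a real deployment would use the Unicode
# TR39 confusables table. Applied after casefold, so "I" -> "i" -> "l".
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l",
                             "0": "o", "5": "s", "3": "e", "4": "a"})
_SEPARATORS = "._-"  # Instagram allows "." and "_"; scammers pad with them

# Constructed sample of legitimate handles; names from the article, but not
# claimed to be those accounts' real usernames.
KNOWN_HANDLES = ["kazma", "honor", "wrtech", "horni.dolni"]


def skeleton(handle: str) -> str:
    """Comparison form: drop "@", diacritics, case and separators, then fold
    confusable glyphs, so "@H0nor" and "honor" both become "honor"."""
    h = unicodedata.normalize("NFKD", handle.strip().lstrip("@"))
    h = "".join(c for c in h if not unicodedata.combining(c)).casefold()
    h = "".join(c for c in h if c not in _SEPARATORS)
    return h.translate(_CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_handle(candidate: str, known=KNOWN_HANDLES):
    """Return (verdict, matched_known_handle): "known" for the exact handle,
    "lookalike" for an identical skeleton, "near-lookalike" for one edit away
    (the "extra character" trick), "unrelated" otherwise."""
    plain = candidate.strip().lstrip("@").casefold()
    for k in known:
        if plain == k.casefold():
            return "known", k
    cand = skeleton(candidate)
    best = min(known, key=lambda k: edit_distance(cand, skeleton(k)))
    dist = edit_distance(cand, skeleton(best))
    if dist == 0:
        return "lookalike", best
    if dist <= 1:
        return "near-lookalike", best
    return "unrelated", None


if __name__ == "__main__":
    for h in ["Kazma", "@H0nor", "kazma_", "HorniDoIni", "wrtechh", "some_user"]:
        print(f"{h:12} -> {assess_handle(h)}")
```

A verdict other than “known” is a reason to open the real profile via search and compare follower counts and history, as the text recommends, rather than trusting the message.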
What to do if you have already become a victim?
If you are reading this article only after falling for one of these methods, all you can do is try to minimize the damage. If you have the slightest suspicion that an attacker could have obtained your credentials anywhere, change them immediately. Of course, you must change them not only on the service through which you lost them but also wherever you use the same ones. For example, if you entered your Facebook password in a dubious competition form but use the same password for your email, you need to change both.
Next, we also recommend checking the list of logged-in devices. On Facebook you will find it under Settings and privacy -> Settings -> Security and login -> Where you’re logged in. On Instagram there is a similar section under Settings -> Security -> Login Activity. Here you can see all the devices with access to your account, including the one you are currently logged in from. You can log out any you don’t recognize.
The next step, of course, is to report the fraudulent profile. The procedure is almost identical on Facebook and Instagram: open the profile, tap the three-dot menu and select the Report option. Then choose the relevant reason and confirm.
If you suspect that the attacker has misused your profile to reach your friends, be sure to warn them as well, for example with a post. Don’t be reassured by not seeing any suspicious messages: the attacker could theoretically make detection harder by deleting them one by one so that only the other party can still see them.
Did you suffer any damage? You will need to contact the police.
Unfortunately, if the attacker lured money out of you, for example through a fraudulent m-payment, you don’t have much chance of getting it back. You can theoretically try to complain about the payment to the merchant it went to, but the chances of success are not high. You can also try contacting the carrier, but it cannot be assumed that they will refund a payment that you, in fact, made voluntarily.
All that remains is to turn to the police. Unfortunately, the chances that you will ever see the money again are not great. The amounts obtained this way are usually relatively small, ranging from the high hundreds to the low thousands. After last year’s amendment to the Criminal Code, the damage must exceed not five but ten thousand. Below that, it is only a misdemeanour and, to be frank, it cannot be expected that anyone will investigate it with much commitment. Still, it may be worthwhile to report the matter to the police: it would become a criminal offense if the perpetrator could be found and several partial acts within his systematic fraudulent activity attributed to him.
Source: Christian Wiediger (CC0)
Even if the perpetrator is caught and convicted, there is still no guarantee that you will get the money back. Fraudsters are usually not exactly wealthy people, and recovering the debt may not be easy. By following the safety rules and exercising a little caution, it is best not to get into this situation in the first place, and that is not so complicated.
Action for protection of personality
For the sake of completeness, we add that if the perpetrator has, for example, damaged your reputation, caused you non-pecuniary harm, misused your name for further fraud, and so on, you can also defend yourself at the civil level. One option is to file an action for protection of personality and demand an apology, compensation for non-pecuniary harm, or, if necessary, cessation of the activity that continues to harm you.
But again, let’s be realistic. Unless your rights have been significantly harmed, such as your professional reputation being destroyed, this procedure is generally not recommended. Even if you succeed and the defendant has to pay the costs of the proceedings, consider again how realistic it is to actually obtain these funds from an internet fraudster.
General principles of security
Above, we have tried to describe the signs by which you can quickly tell that someone is trying to deceive you. All these attacks rely, at least in part, on you simply believing the fraudster.
But there are also ways to defend yourself by technical means. These reduce the chance that an attacker will contact you at all, and even if you accidentally hand over your login details, they will be harder to misuse.
Passwords and authentication
One of the essential principles of internet security is not to use the same password on all services. Ideally, you have a different password for every registration, although in that case you probably can’t do without a password manager. But security also improves significantly if you have a separate password for at least the critical services. Above all, it is essential to have a different password for your email than for social networks. It goes without saying that any financial service should have its own separate, strong password.
Otherwise, one line of your digital fortification falls. Many important actions, such as changing your password or contact email, must be confirmed by email. When the password is the same as for the email, that is a matter of a few minutes for the attacker. You also need to use an email account that you actually use and have access to; otherwise you lose the ability to reset your password if an attacker changes it.
We strongly recommend enabling 2-step verification on all the services and networks you use. Thanks to it, the attacker will not be able to log in even if he obtains your password; he would also need access to the device (typically your phone) that receives the authentication SMS or has the authenticator application installed.
It can also be an interesting option to set up three to five trusted friends on Facebook who can generate a code for you, if necessary, to restore access to your account. Facebook describes this option in its help.
Don’t be an attractive victim.
In addition to good account security, it also helps to be a less attractive target for an attacker. For example, we recommend setting the visibility of your friend list to only you or your friends. An attacker will then not be able to easily guess which profile to copy. You can find this setting under Settings and privacy -> Settings -> Privacy.
The visibility of other personal data can be set directly on your profile. We recommend not listing your phone number here, for the reasons described in the section on fraudulent verification SMS.
Conclusion: a little attention is enough
If you’ve read this far, you already know what tricks attackers can try on you, what they can gain, how to detect them, and how to defend yourself against them. Of course, the article can’t cover all variants of fraud that you may encounter on social networks. But that is not even necessary.
If you follow the safety rules and pay a little attention to who you communicate with, every internet fraudster should break his teeth on you. Moreover, most of the described measures make sense beyond protection against these frauds: not publishing unnecessarily much personal data and having well-secured accounts is something you will definitely not regret.
If you have ever encountered similar behaviour, we will be glad if you share your story in the discussion.