Understanding social media phishing.
Phishing via social media is a bit different from other types of phishing.
Email and text message phishing deliver a message to a recipient who then has to decide whether or not to act on it; social media phishing instead places the lure among content the user already wants to see, so the invitation to click a link or open a video arrives tailored to their interests.
Of course, social media sites rely on algorithms to put the things that interest you most in front of you, usually in the form of ads. But threat actors also take advantage of algorithms and user behaviors in the hopes that someone who loves cat videos, for example, will click on their malicious link.
So—who are threat actors and what do they want?
The threat actor's objective is to reel you into their trap so that they can gain access to your most valuable assets. Social media account takeover is popular and is often tied to another strategy, impersonation; either scenario can result in phishing.
If an attacker takes over your account, for instance, they can use it to send phishing messages or friend requests. Or if someone you know is being impersonated with a fraudulent account, you could receive dangerous private messages requesting you watch a video or open a link.
Quizzes have proven to be a successful way to harvest credentials.
Clicking a link does not hand over an account by itself, but it can lead to a third-party site that imitates the platform's login page or asks the user to authorize an app with access to the account; either way the username and password, or the account itself, can be compromised. Innocent scrolling through Twitter or Instagram may lead one to a malicious link in a post.
Hackers depend on users feeling safe on social media—they are among “friends” on trusted websites, after all—so they let down their guard and loosen up on normal security behaviors.