It had almost all the elements of a smart promotion. With the release of its iPhone 8, Apple offered Facebook followers the chance to win the pricey device if they liked its “iPhone 8 Official” Facebook page. Thing was, it wasn’t Apple.
It was one of 532 fraudulent social accounts designed to trick Apple fans into checking into a fake website, where they’d provide their passwords and/or download malware. Each fall, with the release of a new iPhone, these scams resurface.
Nearly one in three retailers reported a loss of revenue due to cyberattacks in 2016, according to Cisco, and 54% had to manage public scrutiny due to a security breach. What’s the cost? Across industries, in more than 50% of the cases in 2017, these cyberattacks resulted in financial damages of at least $500,000, according to the Cisco 2018 Annual Cybersecurity Report.
In particular, cyber intruders are taking advantage of social media, often by creating imposter accounts that impersonate brand pages, said Sam Small, chief security officer at the cyber-security firm ZeroFox, which identified the counterfeit Apple accounts.
“When theoretical risks become tangible threats, consumer confidence can plummet — and is difficult to re-instill,” Small said in an email. “This can affect not only breached parties, but the broader market segment as well.”
Small explained how cyber criminals use social media networks and brand awareness to creep into posts and “poison the waterhole,” and how retailers and shoppers can protect themselves.
The Guise and Guile of Social Impostors
Money isn’t the only motivation for digital villains. Attackers also could be angling to deliver malware or ransomware, commit identity theft, perpetuate fraud or scams, hijack computers — or simply to damage a brand.
The primary technique for doing this, Small said, is impersonation — either directly or via brand representatives like customer service agents. Attackers use fraudulent accounts to insert themselves into ongoing conversation threads — a tactic called threadjacking — to engage directly with a brand’s followers or to hijack hashtags and search terms, creating a poisoned-waterhole effect.
And they take care to make those fraudulent accounts look authentic. For example, cyber criminals will duplicate signature markings or cues that identify individual networks, such as Twitter’s blue “verified” checkmark.
“In combining these phony cues with convincing display names, similar account handles and copy-and-pasted brand images and bios, impersonation accounts typically appear incredibly convincing to everyday, unsuspecting users,” Small said.
When cyber thieves strike, the damage can be extensive — and embarrassing — for both retailers and shoppers. Here’s what Small suggests each can do to avoid susceptibility.
3 Retailer Tips
- Reinforce the features of your identity. Cyber criminals like to duplicate the markings of different social networks, but those copies will have “tells.” It’s up to brands to call them out by clearly identifying and promoting the characteristics that define their official social platforms, such as logos or language use. They can do this on their websites or via cross-platform promotions.
- Protect conversations. There’s a category of software products and services that can help social media management teams protect against threadjacking. These products monitor and collect analytics on brand mentions, discussions and people, such as brand executives or ambassadors. Other products help organizations automatically identify and fix specific security and brand risks, managing much of what would otherwise be a manual process that requires security domain expertise.
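The impersonation cues Small describes (look-alike handles, copied display names and bios, a fake checkmark pasted into the name) can be scored automatically as a first-pass triage of accounts replying in a brand's threads. The following is an added example, not code from ZeroFox or from the article; the brand account, candidate accounts and the similarity threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data (hypothetical handles, not real accounts): the brand's
# official profile and a batch of accounts seen replying in its threads.
OFFICIAL = {"handle": "examplestore", "display_name": "Example Store", "verified": True}

CANDIDATES = [
    {"handle": "examplestore", "display_name": "Example Store", "verified": True, "bio": "Official account"},
    {"handle": "examp1estore", "display_name": "Example Store \u2714", "verified": False, "bio": "Official account"},
    {"handle": "examplestore_support", "display_name": "Example Store Support", "verified": False, "bio": "We help! DM us"},
    {"handle": "jane_doe", "display_name": "Jane", "verified": False, "bio": "coffee and cats"},
]

# Digit/letter look-alikes and separators attackers use to make a handle "almost" the brand's.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "_": "", ".": "", "-": ""})
# Checkmark glyphs pasted into a display name to mimic platform verification.
FAKE_BADGES = "\u2714\u2713\u2611"
SIMILARITY_THRESHOLD = 0.85  # assumed cutoff; tune against your own false-positive rate

def normalize(handle):
    # Fold accented/Unicode characters to ASCII, lowercase, then map look-alikes.
    folded = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode()
    return folded.lower().translate(CONFUSABLES)

def score(candidate, official=OFFICIAL):
    """Return (number_of_cues, reasons) for one candidate account."""
    reasons = []
    if candidate["handle"] == official["handle"]:
        return 0, reasons  # the brand's own account
    sim = SequenceMatcher(None, normalize(candidate["handle"]), normalize(official["handle"])).ratio()
    if sim >= SIMILARITY_THRESHOLD:
        reasons.append(f"lookalike handle (similarity {sim:.2f})")
    if official["display_name"].lower() in candidate["display_name"].lower():
        reasons.append("reuses official display name")
    if not candidate["verified"] and any(ch in candidate["display_name"] for ch in FAKE_BADGES):
        reasons.append("checkmark glyph in display name without platform verification")
    if not candidate["verified"] and "official" in candidate["bio"].lower():
        reasons.append("claims to be official without platform verification")
    return len(reasons), reasons

def triage(candidates):
    # Only accounts with at least one cue are returned, for a human reviewer to confirm.
    flagged = [(c["handle"], *score(c)) for c in candidates]
    return [entry for entry in flagged if entry[1] > 0]

if __name__ == "__main__":
    for handle, n, reasons in triage(CANDIDATES):
        print(f"{handle}: {n} cue(s) -> {'; '.join(reasons)}")
```

A flagged account is a review queue item, not a verdict; the cues are deliberately simple so a social media team can see why each account was surfaced.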
4 Consumer Tips
- Recognize the look. We may know the Facebook thumbs-up icon and Twitter bird, but might not be that keenly aware of each platform’s “voice” and other icons. Shoppers should become familiar with and pay attention to the various elements social media platforms use to convey identity, authenticity and verification, such as the circular profile photos on Instagram.
- Watch those links. Caution should be applied when following shortened links from unfamiliar sources or even from familiar brands whose accounts have not been vetted. Similarly, consumers should be careful about engaging with content from familiar brands they may come across in their day-to-day activity but do not follow — content discovered through search terms or advertisements, for example.
- Second-guess your “friends.” If a friend or family member sends anything that feels uncharacteristic, such as a discount link for a retailer she or he is unlikely to promote, ignore it. Then check with the friend directly, but not through the social network. Use text, email or the phone.
- Detect loose threads. Consumers can detect threadjacking, too, by carefully reviewing new comments in an ongoing conversation and monitoring for repetition or unusual language. They can ensure the information and links are legitimate by Googling them to see if anything is flagged as a scam.
Lastly, brands and their followers shouldn’t underestimate the peril caused by attack fatigue. When undetected, impersonated accounts force everyone to discern the real from the fake, which becomes burdensome. It also reinforces both general and brand-specific skepticism, Small said.
“In aggregate, this undermines trust in the authenticity of content and, more specifically, in the targeted brands’ marks and messaging,” he said in his email. “With increased uncertainty and distrust come reduced user engagement and an increase in abandonment.”