Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Social Media Doppelgangers Strike Again

    social media doppelgangerMost people would be surprised by how easy it is to scam people online using duplicate versions of public accounts, according to Jake Moore, a security specialist at ESET. Moore describes an experiment he ran on Instagram by creating a duplicate of his real Instagram account to see how many of his friends would trust the new account. The fake account had a very similar handle, and Moore screenshotted some pictures from his real Instagram account and uploaded them to the duplicate account. He also used the same bio, but added “NEW ACCOUNT AFTER LOSING ACCESS TO ORIGINAL.” He then sent follow requests to people who followed his real account.

    “Within moments I had three private account owners accept my request and two followed me back,” Moore said. “This was a good start. I was expecting someone to contact me via a different communication method and question this request, particularly due to my line of work and the embarrassment that I could have been subjected to, understanding that even I am susceptible to an account compromise! But no one did. In fact, the numbers increased. Thirteen accounts followed me back on the same day and by the evening I decided to message these people and see what sort of responses I would receive.”

    Eight of the thirteen contacts messaged him back, and Moore casually mentioned that in addition to having his Instagram account hacked, the hackers also cleaned out his bank account. At least one of his contacts offered to help him out, and Moore sent her a PayPal address (he revealed the ruse before she sent any money).

    “What I found most disconcerting was how quickly it all escalated and I was able to trick the target into thinking it was genuine with no extra checks required,” he said. “I was even able to make her be the one to offer to help me which was a nice little twist. This is usually a clever technique used by professional social engineers reversing the psychology to avoid the request of the money.”

    While it’s good to help out friends, the people in this case were prepared to send money based solely on the word of a new Instagram account. Many people have their Instagram accounts set to “public,” and scammers can easily set up duplicates and send messages to the person’s followers.

    “It is vital to try to reduce the amount of personal information and photos of ourselves online where possible,” Moore explains. “Although this is a huge task, it is important to teach the next generation of social media users to try to limit the amount of information that is posted online before it is out in the open forever. This scam won’t work if accounts are private. Saying that, however, many people whose accounts are private still allow people they do not necessarily know to follow them due to minimal vetting. It is extremely important to think about what you post as well as accepting only followers you don’t mind knowing more about you. Being completely public has the potential of creating dangers such as this.”

    Even if the real account of someone you know messages you and requests money, you should still be very suspicious and use a separate mode of communication such as a phone call to verify that they haven’t been hacked.

    Moore’s experiment shows how easily scammers can exploit people’s charitable impulses. New-school security awareness training can give your employees a healthy sense of skepticism by enabling them to see things from a scammer’s point of view.

    ESET has the story.

     

    Return To KnowBe4 Security Blog

    Don’t get hacked by social media phishing attacks!

    Many of your users are active on Facebook, LinkedIn, and Twitter. Cybercriminals use these platforms to scrape profile information of your users and organization to create targeted spear phishing campaigns in an attempt to hijack accounts, damage your organization's reputation, or gain access to your network.

    KnowBe4’s Social Media Phishing Test is a complimentary IT security tool that helps you identify which users in your organization are vulnerable to these types of phishing attacks that could put your users and organization at risk.

    SPT-monitorHere's how the Social Media Phishing Test works:

    • Immediately start your test with your choice of three social media phishing templates
    • Choose the corresponding landing page your users see after they click
    • Show users which red flags they missed or send them to a fake login page
    • Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/social-media-phishing-test

    Topics: Security Awareness Training, KnowBe4

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews