According to the 2022 ITRC Consumer Impact Report released by the Identity Theft Resource Center (ITRC) last week, social media account takeover fraud is an emerging scam where cyber thieves and ID theft criminals are taking over Facebook and Instagram accounts to steal personally identifiable information (PII).
It’s not enough for criminals to commit account takeover (ATO) fraud, in which a fraudster successfully gains access to your bank account, credit card account, cell phone account, utility account, Social Security account, or reward/loyalty card account. This typically happens when bad actors exploit weak passwords or use phishing, hacking, and/or credential stuffing to take over an account.
Now, the ITRC has seen one type of attack grow by over 1,000 percent in the last 12 months – social media account takeover. The 2022 Consumer Impact Report includes the results of a snap survey of victims who reported a social media account takeover. According to the victims who responded to the micro-survey:
Eighty-five (85) percent had their Instagram accounts compromised; 25 percent had their Facebook account compromised.
Forty-eight (48) percent clicked on a link they believed was from a friend; 22 percent responded to a cryptocurrency scam.
Fifty-one (51) percent of victims lost personal funds or sales revenue when their account was compromised.
Seventy (70) percent have been permanently locked out of their social media account; 71 percent contacted friends listed in the social media account; 67 percent report the criminal continued to post as the account owner after the lockout.
Sixty-six (66) percent of victims report having a strong emotional reaction to losing control of their social media account, including feeling violated (92 percent), feeling worried or anxious (83 percent), angry (78 percent), vulnerable (77 percent) and suicidal (7 percent).
According to Eva Velasquez, the President/CEO of the ITRC, “when you get verified on social media, it proves your profile is trustworthy and credible. However, scammers are finding ways to strike.” Velasquez said that “criminals offer to assist people in the verification process. They then take over the account, block the true owner and post as that person or business.”
To get verified on social media safely, Velasquez recommends that “consumers follow the instructions for the verification process directly from the platforms like Facebook and Twitter. Do not accept help from someone who says they can ‘assist’ you through the process.”
According to James Lee, the Chief Operating Officer of the ITRC, the “hijacking of social media accounts increased significantly when remote working started during the Covid-19 Pandemic.” Lee said that “consumers need to be aware of suspicious messages from friends and to not click on links found in emails or texts unless you are 100% sure they are safe.”
However, there is another social media account scam tactic: the article “How Cybercriminals Use Public Online and Offline Data to Target Employees” highlights how a LinkedIn post on a new job opportunity turned into a phishing scam.
All of us – consumers and business executives – need to be aware of how social media account users are being set up with targeted attacks. If attackers know enough about you or your social media behavior, they can target your social media account.
So, what can you do? You can be proactive and prevent social media account takeover with my eight prevention tips:
Never use the same passwords for multiple accounts, especially your social media accounts.
Use a password manager or a strong 20-character passphrase (versus a password).
Do not click on links in suspicious (or unexpected) emails or texts.
Use two-factor authentication and a VPN, especially when connected to public Wi-Fi.
Limit and/or eliminate sharing your personal information online.
Increase your privacy awareness by reviewing and adjusting your privacy settings.
Be aware that some social media accounts reset your privacy settings during major upgrades.
Be aware of phishing scams that imitate brands such as LinkedIn, Microsoft, DHL, Amazon, Apple, Google, and Netflix.
For more information, consumers and victims of identity crimes and compromises can receive free support and guidance from a knowledgeable advisor at the ITRC by calling 888.400.5530 or visiting www.idtheftcenter.org to live-chat.