A scam campaign targeting UK banks and customers has been identified by security researchers at Proofpoint.
The angler phishing campaign involves hackers creating fake Twitter accounts, posing as customer support staff, to trick customers into handing over their personal details.
The scam entails hackers monitoring bank customers’ interactions with their banks on Twitter.
They then hijack conversations users attempt to have with genuine support staff of banks, and redirect the customers to a fake support page.
As an example, when a customer tweeted to the genuine Barclay’s support account (@BarclaysUKHelp), hackers commandeered the request of support by replying with a fake customer support account (@BarclaysHelpUK).
Proofpoint researchers said: “Angler phishing is named after the anglerfish, which uses a glowing lure to bait and eat smaller fish. In this attack, the ‘lure’ is a fake customer support account that tricks your customers into giving up credentials and other sensitive information.”
Social media phishing scams are on the rise, and Proofpoint has said that it has seen a 150% in this type of attack in 2016.
These attacks, as well as targeting banks, target other industries that are especially reliant on utilising social media to engage with their customers.
Phishing campaigns are generally successful, as they mimic the real site’s look and tone (in writing). The data is then stolen when unknowing customers provide their usernames and password details.
‘This method of phishing is highly effective because your customers are already expecting a response from your brand. Unfortunately, angler phishing is part of a broader trend in social media fraud,’ said Proofpoint researchers.
‘We need to understand that these days sadly not everyone on the internet is who they say they are,’ comments Mark James, security specialist at ESET.
‘Users should take some time to research the official response channels, make sure you know who is going to respond and be very wary of any deviations in names or errors in grammar.’
‘It only takes a few minutes to be the victim of fraud or identify theft and cannot be undone. Of course you can cancel cards and change passwords but it’s the inconvenience that causes the most damage in these cases.’
‘Don’t be afraid to ask questions, get some info from them if you’re concerned and go check it out, come back after you have verified it’s true, 15 or 30 minutes won’t make a lot of difference and if they are genuine they will understand and often encourage it.”