Social Phishing: Don’t Let Your Customers (or Yourself) Get Scammed
Would you know if someone was impersonating your business on social media?
When a fraudster uses your business to phish for your customers’ personal information, it could leave your reputation on the hook. While your business may have nothing to do with the social phishing attack, it can still leave customers with a negative impression when an attacker uses your name to pull off their scams.
That’s why you need to know how to protect yourself and your customers when things seem “fishy.”
What Exactly is “Social Phishing”?
Social phishing is a criminal activity in which an attacker manipulates their victim into revealing their personal information via social media.
As an example, let’s say your customer, Laura, replies to your latest Instagram post with a complaint about a recent purchase. Normally, you’d comment and direct Laura to your customer service form, but someone else gets to her first. Laura receives a direct message from an account with the username “customerservice_your company” and your logo as its profile picture. After a few questions from this fake customer service rep, Laura willingly hands over the password she uses to log in to your site and even her banking details.
This is how social phishers reel in their victims.
Instead of looking for a technical gap in an organization’s cyber security systems, social scammers exploit human trust to get the information they want. So, even if you’ve deployed the most secure systems to protect consumers’ private information, your customers can still fall victim to a social phishing attack by someone impersonating your business, because the attack never touches your systems at all.
How to Protect Yourself and Your Customers from a Social Phishing Attack
Before we discuss how to protect your customers from a social phishing attack, you need to understand how to protect yourself. By learning how to safeguard your own information, you’ll be better equipped to defend and educate your customers. As they say, you have to put on your own oxygen mask before you can help someone else with theirs.
1. Never Trust Someone Based on Their Username
A Twitter handle is not a valid form of identification! Just because a profile uses the company logo or includes the company’s name doesn’t mean it’s authentic.
If you want to get in touch with customer service, go to the business’s actual website to find its contact information, including any official social media handles it lists there. You may also be able to contact customer service via social media, but never trust a comment or direct message that points you to an account you have not verified. Always start the conversation yourself, from the company’s verified account.
2. Never Disclose Personal Information
Scammers will ask you questions in an attempt to get you to disclose personal information. They may ask for your password to access your account information, or they might say that they need your payment information to issue a refund. DO NOT GIVE THEM THIS INFORMATION.
A legitimate business will never ask you for your password, and it does not need your full card or bank details to issue a refund (it already has the payment method on file), so requests like these are huge red flags.
3. Never Click a Link from an Unfamiliar Account
Scammers sometimes post links to other websites where they can further manipulate you into disclosing private information. Often, these sites will be copied to look like a legitimate business or organization and ask you for your username and password, which the scammer can then use to access your real online account.
Even if you think you know the sender or the website, don’t enter sensitive information or download attachments on a site you reached from a social media link. Accounts can be hacked, and legitimate websites can be copied to gain your trust. Don’t rely on the HTTPS padlock to tell you a site is genuine: HTTPS only means your connection to that site is encrypted, and phishing sites get certificates just as easily as real ones. What matters is the domain name: check that the address is the company’s real domain (the one printed on its website or receipts), not a look-alike such as the brand name followed by extra words, or a link shortener you can’t inspect.
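The domain check described above, written out as an added example (this is illustrative code, not something from the original article). It assumes a single genuine domain, yourcompany.com, and a brand name, yourcompany; both are placeholders. The point it makes concrete is that the HTTPS flag is reported separately and never changes the verdict, while the look-alike tricks from the text (brand name in a subdomain of someone else’s domain, brand name in the user-info part before an @, hyphenated brand names) are all caught by comparing the registrable domain rather than searching for the brand name.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the brand's genuine registrable domains and the
# brand name itself. Any subdomain of an official domain is accepted; nothing
# else is, however convincing the hostname looks.
OFFICIAL_DOMAINS = {"yourcompany.com"}
BRAND = "yourcompany"


def check_link(url: str) -> tuple[str, bool]:
    """Classify a link from a social media message and report whether it uses HTTPS.

    verdict: 'official'  - host is one of our domains or a subdomain of one
             'lookalike' - not ours, but the brand name appears in the authority part
             'unrelated' - not ours and the brand name is absent (shorteners, random sites)
             'reject'    - not an http(s) URL at all
    The HTTPS flag is returned separately on purpose: it never influences the verdict.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    uses_tls = scheme == "https"
    host = parts.hostname or ""     # already lowercased; user:pass@ and :port removed
    if scheme not in ("http", "https") or not host:
        return "reject", uses_tls

    # Authority check: exact match or a real subdomain of an official domain.
    # "yourcompany.com.account-verify.net" fails this because it does not END
    # with ".yourcompany.com".
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official", uses_tls

    # Brand-mention check over the whole authority section, not just the hostname,
    # so "https://yourcompany.com@evil.example/" is caught: the brand sits in the
    # user-info part that browsers ignore when connecting. Separators are stripped
    # so "your-company-support.com" is also recognised as a look-alike.
    flattened = re.sub(r"[^a-z0-9]", "", parts.netloc.lower())
    if BRAND in flattened:
        return "lookalike", uses_tls
    return "unrelated", uses_tls


if __name__ == "__main__":
    # Constructed sample links of the kind a scammer might drop into a DM.
    for link in [
        "https://www.yourcompany.com/support",
        "http://yourcompany.com/help",
        "https://yourcompany.com.account-verify.net/login",
        "https://yourcompany.com@evil.example/login",
        "https://your-company-support.com/refund",
        "https://shorturl.example/abc",
        "javascript:alert(1)",
    ]:
        verdict, tls = check_link(link)
        print(f"{verdict:10} https={tls!s:5} {link}")
```

Two of the sample results are worth a second look: the padlocked `yourcompany.com.account-verify.net` link is a look-alike, while the plain-HTTP `yourcompany.com` link is the genuine domain. An `unrelated` verdict on a shortener is not a clean bill of health; it just means the link has to be expanded before you can judge it.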
Protect Your Customers
While you may not be legally obligated to notify customers of social phishing scams, it is still in your best interest to do so. If a customer has a negative interaction with your brand (even an imposter version of your brand), they’ll be less likely to interact with your business in the future, so it never hurts to take reasonable steps to protect your customers from scammers.
1. Monitor Your Brand
Google Alerts lets you see whenever someone mentions your company online, and it’s a great resource for discovering potential impersonators. You can sign up to receive free alerts whenever your business is mentioned and keep an eye out for any illegitimate uses of your business’s identity.
Besides using Google Alerts for fraud monitoring, it’s a good idea in general to have an alert set up for your business just to stay in the loop about what people are saying. Alerts only catch indexed web pages, though, so also search each social platform for your brand name regularly and compare what comes back against your own verified handles.
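The handle check behind “Never Trust Someone Based on Their Username” and the platform search suggested above can be turned into a small triage script. The following is an added example, not code from the original article: it assumes a brand name (yourcompany) and a set of verified official handles, both placeholders, and flags any handle that contains or nearly matches the brand name after the usual disguises are undone (underscores, dots, digit-for-letter swaps, a non-ASCII look-alike letter). Flagged handles still need a human look; the script only decides what is worth looking at.

```python
import re
import unicodedata

# Assumptions for this example: the brand name and the handles the brand
# actually controls on the platform being searched. Replace with your own.
BRAND = "yourcompany"
OFFICIAL_HANDLES = {"yourcompany", "yourcompany_help"}

# Digit/symbol substitutions commonly used to disguise a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}

# Words impersonators bolt onto a brand name to look like a support desk.
# Longer words first so "customerservice" is removed whole.
IMPERSONATION_WORDS = ("customerservice", "support", "service", "help", "care",
                       "refund", "official", "team")


def normalize(handle: str) -> str:
    """Reduce a handle to lowercase ASCII letters and digits.

    A non-ASCII look-alike letter (e.g. Cyrillic 'о' for Latin 'o') is dropped
    by the NFKD + ASCII step, so it surfaces as a one-character gap that the
    edit-distance check below still catches.
    """
    h = handle.lstrip("@").lower()
    h = unicodedata.normalize("NFKD", h).encode("ascii", "ignore").decode()
    for look_alike, letter in HOMOGLYPHS.items():
        h = h.replace(look_alike, letter)
    return re.sub(r"[^a-z0-9]", "", h)   # drop _ . - and anything else left


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; handles are short so the O(len(a)*len(b)) cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str) -> str:
    """Return 'official', 'suspect' or 'unrelated' for one handle."""
    if handle.lstrip("@").lower() in OFFICIAL_HANDLES:
        return "official"
    norm = normalize(handle)
    if BRAND in norm:                       # brand name present, account not ours
        return "suspect"
    stripped = norm
    for word in IMPERSONATION_WORDS:        # peel off "support", "refund", ...
        stripped = stripped.replace(word, "")
    if levenshtein(stripped, BRAND) <= 1:   # one typo or one dropped look-alike letter
        return "suspect"
    return "unrelated"


def triage(handles):
    """Return only the handles a person should review, with their verdicts."""
    return [(h, "suspect") for h in handles if classify(h) == "suspect"]


if __name__ == "__main__":
    # Constructed sample of handles a platform search for the brand might return.
    sample = [
        "@yourcompany",
        "@YourCompany_Help",
        "@customerservice_yourcompany",
        "@y0urcompany.support",
        "@Y0ur_C0mpany_Official",
        "@yourcompny_refund",
        "@y\u043eurcompany",            # Cyrillic 'о' in place of Latin 'o'
        "@cookingwithlaura",
    ]
    for handle, verdict in triage(sample):
        print(f"{verdict}: {handle}")
```

The verified-handle set is the anchor for the whole check: an account is “official” only by exact match against handles you control, never because it looks right. Everything else that carries the brand name lands in the review list, which will also catch genuine fan or reseller accounts; that is the intended trade-off, since a false positive costs a glance and a missed impersonator costs a customer.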
2. Report Scams
If you become aware of a social phishing scam, you should immediately report it. You can make your complaint to the FBI via their Internet Crime Complaint Center and the Federal Trade Commission. (If you’re located outside the U.S. you can make a complaint to your country’s own national fraud reporting organization.)
You should also report any suspicious activity to the social platform(s) the scammer is using to impersonate your brand. Every major platform has a process for reporting impersonation accounts, and that is how fraudulent accounts get taken down.
3. Spread Awareness
If you know that your customers are being targeted, post an awareness message to your social channels and warn customers to be vigilant. You can also provide some of the tips listed above to help customers learn to recognize scams on their own.
Whatever you do, don’t just ignore it. Customers deserve to know when your business name is being used to deceive people, and the quicker you take action, the less likely the scammers are to succeed.