Angler phishing 

I am sure you use social media every day. Have you ever complained in a post? Has the cable company not followed through on your complaint about your cable box not working? I have personally experienced the latter. Here, in part 5 of “An Understandable Guide to the World of Phishing,” I want to explain what “Angler phishing” is, how it works, and how not to get “caught.”

Angler phishing is named after the anglerfish. Here is a picture of the scary-looking anglerfish. Anglers were named for their approach to catching their meals: a modified dorsal fin that looks like a “fishing rod” with “glowing bait” is used to attract their food close enough to simply swallow dinner. That is real-life fishing using social engineering at its best! The anglerfish’s dinner was just looking for relief from its hunger!

Much like the anglerfish lures its hungry prey with its “glowing bait,” threat actors use “angler phishing” under the facade of providing you relief in a frustrating situation (social engineering). Threat actors take advantage of the trust you have in companies to steal your personal or financial information and/or to take control of your devices by convincing you to download malware.

What is “Angler phishing?” 

An angler phishing attack takes place almost entirely on social media platforms. The threat actors use notifications, direct messages, or fake social media posts to lure you into acting. These can be used to steal login information, download malware, or even pay for fake services/applications. Targeted attacks regularly use information you willingly post on social media such as names, birthdays, vacations, or dissatisfaction with a company or recent purchases.  

The latest and fastest growing attack uses social media “spoof” sites to draw you into providing sensitive information. Similarly, threat actors can engage in brand spoofing (impersonating trusted brands). Frequently, “brand spoofing” phishing attacks use all forms of communication: email (phishing), voice (vishing), text (smishing), and social media messaging (angler phishing).

Angler phishing is a technique where attackers impersonate customer service representatives on social media. Commonly, threat actors use impersonated accounts, such as bank customer representative accounts, on Facebook, Twitter, SMS, WhatsApp, etc.

Now that we know what angler phishing is, let us investigate how it works.

How does it work? 

So, back to posting on social media: have you ever complained about that time at the bank when you were overcharged for service fees? Attackers search through the social media pages associated with the company they are going to pretend to work for. Once you voice your complaint online, tag a post, or post on any official page, a threat actor may reach out to you through direct messages from the “company” you lodged your complaint with.

“I cannot believe ‘Your Bank’ overcharged me when the money was clearly there!!! I called them but everyone seems ‘BUSY’ so waiting for a call back from them!” in a tweet or a Facebook comment. Sound familiar?

Using the façade of trying to get you a refund or a reward, threat actors pretending to represent “Your local bank” drop fake WhatsApp customer support numbers or send you a direct message, apologizing for the “overcharge and their inability to address it immediately.” Once they have you engaged, they trick you into sharing sensitive information with the promise of getting you a refund.

They could also try to get you to click on a link that will cause you to download malware, which can monitor your activity or rope your device into a botnet (a group of internet-connected devices used for attacks).

Eager to have your issues dealt with directly, you are more likely to respond to the messages. These fake accounts usually look so close to actual bank profiles that it can be hard to distinguish them. Because you think you are dealing with a real customer representative, and because of your frustration with the issue, it can be easy to fall victim without realizing it!

Now you know what angler phishing is and how it works. Let us look at how not to get “caught.”

How To Not Get “caught!”  

Here are safety precautions to protect yourself against being “caught” in angler phishing: 

Before replying to anyone who contacts you, confirm that the account representative is legitimate. Always verify the sender’s identity and email address. When in doubt, visit the company’s official website and check their “Contact Us” page to see if the account is listed as a point of contact.

Check the profile page for spelling mistakes and number of followers. A customer support account of a reputable institution should have many followers. Check the profile history to confirm whether the account has successfully assisted a customer before. 

Never share sensitive information or One Time Passwords (OTP). No reputable customer representative would ask for a code sent to your phone or email in order to access the site. They would send you one to verify it is you, but never to log in!

Be cautious with unsolicited emails, even if they seem to be from a reputable company. Avoid clicking on links or downloading attachments from suspicious emails. Always, when in doubt, contact the company through official channels to confirm the message’s legitimacy. 

Address account issues only through the company’s official social media account, which you can find on their website. Look for an official blue check-mark (the verification symbol used on Twitter and Instagram, among others); the account should have one.
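The precautions above (compare the handle with the company’s “Contact Us” listing, check verification, follower count and profile history, and watch for spelling tricks) can be turned into a small triage script. This is an added example, not code from the original article; the official handle list, the thresholds, and the profile records it scores are all constructed for illustration.

```python
"""Heuristic triage of a social-media "customer support" account that messages you.

Added example (not part of the original article). It flags lookalike handles
(digit/letter swaps, extra underscores or dots), handles that are not on the
company's published contact list, missing verification, a low follower count
and a very young account. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed: the support handles a company publishes on its Contact Us page.
OFFICIAL_SUPPORT_HANDLES = {"yourbank", "yourbank_help"}

# Characters commonly swapped in to make a lookalike handle read like the real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "|": "l"})


@dataclass
class Profile:
    handle: str            # as shown on the platform, e.g. "@YourBank_Help"
    verified: bool         # platform verification badge present
    followers: int
    account_age_days: int


def normalize(handle: str) -> str:
    """Lowercase, drop the '@', undo confusable swaps and strip separators."""
    h = handle.strip().lower().lstrip("@").translate(CONFUSABLES)
    return h.replace("_", "").replace(".", "").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess(profile: Profile, official=OFFICIAL_SUPPORT_HANDLES,
           min_followers: int = 1000, min_age_days: int = 180) -> list[str]:
    """Return a list of warnings; an empty list means nothing looked off."""
    warnings = []
    raw = profile.handle.strip().lower().lstrip("@")
    norm = normalize(profile.handle)
    officials_norm = {normalize(o): o for o in official}

    if raw in official:
        pass  # exact match with the published handle
    elif norm in officials_norm:
        warnings.append(f"handle '{profile.handle}' mimics official "
                        f"'{officials_norm[norm]}' via confusable characters")
    else:
        closest = min(official, key=lambda o: levenshtein(norm, normalize(o)))
        dist = levenshtein(norm, normalize(closest))
        if dist <= 2:
            warnings.append(f"handle '{profile.handle}' is within {dist} edit(s) "
                            f"of official '{closest}'")
        else:
            warnings.append("handle is not listed on the company's Contact Us page")

    if not profile.verified:
        warnings.append("account has no verification badge")
    if profile.followers < min_followers:
        warnings.append(f"only {profile.followers} followers (expected >= {min_followers})")
    if profile.account_age_days < min_age_days:
        warnings.append(f"account is only {profile.account_age_days} days old")
    return warnings


def is_suspicious(profile: Profile) -> bool:
    """Convenience wrapper: any warning means 'do not reply, verify first'."""
    return bool(assess(profile))


if __name__ == "__main__":
    # Constructed sample accounts that might DM a complaining customer.
    samples = [
        Profile("@YourBank_Help", verified=True, followers=52000, account_age_days=2000),
        Profile("@Y0urBank_He1p", verified=False, followers=43, account_age_days=9),
        Profile("@YourBankk", verified=True, followers=5000, account_age_days=900),
        Profile("@YourBank_Support", verified=False, followers=120, account_age_days=30),
    ]
    for p in samples:
        print(p.handle, "->", "SUSPICIOUS" if is_suspicious(p) else "matches listing")
        for w in assess(p):
            print("   -", w)
```

The handle check is the part worth keeping: a badge and a big follower count can be bought or faked, but a handle that differs from the published one only by a digit swapped for a letter is the clearest sign that the sender is not who they claim to be. Treat any warning as a reason to contact the company through its official channels instead of replying in the thread.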

Don’t Get Caught!

Tell the person contacting you that, for security reasons, you do not wish to click the link. Most genuine company representatives will understand and encourage your caution! A threat actor will not. If you gave away login details, for a social media account or any other account, change the password at once! 

You should also alert your contacts online, such as your friends and family, and let them know that your profile might have been compromised. If the threat actor uses your account to send phishing messages, your friends and family will be aware of the risks. 

In cases where your banking information has been exposed, you should immediately contact your bank and let it know, so it can freeze or restrict your accounts and prevent threat actors from withdrawing or moving funds. Remember, the safest way to resolve financial issues is by going to your bank’s physical branch or, if urgent, by contacting customer support only via verified channels (the mobile banking application, the official email address, or the official website).

Finally, if you think you have installed malware, download anti-malware software to scan your system for potentially harmful files, and avoid processing any sensitive data on the infected device until it has been cleaned.

In Conclusion 

Angler phishing attacks take place almost entirely on social media platforms. Threat actors use notifications, direct messages, or fake social media posts to lure you into acting. These can be used to steal login information, download malware, or even pay for fake services/applications. 

Once you voice your complaint online, tag a post, or post on any official page, a threat actor may reach out to you through direct messages from the “company” you lodged your complaint with.

Eager to have your issues dealt with directly, you are more likely to respond to the messages. The fake accounts usually look so close to actual bank profiles that it can be hard to distinguish them. Because you think you are dealing with a real customer representative, and because of your frustration with the issue, it can be easy to fall victim without realizing it!

There are many precautions you can take to avoid being “caught” in this form of phishing attack! 

Have you become a victim of “Angler Phishing?” We can help! Contact us!