Phishing on Social Media - How These Attacks Are Targeting Marketing Teams


When it comes to internet security, ‘phishing’ is a term with which we’re all now familiar. Unfortunately, victims fall for this type of scam daily and this sad fact ensures that scammers and cyber-criminals will have a fruitful future for years to come. In particular, phishing has now become a major issue for marketing teams that rely on social media.

Just like TV ads back in the day, social media is today’s essential marketing tool for businesses of all sizes. With billions of monthly active users on Facebook, it’s not surprising that businesses are clamoring for attention and exposure on social media. As these platforms play an increasing role in more and more marketing strategies, social media has also become a growing target for cyber-criminals.

In this guide, we’re going to uncover the truth about phishing for marketing teams, explain the biggest problems, and provide the strategies you need to prevent a phishing attack on your team.

What is Phishing?

Going back to basics, phishing is where victims are sent a message through text or email, or phoned by the cyber-criminal. This person will pose as somebody else (sometimes an organization or business), and encourage their target to provide personally identifiable information. Elsewhere, these criminals may get straight to the point and attempt to obtain credit card details, banking information, and passwords to online accounts. 

We probably don’t need to say this, but the cyber-criminals have no interest in protecting your marketing team (or whatever else they promise). Also, we know that some readers may scoff at the fact that people still fall for scams of this nature. Unfortunately, cyber-criminals are improving the ways in which they scam marketing teams. Though you may feel immune to phishing attacks, cyber-criminals are adapting their approach to the point where all businesses should pay close attention to this area, especially those using social media regularly.

The Numbers 

According to one study, social media was home to 5% of all phishing attacks in 2018. In the same year, attacks on social media increased by around 200%. What can we take from this? Phishing attacks are a major problem…and they’re only getting bigger. 

Types of Phishing Attacks on Social Media 

As mentioned, cyber-criminals are getting smarter, and they have access to better technology. Therefore, no business can afford to take the threat of phishing attacks lightly. Here are some of the common phishing techniques: 

1. Impersonation 

During discussions about phishing, you’ll often see the phrase ‘social engineering’, which Oxford defines as the use of deception to manipulate individuals into divulging confidential or personal information that may then be used for fraudulent purposes. We can expand this definition to include tricking the person into taking some action, like allowing remote access to their network. For social engineering to succeed, impersonation is a valuable technique for the cyber-criminals to use.

To encourage action, these scammers will normally pose as a person or an organization with authority. This is not to be confused with parody social media accounts, which are intentionally designed to provide a lighter view on a more serious topic and are used for entertainment purposes. Scammers will pose as “corporate IT” in a large business, as your company’s security company, or even as your ad agency in order to scam individuals or marketing team members.

If we don’t recognize that the impersonator is a fraud, we might feel compelled to divulge certain pieces of information, and this is exactly what the criminal wants. 

2. C2 Infrastructures 

Recently, Twitter has seen a spate of short URLs for phishing attacks. This is where a scammer shortens the URL to hide malicious links and other content. Also known as command-and-control servers, C2 infrastructures are used to keep a channel of communication with potential victims. 

3. Data Dumps 

Sometimes, when scammers get access to a database, this breached data ends up in various locations on the internet. We aren’t saying you’re likely to see somebody selling the breached database on Facebook, but a bit more digging and you could find this level of information. For example, common spots for breached databases are forums, dumpsites, and the dark web. 

Bonus Tip: Check out if your email has been compromised here

4. Propagation (or Credential Theft) 

While it may seem like all phishing attacks we’ve mentioned take place on actual social media websites, this is not the case. In some cases, the cyber-criminals will ask victims to log into their account using a fake landing page. As soon as the user types in their credentials, the information is stolen. 

What happens next depends on the intentions of the scammer in question. For example, some will use this information to log into the social media account and launch multiple paid ads. Meanwhile, others will play the long game and try to get more information from the victim. As marketing teams, we need to be on the lookout for this sort of scam. Additionally, we need to make all members of the team aware of how these scams work. If 12 employees have access to your social media account, all it takes is one person to type the credentials into a fake landing page and the whole business is compromised.
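A link check a team could run before anyone types credentials into a page reached from a message, covering the shortened links from technique 2 and the fake landing pages from technique 4. This is an added example, not part of the original article or of any product it mentions; the allowlist, the shortener list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the real domains of the platforms your team logs in to.
OFFICIAL_DOMAINS = {"facebook.com", "twitter.com", "instagram.com", "linkedin.com"}
# Assumed sample of link shorteners; a short link hides where it really goes.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def classify_link(url):
    """Return (verdict, reason) for a link received in a message."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return "suspicious", "login pages are served over https only"
    if parts.username is not None:
        # https://facebook.com@other.example/ really goes to other.example
        return "suspicious", f"text before '@' is decoration; real host is {host}"
    if host in SHORTENERS:
        return "unknown", "shortened link; expand it before trusting it"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious", "look-alike letters may be imitating a brand"
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official", f"host belongs to {domain}"
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]
        if brand in host:
            return "suspicious", f"mentions '{brand}' but is not under {domain}"
    return "unknown", "host is not on the allowlist"


# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://www.facebook.com/login",
    "https://facebook.com@login-check.example/",
    "https://facebook.com.account-verify.example/login",
    "https://bit.ly/abc123",
    "https://xn--fcebook-constructed.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

Only an "official" verdict means the host matches the allowlist; "unknown" links, including shortened ones, still need a person to confirm the destination before logging in.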

5. Data Gathering 

Not all cyber-criminals create a general phishing attack for the masses; some like to gather lots of data and create an intricate scam tailored to specific businesses. Social media is home to an abundance of information about people; this includes names of family members and partners, pets, previous schools and colleges, and more. Cyber-criminals can skim through this information to learn all about you (and potentially reset your social media password).

On social media, we’re often asked to set up a security question. Without even realizing it, you may have posted the information required to answer this question on your page. Even as a business, those who post regularly give away vital details needed for scammers to act. Suddenly, the cyber-criminal develops a campaign tailored to tricking your marketing team. 

Phishing attacks on social media have the potential to derail not only your marketing team but your business as well. If you’re targeted with any of the techniques above, your business stands to take major hits both in terms of potential costs and the impact on your reputation. As soon as cyber-criminals access customer information, it’s hard to recover from this loss, and customers may struggle to trust you again. 

Best Practices for Preventing Social Media Phishing Attacks

So, how do you go about protecting your accounts and your marketing team from attacks such as this? We have a few tips! 

Proactive Monitoring 

First and foremost, you need a system in place that monitors your social media accounts and recognizes potential threats when present. Keep in contact with employees, look for mentions of your brand online (even on the dark web), and actively monitor the health of your social media accounts. 

Recently, several protection tools have been launched, and this includes our own product, OhNoo by Trapica. After linking OhNoo to your ad accounts, it protects against both external threats and internal mistakes. With this tool in place, you can breathe a sigh of relief and sleep well knowing that OhNoo is monitoring your accounts and will let you know when intervention is required. Since ads take up a significant portion of a marketing team’s social media usage, this is a great start. 


Secondly, we recommend arming all employees with the knowledge they need in order to avoid common phishing attacks. Ask a marketing team how they feel about avoiding phishing attacks, and the majority will project outward confidence. However, show them a comparison of genuine and phishing messages, and most can’t tell the difference. 

Have a simple meeting with the team and inform them of the biggest dangers. Make sure the marketing employees understand the common scams with regards to social media. 

As part of your education process, pass this information on to customers too. Ensure that they understand how your business will communicate with them; if you never ask for personally identifiable information via social media, make sure your customers know it so they are less likely to fall victim to phishing attacks. With education and a better understanding, everybody wins (except for the cyber-criminals!).

Act Quickly 

If your marketing team identifies a problem, one of the most important steps is to act quickly…as quickly as possible. The faster you act, the more likely you are to limit the damage inflicted on the business. Whether the scam is targeting you or your customers, have a plan in place to deal with it. It might be a simple Tweet informing customers of the scam. Alternatively, it might be a message to your external IT team for support.

Either way, the best defense against phishing attacks on social media is a combination of human expertise and automation. While technology helps in some regards, we mustn’t forget that phishing on social media relies on the actions of people. If these people don’t have the right training, it causes all sorts of problems for your customers, marketing teams, and business.