What is angler phishing and how can you avoid it?

Angler phishing definition

Angler phishing is a type of phishing attack that targets social media users. A hacker creates a fake social media account and pretends to be a customer service employee working for a company. Next, they contact customers of that company who have made complaints on social media. Using their disguise, the attacker tries to convince victims to give them private data or install malware, which can monitor your activity or rope your device into a botnet.

All phishing attacks involve bad actors using false identities to extort money and data from their victims. Angler phishing attacks work in the same way but use fake social media accounts instead of emails, the most common phishing tactic.

How does angler phishing work?

An angler phishing attack takes place almost entirely on social media platforms like Facebook, Twitter, and Instagram. A hacker creates a fake social media account, pretending to be a customer service representative for a legitimate company, like a financial institution or an ecommerce platform.

Angler phishing attackers can then trawl through the social media pages associated with the company they are pretending to work for. Once they find someone who is voicing a complaint — in a tweet or a Facebook comment, for example — the person using the fake account contacts them, often with a direct message.

Social media users, eager to have their customer service issues directly dealt with, are likely to respond to these messages, thinking they are dealing with a real customer representative. The hacker is likely to use a social media account handle that looks similar to the company they are using for the attack.

After making contact, the hacker tries to convince the victim to expose sensitive personal details, like passwords, or click on a link that will cause them to download malware.

Who is targeted during an angler phishing attack?

Angler phishing attacks target disgruntled customers who have taken to social media to complain or express frustration with a company. Once the customer complains online, tagging or posting on an official page, the hacker can reach out to them through various social media channels.

People who have recently posted a complaint online are often hoping to be contacted by customer service agents, so they are primed to expect contact. When a reply or message comes in from someone with a convincing username, the victim might not notice that they are dealing with a fake account.

How effective is the attack?

Angler phishing attacks can be very effective. Customer complaints against large companies like financial institutions often go unanswered or may not generate a response for several hours. Immediately after complaining, the customer is particularly vulnerable to an angler phishing trap.

If the hacker is able to convince their victim to give up sensitive data, like account credentials and login details, they can do enormous damage with this information. The hacker could take control of the victim’s account, engage in identity theft, or use the victim’s social media profiles to launch phishing attacks against their contacts.

How to avoid angler phishing

To avoid angler phishing and protect yourself from social media scams, follow these steps.

Make sure it’s a company account

To make sure you don’t fall victim to an angler attack, you should double-check that you’re dealing with an authentic account. If the account isn’t verified or if it appears to have been created in the last few days, it is likely to be a fake.

Contact the company

If a company representative reaches out to you directly, contact the company they claim to work for to verify their identity. This may take a little time, but it is worth being on the safe side. If the person who has contacted you encourages you not to reach out to the company, that is also a major red flag.

Be careful with links

If someone on social media sends you a link to follow, be on your guard. This is true of all messages online, but it is especially important when dealing with someone you don’t know personally. Tell the person contacting you that, for security reasons, you do not wish to click the link. Most genuine company representatives will understand and encourage your caution — a hacker will not. Additionally, using an anti-phishing solution can offer another layer of protection by automatically analyzing and flagging suspicious links.

Report fake accounts

Make sure you report accounts that seem suspicious. Even if you can easily tell that a social media profile is fake, others may not be so quick to catch on, so for the sake of all potential victims, flag the account in question as a potential scam. All major social media platforms have tools in place to allow for fast, easy reporting.

What to do if you are a victim of phishing

Phishing attack detection tools can help flag potential threats, but what do you do if you fall victim to one? If you are a victim of any kind of phishing attack, including angler phishing, you should take every possible step to limit the resulting fallout.

If you gave away login details for a social media account — or any other account — reset it at once. You should also alert your contacts online and let them know that your profile might have been hacked. If the hacker uses your account to send phishing messages, your friends and family will be aware of the risks.

In cases where banking information has been exposed, you should immediately contact your bank and let it know so it can freeze or restrict your accounts and prevent hackers from withdrawing or moving funds.

Finally, if you think you have installed malware, download anti-malware software to scan your system for potentially harmful files and avoid processing any sensitive data on the infected device.