Anyone with a social media account has been warned that criminals are increasingly targeting ordinary people and taking over their profiles. According to Action Fraud, the national fraud and cybercrime reporting service, there were 18,011 reports of social media and email hacking between August 2022 and July 2023.
In addition to stealing critical personal data from victims, fraudsters are also using the accounts for fraud - for example, there have been a dozen reports in the last two months regarding hacked social media accounts being used to promote fake Taylor Swift tickets.
If the tickets appear to be sold by someone with a large number of friends on their profile and posts going back a long way, officials said, people are less likely to suspect it's a scam. Out of the 18,000 reports, 4,092 people reported they had been the victim of financial extortion or that fraud against the public had been committed using their accounts.
Two main categories of account takeover featured in 49% of the cases reported to Action Fraud:
On-platform takeovers
These take place entirely on the platform, via the messaging feature of the service. The suspect dupes the victim into sharing or changing critical account information. This is primarily accomplished by the suspect already having access to the account of one of the victim's friends. The fraudster then messages the victim, posing as that friend.
The victim will think they are speaking with their friend and won't realise their friend's account has been hacked. After that, the criminal will ask the new victim to do something, such as help with "securing" their account or cast a vote in a competition, or may even extend a financial offer.
Email hacking and phishing
These types of account hacks frequently occur when victims unwittingly divulge their login information to fake websites after clicking on a link in an email they thought was legitimate. Once a fraudster has gained access to a victim's email account, they can use it to reset the password of any social media accounts linked to that email address.
The scammer can easily access the email account as a result of weak account security, such as a lack of 2-step verification, weak and re-used passwords, a leak of the victim's email on the dark web, or the victim's custom web domain actually expiring and being purchased.
"Social media applications are, without a doubt, the most widely used in the world, which presents a huge opportunity for criminals," stated Pauline Smith, Head of Action Fraud. Scammers have a large pool of potential victims to choose from because millions of people use social media and other apps on a daily basis. They frequently attempt to access people's online profiles in order to defraud others.
"Keep your accounts secure and set up 2-step verification. Under no circumstances should you ever share your 2-step verification codes with anyone, and if you think something doesn't seem right, report the message and block the sender within the app itself. To make your accounts even more secure, and to provide an extra layer of protection, we would recommend that your email and social media passwords should be strong and different to all your other passwords," Smith added.