While common fraud attempts such as vishing and phishing are well-documented, social media fraud is an often-overlooked topic. Seen as a soft target, the social media space is public and more relaxed, so most people tend to let their guard down. However, just like many soft targets, social media lacks supervision, and with few restrictions and relaxed rule enforcement, it leaves businesses open to attacks.
Credit unions that view social media as purely a marketing channel, and overlook the fact that it’s a potential liability, can be caught off guard. Credit unions should consider managing social media under the same auspices as any other advertising channel and with the same precautions documented in regulatory guidance.
There are systems designed to detect fraud during account and loan creation. There are systems to protect against fraud from malicious attacks against credit union systems, such as credential stuffing. But fraud attacks through social media are a bit more elusive. By design, social media creates a certain level of anonymity using “handles” that hide the user’s identity. Social media users don’t look for spoofed social media sites the way that they would scrutinize a website. This creates a new fraud threat for credit unions that requires fraud management and mitigation. Let’s dive deeper into how social media fraud can ruin a brand’s reputation (image) and create financial losses.
Credit unions are the ultimate trusted brand. Their loyalty to their members has fostered unquantifiable trust, and fraudsters love to impersonate a trusted and well-regarded brand on social media. Brandjacking/brand impersonation occurs when a company’s name, image, or other identifying brand elements are used to trick victims into divulging personal information for fraudulent purposes. Fraudsters routinely create lookalike social media accounts using credit union branding and wait until unassuming credit union members happen upon the fraudulent accounts.
Consider the scenario where an account is created on a credit union’s social media site as “yourcreditunionservice.” Unsuspecting members may send general questions to this account which will be effectively answered because the information is probably available on the credit union’s website or through an internet search. But the answers will come with additional questions that begin to ask for personal information. Members may be less likely to scrutinize these fraudulent accounts with their guards lowered from the fun and casual space that social media creates. It is only a matter of time before fraud occurs.
The ramifications of brand impersonation can range from simple embarrassment to creating a hostile image with the general public to ransom demands. It is worth noting that social media brand attacks can come from legitimate users who create fraudulent accounts to damage the company’s brand out of frustration. During the worst of the Target data breach, an account impersonating Target was set up and replied sarcastically to many of the message inquiries left on their social media pages. This went unnoticed for almost 16 hours. While this impersonator limited their fraud to sarcastic comments, it worsened an already severe situation by taking advantage of the volume of inquiries Target was fielding due to the data breach.
Social Media Phishing
Phishing on social media looks slightly different from the traditional phishing ploy that is known to credit unions. Fraudsters will create social media accounts to impersonate the credit union and run ads promoting loans and account opening offers. These ads will send users to spoofed websites and spoofed social media pages. In other cases, the links in these ads are designed to download malware on devices when clicked. A safe practice is to periodically enter the credit union’s name into the search section of each social media platform. If multiple accounts are returned, or if any accounts are returned on platforms where the credit union does not have an account, attempted fraud is probably occurring. Credit unions employ this methodology for web searches, but doing the same type of search on social media is often overlooked.
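The periodic search described above can be triaged against an inventory of the credit union's official accounts. The following is an added example, not part of the original article: the brand name, platforms, handles and search results are constructed, the results are assumed to have been collected by hand from each platform's search box, and the look-alike folding and fuzzy matching go beyond the manual check the article describes.

```python
import re
from difflib import SequenceMatcher

BRAND = "examplecu"  # constructed brand token (assumption)
# Assumption: inventory of the credit union's official handles, per platform.
OFFICIAL = {"facebook": {"examplecu"}, "x": {"examplecu"}}

# Character substitutions commonly used to imitate a brand handle.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def normalize(handle):
    """Lowercase, fold look-alike characters, drop separators and digits."""
    return re.sub(r"[^a-z]", "", handle.lower().translate(FOLD))

def review(platform, handle, brand=BRAND, official=OFFICIAL, threshold=0.8):
    """Return a reason string if the account needs review, else None."""
    if handle.lower() in official.get(platform, set()):
        return None  # one of our own accounts
    norm, brand_n = normalize(handle), normalize(brand)
    similar = (brand_n in norm
               or SequenceMatcher(None, norm, brand_n).ratio() >= threshold)
    if not similar:
        return None
    if platform not in official:
        return "brand-like account on a platform with no official presence"
    return "brand-like account that is not in the official inventory"

def triage(results):
    """results: iterable of (platform, handle) pairs from manual searches."""
    findings = []
    for platform, handle in results:
        reason = review(platform, handle)
        if reason:
            findings.append((platform, handle, reason))
    return findings

# Constructed search results for illustration only.
SAMPLE_RESULTS = [
    ("facebook", "ExampleCU"),          # official account
    ("facebook", "examplecuservice"),   # brand plus a service-style suffix
    ("x", "Examp1eCU_Help"),            # digit substituted for a letter
    ("x", "exampelcu"),                 # transposed letters
    ("instagram", "example.cu"),        # platform with no official account
    ("x", "local_bakery"),              # unrelated account
]

if __name__ == "__main__":
    for platform, handle, reason in triage(SAMPLE_RESULTS):
        print(f"{platform:10} {handle:20} {reason}")
```

Each finding is a candidate for human review and, where confirmed, a takedown report to the platform; the inventory of official handles has to be kept current for the comparison to mean anything.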
Brand Protection Services
Connect offers social media fraud mitigation services that become an extension of your credit union’s social media team. This digital brand protection not only detects brand impersonation but continuously scans all the social media platforms for bad actors using a credit union’s brand trademarks. Artificial intelligence gauges the threat during social media scans. It will offer the credit union the choice to be notified about the fraudulent brand impersonation or initiate an automatic takedown of the fraudulent accounts when detected.
Member Impersonation Fraud
Bad actors can also set up fraud by monitoring a member’s social media account. By reviewing the content of a member’s social media account, fraudsters are armed with member information and habits they could not easily obtain from other sources. Consider a scenario where a member posts pictures of their vacation. The fraudster then contacts the credit union to say that they had a great time at the vacation destination (which they know from the social media posts) but that, unfortunately, their trip was cut short, and they need to remove the restrictions they set up on their account while away. When initially setting the restrictions, the credit union may have entered notes about the member’s travel plans, such as location. A potential fraud scenario is created because the fraudster has utilized information from social media. Just think about the fraud scenarios that can be created from the information members post on their social media accounts.
Likewise, credit unions should monitor their social media sites to ensure that posts are legitimate. For example, imagine that a credit union posts that they will be supporting a community charity event. The fraudster then creates a fraudulent account and posts pictures from the credit union’s legitimate account, with a link to make donations. The members are then donating to the fraudster’s retirement plan.
The Federal Trade Commission stated that 2021 was a banner year for social media fraud. Over 95,000 people lost money to social media fraud, with $770 million in losses reported to the agency.
Credit unions need to be vigilant about social media fraud. Social media attacks are cheap for fraudsters because they don’t have to buy information from the dark web to commit fraud. Their money can come from scamming a member or threatening a credit union’s brand reputation. In either scenario, there can be significant monetary or brand reputation loss. A brand takes years to develop but can be tarnished in hours. Brands need to be protected vigilantly. Credit unions should consider making social media fraud prevention part of their security program.