Social media scams put users’ data at risk, Kaspersky warns

Kaspersky experts warn of a wave of scams using social engineering and phishing techniques on social media and messaging apps to steal credentials and distribute malware. Taking advantage of the popularity of platforms such as WhatsApp, Facebook, Instagram, X, Telegram, and TikTok, cyber attackers are creating fake pages that mimic legitimate websites and promise everything from account verification to benefits like free followers or premium features. This situation is especially worrying considering the high level of digital exposure users face today.

Over the past year, Kaspersky has identified multiple fraudulent campaigns employing sophisticated tactics and widely recognised platforms to execute their attacks. These scams operate in a variety of ways, but they all have a common goal: to obtain users' credentials or install malicious software on their devices. Below are examples of such schemes.

Fake verification pages: Users were led to websites mimicking WhatsApp and other app's official interfaces. These fraudulent pages ask users for their phone number and the verification code received via SMS. With this information, cyber attackers could access accounts, take full control, and perform actions such as impersonating them, sending messages in the victim's name, or accessing confidential information.

Promises of free followers: Fraudulent pages offered to boost users' digital popularity on platforms like Instagram by supposedly giving away followers. However, to access the benefit, victims had to voluntarily enter their login credentials. This strategy allows cyber attackers to take control of accounts, use them to spread further scams, or even sell them on dark markets.

Example of a fraudulent website on Instagram

Fake shops on TikTok: This social network has also been the target of targeted attacks, especially through its TikTok Shop feature, which allows sellers to directly associate products with posted videos, making them easier to purchase. Taking advantage of this functionality, cybercriminals created fake sites that simulate being part of TikTok Shop, with the aim of stealing sellers' credentials.

Example of a fake Tik Tok page

Fake security notifications: Cybercriminals sent alerts pretending to be from Facebook and similar platforms’ security teams, warning of suspicious activity on the user's account. Through these notifications, they directed victims to phishing forms requesting their credentials. Once entered, the attackers could take control of personal profiles or manage pages, using them for scams, spreading malicious content, or extortion.

These situations reflect the real risks associated with using social media: exposure of personal data, loss of control over accounts, dissemination of false information, and threats to privacy. Despite the increase in these types of threats, users are not defenseless. With increased awareness, good cybersecurity practices, and the use of reliable protection tools, it is possible to significantly reduce the risk of falling victim to these scams.

“Social media and communication apps have become a part of our lives, but with their popularity comes cyber risks. With the rise of artificial intelligence-based tools, scams can be more believable and personalised than ever. Therefore, it is key to maintain cybersecurity awareness, develop critical thinking, and use robust cybersecurity solutions,” comments Seifallah Jedidi, Head of Consumer Channel for META at Kaspersky.

In celebration of World Social Media Day, Kaspersky experts recommend the following practices to reduce risks:

• Don't click on suspicious links, especially those promising unbelievable offers, benefits, or services. These often lead to phishing sites where sensitive information such as passwords or banking details is stolen. Always verify the authenticity of the sender and the content before clicking.
• Be careful what you share: Information like pet names, important dates, or locations can be used by cyber attackers to guess passwords or design personalised attacks. Avoid sharing travel plans, financial details, or overly personal information.
• Use strong passwords and two-factor authentication: Choose unique and complex passwords for each social network, combining capital letters, numbers, and symbols. Also, activate an extra security option that many platforms offer: after entering your password, you will receive a code to your phone or email to confirm it's you. This way, even if someone figures out your password, they won't be able to log in.
• Review your privacy settings: Platforms regularly update their policies and security options. Check who can see your content, tag you, or access your profile. Also, review and revoke permissions for third-party apps you no longer use. To make this easier, you can use Kaspersky's free Privacy Checker tool to keep track of your online information.
• Use  cybersecurity solutions to protect your digital life: Solutions like Kaspersky Premium warn you about suspicious links and downloads, and also help you check if your phone number or e-mails appears in any data leakage, providing advice on what to do in case credentials were leaked.