Social media impersonation is a form of digital identity theft. Using this tactic, a cyber-criminal or scammer creates a profile on a social platform using personally identifiable information (name, picture, location, background details) stolen from a certain individual.
The first step is to manipulate the victim’s contacts into thinking the fake profile belongs to a real person they can trust. The end goal is to use that impression of authenticity to exploit those who interact with the fake account (by asking for information or money, or by discrediting the owner of the account).
Impersonating real people on social media falls into the larger category of social engineering, a series of tactics that rely on psychological manipulation. The intention is to trick victims into revealing confidential information or acting against their better judgement.
Social Engineering Through Impersonation on Social Networking Sites
Malicious users gather confidential information from social networking sites and create accounts in others’ names. Attackers use others’ profiles to create large networks of friends and extract information using social engineering techniques. Attackers try to join the target organization’s employee groups, where members share personal and company information. Attackers can also use the collected information to carry out other forms of social engineering attacks.
Social Engineering on Facebook
- Attackers create a fake user group on Facebook identified as “Employees of” the target company.
- Using a false identity, the attacker then proceeds to “friend,” or invite, employees to the fake group “Employees of the company.”
- Users join the group and provide their credentials such as date of birth, educational and employment backgrounds, spouses’ names, etc.
- Using the details of any one of the employees, an attacker can compromise a secured facility to gain access to the building.
Social Engineering on LinkedIn and Twitter
- Attackers scan details in profile pages. They use these details for spear phishing, impersonation, and identity theft.
Risks of Social Networking to Corporate Networks
- Data Theft: A social networking site is an information repository accessed by many users, which increases the risk of information exploitation.
- Involuntary Data Leakage: In the absence of a strong policy, employees may unknowingly post sensitive data about their company on social networking sites.
- Targeted Attacks: Attackers use the information available on social networking sites to perform a targeted attack.
- Network Vulnerability: All social networking sites are subject to flaws and bugs that in turn could cause vulnerabilities in the organization’s network.