Creating a fake account on social media is easy. For the most part, social networks have few built-in mechanisms for readily authenticating accounts as they are created, and users can claim to be anyone or anything they want without consequences. And cybercriminals’ favorite thing to pretend to be online? Your brand.
Recent research on this topic found that the number of malicious impersonations, as opposed to fan accounts, has increased a whopping 11 times since 2014. Considering social media’s scale and brands’ increasing investment in growth and advertising on these platforms, the landscape is ripe for cybercriminals to exploit these organizations. They attack customers, damage reputation and rob brand value before the cyber “police” even know what’s going on.
With low barriers to entry, the networks’ attempt to police this situation has been to add the coveted blue authenticated checkmark to certain big accounts. However, this doesn’t stop attackers from Photoshopping the checkmark into their background image or creating a support representative or franchise page. As such, the social networks also rely heavily on the brands themselves to identify and report any violations of their terms of service.
If I were an attacker, what would I do?
It’s a question that needs to be asked more and more regularly—and not just for brands, but for any individual or company with a presence on social media. Here’s the challenge for marketers: Think like someone exploiting your brand for money or publicity.
The answers that marketers come up with are often exactly in line with market trends. They believe an attacker would create a fake customer service representative and hijack ongoing conversations, develop a fake coupon to phish credit card information or build a brand impersonation to shame the company and hijack followers.
Research supports marketers’ suspicions, showing that 48 percent of brand impersonators use fake coupons as a tactic and 38 percent direct brand followers to phishing pages. Kaspersky reports that 20 percent of all phishing attacks are launched on social media, and according to Barracuda Labs, 54 percent of users have encountered phishing attempts.
How do you stop what’s already going wrong?
The good news is that brand protection is in marketers’ hands. When the onus for finding threats is on the brand rather than the network, so too is the opportunity for success. And since, unlike the networks, brands don’t have to boil the ocean to solve the problem, they will be more successful at protecting themselves than leaving it to the giants in Silicon Valley.
Marketing teams should start by understanding the risk landscape, either by working with a vendor to compile a report or documenting their social presence and any known risks. After building a task force base, expand to deal with whatever challenges pose the biggest threats. With the right people in the room, this team can start building out policies around social media usage, threats, account security, workflows and more. Review these regularly. Adopt social media protection technology to help automatically identify and remediate a number of these risks. For an in-depth look at this process, read Hootsuite’s guide to brand protection.
Two additional words of warning: trust not the egg account and know that it could be worse.
Blank impersonation accounts, also called egg accounts, may look innocuous enough. However, the controllers of those accounts are aware that leaving evidence of their malicious activities in plain sight is grounds to get banned. Instead, between campaigns, the attacker wipes the account. Where Peter Clemenza’s philosophy of crime scenes in The Godfather was “leave the gun; take the cannoli,” scammers can remove traces of both firearms and Italian pastries with just the click of a button.
For a scammer, the only thing more powerful than controlling a convincing fake account is to control the brand account itself. Account takeovers are many social media marketers’ worst nightmare: their most powerful marketing tool weaponized against them, resulting in embarrassing posts and PR crises. However, the more dangerous attack is one where the account is not treated like a wall to vandalize but as if it were a fake account, subtly direct messaging customers with malicious links and sharing fraudulent promotions. This infiltration can last months, and the cost to brands in terms of lost followers, support costs and reputational damage is difficult to fathom.
While the networks are hard at work resolving these issues, expect them to be prioritized behind fake news, privacy regulations, election meddling, propaganda and more. However, with all the brand value they have helped create, we should give them both the benefit of the doubt and time. Until then, the good news is that you are the master of your own ship when it comes to finding and reporting fake accounts and protecting your hard-earned online brand. Time to get started.