This summer, online payment service giant Paypal learned that bad guys had set up a fake Paypal Support page on Twitter, and then monitored the real Paypal Support page for remarks from customers. The bad guys responded to those inquiries and pointed users to the fake site where they would ask for, and sometimes receive, personal and account information – an attack called angler phishing.
Paypal’s Information Security Director Trent Adams likens the ongoing battle to protect its brand to a game of whack-a-mole, and with new social media threats popping up daily, it’s becoming more like “whack-an-ant-hill” because while one account may be shut down, others are probably still at work.
“We would like to get into a position of prevention – but prevention is really hard,” Adams says. “Early detection is where we are right now.”
As social media platforms become the predominant form of customer communication, so too do the threats to companies and brands. Nearly 600 new fraudulent brand accounts were created each month between April and June 2016 on social media sites Facebook, Twitter, YouTube and Instagram, according to a study by Proofpoint. Of nearly 5,000 social media accounts connected with 10 top global brand names, nearly one in five was fraudulent.
Even though the incidence of phishing on those fake accounts is relatively small (about 4 percent), they’re still a huge target for bad actors and a danger to customers and brand reputation. “They can reach almost 33 million people across those top 10 brands,” says Devin Redmond, vice president and general manager of digital security and compliance at Proofpoint, which offers brand fraud detection and mitigation services.
It’s not just the largest brands that have been targeted. Food service and retail companies have seen bad actors create what looks like a promotional site for coupons, access to special content or previews for online games, Redmond says. Unknowing users will surrender credit card information and other personal information on the sites.
The rise in brand fraud has even prompted companies that don’t have a social media presence to monitor popular platforms. “Companies are starting to understand that even if they’re not active on social media, they need to be monitoring it because other people could be active on their behalf,” says Shanna Gordon, client services director at BrandProtect.
Protecting your brand
Some 79 percent of information security leaders surveyed by the Ponemon Institute believe that their security processes for Internet and social media monitoring are nonexistent, partially deployed or inconsistently deployed. Brand fraud experts offer five tips for protecting your company’s name and reputation.
1. Create your own social media presence before someone else does
Companies should have an official presence on major social media sites, even if they don’t use them often, says John LaCour, CEO of PhishLabs. “If customers go looking for [your page] and can’t find one, they may find the bad guys instead,” he says. Many social media sites offer icons or flags that identify legitimate sites, he adds. Companies should also communicate with customers that their official sites will only be used for announcing new products and services, for example, so customers will look more suspiciously at alleged brand sites that offer free perks or customer service action.
2. Establish governance
Companies need to have a governance program in place and staff responsible for social media accounts and communication as part of the company’s main infrastructure, Redmond says.
Business units often create their own legitimate domains, but the security team might not know about them. “They don’t do it through the right channels,” Gordon says. “That needs to be monitored with processes in place.”
3. Conduct a social media brand inventory
A simple search of a company’s name on popular social media sites can begin to uncover any nefarious social media accounts or at least reveal how the company is being represented, fraud experts say. During a recent audit of its social media presence, a major consulting firm was shocked to discover that hundreds of accounts were impersonating its brand or were using its name in some unwanted way on sites like Facebook, Twitter, LinkedIn, Google+ and Instagram, Gordon says.
Some accounts might be legitimate while others may reference a company’s name simply to draw traffic to their site. But a few could be truly criminal and are attempting to use fake accounts for phishing scams or to sell knock-off merchandise, she adds.
4. Identify fraudulent accounts and act quickly
At Paypal, security teams focus on identifying fraudulent sites and then reacting quickly, usually with the help of its worldwide customer base.
“The fastest way we identify [fraud] is being notified by our customer base,” including merchants and consumers, Adams says. “We are often notified much more quickly by customers than we are by the industry organizations that identify potential fraud and kick out threat alerts.”
Paypal’s investigative team reviews the fraud tips as they are received and identifies whether they are malicious or benign. Next they reach out to social media platform operators and their security departments to alert them.
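As an added illustration of tips 3 and 4 (this is example code, not the article's or Paypal's own tooling), the following Python triages handles turned up by a search for the company name on social platforms: it normalizes each handle, strips support-style wording, and flags exact and lookalike uses of the brand name so that a review team can prioritize what to investigate and report. The official handles, discovered handles, support-word list and similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data for this example: the brand's official handles and
# handles that a search for the company name on social platforms turned up.
OFFICIAL_HANDLES = {"paypal", "askpaypal"}
DISCOVERED = ["AskPayPal", "PayPal_Support", "PayPaISupport", "paypal-help-desk",
              "paypa1_official", "P4yPal.Help", "PayPalFanClub", "buy_cheap_shoes"]
# Wording impersonators attach to a brand name to pose as its help channel;
# checked longest first so "helpdesk" is stripped before "help".
SUPPORT_WORDS = sorted(("support", "helpdesk", "help", "official", "care", "service"),
                       key=len, reverse=True)
# Digit-for-letter substitutions that keep a handle readable as the brand name
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

def normalize(handle):
    """Lower-case, drop separators and undo digit-for-letter substitutions."""
    return re.sub(r"[^a-z0-9]", "", handle.lower()).translate(LEET)

def classify(handle, brand, official=OFFICIAL_HANDLES, threshold=0.8):
    """Label a discovered handle relative to the brand and say why.

    Returns (label, detail); label is one of official, impersonation,
    brand-reference, unrelated.
    """
    norm, brand_norm = normalize(handle), normalize(brand)
    if norm in {normalize(o) for o in official}:
        return "official", ""
    residue, stripped = norm, []
    for word in SUPPORT_WORDS:          # remove support-style wording, keep the rest
        if word in residue:
            residue = residue.replace(word, "")
            stripped.append(word)
    ratio = SequenceMatcher(None, residue, brand_norm).ratio()
    if residue == brand_norm:           # brand name claimed outright or dressed up as support
        detail = ("brand name plus " + "/".join(stripped)) if stripped else "exact brand name"
        return "impersonation", detail
    if ratio >= threshold:              # typo- or lookalike-squat of the brand name
        return "impersonation", f"lookalike of {brand!r} (similarity {ratio:.2f})"
    if brand_norm in norm:              # mentions the brand but is not posing as it
        return "brand-reference", "contains brand name"
    return "unrelated", ""

def inventory(handles, brand):
    """Group the discovered handles by label for the review queue."""
    report = {}
    for h in handles:
        label, detail = classify(h, brand)
        report.setdefault(label, []).append((h, detail))
    return report

if __name__ == "__main__":
    for label, rows in inventory(DISCOVERED, "PayPal").items():
        for handle, detail in rows:
            print(f"{label:15} {handle:20} {detail}")
```

The labels only rank candidates for human review; a handle marked brand-reference may be harmless fan content, and the "impersonation" tier is where the investigative team starts.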
5. Know where and how to report brand fraud
When customers suspect a fake company account on social media, they need to know who to report the fraud to, Redmond says. Develop a response plan that includes the documentation that should be collected and who should be contacted at the company and the social media site.
“Companies need to report brand fraud in a way that responders can consume it quickly because minutes count in these situations,” Adams says. To that end, Paypal is testing a specialized fraud reporting queue it has set up with a half dozen social media sites.
Fraud tipsters provide documentation about the suspected fraud in a standard format, and it is submitted by Paypal to the social media platforms. “We’ve been able to see a significant decrease in the amount of time it takes from the time we identify the problem to the time we report it, to the time action is taken,” Adams says. In one recent month, the expedited channel was 75 percent faster than reporting through the standard channel, he adds.
Adams says the reporting queue project is in the early prototype phase, and once it is proven successful Paypal plans to share the process or technical specifications with the world as open source.
Preventing social media brand fraud will remain a challenge because of the generative nature of social media platforms and the proliferation of new and more creative scams, Adams says. While these measures won’t stop this kind of abuse completely, he says, “it will raise the barrier.”