This summer, online payment service giant PayPal learned that bad guys had set up a fake PayPal Support page on Twitter, and then monitored the real PayPal Support page for remarks from customers. The bad guys responded to those inquiries and pointed users to the fake site where they would ask for, and sometimes receive, personal and account information – an attack called angler phishing.
PayPal’s Information Security Director Trent Adams likens the ongoing battle to protect its brand to a game of whack-a-mole, and with new social media threats popping up daily, it’s becoming more like “whack-an-ant-hill” because while one account may be shut down, others are probably still at work.
“We would like to get into a position of prevention – but prevention is really hard,” Adams says. “Early detection is where we are right now.”
As social media platforms become the predominant form of customer communication, so too do the threats to companies and brands. Nearly 600 new fraudulent brand accounts were created each month between April and June 2016 on social media sites Facebook, Twitter, YouTube and Instagram, according to a study by Proofpoint. Of nearly 5,000 social media accounts connected with 10 top global brand names, nearly one in five was fraudulent.
Even though the incidence of phishing on those fake accounts is relatively small (about 4 percent), they’re still a huge target for bad actors and a danger to customers and brand reputation. “They can reach almost 33 million people across those top 10 brands,” says Devin Redmond, vice president and general manager of digital security and compliance at Proofpoint, which offers brand fraud detection and mitigation services.
It’s not just the largest brands that have been targeted. Food service and retail companies have seen bad actors create what looks like a promotional site for coupons, access to special content or previews for online games, Redmond says. Unknowing users will surrender credit card information and other personal information on the sites.
The rise in brand fraud has prompted even companies that don’t have a social media presence to monitor popular platforms. “Companies are starting to understand that even if they’re not active on social media, they need to be monitoring it because other people could be active on their behalf,” says Shanna Gordon, client services director at BrandProtect.
Protecting your brand
Some 79 percent of information security leaders surveyed by Ponemon Institute believe that their security processes for Internet and social media monitoring are nonexistent, partially deployed or inconsistently deployed. Brand fraud experts offer five tips for protecting your company’s name and reputation.
1. Create your own social media presence before someone else does
Companies should have an official presence on major social media sites, even if they don’t use them often, says John LaCour, CEO of PhishLabs. “If customers go looking for [your page] and can’t find one, they may find the bad guys instead,” he says. Many social media sites offer icons or flags that identify legitimate sites, he adds. Companies should also tell customers that their official sites will be used only for announcing new products and services, for example, so customers will look more suspiciously at alleged brand sites that offer free perks or customer service action.
2. Establish governance
Companies need to have a governance program in place and staff responsible for social media accounts and communication as part of the company’s main infrastructure, Redmond says.
Business units often create their own legitimate domains, but the security team might not know about them. “They don’t do it through the right channels,” Gordon says. “That needs to be monitored with processes in place.”