Each week, the NTIC Cyber Center highlights a different social engineering scam impacting individuals and communities within the National Capital Region. We encourage everyone to share this information with friends, colleagues, and loved ones to help reduce their risk of becoming a victim of financial fraud and identity theft.
Have you ever seen a friend’s social media post promoting a product at such an incredible discount that you almost couldn’t resist clicking the advertisement and making a purchase? Not so fast! You may have encountered a fake social media ad scam. Fake social media ad scams are social engineering schemes in which perpetrators use compromised social media accounts to post links to phishing websites disguised as product advertisements. These advertisements frequently showcase sales of designer products such as sunglasses, sneakers, or other fashion accessories, offered “while supplies last” or “for a limited time only.” However, there is no inventory of merchandise available and no orders are shipped. Ultimately, scammers use these advertisements to capitalize on the trust that social media users place in their friends’ recommendations and lure interested parties into surrendering personal information or account credentials.
Here’s how fake social media ad scams work. Scammers first gain access to other people’s social media accounts. To accomplish this, they may purchase stolen account credentials from Dark Web marketplaces. They may also steal login credentials through malicious apps installed on users’ devices. If a social media user has reused a password across platforms, scammers may even log into the account with a username and password pair exposed in a previous data breach of an unrelated site, typically testing large lists of such pairs automatically (a technique known as credential stuffing). Once they have access to a compromised account, scammers use it to post advertisements for sales of discounted products. The posts are often disguised as the account holder’s personal endorsements urging other social media friends to take advantage of the great deal. Social media users whose accounts have been compromised may not even be aware that their account has been hijacked for this purpose.
Eager to jump on a good deal, social media users who view the posted advertisements may follow the links and shop for the advertised products. These shoppers are ultimately tricked into navigating to pages that masquerade as online stores but operate as malicious websites. Some of these are phishing sites that harvest victims’ financial details, personal information, or account credentials. Others force the download of malicious applications, take control of browsers, or distribute malware onto victims’ devices. The scam doesn’t end here, however: scammers use any account credentials they capture to continue the harmful cycle of posting advertisements, deceiving shoppers, and gathering even more stolen information to perpetrate identity theft, fraud, and other crimes.
The NTIC Cyber Center recommends social media users review the following guidelines for identifying and avoiding fake social media ad scams:
Don’t click on social media links that advertise unrealistic sales.
Don’t reuse passwords across platforms. Since scammers often rely on “credential stuffing” to perpetrate fake social media ad scams, reusing passwords increases the likelihood your account will be compromised and used to propagate fake ad scams.
Alert friends if you believe their account has been compromised and used to post fake advertisements; they may not know their account has been hijacked.
If you believe your social media account may have been compromised and used to spread fake advertisements, immediately change your account password to something unique and strong, and use the platform’s security settings to sign out of all other active sessions so that the scammer’s existing login no longer works.
Enable two-factor authentication on all accounts that offer it to reduce the risk of account compromise.
Review the permissions of third-party apps and services and revoke any that seem suspicious.
Remember that if the sale of an item seems “too good to be true,” it probably is.
If you believe you may have been impacted by a fake social media ad scam, contact your local law enforcement entity or file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.