Anatomy of a Social Media Impersonation Scam: Targeting Bank Customers
Anyone who had a MySpace account in the fledgling days of social media knows that impersonation has always been a part of the deal. From spoofed celebrity Twitter accounts to Craigslist scammers trying to dupe buyers and sellers into sending them money via a third-party payment system, long-time social media users have learned to be skeptical when faced with potentially duplicitous accounts.
And that’s why Facebook remains one of the most effective social media platforms for executing scams and attempted fraud campaigns. Its user base skews a bit older and less tech-savvy than those of other platforms, like Instagram and TikTok, and in many cases attackers have been successful in targeting these users.
BlueVoyant’s cyber threat analysts have been tracking a sophisticated social media impersonation campaign for over two years that adds a new wrinkle: spoofed banking customer service Facebook pages that prey on users seeking help with their accounts. You can read the full report here, or continue on for some of the highlights:
The Customer Isn’t Always Right
In April 2021, BlueVoyant identified a rise in Facebook customer service impersonation campaigns targeting customers of several large international banks and their subsidiaries. Attackers create spoofed customer service accounts pretending to represent these organizations, reeling in unsuspecting customers who are seeking assistance. The users fail to recognize that the pages are fake and engage with them, playing right into the threat actors’ hands.
Our team has determined that it is most likely a team of attackers working together – or at least sharing best practices – to carry out this type of scam. They aim to gain access to customers’ bank accounts by contacting customers who find their fraudulent pages and walking them through a series of steps that appear to be in service of helping them with their accounts, but are actually steering them to provide credentials, personally identifiable information (PII), or, worse yet, direct access to their account itself via a screen control app.
In order to increase the legitimacy of the campaign, the impersonated pages are continuously updated with the bank’s original Facebook content, including the most recent posts and uploaded pictures.
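As an added illustration (not taken from BlueVoyant's report), the mirroring behavior described above can be turned into a brand-monitoring check: flag non-official pages whose name resembles the bank's and whose posts near-duplicate the official page's. The page records, ids, and thresholds below are constructed assumptions, and how page data is collected is out of scope.

```python
import re
from difflib import SequenceMatcher

def normalize(text):
    # Lowercase and collapse punctuation so trivial edits do not hide a copy.
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def name_resembles(brand, name, min_ratio=0.8):
    # Every brand word must fuzzily appear in the page name (catches "Examp1e").
    tokens = normalize(name).split()
    return all(any(SequenceMatcher(None, b, t).ratio() >= min_ratio for t in tokens)
               for b in normalize(brand).split())

def mirrored_fraction(official_posts, page_posts, min_ratio=0.9):
    # Share of the page's posts that near-duplicate an official post.
    if not page_posts:
        return 0.0
    official = [normalize(p) for p in official_posts]
    hits = sum(1 for p in page_posts
               if any(SequenceMatcher(None, normalize(p), o).ratio() >= min_ratio
                      for o in official))
    return hits / len(page_posts)

def flag_impersonators(official, candidates, mirror_min=0.5):
    # A brand-like name alone is not enough (fan pages); require mirrored content too.
    return [c["id"] for c in candidates
            if c["id"] != official["id"]
            and name_resembles(official["name"], c["name"])
            and mirrored_fraction(official["posts"], c["posts"]) >= mirror_min]

# Constructed sample data: hypothetical bank, page ids, and posts.
OFFICIAL = {"id": "official-1", "name": "Example Bank",
            "posts": ["Our branches close early on Friday.",
                      "New mobile app update is available today!",
                      "Tips to keep your card details safe."]}
CANDIDATES = [
    {"id": "page-A", "name": "Example Bank Customer Service",
     "posts": ["Our branches close early on Friday",
               "New mobile app update is available today!!"]},
    {"id": "page-B", "name": "Example Bakery",
     "posts": ["Fresh sourdough every morning."]},
    {"id": "page-C", "name": "Example Bank Fans",
     "posts": ["I love the new branch downtown.", "Anyone else waiting on hold?"]},
    {"id": "page-D", "name": "Examp1e Bank Help",
     "posts": ["Tips to keep your card details safe.", "Message us for account help"]},
]

if __name__ == "__main__":
    print(flag_impersonators(OFFICIAL, CANDIDATES))
```

Pages flagged this way are candidates for manual review and takedown requests, not confirmed impersonations.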
Springing the Trap
Our analysts engaged with the threat actors running these accounts, acting as customers who have been genuinely tricked. They followed the conversations as far as they could without being exposed or handing over access to their accounts.
After getting the customer's information, the representative asked the customer to download the AnyDesk Remote Control app, which provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality. The actor uses the software to gain access to the customer's device, which then allows them to bypass two-factor authentication (2FA), conduct illicit transactions, steal PII, etc.
As our analysts are seasoned threat hunters, they rebuffed this demand to see what the next move would be. The threat actors then asked them to attempt a money transfer using Remitly, an online money transfer service, to verify their identity. At this point, the conversation broke down, and our analysts withdrew from the ruse.
Social media-savvy users might crack jokes about Grandma not knowing how to use the computer when this type of attack is successful. But the fact remains that there are billions of internet users across the globe, and not all of them have the experience and the knowledge to identify scams at the surface level.
Ultimately, the burden will fall on the organization that has been impersonated to rectify the situation. Therefore, it’s imperative that banks and other financial institutions continue to educate their users and continually enhance fraud prevention protocols. Banks should warn customers about this type of attack using official social media channels, so they can potentially learn to decipher which accounts are legitimate and which are fake.