
Red Flags - social media hacking scams

We’ve teamed up with Nottinghamshire Police and HSBC to deliver important messages on how to stay safe whilst using social media channels, and how to spot the tell-tale signs of scams, hackings and fraudulent behaviour online.

Social media plays a huge part in our lives. From ‘living your best life’ selfies, taking snaps of your food for Instagram likes, chatting with friends, making memories, reels, memes, stories…it’s omnipresent.


We all use it, but sadly so do criminals. Nottinghamshire Police have witnessed a surge in criminal activity online with a key aim of the criminal being to extort funds from their victims via fiendish tricks such as phishing, hacking and impersonation fraud.


Therefore having HSBC on board as a sponsor to kickstart the campaign is a big plus for all concerned.


Kirsty Jackson, one of Nottinghamshire Police’s Cyber Protect and Prevent Officers, said:

“We have seen a huge increase with social media hackings this past year. This is a national issue with 28,464 cases of computer misuse reported this year with social media and email being the most common with 12,543 reports so far in 2022.
“As social media hackings have increased, I wanted to get key messaging into banks. We have now teamed up with the East Midlands Cyber Resilience Centre to create key materials, including a leaflet and an online campaign, which HSBC have sponsored. Anyone can nip into a Nottinghamshire HSBC branch and pick up a leaflet containing key Protect advice to help protect social media and other online accounts.
“We are also delivering key training to all HSBC staff so that they can provide direct advice/support to kick start our mission to reduce these crimes. Our intention is to then carry on this work with other banks across Nottinghamshire.
“Having spoken with local victims across the county in response to these hackings, I have seen first-hand the devastation this has caused victims, leaving them feeling violated, scared and locked out of their accounts without any control over their data, images, reputation and messages.
“The social media hackings I have personally worked on saw a growing trend emerge across each victim I have supported. They have generally reused the same or similar password across all online accounts and have appeared in data breaches, which is the likely point of compromise. Some victims have even been scammed into sharing their 2-Step Verification codes, which is like handing over the keys to their account.”

The campaign is being backed by HSBC. Local Director Gursh Bassi explained:

“We are dedicated to supporting our customers and the community of Nottinghamshire. The chance to work alongside Nottinghamshire Police to raise awareness of cybercrime - which is becoming more prevalent in society and a real concern for our customers - is a fantastic way to support our community. We are grateful to Nottinghamshire Police for the work they do and the opportunity they help”

So, led by Nottinghamshire Police, backed by HSBC and accelerated by the EMCRC, the aim is to broadcast the message that there are simple but very effective preventative measures that can be put in place to better protect your social media accounts.


Let’s take a look, starting with…


Password Security


A staggering - and alarming - number of people are still using really basic passwords which hackers can easily guess. The UK’s National Cyber Security Centre carried out analysis of passwords leaked in data breaches and found that more than 23 million users worldwide used 123456 as a password! Facepalm emoji!


Make it harder for cyber criminals to break in. Always use a different password for each online account you have, otherwise one data breach or password compromise will put all of your accounts at risk.


Strong memorable passwords can easily be created by combining three random words. For example, you could use: Hippo!Pizza.Rocket1? Note the punctuation inserted between the words. Special characters can also be thrown into the mix to ramp security up even further. A few underscores and an asterisk here and there will beef up your password.
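The three-random-words approach above, as an added example (not part of the original post): a small generator that picks the words with a cryptographic random source and estimates how many bits of guessing effort the result is worth. The word list and separator set are constructed for illustration; a real word list should hold several thousand words.

```python
import math
import secrets

# Constructed sample list for illustration only; use a list of several
# thousand words in practice so each word adds meaningful entropy.
SAMPLE_WORDS = ["hippo", "pizza", "rocket", "garden", "violin", "tunnel",
                "marble", "cactus", "lantern", "pebble", "walrus", "comet",
                "biscuit", "anchor", "meadow", "falcon"]
SEPARATORS = "!.?_*-"   # assumed set of punctuation placed between words


def make_passphrase(words=SAMPLE_WORDS, count=3):
    """Pick `count` words with a CSPRNG, capitalise them, join them with
    random punctuation and append one random digit."""
    parts = []
    for i in range(count):
        parts.append(secrets.choice(words).capitalize())
        if i < count - 1:
            parts.append(secrets.choice(SEPARATORS))
    parts.append(str(secrets.randbelow(10)))
    return "".join(parts)


def entropy_bits(wordlist_size, count=3, separators=len(SEPARATORS)):
    """Bits of entropy when every word, separator and the digit are chosen
    uniformly at random (the attacker is assumed to know the scheme)."""
    return (count * math.log2(wordlist_size)
            + (count - 1) * math.log2(separators)
            + math.log2(10))


if __name__ == "__main__":
    print(make_passphrase())
    # Most of the strength comes from the size of the word list,
    # not from the punctuation or the digit.
    for size in (len(SAMPLE_WORDS), 2048, 7776):
        print(f"{size:>5} words -> {entropy_bits(size):.1f} bits")
```

The estimate only holds when the words are picked at random; three words chosen from a pet's name, a football team and a birth year are far easier to guess.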


We know what you’re thinking: “But I will never remember all my passwords, especially if they’re complex!”. We hear you. So perhaps consider using a trusted password manager to help store all your passwords across multiple accounts.


Finally - and crucially - NEVER share passwords or authentication codes with anyone, no matter who they claim to be.


2FA ok?


Are you au fait with 2FA? Two-factor authentication (also known as two-step verification ‘2SV’ or multi-factor authentication) is designed to help stop cybercriminals from accessing your accounts by adding an extra layer of security.

Two-factor authentication ensures that any new device trying to log in or make account changes needs a second layer of security before access is given.


2FA includes single-use codes being sent via SMS, email, phone, or smartphone application (authentication apps). This means that if anyone tries to log in to your account - even if they have somehow obtained your password - a notification with an access code will be sent to you, denying them access. Don't EVER share access codes!
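How the single-use codes shown by an authentication app are produced, as an added example (not part of the original post): a minimal time-based one-time password (TOTP, RFC 6238) routine and the matching server-side check. The secret and timestamps are the published RFC test values, not real credentials.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1 variant)."""
    counter = unix_time // step                      # 30-second window number
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Server-side check: accept only the code for the current window.
    (Real services often also allow one adjacent window for clock drift.)"""
    return hmac.compare_digest(totp(secret, unix_time, step, len(code)), code)


# Test secret published in RFC 6238 Appendix B, not a real credential.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print("code at t=59s:", code)
    print("valid at t=59s:", verify(RFC_SECRET, code, 59))
    print("valid at t=60s:", verify(RFC_SECRET, code, 60))  # next window
```

The check knows nothing about who typed the code, only that it matches the current window, which is why a code passed to someone else works for them exactly as it would for you.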

Here's how to turn on 2FA for common social media platforms...

Keep up-to-date


Always keep your device software, apps and other programmes up-to-date to allow fixes to newly identified security bugs and vulnerabilities. People often consider updates a hindrance. But there’s a good reason why companies issue updates, and it may be to plug a vulnerability or to thwart malware.


Enable automatic updates and avoid using devices that cannot be fully updated. Back up regular copies of all your important documents, messages, contacts, photos and videos on a separate device or in the cloud.


What if I use social media for my business?


All the above applies, but check out our extra tips to keep your business accounts secure: Are your business social media accounts secure?


Red flags and phishing


Social media scams usually include some sort of "ask." This is the biggest red flag to look out for. If a brand or person (even a friend or family member) has asked you to do something, this could lead to you being hacked as well as putting your friends and family at risk of falling victim to the same scam.


Look out for…


  • Fake Influencer voting - sent via a social media message from a hacked friend or family member to fool users into clicking on a malicious link to vote for them to be a top influencer through a fake competition. This will lock you out of your account. Watch the video from This Morning below to see an example of how this caught an ITV employee out.

  • Giveaways - these might ask that you give away personal info, make a payment, or log into a site in exchange for a prize. This could leave you wide open to a hacking and the inability to access your account.

  • Support - this could be any request for help or support with your social media account from a friend/family member (who will have also been hacked). Never share login credentials or authentication codes. This is like giving over the keys to your account.

  • Random messages - if you receive a random message from someone in your friends list that may ask you to click a link, be cautious. Typically, the message will be designed to fill you with curiosity with questions such as ‘Is this you in this video?’ or, as we have seen recently, the ‘guess who’s dead’ scam. If in doubt, message the person and query whether or not they actually sent the message willingly.

  • Bitcoin Investment - if hacked, you could be asked to pay a ransom and/or film a hostage-style video promoting fraudulent cryptocurrency get-rich-quick schemes, as hackers from around the world hijack and hold social media accounts for ransom.

Phishing scams are rife! They dominated the threat landscape last year and are doing so again in 2022.


Never click on any unverified emails, texts or other messages (e.g. on any social media platform including Messenger and WhatsApp). Verify using a trusted phone number or contact or check via their official website or app.


Never be rushed into clicking a link that requests you to reset your password, enter a competition, or generally to do something on the back of a message received. No genuine person or organisation will phone or message you unexpectedly and ask you to make changes or give them remote access to any of your devices.


We could talk about phishing all day, but luckily we have also blogged about it previously. Check out our comprehensive phishing blog, 'Let’s remind ourselves about phishing...'.


Impersonation fraud, extortion and a digital hostage situation!


A new breed of organised cybercriminals has penetrated social media, with the aim of stealing your profile and taking your identity.


In the last 12 months, impersonation fraud on Instagram alone has risen by 155%, as criminals target unsuspecting users.


But how do you spot the impersonators and keep your identity safe? Alice Beer recently appeared on This Morning to cover this topic, and she also covers some of the must-know safety tips we have mentioned.


The video is 7 minutes and 42 seconds long, but it’s worth every second if it prevents you from being compromised.


Watch it here...

Useful links


Throughout this blog we have linked to related blogs which offer more information on the topic. We have an abundance of useful blogs on our website, and the East Midlands Cyber Secure website has access to Cyber Aware top tips, helpful videos and the opportunity to sign-up to their webinars.

 

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

 



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
