Social Media Account Verification Messages: CyberCriminals’ Latest Phishing Technique Exploits Both Human Emotions And Anti-Fraud Techniques
Social media users’ delight at receiving notification that their accounts have qualified for Verification (that is, receiving the often-coveted “blue check mark” that appears on the social media profiles of public figures) has become the latest target of criminal exploitation. Cybercrooks intent on stealing people’s identities (or worse) have begun sending well-crafted messages that both impersonate various major social-media providers and mimic the instructions that such platforms utilize as part of their respective Verification processes.
In order to ensure that they do not erroneously Verify accounts impersonating public figures or businesses, some social-media providers ask candidates for Verification to submit copies of government-issued identification documents, such as drivers’ licenses or passports. Only after the platform has validated the documents submitted by a candidate for Verification, and confirmed that the information on the documents corresponds to the data associated with the relevant account, will the social media provider Verify the account with a blue check mark.
As such, scammers sending bogus Verification messages request that recipients do the same, and exploit the fact that so many people both expect to be asked for copies of such documents as part of the Verification process, and are willing to share such documents in order to become Verified. The attack is especially devious because, in some cases, targeted individuals are not even directed to a phishing site; rather, they are instructed to send the relevant documents via email to an address that mimics one used by the social media provider’s real employees.
Some of the fraudulent Verification messages appear to be targeted – sent to active social media users with significant followings, for whom receiving Verification is often valuable, and for whom receiving notice of qualifying for Verification seems wonderful, rather than suspicious. Because targeted attacks involve relatively small numbers of people, criminals also benefit from would-be victims not having previously learned about such scams, and from a lack of media coverage that might otherwise serve as advance warning to future targets. (There have been some fraudulent Verification emails sent to poor targets, perhaps indicating that some criminals are now attempting to use more of a “shotgun” approach of sending out many messages with the hope that one or more recipients fall prey. I myself received one such message – for a social media account of mine that has been Verified for the greater part of a decade.)
One of the simplest ways to avoid falling prey to a bogus Verification-message scam is not to trust unsolicited email messages from social media providers; instead, communicate through the messaging systems offered as part of the relevant official apps and websites. Also, never send personal documents to a social media provider by email; all major providers offer ways to upload documents directly to them, and to perform the upload via the providers’ official apps and/or websites.
And, of course, if you do receive some notification that one of your social media accounts has qualified for Verification, but that message was delivered to you as an email or text message – or via any form of message other than one in the official support section of a social media app – beware.