Phishing on Facebook – Angler Phishing

This is an actual Angler Fish. Yes it is a real fish, but not the kind we are talking about. Somehow very appropriate though.

Cyber-criminals are masquerading as customer service sites on Facebook, luring disgruntled customers to their Facebook page in order to trick them into divulging their user name, password, and other personal information.  This is called “angler phishing.”

The scheme usually works like this.  Let’s say you have a bad experience with your bank, and you write and post a negative comment on Facebook or Twitter about the poor service you received.  A cyber-crime crew that is searching Facebook for negative comments about that same bank will then direct you to a Facebook Customer Service page they have set up to impersonate the bank in question.

They will be very apologetic and solicitous, and guide you to a link to connect you with a “customer service agent.”  While this chat is progressing, they may also install malware on your computer, possibly a remote access Trojan, banking Trojan, or keylogger.  There may also be a form to capture your login and other personal information such as your name and address, social security number, bank account number, and the answers to your secret questions.  They may even offer to help you “set up security” on your account in order to get this information from you.  The ultimate goal is to get your log-on credentials in order to access your bank account and transfer funds out of it.

Understand that this cyber-crew may have fake Customer Service pages for many popular companies, so the approach will not necessarily come from a “bank”; it could be from your “Internet service provider” or your “cell phone carrier.”  They set up imposter sites for companies that have a bad service history and hundreds or thousands of customers, and just wait for the hot post from a disgruntled customer.

The best protection against this exploit, as with so many social engineering exploits, is awareness and skepticism.  If you really want to record a complaint with a company, go to their website directly by typing in the address or using your own browser bookmark.  Anyone proactively reaching out to you should be assumed to be an imposter until you can prove otherwise.  Be careful on your social networks; not everyone is as friendly as they may seem.
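The advice above boils down to one rule: trust only the address you typed or bookmarked yourself, never a link handed to you in a chat. The following Python snippet is an added illustration of that rule and is not part of the original post; it shows how a helpdesk or awareness trainer might screen links pulled from social-media messages against an organization's known-good domains. The domain `examplebank.com` and the sample links are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed allowlist: the organization's real domain(s). In practice these
# come from the address you typed yourself or your own bookmark, never from
# the message you are checking. "examplebank.com" is a hypothetical name.
OFFICIAL_DOMAINS = {"examplebank.com"}


def classify_link(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Classify a link found in a social-media message as
    'official', 'lookalike' or 'unrelated'.

    Only the host part of the URL is used for the decision; the path and any
    reassuring words in it ("/customer-service", "/secure-login") are ignored.
    """
    # urlparse needs a scheme to recognise the host; default to http if absent.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"

    # A host is official only if it IS the domain or a subdomain of it.
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "official"

    # A host that merely contains the brand name but is not under the real
    # domain (examplebank.com.customer-help.net, examplebank-support.com) is
    # the classic impersonation pattern and deserves a warning.
    for domain in official:
        brand = domain.split(".")[0]
        if brand in host:
            return "lookalike"

    return "unrelated"


def screen_message(text: str, official=OFFICIAL_DOMAINS) -> dict:
    """Map every http(s) link in a chat message to its classification."""
    links = [w.strip(".,;)") for w in text.split() if w.startswith(("http://", "https://"))]
    return {link: classify_link(link, official) for link in links}


if __name__ == "__main__":
    # Constructed sample of an apologetic "customer service" reply.
    sample = ("So sorry about your experience! Please verify your account at "
              "https://examplebank.com.customer-help.net/login so an agent can assist.")
    for link, verdict in screen_message(sample).items():
        print(f"{verdict:>10}  {link}")
```

The check deliberately ignores everything after the host name, because the path is where an impersonator puts the reassuring words; the same allowlist idea applies to a bank's verified social-media handles, which you should likewise copy from the bank's own site rather than from the profile that contacted you.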

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
