Phishing on Facebook – Angler Phishing

This is an actual Angler Fish. Yes it is a real fish, but not the kind we are talking about. Somehow very appropriate though.

Cyber-criminals are masquerading as customer service sites on Facebook, luring disgruntled customers to their Facebook page in order to trick them into divulging their user name, password, and other personal information.  This is called “angler phishing.”

Here is how it usually works.  Say you have a bad experience with your bank, and you post a negative comment on Facebook or Twitter about the bad service you received.  A cyber-crime crew searching Facebook for negative comments about that bank will direct you to a Facebook Customer Service page they have set up to impersonate the bank in question.

They will be very apologetic and solicitous, and guide you to a link to connect you with a “customer service agent.”  While this chat is progressing, they will also install malware on your computer, possibly a remote access Trojan, banking Trojan, or keylogger.  There may also be a form to capture your login and other personal information such as your name and address, social security number, bank account number, and the answers to your secret questions.  They may even offer to help you “set up security” on your account in order to get this information from you.  The ultimate goal will be to get your log-on credentials in order to access your bank account and transfer funds out of your account.

Understand that this cyber-crew may have fake Customer Service pages for many popular companies, so the approach will not necessarily come from a bank; it could be from your “Internet service provider” or your “cell phone carrier.”  They set up imposter sites for companies with a bad service history and hundreds or thousands of customers, and just wait for the hot post from a disgruntled customer.

The best protection against this exploit, as with so many social engineering exploits, is awareness and skepticism.  If you really want to record a complaint with a company, go to their website directly by typing in the address or using your own browser bookmark.  Anyone proactively reaching out to you should be assumed to be an imposter until you can prove otherwise.  Be careful on your social networks; not everyone is as friendly as they may seem.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
