Action Fraud Warns of Social Media Account and Email Takeover Scams

Data from Action Fraud, the national fraud and cybercrime reporting service, reveals a concerning increase in social media and email hacking incidents. Between August 2022 and July 2023, there were 18,011 reported cases of accounts being compromised. Within these reports, 4,092 victims fell prey to extortion or unknowingly became accomplices in fraudulent activities against the general public.

One recent example involves a series of reports received by Action Fraud in the past two months. These reports highlighted the use of hacked social media accounts to promote fake Taylor Swift tickets. Scammers take advantage of unsuspecting victims by leveraging the credibility of a profile with many friends and a history of posts dating back several years.

Pauline Smith, Head of Action Fraud, emphasizes the vulnerability of social media applications due to their widespread usage. Criminals see these platforms as a prime opportunity to target potential victims. With millions of people using social media apps daily, scammers attempt to gain access to online profiles to defraud others. Smith advises users to keep their accounts secure by setting up two-step verification and never sharing verification codes with anyone. If something seems suspicious, users are encouraged to report the message and block the sender within the app itself.

To enhance account security, Action Fraud recommends using strong and unique passwords for email and social media accounts. It is crucial to avoid reusing passwords across multiple platforms. A strong password can be created by combining three random words that hold personal significance. This approach ensures a password that is both memorable and difficult to crack.

Another prevalent method employed by fraudsters is on-platform takeovers. In 49% of the reported cases, these takeovers occur through the messaging feature of the platform. The suspect gains control by tricking the victim into sharing or modifying crucial account details. This is often achieved by compromising one of the victim’s friends’ accounts. The fraudster then impersonates the friend and requests assistance in securing their account, voting in a competition, or offering a financial opportunity. The victim unwittingly complies, providing the suspect with control over their account by sharing a code sent to their phone or changing the email address associated with the account.

Email compromise and phishing are additional methods used to hack accounts. Victims unknowingly disclose their login credentials to fraudulent websites after clicking on links in seemingly genuine emails. Once the fraudster gains access to the victim’s email account, they can reset the password of any social media account linked to that email address. Weak security measures such as the absence of two-step verification, reused passwords, leaked email addresses on the dark web, or the purchase of a victim’s custom web domain often contribute to these types of breaches.

To avoid falling victim to these scams, Action Fraud recommends the following preventive measures:

• Use strong and unique passwords for email and social media accounts.
• Enable Two-Step Verification (2SV) for email and social media accounts to provide an extra layer of protection.
• 2SV requires additional information to verify your identity, such as a code sent to your phone when signing in from a new device or changing settings.
• Report fraud or cybercrime incidents in England, Wales, and Northern Ireland at www.actionfraud.police.uk or by calling 0300 123 2040. In Scotland, victims should report to Police Scotland on 101.
• Forward suspicious emails to SERS at report@phishing.gov.uk.

By following these precautions, individuals can significantly reduce their risk of falling victim to social media account and email takeover scams. Stay vigilant and protect your online presence from cybercriminals.