One of the leading nonprofit identity theft assistance organizations has drawn on its direct expertise to gather statistics that show criminals are spending much more time on social media. Personal data theft is up across multiple categories, but social media account takeovers have jumped a shocking 1,000% in just a year’s time.
Social media the new hotspot for personal data theft
The Identity Theft Resource Center (ITRC) drew on a survey of over 1,600 victims of personal data theft for its 2022 Consumer Impact Report. The lead item is the colossal jump in social media account takeovers from April 2021 to March 2022, and criminals appear to be actively hunting for scam victims rather than relying on plugging in credentials from prior data breaches.
Of the major social media platforms, victims indicate that personal data theft is most rampant on Instagram. 85% of those who experienced a social media account takeover had it happen on Instagram; the next closest platform is Facebook at just 25% (likely due to overlap in shared credentials between the two Meta-owned services).
The survey indicates that nearly half of social media account compromises cascade out from some sort of initial breach. 48% of the respondents said their account was compromised when a trusted person on their friend list, who had presumably had their own account taken over, sent them a malware link. 22% of the respondents said that they were taken in by a crypto scam on a social media platform. All told, a little over half of the personal data theft victims who experienced a social media compromise also either lost money out of their own pocket or lost business revenue due to the incident.
Victims also report great difficulty in recovering accounts once they are taken over. 70% said that they were still locked out of their stolen social media account at the time of the survey, and 67% said the attacker used it to post messages. Over half of all respondents, including those that were attacked through some other means than social media, said that their issue was still not resolved.
What are attackers doing with social media accounts, particularly the heavily-targeted Instagram accounts? As the survey respondents indicate, one tactic is to pass malware to unwitting targets via trusted friends and contacts. Another is to use accounts with a substantial following to post crypto scams and other assorted investment schemes. Criminals have even been observed using stolen social media accounts to harvest advertising revenue from legitimate sources. And if the social media user keeps personal information in their profile, attackers may sell it on the dark web or use it themselves to run some sort of scam.
As criminal interest grows, personal data theft attacks become more complex
Half of the victims of personal data theft during the survey period report more than one incident, and the biggest jump in victims was among those that ended up losing over $10,000 (likely due to the proliferation of crypto scams).
In addition to focusing their efforts on bigger fish, criminals are crafting more complex attacks. This has led to both an increase in the average time to resolve these incidents and a larger number of people (an 18% increase) reporting that their incident was never resolved. As these issues take longer to sort out and present an increasing risk of irreversible damage, respondents are reporting much higher levels of stress and health issues connected to personal data theft.
Victims also have a greater awareness of preventive and defensive measures than ever before, however, and a path forward lies in smart use of them.