Angler Phishing: What You Need To Know

Posted on 3 November 2019

Are you aware that cyber criminals are utilising social media to defraud users in a whole new way? Welcome to the world of angler phishing.

Phishing is on the rise, with a 2020 report indicating that over 95% of online attacks used social engineering techniques such as phishing to defraud consumers.

Cyber criminals are constantly inventing new ways to take advantage of consumers’ trust, and with angler phishing they are able to capitalise on how we tend to let our guard down when using social media.

What is Angler Phishing?

Put simply, angler phishing is the practice of masquerading as a customer service account on social media in order to reach and defraud a dissatisfied consumer.

By now, we are all familiar with traditional phishing, where fraudulent emails spoof legitimate organisations in order to gain access to sensitive information or lead users to malicious sites. Angler phishing is similar to this, but instead of reaching potential targets via email, cyber criminals utilise bogus social media accounts to target people with an updated version of the same scam.

Who’s Targeted?

Cyber criminals are aware that organisations are increasingly using social media to interact with their customers, either for marketing and promotional purposes or to offer an easy route for customers to ask questions or make complaints.

Many of us live our entire lives on social media sites and apps – particularly Facebook, Twitter, Instagram, and LinkedIn – publicly showcasing our thoughts when interacting with friends, family, fans, total strangers and businesses alike. Angler phishers exploit this behaviour by preying on the fact that disgruntled customers use social media as a way to get a quick response and resolution to their complaints.

How is it Done?

Upon receiving a social media complaint, organisations will respond promptly, seizing upon the opportunity for damage control, and potentially  good PR. The company will usually ask the customer to provide their personal details so they can locate the customer within their system and issue a refund or some sort of resolution.

This practice is exactly what online fraudsters exploit.

They do this by spoofing corporate accounts and intercepting customer queries before the official account has the chance to respond. Cyber criminals attempt to look legitimate by using a similar social media handle to the real business – for example, @TopshopCustomerService – and while eagle-eyed consumers may spot that the response did not come from the account that they directly contacted, it is quite common for large companies to have a dedicated customer service account, such as @TopshopHelp.

@Topshop on Twitter
@TopshopHelp on Twitter

With that said, most customers don’t notice the difference to begin with, and often assume that any contact following their complaint can be trusted.

Once the cyber criminal has made initial contact, they will then ask the consumer to DM them their account details (as many genuine organisations do) or link the consumer to a malicious site posing as a customer support page. The customer’s information is then stolen, or their device is infected with malware.

What Can You Do About it?

Although regular phishing that occurs via email is something that most of us are pretty clued up on at this point, angler phishing is not. This type of scam is often quite hard to spot, but you can protect yourself from angler phishing scams by carrying out the following safeguarding activities:

Address complaints and questions to official customer service channels only.

Rather than taking complaints directly to social media, privately contact a company via the email, phone number, or contact form listed on their official site. Although it might take longer to get a response, you are better safe than sorry.

Check for legitimate responses.

Double check that the social media account that responded to you is the one that you addressed in the first place by checking for a conversation thread and clicking through to the account that is responding to you. Check follower count and post number, as a serious lack of followers and posts could indicate a fake account.

Ensure a company’s customer service social media channels are trustworthy:

  • Look out for verification ticks to ensure account legitimacy.
  • Search for the company’s official complaints pages on social media and contact/respond to contact from those only.
  • Check for direct links to the official customer service account on the company’s main social account via their comments or profile to make sure they are both part of the same company. A lack of interaction between the main account and the customer service account could point to a scam.
  • Do not immediately trust a customer service account that gets in touch with you out of the blue, look for a comment referral or tag from the main account.
  • Double check that the account that contacts you is the correct one; look for spelling issues or misused characters, for example _Topshop or Topsh0p instead of Topshop.
  • Complain via DM on the company’s main social account so your details and the interaction remain private.

What Can Your Organisation Do About it?

Most social media users have very limited, if any knowledge of angler phishing. This could spell bad news for large organisations, considering how often employees tend to browse social media on office devices or on their company network. It only takes one member of staff clicking a harmful link to infect your organisation’s whole system with malicious software or open your enterprise up to a data breach.

In order to protect against this, you must teach you employees how to spot all types of phishing attacks in action, including email, SMS, and social media. A comprehensive phishing awareness course is a good solution, as well as adequate device and data security to ensure that if a member of staff does fall victim to an angler phishing scam, your systems are completely protected.

What’s more, implementing customer identity and access management solutions – effectively managing customers and their identity to safeguard their data and access – can provide the upper hand against angler phishing.


As cyber threats become more sophisticated, organisations need to clue themselves, their employees, and their customers in on the dangers lurking online – it might just be what gets them off the hook.

To find out more about protecting your systems against a wide range of cyber security threats, please contact our dedicated team.

A few people we've already done it for