Action Fraud is urging people to use strong passwords and 2-step verification after receiving thousands of reports about hacked email and social media accounts.
Data from Action Fraud, the national fraud and cybercrime reporting service, shows that from August 2022 - July 2023, there were 18,011 reports of social media and email hacking.
Within these reports, 4,092 victims reported being extorted for money, or having their accounts used to perpetrate fraud against the wider public. In one example, Action Fraud has received over a dozen reports in the last two months relating to hacked social media accounts being utilised to promote fake Taylor Swift tickets.
Members of the public are less likely to suspect it's a scam if the tickets appear to be sold by someone who has lots of friends on their profile and posts dating back many years.
Pauline Smith, Head of Action Fraud, said:
“Social media applications are, without doubt, the most widely used in the world, which presents a huge opportunity for criminals. With millions of people using apps like social media every day, scammers have a wide pool of potential victims to target and they often try and gain access to people's online profile as a way to defraud others.
“Keep your accounts secure and set up 2-step verification. Under no circumstances should you ever share your 2-step verification codes with anyone, and if you think something doesn't seem right, report the message and block the sender within the app itself.
“To make your accounts even more secure, and to provide an extra layer of protection, we would recommend that your email and social media passwords should be strong and different to all your other passwords.”
In 49 per cent of cases reported to Action Fraud, there were two primary types of account takeovers:
On-platform takeovers
These occur entirely on the platform through the messaging element of the service. The suspect will trick a victim into sharing or altering crucial account details. Primarily this is done via the suspect already being in control of one of the victim's friends' accounts. The fraudster will then message the victim purporting to be their friend.
The victim, unaware that their friend's account has been hacked, will believe they are speaking with their friend. The criminal will then make a request of the new victim, such as help “securing” their account, voting in a competition, or potentially offering the victim a financial opportunity. The fraudster says that this requires sharing with them a code sent to the victim's phone, or taking a screenshot of a link sent to them.
Alternatively, the fraudster may ask a victim to change the email address on their account to claim a prize or follow a link the suspect has sent. Each of these actions, unknown to the victim, can provide the suspect with control of the account.
Email compromise and phishing
These types of account hacks often occur when victims have unwittingly divulged their login details to fake websites after having clicked on a link in an email they thought was genuine. Once a fraudster has access to a victim's email account, they can use it to reset the password of any social media account associated with that email address.
Frequently, the suspect will have acquired the email account due to weak security on the account, such as lack of 2-step verification, weak and re-used passwords, a leak of the victim's email address on the dark web, or the victim's custom web domain having expired and been purchased by someone else.
What can you do to avoid being a victim?
- Use a strong and different password for your email and social media accounts. These passwords should be strong and different from all your other passwords. Combining three random words that each mean something to you is a great way to create a password that is easy to remember but hard to crack.
- Turn on 2-Step Verification (2SV) for your email and social media accounts. 2-Step Verification (2SV) gives you twice the protection, so even if cyber criminals have your password, they can't access your email or social media account. 2SV works by asking for more information to prove your identity. For example, a code is sent to your phone when you sign in using a new device or change settings such as your password. You won't be asked for this every time you check your email or social media.
If you live in England, Wales or Northern Ireland and have been a victim of fraud or cybercrime, report it at www.actionfraud.police.uk or by calling 0300 123 2040. In Scotland, victims of fraud and cybercrime should report to Police Scotland on 101.
Suspicious emails should also be sent to SERS at report@phishing.gov.uk.