The Agency.

Angler Phishing

Angler phishing is a sophisticated social engineering attack that targets social media users by impersonating legitimate customer service accounts on platforms like Twitter (X), Facebook, LinkedIn, and Instagram to steal credentials and sensitive information.

Unlike traditional email-based phishing, angler phishing occurs entirely on social media platforms, exploiting the absence of corporate verification measures and taking advantage of users who publicly express frustration with companies or report problems.

How Angler Phishing Works

Attackers monitor social media platforms for users posting complaints about companies—most commonly financial institutions, airlines, telecommunications providers, and technology companies. When a target posts a public complaint or question directed at a company's official account, attackers create a fake account impersonating the company's customer service team and contact the complaining user to offer assistance.

The attack exploits several psychological factors: the user has already reached out for help and is expecting a response; the attacker contacts the user proactively, increasing perceived legitimacy; and the user's frustration or problem creates urgency that overrides careful scrutiny of the responding account.

The Attack Sequence

Monitoring: Attackers use automated tools to scan social media for brand mentions, complaint keywords, and interactions with official company accounts.

Account Creation: Attackers create fake customer service accounts with names that closely mimic official accounts, using minor variations like extra underscores, abbreviations, or country suffixes (e.g., @CompanySupport_Help instead of @CompanySupport).

Engagement: The fake account responds to the target's complaint with a helpful message offering to resolve the issue, often mirroring the tone and language of legitimate customer service.

Redirection: The attacker directs the victim to a malicious website or requests that they provide account credentials, payment information, or personal details through the social media platform or via a private message link.

Credential Harvesting: Sophisticated angler phishing campaigns use cloned login pages backed by real-time credential capture, validating submitted credentials as they are entered and capturing multi-factor authentication codes and session tokens as well.

Why Angler Phishing Is Effective

Most social media platforms lack strong verification mechanisms for customer service accounts. Verified status badges can be purchased or faked, and the volume of brand mentions makes it difficult for companies to monitor for imposters in real time. Victims have themselves created the pretext for the attack through their public complaint, making the interaction feel more natural and legitimate.
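A defender-side check that follows from the naming variations described under Account Creation (extra underscores, abbreviations, country suffixes) and from the monitoring problem noted above. It is an added example, not code from this glossary page or from any vendor product: the official handle inventory, the decoration-token list, the 0.8 similarity threshold and the sample replier handles are all constructed assumptions, and the lookalike test (letters-only normalisation plus a string-similarity ratio) is one reasonable approach rather than a standard.

```python
"""Lookalike-handle detection for angler phishing.

Added example for this glossary entry; not code from the page or from any
vendor product. It flags social-media handles that impersonate an
organisation's official customer-service accounts using the variations the
entry describes: extra underscores, abbreviations and country suffixes.
Every handle and token list below is constructed for illustration.
"""

import re
from difflib import SequenceMatcher

# Constructed inventory of the brand's genuine accounts. Assumption: the
# defender maintains this list.
OFFICIAL_HANDLES = ["@CompanySupport", "@CompanyHelp", "@Company"]

# Decorative words and country codes commonly appended to a lookalike.
# Constructed list; extend it with what your own brand uses.
DECORATION_TOKENS = ("support", "help", "care", "team", "official", "service",
                     "us", "uk", "eu", "ca", "au")

# Score at or above which a handle is reported as a suspected impersonator
# (assumed value; tune on your own data).
LOOKALIKE_THRESHOLD = 0.8


def letters_only(handle: str) -> str:
    """Lowercase the handle and keep only a-z.

    This removes the '@', underscores, digits and dots that lookalikes add,
    and also drops non-ASCII letters, so a handle with a confusable
    character (e.g. a Cyrillic 'о') still compares closely to the original.
    """
    return re.sub(r"[^a-z]", "", handle.lstrip("@").lower())


def strip_tokens(core: str) -> str:
    """Repeatedly remove trailing decoration tokens ('companysupportuk' ->
    'companysupport' -> 'company') without ever emptying the string."""
    changed = True
    while changed:
        changed = False
        for tok in DECORATION_TOKENS:
            if core.endswith(tok) and len(core) > len(tok):
                core = core[: -len(tok)]
                changed = True
    return core


def handle_forms(handle: str) -> set:
    """Both the letters-only form and the token-stripped 'brand core'.

    Comparing on both catches a typo in the suffix ('@CompanySuport') as
    well as a brand core dressed up with extra words ('@Company_Support_UK').
    """
    letters = letters_only(handle)
    return {letters, strip_tokens(letters)}


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify_handle(handle: str, official=OFFICIAL_HANDLES,
                    threshold=LOOKALIKE_THRESHOLD):
    """Return (label, closest_official_handle, score) where label is
    'official', 'suspected_lookalike' or 'unrelated'."""
    if handle.lower() in {h.lower() for h in official}:
        return ("official", handle, 1.0)
    forms = handle_forms(handle)
    closest, best = None, 0.0
    for off in official:
        score = max(similarity(f, g) for f in forms for g in handle_forms(off))
        if score > best:
            closest, best = off, score
    label = "suspected_lookalike" if best >= threshold else "unrelated"
    return (label, closest, best)


def flag_impersonators(observed, official=OFFICIAL_HANDLES):
    """Return the suspected lookalikes among the observed handles, most
    similar first, as (handle, closest_official, score) tuples."""
    flagged = []
    for h in observed:
        label, closest, score = classify_handle(h, official)
        if label == "suspected_lookalike":
            flagged.append((h, closest, round(score, 3)))
    return sorted(flagged, key=lambda t: -t[2])


# Constructed sample: accounts that replied to a public complaint thread.
OBSERVED_REPLIERS = [
    "@CompanySupport",       # the genuine account
    "@CompanySupport_Help",  # extra suffix
    "@Company_Support_UK",   # underscores plus country code
    "@CompanySuport",        # one-letter typo
    "@C\u043empany",         # Cyrillic 'о' in place of Latin 'o'
    "@CompanionPets",        # shares a prefix but is another brand
    "@jane_doe_42",          # an ordinary user
]

if __name__ == "__main__":
    for handle, closest, score in flag_impersonators(OBSERVED_REPLIERS):
        print(f"{handle:24s} looks like {closest:18s} score={score}")
```

In practice the input would be the handles of every account replying in the brand's mention stream, pulled from whatever social-listening feed the team already runs, and hits would go to the team that files impersonation reports with the platform. The threshold trades false positives (other brands sharing a prefix) against misses (heavily abbreviated handles), so it should be tuned against a sample of the brand's own lookalike reports.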