Social Media Impersonation: How Phishing Evolved as Email Defenses Improved


For years, phishing prevention followed a familiar playbook: secure email, filter malicious links, train users to recognize suspicious messages, and harden the infrastructure attackers traditionally exploited.

On paper, that effort has worked. Email defenses are stronger than ever. DMARC adoption continues to rise. Organizations have invested heavily in secure email gateways, domain monitoring, browser protections, and user awareness training. Employees are more likely to question suspicious messages than they were a decade ago.

But phishing didn’t disappear. It evolved beyond the email inbox.

One of the fastest-growing tactics is social media impersonation: the creation of fake social media accounts, profiles, pages, or advertisements that imitate legitimate brands, executives, customer support teams, or public figures to deceive users. These impersonation accounts are often used to distribute phishing links, promote investment scams, steal credentials, or facilitate payment fraud.

While security teams focused on strengthening email and network defenses, attackers quietly shifted to channels where trust is easier to exploit and security defenses are weaker.

Today, social media scams produce far more in losses — an eightfold increase since 2020 — than any other channel used by scammers to reach consumers, according to the Federal Trade Commission. In fact, nearly 30% of people who reported losing money to a scam said that it started on social media in 2025 — with total reported losses reaching $2.1 billion.

What makes this shift to social media phishing especially notable is how little it appears in broader phishing conversations. Most phishing prevention guidance still focuses overwhelmingly on email and malicious websites. Social media may receive a passing mention, but it is rarely treated as a primary attack surface.

That disconnect matters. Because in many cases, phishing no longer starts with an email. It starts with social media.

From Email Attacks to Multi-Channel Campaigns

The traditional phishing model was relatively straightforward: An attacker sends an email. The victim clicks a malicious link and logs in. Credentials are stolen.

Today’s attacks look very different.

Modern phishing campaigns increasingly span multiple channels and interactions, often beginning with social media engagement rather than inboxes.

Today a typical phishing attack may begin as a fake social media profile, a paid ad, a direct message, a comment, or some other form of social media engagement that leads to a phishing website, an investment scam, credential theft, or payment fraud.

The tactics vary, but the pattern is familiar. Attackers impersonate brands, executives, influencers, or customer service teams to establish trust before directing targets elsewhere. And phishing incidents are no longer isolated events.

In Netcraft's discussions with organizations responding to active threats, a consistent pattern emerges: coordinated campaigns involving multiple accounts, multiple touchpoints, and multiple platforms.

Instead of one-off phishing emails and isolated attacks, modern phishing campaigns now operate as interconnected ecosystems. This changes what security teams must monitor and how quickly they need to respond.

Why Social Media Is the New Phishing Channel

As email became harder to exploit, social media offered attackers several advantages that traditional phishing infrastructure no longer provides:

Built-In Trust

Social platforms are fundamentally identity-driven environments. Users expect to interact with brands, executives, customer support representatives, and financial organizations through verified-looking profiles and familiar visual branding.

A convincing impersonation account can feel legitimate at a glance — especially when profile images, logos, bios, and copied content closely resemble the real thing.

Figure 1. Facebook Brand Impersonation: Fake profile page impersonating customer support for EVRi.

Instead of spoofing infrastructure, attackers are now impersonating identity.

Massive Scale

Creating social accounts is fast, inexpensive, and repeatable. Attackers can launch large numbers of impersonation profiles across social platforms with relatively little effort, often testing variations of usernames, branding, and messaging until something gains traction.

The scale is difficult to match through traditional email phishing alone.

Direct Engagement

Unlike email, social media enables real-time interaction. Attackers can initiate conversations through direct messages, comments, mentions, paid advertisements, or engagement with trending content. They can respond dynamically, adapt messaging, and build credibility over time.

Security teams are increasingly seeing scams built around executive impersonation, fake investment opportunities, fraudulent customer support accounts, and brand-targeted deception campaigns.

The result is a more interactive form of phishing — one designed to exploit trust rather than technical weaknesses.

The Social Blind Spot: Why Security Teams Miss It

Most security programs were never designed to monitor where those attacks are now happening. Traditional phishing defenses were built around infrastructure security: email, domains, and websites.

Here’s a breakdown of what traditional phishing defenses are designed to detect vs. where attacks are happening now.

Traditional Phishing Defense Coverage vs. Modern Attack Surfaces

| Attack Surface | Detected by Traditional Phishing Defenses? | Common Coverage |
|---|---|---|
| Email | Yes | Email filtering, DMARC, secure email gateways |
| Domains / Websites | Yes | URL scanning, domain monitoring, browser blocking |
| Social Media | Limited or none | Fake profiles, impersonation accounts, malicious posts |
| Paid Ads (Social/Search) | No | Malicious ads on Meta, TikTok, Google, etc. |
| Messaging Apps | No | WhatsApp, Telegram, SMS scams |

Social media is fundamentally harder to monitor than email or websites. Much of the relevant activity occurs behind login barriers, private messaging systems, restricted content views, or platform-specific interfaces that traditional monitoring tools cannot easily access.

Unlike phishing websites — where malicious infrastructure can often be scanned, analyzed, and blocked — social media threats are frequently fragmented across accounts, conversations, and content formats.

Even when content is visible, detection often depends on indirect indicators:

  • Suspicious profile metadata

  • Stolen or manipulated brand imagery

  • Behavioral patterns across accounts

  • Engagement anomalies

  • Signs of coordinated impersonation activity

The challenge is not just detection. It is visibility. Security teams often cannot investigate what they cannot easily see.

The New Challenge: Detection Without Clarity

Phishing emails are often easier to classify. A malicious link. A spoofed sender. A credential-harvesting page.

Social threats are more ambiguous. Not every suspicious account is malicious. Not every impersonation profile clearly crosses a policy threshold. Some may appear inactive, incomplete, or only subtly deceptive.

Security teams aren’t just trying to identify attacks. They are also sorting through large volumes of ambiguous signals that require classification, validation, and prioritization.

In many cases, the issue is not a lack of alerts. It is too many uncertain ones.

As one security practitioner described it:

“Anything that ends in detection is suspicious… not necessarily malicious.”

The result is a growing operational burden: teams overwhelmed by signals that are difficult to confirm, difficult to escalate, and difficult to remove quickly. Social media brand protection requires a different approach.
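To make the two points above concrete (detection that rests on indirect indicators, and triage of signals that are suspicious but not necessarily malicious), here is an added Python illustration. It is not Netcraft's code and is not part of the original post. It scores constructed sample profiles on the indicators the article lists (lookalike handles, copied brand naming, support-lure wording, account age, verification state) and adds a coordination bonus when several accounts share the same landing link, then sorts each account into a monitor / review / escalate tier. The official handles, keyword list, weights, thresholds, and sample profiles are all assumptions chosen for the example.

```python
"""Indicator scoring and triage for suspected brand-impersonation accounts.

Added illustration, not Netcraft tooling. Official handles, keywords,
weights, tier thresholds and the sample profiles below are all assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
import unicodedata

# Assumed official handles for the protected brand (placeholder values).
OFFICIAL_HANDLES = {"evri", "evri_support"}
# Words that signal a customer-support lure in a bio (assumed list).
SUPPORT_WORDS = ("support", "help", "refund", "claim", "care")
# Digit/symbol substitutions common in lookalike handles; separators are dropped.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                               "@": "a", "$": "s", "_": "", ".": "", "-": ""})


@dataclass
class Profile:
    handle: str
    display_name: str
    bio: str
    created: date
    verified: bool
    outbound_link: Optional[str] = None


def normalize(text: str) -> str:
    """Fold accents, lowercase, drop a leading '@' and undo lookalike substitutions."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return folded.lower().lstrip("@").translate(LOOKALIKE_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_profile(p: Profile, today: date) -> tuple[int, list[str]]:
    """Score one account on its own indicators; coordination is added in triage()."""
    if p.handle.lower().lstrip("@") in OFFICIAL_HANDLES:
        return 0, ["allowlisted official account"]
    score, reasons = 0, []
    handle = normalize(p.handle)
    officials = [normalize(h) for h in OFFICIAL_HANDLES]
    dist = min(edit_distance(handle, o) for o in officials)
    if dist == 0:
        score += 40
        reasons.append("handle is a lookalike of an official handle")
    elif dist <= 2:
        score += 25
        reasons.append(f"handle within {dist} edit(s) of an official handle")
    elif any(o in handle for o in officials):
        score += 15
        reasons.append("brand name embedded in handle")
    if any(o in normalize(p.display_name) for o in officials):
        score += 10
        reasons.append("brand name in display name")
    if any(w in p.bio.lower() for w in SUPPORT_WORDS):
        score += 10
        reasons.append("customer-support lure wording in bio")
    if (today - p.created).days < 30:
        score += 15
        reasons.append("account created in the last 30 days")
    if score and not p.verified:  # only meaningful once something brand-related fired
        score += 10
        reasons.append("brand-themed but unverified")
    return score, reasons


def triage(profiles: list[Profile], today: date) -> dict[str, tuple[int, str, list[str]]]:
    """Score every profile, add a bonus for shared landing links, and assign a tier."""
    by_link = defaultdict(list)
    for p in profiles:
        if p.outbound_link:
            by_link[p.outbound_link].append(p.handle)
    results = {}
    for p in profiles:
        score, reasons = score_profile(p, today)
        peers = by_link.get(p.outbound_link, [])
        if score and len(peers) > 1:  # several suspect accounts funnel to one link
            score += 20
            reasons.append(f"shares landing link with {len(peers) - 1} other account(s)")
        score = min(score, 100)
        tier = "escalate" if score >= 60 else "review" if score >= 30 else "monitor"
        results[p.handle] = (score, tier, reasons)
    return results


TODAY = date(2025, 6, 30)  # constructed reference date
SAMPLE_PROFILES = [  # constructed sample profiles, not real accounts
    Profile("@evri", "Evri", "Official account. Track your parcel.", date(2012, 1, 1), True, "https://evri.example"),
    Profile("@evri_supp0rt", "Evri Support", "Parcel refund help desk. DM us for claims.", date(2025, 6, 20), False, "https://evri-claims.example/refund"),
    Profile("@evri.parcel.help", "EVRi Customer Care", "Missed delivery? Claim your redelivery here.", date(2025, 6, 25), False, "https://evri-claims.example/refund"),
    Profile("@evri_fans", "Evri deals blog", "Unofficial page sharing delivery deals.", date(2023, 1, 1), False, "https://deals-blog.example"),
    Profile("@parcel_lover_99", "Jane", "I just like parcels.", date(2019, 3, 3), False, None),
]

if __name__ == "__main__":
    for handle, (score, tier, reasons) in triage(SAMPLE_PROFILES, TODAY).items():
        print(f"{handle:20} {score:3} {tier:9} {'; '.join(reasons)}")
```

Run as a script, the two accounts that share a landing link and combine a brand-themed handle with a fresh creation date land in the escalate tier, the long-standing fan page lands in review, and the unrelated account stays at monitor. The point of the tiers is the one the section makes: the same indicator set can flag an account as worth watching without asserting that it is malicious, and the reasons list gives an analyst something to validate rather than a bare alert.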

What This Means for Security Teams

As attackers shift toward social media impersonation and multi-channel fraud campaigns, organizations need to rethink what phishing protection actually means.

That starts with broader visibility. Security teams increasingly need:

  • Visibility beyond email and domains to monitor where impersonation is happening

  • A focus on identity abuse, not just infrastructure abuse

  • The ability to connect activity across channels and identify coordinated campaigns rather than isolated incidents

  • Faster detection and response capabilities before impersonation gains reach and credibility

The next phishing attack may never touch an inbox. It may begin with a fake Instagram profile, a fraudulent customer support account, or a convincing executive impersonation campaign.

Phishing did not disappear. It moved to where trust is higher, detection is harder, and controls are weaker.


Don’t let phishing move undetected. Discover how Netcraft's brand protection platform helps you identify and take down impersonation across social media and other emerging channels.


Social Media Impersonation FAQs

What is social media impersonation?

Social media impersonation is the use of fake social media accounts, profiles, pages, or advertisements that mimic legitimate brands, executives, customer support teams, influencers, or public figures. Attackers use these impersonation accounts to build trust with users and promote phishing scams, credential theft, fraudulent payments, or other forms of online fraud.

What is social media phishing?

Social media phishing is a type of phishing attack that begins on social platforms such as Instagram, Facebook, LinkedIn, TikTok, or X. Attackers use impersonation accounts, direct messages, comments, or advertisements to lure victims into revealing credentials, personal information, or financial data.

Why are attackers using social media instead of email?

As email security controls such as DMARC, secure email gateways, and user awareness training have improved, attackers have shifted toward social media where identity verification is often weaker and users are more likely to trust familiar brands and personalities.

How can brands protect themselves from social media impersonation?

Brands can reduce the risk of social media impersonation by continuously monitoring social platforms for unauthorized accounts, fraudulent advertisements, fake customer support profiles, and other forms of brand abuse. Effective social media brand protection combines proactive detection, rapid takedown processes, and ongoing monitoring to identify threats before they gain visibility and credibility. Organizations should also educate customers on official communication channels and verification methods, helping users distinguish legitimate brand accounts from impersonators.

Don't want to miss out on updates?


Join our mailing list for regular blog posts and case studies from Netcraft.