
Hackers turn to social media to phish for credentials


Getting a company's attention over Twitter is becoming an easy and often effective way for consumers to achieve what they want, when they want. Yet the increase in hackers creating fake accounts to interact with consumers — and "phish" for private information — is a growing concern.

It goes something like this: Someone tweets at a company because they may be upset about an issue. A fake account on Twitter replies directly to that person, and asks them to log in to a fake website. The victim then exposes their personal information to hackers.

A 2014 report by EMC noted that various phishing scams cost companies a combined $5.9 billion in nearly 500,000 separate attacks. Meanwhile, cybersecurity experts at Kaspersky Lab found that last year, more than a quarter of phishing scams targeted users' financial data.

Proofpoint, a cybersecurity solutions firm, is just one of the companies seeing a significant increase in fake retail banking and retail customer service accounts phishing for bank account credentials. These breaches are becoming especially prevalent on Twitter and Facebook. A representative for Twitter did not immediately respond to CNBC's request for comment.

Devin Redmond, vice president at Proofpoint, said that as more businesses adopt social media to address customer concerns, other people with bad intentions are also watching.

"The bad guys go wherever the conversation is," he told CNBC. "The bad actors know they can actually leverage that to steal and defraud people."


How to make the fake seem real

Experts say the names of fake social media accounts are often very similar, but are not exactly the same as actual companies. For instance, a fake account may add "the" or add a space or an underscore symbol in its handle, in order to appear as though it's real.
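
For a brand's security or social media team, the padding tricks described above can be checked mechanically. The following is an added example, not code from the article or from any company it quotes; the official handles, the sample replies and the function names are all constructed for illustration.

```python
import re
import unicodedata

# Hypothetical official support handles (assumption, not from the article).
OFFICIAL = {"ExampleBank", "AskExampleBank"}

def canonical(handle):
    """Collapse the padding tricks the article lists: "the", spaces, underscores."""
    text = unicodedata.normalize("NFKC", handle).casefold().lstrip("@")
    text = re.sub(r"[\s_]+", "", text)  # drop spaces and underscores
    # Strip a leading "the"; applied to both sides, so comparisons stay consistent.
    return text[3:] if text.startswith("the") and len(text) > 3 else text

def classify(handle, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unrelated' for one account name."""
    plain = handle.lstrip("@").casefold()  # handles treated as case-insensitive
    if plain in {h.casefold() for h in official}:
        return "official"
    if canonical(handle) in {canonical(h) for h in official}:
        return "lookalike"  # same name once the padding is stripped
    return "unrelated"

def flag_replies(replies, official=OFFICIAL):
    """Return the replies that were sent by lookalike accounts."""
    return [r for r in replies if classify(r["from"], official) == "lookalike"]

# Constructed sample: replies to a customer's complaint tweet.
SAMPLE_REPLIES = [
    {"from": "@AskExampleBank", "text": "Sorry to hear that, please DM us."},
    {"from": "@Ask_ExampleBank", "text": "Log in at https://login.example.invalid"},
    {"from": "@TheExampleBank", "text": "Verify your account here."},
    {"from": "@coffee_fan_42", "text": "Same thing happened to me."},
]

if __name__ == "__main__":
    for reply in flag_replies(SAMPLE_REPLIES):
        print("review:", reply["from"], "->", reply["text"])
```

A match only means the name collides with an official one after normalization, so flagged accounts still need a human look before they are reported to the platform.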

The scam is perceived as far more convincing to consumers than similar email-borne threats, since there is a direct and relevant response to a consumer.

It may also be easy to fall for it. On Twitter, many users may not even see if an account is verified unless they actually click on the profile of the account.

Proofpoint's Redmond attributes the increased hacks to the ease of adopting a fake account.

"You can fairly easily trick someone into thinking you're the brand they're interacting with," he said.

The American Bankers Association acknowledged that as customers use social media more frequently, the industry anticipates phishers will follow.

"Banks have every regard to make sure their information isn't being used by criminals because they have their own reputation to protect," Doug Johnson, senior vice president of payments and cybersecurity policy at ABA, told CNBC.

The trade group advises customers to be extra diligent before signing in to websites, especially through a link that is given over a social media site.

"Customers need to be aware that they have the need to recognize that when they see something that looks remotely suspicious, be suspicious," Johnson said.