Cybercriminals love the holidays, through social media platforms like Facebook, phishing has turned to digital social networks and prior stolen information to prey on unsuspecting victims. Sparity has provided many presentations with the term “data aggregation”. Essentially, this means pulling together various types of information about you from both opensource (public) and purchases on the dark web. Relationship analysis is conducted on social networking sites that rely on data aggregated shared by you and your friends.

Social Media – Data Aggregation

Step One: “Fake Friending”

In order to deceive their victims, cybercriminals use email and social media invitations and start by creating fake profiles on Facebook. Their profiles often feature stolen images of real people dressed in professional attire for the sake of credibility. Using automated programs, the scammers spam hundreds of Facebook users with friend requests.

When a fake profile is ‘friended,’ it lends the scammer credibility within your personal network. The scheme needs only one person from your network to accept a fake profile friend request in order to appear within your social circle.

Your connections will see this “friend” and decide that they must be trustworthy. Facebook users are more likely to accept requests from the fake profile based on your connection. Now the social media target is exposing their own personal information to the scammer.

Step Two: Information Gathering

Once ‘friended’ the cybercriminal or cybercriminal unit will analyze all the information that their victims put on their Facebook profile. In intelligence terms, this is known as assessment.

Facebook centralizes all of your personal data on one profile, so the scammer has access to all of the details that you would only share with close family and friends. Details such as hobbies and activities what books or movies you enjoy, where you shop and donate money informs the threat actor about your interests.

Details like those above give the scammer powerful knowledge about their target’s interests, which in turn are used to create an effective con.

Step Three: Mirroring

Threat actors will customize their fake profiles to mimic the interests of their target. This technique, called “mirroring”, gives victims a false sense of familiarity. It’s a real-world technique often portrayed in spy movies and to some degree, they are based on reality.

This technique may use the victim’s natural sense of empathy or friendliness to lower their targets guard in a situation where they would otherwise be alert.

For instance, the threat actor may claim to have attended the same university or have a similar degree from another college. They may even like and comment on the things that you like in order to build rapport.

Some victims even report that threat actors will engage in small talk or send chats for weeks or even months before asking for money. All of this is done in order to bypass the victim’s critical thought processes and build a false sense of trust between the victim and the scammer.

Step Four: The ask

Once the rapport between the threat actor and the victim is established then they make a “pitch.” Here comes the holiday charity pitch – a fund drive for an organization that is need of donors.

Often so detailed they will show misleading website links that ask for large sums of money in exchange for gift cards, awards or 6 months delayed vacation vouchers. At this point in time, the cybercriminal knows enough about their target to appeal to their personal interests.

They may simply rely upon the goodwill of the donor and just ask for money outright. If the victim is resistant, they will say that time is running out or that there are only so many awards to go around and distribute to the donors.

Step Five: The Bank Account

Once the victim has taken the bait the scammer will then ask them to wire transfer money to a bank or third party like Western Union but never an online transaction.

After the money is wired over it’s too late. The cybercriminal will vanish as quickly as they appeared, and leave the victim without any real information to trace. The profiles and names that the scammer impersonates are either fake or stolen there is little that local police can do to track the scammer down.

Sadly, there is little that victims can do to recover their money. Banks will often refuse to replace the stolen money because the funds were voluntarily wired.


After talking with the victim for days and weeks, the cybercriminal now has all the information they need to specifically target friends and relations across several platforms. They may have spent hours unsuccessfully talking to the first contact but they did earn connections. Now instead of a storm of connection requests on social media, there will be a target or group-specific set of a phishing email. This is just one example of how your company can fall prey to cybercrime. With over 80% of the professional workforce in remote locations, it is more important than ever to make sure you maintain both a good security posture and an active cybersecurity training program.