Hackers. Bots. Trolls. Cybercriminals. We’ve all heard these terms used – sometimes interchangeably – to describe alleged perpetrators of cyberattacks and other malicious online activity. But as social media grows as the cyberattack vector of choice, it’s important for businesses to understand and recognize the differences so they can tell the real attackers from the benign accounts.

When Good Bots Go Bad

First, it’s important to understand that bots are not inherently bad. Many organizations use bots to automate social posts because it’s easier and requires less effort than having humans manually send tweets or post articles on LinkedIn. For example, many major news publications’ social accounts qualify as “bots” simply because of the sheer volume of content being posted.

Bad actors use bots for the same reason many legitimate organizations use them – the fully automated entities usually run with scripts that allow them to post at volumes that would be impossible for a human. Some bot accounts are also programmed to pick up specific hashtags or other text-based cues.

Bad actors primarily take one of three different forms on social media. In addition to bots, there are trolls, which are human actors tasked with responding in a certain way or amplifying certain content, and hybrids, which are human actors using software to communicate through multiple accounts at the same time. This tactic may be used to avoid bot detection algorithms.

So just how can you determine whether a bot qualifies as a bad actor? It’s not an exact science, but there are dozens of signatures that can be used to at least estimate the probability that an account is bad. Some of the most obvious indicators include the volume of content an account posts and how much or how little of its profile information is filled out. Those signatures can then be used to rank accounts across the following areas:

  1. Bot: Account posts at such a frequency and volume, among other factors, that it appears to be artificial.
  2. Malicious: The account’s posts include malicious content or show attempts to lure other users, including sharing links that are phishing attempts or spam.
  3. Suspicious: Posts exhibit characteristics that warrant further analysis, i.e. a variety of information suggests the account is not who it purports to be, so it is generally suspicious in nature.
  4. Disinformation: Posts contain content known to be shared for misinformation purposes or are not factual.
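
The ranking described above can be sketched as a small scorer. This is an added example, not SafeGuard Cyber's method: the threshold, weights, blocklist, false-claim list and sample accounts are all constructed assumptions, and only the two indicators named above (posting volume and profile completeness) plus link and content checks are used.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import re

# Constructed reference data and assumed threshold; not from the article.
BLOCKLISTED_DOMAINS = {"login-verify.example", "free-prizes.example"}
KNOWN_FALSE_CLAIMS = {"polling places close at noon"}
MAX_HUMAN_POSTS_PER_DAY = 50
PROFILE_FIELDS = ("bio", "location", "avatar", "website")

@dataclass
class Account:
    handle: str
    posts_per_day: float
    profile: dict
    posts: list = field(default_factory=list)

def score(account):
    """Return a 0..1 heuristic score per area; a probability hint, not a verdict."""
    filled = sum(1 for f in PROFILE_FIELDS if account.profile.get(f))
    emptiness = 1 - filled / len(PROFILE_FIELDS)
    volume = min(account.posts_per_day / MAX_HUMAN_POSTS_PER_DAY, 1.0)
    bad_links = false_claims = 0
    for text in account.posts:
        hosts = {urlparse(u).hostname for u in re.findall(r"https?://\S+", text)}
        bad_links += bool(hosts & BLOCKLISTED_DOMAINS)
        false_claims += any(c in text.lower() for c in KNOWN_FALSE_CLAIMS)
    n = len(account.posts) or 1  # avoid dividing by zero for silent accounts
    return {
        "bot": round(0.7 * volume + 0.3 * emptiness, 2),  # assumed weights
        "malicious": round(bad_links / n, 2),
        "suspicious": round(emptiness, 2),
        "disinformation": round(false_claims / n, 2),
    }

def rank(accounts, area):
    """Order accounts from most to least likely for one area."""
    return sorted(accounts, key=lambda a: score(a)[area], reverse=True)

# Constructed sample accounts: a high-volume publisher, a lure bot, a troll.
FULL = {"bio": "b", "location": "l", "avatar": "a.png", "website": "w"}
NEWS = Account("@daily_news_example", 120, FULL,
               ["Markets close higher https://news.example/a", "Weather update"])
LURE = Account("@acct_lure", 300, {"avatar": "a.png"},
               ["Reset now https://login-verify.example/reset", "hello"])
TROLL = Account("@acct_troll", 3, FULL,
                ["Reminder: polling places close at noon today"])
```

The publisher scores high on "bot" but zero on "malicious", while the low-volume troll is invisible to the volume signal and only surfaces under "disinformation", which is why the areas are scored separately.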

Bad Actor Motives & Methodology

While the motivations of bad actors may differ – from stealing IP for financial gain to executing disinformation campaigns to influence election outcomes – it’s important to understand how they work. Lately, we have seen bad actors successfully exploit social media channels for social engineering attacks, and there is no sign they are slowing down. Whether it’s targeting an official corporate account or personal employee account, the attack vector is growing because it’s a relatively easy and low-effort option for bad actors to launch social engineering attacks.

Social engineering schemes routinely target employees and executive-level staff, most often higher-ranking employees with access to a wealth of high-value data and business accounts. But they also reach what we call MVPs, or most-vulnerable people, who are mid-level employees with access to sensitive information, like HR and procurement managers. 

In addition to compromising employees, bad actors also use social media to research public information to target an account. Users routinely publicly post personal information like birth dates, anniversaries, and the names of children on social media, which presents serious vulnerabilities to employees and businesses. Even if a specific employee is not the end target, bad actors use the information posted online to create a personalized phishing attack on someone else.

Attackers’ access to reliable personal information is one reason it ends up being harder for victims to identify when they have been attacked, which is what makes personalized and spear-phishing attacks so successful. Bad actors can also quickly compromise employees and organizations because traditional security controls and firewalls do not extend to social accounts. That, compounded with the fact that there are billions of accounts on social networks, makes bad actors difficult to detect.

Whether your business relies on social media for communicating with customers and marketing or simply has employees who use social media channels in their personal life, identifying bad actors in real time is critical to every company’s security.

Otavio Freire, president and CTO at digital risk protection company SafeGuard Cyber