Phishing emails are targeting large TikTok accounts with phony copyright warnings or offers for account verification, according to researchers at Abnormal Security.

“An email campaign sent in two rounds on October 2, 2021, and November 1, 2021, to more than 125 individuals and businesses appeared to target large-volume TikTok accounts of all kinds and across disparate locales,” the researchers write. “Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types. … From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide. Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”

The researchers add that the attackers set a time constraint to ensure that the victim acts quickly, then send a link to trick the user into entering their credentials.

“This campaign indicates that attackers have linked TikTok with the social media giants, including Facebook and Twitter, in the impersonation game,” the researchers write. “In the original phishing email, designed to appear like a copyright violation notice from TikTok, the victim was instructed to respond to the message, lest their account be deleted in 48 hours.”
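The lure the researchers describe combines three signals that a mail filter can score independently: a sender that claims a brand but does not send from that brand's domain, an artificial deadline paired with a threat to the account, and a link whose host has nothing to do with the impersonated platform. The following is an added example (not code from Abnormal Security or from the original article) of a small heuristic scorer that checks for exactly those signals. The brand-to-domain table, the scoring weights, and both sample messages are constructed for the example; the `.example` domains are placeholders, not domains observed in the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Toy allow-list of brands and the domains that legitimately send for them.
# Assumption: a real deployment loads this from a maintained, much larger list.
KNOWN_BRANDS = {
    "tiktok": {"tiktok.com"},
}

# Lure themes named in the article: copyright warnings and verification offers.
LURE_PATTERNS = [
    ("copyright-violation lure", re.compile(r"copyright\s+(violation|infringement)", re.I)),
    ("verification lure", re.compile(r"(verified|verification)\s+badge|verify your account", re.I)),
]
DEADLINE_PATTERN = re.compile(r"(within|in)\s+(\d+)\s+hours?", re.I)
THREAT_PATTERN = re.compile(r"(deleted|suspended|terminated|permanently removed)", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.I)

SUSPICIOUS_THRESHOLD = 4  # constructed cut-off for this toy scorer


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the demo; real code would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def plain_text(msg) -> str:
    """Return the text/plain content of a parsed message, joining parts if multipart."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw: str) -> dict:
    """Score one raw RFC 822 message; higher means more phishing indicators."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = plain_text(msg)
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    score, reasons = 0, []

    # 1. Brand claimed in the display name or subject, but mail sent from an unrelated domain.
    claimed = [b for b in KNOWN_BRANDS if b in display_name.lower() or b in subject.lower()]
    for brand in claimed:
        if sender_domain not in KNOWN_BRANDS[brand]:
            score += 3
            reasons.append(f"sender domain '{sender_domain}' does not belong to claimed brand '{brand}'")

    # 2. Links pointing away from every domain the claimed brand is known to use.
    allowed = set().union(*(KNOWN_BRANDS[b] for b in claimed)) if claimed else set()
    off_brand = {registrable_domain(urlparse(u).hostname or "") for u in URL_PATTERN.findall(body)} - allowed
    if claimed and off_brand:
        score += 2
        reasons.append(f"links to off-brand host(s): {sorted(off_brand)}")

    # 3. Lure themes: copyright warning or verification offer.
    text = subject + "\n" + body
    for label, pattern in LURE_PATTERNS:
        if pattern.search(text):
            score += 1
            reasons.append(label)

    # 4. Artificial deadline combined with a threat to the account (e.g. "deleted in 48 hours").
    deadline = DEADLINE_PATTERN.search(text)
    if deadline and THREAT_PATTERN.search(text):
        score += 2
        reasons.append(f"deadline of {deadline.group(2)} hours paired with account threat")

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real campaign emails).
PHISH = """\
From: TikTok Copyright Team <support@tiktok-copyright-notice.example>
To: creator@studio.example
Subject: Copyright Violation Notice

Your TikTok account has been reported for a copyright violation.
You must respond within 48 hours or your account will be deleted.
Review the report here: http://tiktok-appeal.example/verify
"""

BENIGN = """\
From: Alice <alice@studio.example>
To: bob@studio.example
Subject: Edit schedule for next week

Hi Bob, can you send me the edit schedule for the TikTok clips? Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, score_message(sample))
```

Each indicator is weak on its own (legitimate notices also carry deadlines, and legitimate senders also use third-party link hosts), so the scorer only flags a message when several coincide; the brand-versus-sender-domain mismatch gets the largest weight because it is the hardest signal for an impersonator to avoid.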

Abnormal notes that hackers sometimes demand a ransom to return the account to its owner.

“While we were unable to identify the end goal of the campaign, past targeting of social media accounts on other platforms offers several options,” the researchers write. “Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee. An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram. Sadly, victim accounts in this scenario often end up deleted, especially for those on TikTok.”

New-school security awareness training can enable your employees to recognize social engineering tactics so they can avoid falling for these attacks.