Phishing — the act of luring people into sharing private information or clicking on malicious links or attachments, enabling the installation of malware and more — is one of the most common security risks you will face in your digital life. But there are certain places where phishing is particularly prominent, and in the past 12 months there has been considerable growth on social and gaming platforms.
With only a small percentage of phishing attempts ever succeeding, scammers need to focus on the biggest audiences they can reach, which makes any platform with a large user base an attractive target. This has made gaming and social platforms the perfect places to run phishing campaigns, with popular platforms such as Facebook, Instagram, YouTube, Twitter, Steam, Roblox, and Twitch boasting millions of users. And these platforms are even more appealing because they often hold credit card information or digital assets, such as in‑game currency, which can be sold on the dark web.
According to Statista, gaming accounts for the biggest share of market revenues in the consistently growing global digital market, with an estimated one billion online gamers worldwide. This number of users is projected to exceed 1.3 billion in 2025, said Maria Patricia Revilla-Dacuno, Senior Threat Researcher at F‑Secure.
With this growing number of users, we can expect that cyber criminals will continue to target these platforms for scams and phishing.
It isn’t just the number of users that makes gaming and social platforms a compelling target for phishing attacks, either. Everything about gaming and social platforms is focused on driving engagement, which means that users are already in a mindset where they are primed to share personal information and respond to any call-to-action they might see, something that scammers are more than happy to use to their advantage.
Most imitated social networking platforms for phishing in 2023
Criminals love to use Meta’s Facebook, the world’s largest social network, as a lure for phishing attacks. Meta’s other apps, WhatsApp and Instagram, came in a distant second and third as the networks most likely to be imitated. LinkedIn barely makes the top 20 of social networks by size but ranks fourth as a phishing lure.
Source: F‑Secure Threat Intelligence
One emerging phishing attack is a new scam that imitates Facebook and uses the platform’s tagging feature to trick Page owners into believing that they’ve violated Facebook’s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal a Page owner’s credentials.
After the Post is published on the malicious Page, victims receive a notification that action must be taken quickly to prevent their Pages being…, explained Joel Latto, F‑Secure Threat Advisor.
This tactic creates both confusion and a sense of urgency; both of which are important elements in a successful phishing campaign.
The source of the notification is unclear, Latto said.
And since victims may believe this is an official notification that requires quick action, they are less likely to spot the red flags that suggest the message is fraudulent.
Stolen accounts can then be used for several malicious purposes — such as promoting scams, running questionable ads, impersonating businesses, or reselling access to other criminals. F‑Secure observed one scam page publishing a new Post every couple of minutes, totaling roughly 47 posts in an hour, with each post tagging 25–30 pages. This resulted in over 1,000 Pages being targeted each hour for several days before Facebook shut it down.
This type of spamming seems to be able to evade Facebook’s inauthentic behavior detection systems surprisingly well, Latto said.
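The posting pattern described above (a new Post every couple of minutes, each tagging 25–30 Pages, over 1,000 Pages an hour) is exactly the kind of signal a platform-side rate detector can look for. The following Python script is an added example, not F‑Secure's or Facebook's code; the event format, the thresholds and the sample feed are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions derived from the volumes described in the article:
# a new Post every couple of minutes (~47/hour), each tagging 25-30 Pages.
POSTS_PER_HOUR, TAGS_PER_POST, DISTINCT_TARGETS = 30, 20, 500

def flag_tag_spam(events, window=timedelta(hours=1)):
    """events: iterable of (page_id, datetime, [tagged_page_id, ...]).
    Returns {page_id: reasons} for Pages that, within any one window, show at
    least two of: high post rate, many tags per post, many distinct tagged Pages."""
    by_page = defaultdict(list)
    for page_id, ts, tags in events:
        by_page[page_id].append((ts, list(tags)))
    flagged = {}
    for page_id, posts in by_page.items():
        posts.sort(key=lambda p: p[0])
        start = 0
        for end in range(len(posts)):
            # Slide the window start so posts[start:end + 1] all lie within `window`.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            in_window = posts[start:end + 1]
            n_posts = len(in_window)
            tags_per_post = sum(len(t) for _, t in in_window) / n_posts
            targets = {t for _, tags in in_window for t in tags}
            reasons = []
            if n_posts >= POSTS_PER_HOUR:
                reasons.append(f"{n_posts} posts within {window}")
            if tags_per_post >= TAGS_PER_POST:
                reasons.append(f"{tags_per_post:.0f} tags per post")
            if len(targets) >= DISTINCT_TARGETS:
                reasons.append(f"{len(targets)} distinct Pages tagged")
            if len(reasons) >= 2:  # two independent signals to limit false positives
                flagged[page_id] = reasons
                break
    return flagged

def constructed_events():
    """Constructed sample feed: a scam Page posting every 77 s with 27 tags each
    (47 posts in under an hour) and a legitimate Page posting hourly with 2 tags."""
    t0 = datetime(2023, 6, 1, 9, 0)
    scam = [("scam_page", t0 + timedelta(seconds=77 * i),
             [f"target_{27 * i + j}" for j in range(27)]) for i in range(47)]
    legit = [("bakery_page", t0 + timedelta(hours=i), ["supplier_a", "supplier_b"])
             for i in range(5)]
    return scam + legit

if __name__ == "__main__":
    for page, why in flag_tag_spam(constructed_events()).items():
        print(page, "->", "; ".join(why))
```

Requiring two independent signals keeps a merely chatty Page (many posts, few tags) from being flagged on post rate alone.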
The first line of defense for Page owners is to secure your personal account with a strong, unique password and to turn on 2FA (two‑factor authentication). You should also periodically review which apps, agencies or ex‑employees have access to your Page.
Another factor that leads to scammers targeting social and gaming platforms is the demographic of their users. For example, according to Statista, 45% of users on the Roblox platform are aged 12 or under, which means that many of them will not be familiar with online threats, and will be more susceptible to cyber scams as a result.
In one example of scams targeting Roblox users, attackers used YouTube videos to entice children to click on a link to get free Robux (in‑game currency), with the link leading viewers to phishing sites where criminals could harvest login information. Phishers also hijacked Roblox accounts with the same technique, using fake User Ads (the Roblox in‑game messaging system).
Gaming is massive. A recent F‑Secure survey found that it’s even more popular among kids than social media, said Latto.
Because games aren’t usually associated with high financial risk, gamers tend to not take their security very seriously. And kids usually aren’t security conscious at all.
Most imitated gaming platforms for phishing in 2023
Phishing scams have become increasingly effective at targeting the billions of gamers around the world. Phony emails attributed to Steam, the biggest desktop gaming platform, make up the most common attacks. Scams posing as coming from Roblox, a gaming platform extraordinarily popular among internet users under the age of 16, rank second, followed by Garena, a free gaming platform based in Singapore.
Source: F‑Secure Threat Intelligence
Elsewhere, the rise in popularity of free-to-play (F2P) games such as Fortnite — which make their money through in‑game purchases of skins, weapons and so on — has led to a marked increase in the number of scams targeting gamers on Steam. These often include free offers or, more recently,
Voting scams first appeared in 2022 and are used to steal Steam accounts. The attack starts in a Steam or a Discord channel, with a message appearing to be from a friend, asking the victim to follow a link and vote for their team. The link directs to a phishing page. Once they click on it, their Steam account goes to the attacker.
To avoid threats such as these, F‑Secure recommends that parents talk to children about security hygiene. This includes advising them to use a strong password generator and two‑factor authentication for all their gaming accounts, especially accounts that are connected in any way to credit cards. It can also be a good opportunity to discuss the legality of accessing cracked and pirated material online.
One of the most common ways for gamers to infect their devices is to look for cracked games or other types of cheats that may be found through Discord channels, Latto explained.
And cheaters rarely prosper because the cracks may not even work. But they often deliver malware, such as infostealers.
To avoid cyber attacks aimed at social media and gaming platforms, you should ensure that you use strong and unique passwords; enable two‑factor authentication where possible; use safe browsing protection; don’t enter your login details outside the gaming service itself; avoid free offers as a rule, as they are often just a trick; and educate children about phishing scams by sharing this post with them.
If you’ve been a victim of phishing then you should change any affected passwords. And if you’ve entered credit card details or financial information, contact your bank, and follow their instructions, such as cancelling the card or setting up a fraud alert on the account.
Unfortunately, you may not know if you’ve fallen for a phishing scam, so use a service like F‑Secure ID Protection to monitor if your data is on the dark web.
With F‑Secure Total you are protected against phishing on social and gaming platforms. The app’s Browsing Protection enables you to stay safe from harmful and dangerous web pages.
You can try it for free for 30 days, with no credit card required.