"Please Don't Send That Bot Anything" - A Mixed-Methods Study of Personal Impersonation Attacks Targeting Digital Payments on Social Media

Explore a groundbreaking conference presentation examining PROSPER (Payment Re-routing on Social media via Personal Impersonation) attacks, a novel form of social engineering that exploits interpersonal trust to redirect digital payments on social media platforms. Learn about the first comprehensive study tracking 181 personal impersonation attacks over three months, revealing how attackers leverage real-time public interactions to deceive victims into transferring funds to attacker-controlled accounts. Discover the operational tactics employed by both human-operated scam operations and automated bots, including the use of 70 distinct digital payment accounts and longstanding campaigns with reused payment infrastructure. Understand the scale and persistence of these attacks through quantitative analysis, while gaining deeper insights into attacker evasion strategies, victim targeting methods, and the specific vulnerabilities that make users susceptible to these schemes. Examine the mixed-methods research approach that combines tracking data with qualitative analysis to provide a complete picture of this emerging threat landscape. Review actionable recommendations for social media platforms and payment providers, including proposed UI enhancements, stricter account handle management policies, and blacklist information sharing strategies designed to mitigate these attacks and protect users from financial exploitation.