"Please don't send that bot anything": A Mixed-methods Study of Personal Impersonation Attacks Targeting Digital Payments on Social Media

Hoang Dai Nguyen, Louisiana State University; Sumit Dhungana, Madhulika Itha, and Phani Vadrevu, Louisiana State University

Personal impersonation attacks on social media are an emerging form of social engineering that exploits trust within interpersonal relationships to redirect digital payments. Unlike brand impersonation, these attacks target everyday users, leveraging real-time public interactions to deceive victims into transferring funds to attacker-controlled accounts. In this paper, we present the first in-depth study of PROSPER (Payment Re-routing on Social media via Personal Impersonation) attacks, focusing on their operational tactics, scale, and impact. Using a mixed-methods approach, we tracked 181 PROSPER attacks over a 3-month period, uncovering 70 distinct digital payment accounts and revealing human-in-the-loop scam operations alongside automated bots, as well as longstanding campaigns involving reused payment accounts.

Our quantitative analysis highlights the scale and persistence of these attacks, while our qualitative analysis provides deeper insights into attacker evasion strategies, victim targeting methods, and how victims are particularly vulnerable to these schemes. Based on these findings, we propose actionable recommendations for social media platforms and payment providers, including UI enhancements, stricter account handle management policies, and the sharing of blacklist information to mitigate these attacks and protect users from financial exploitation.

Category: Short Presentation

BibTeX
@inproceedings {309750,
author = {Hoang Dai Nguyen and Sumit Dhungana and Madhulika Itha and Phani Vadrevu},
title = {"Please don{\textquoteright}t send that bot anything": A Mixed-methods Study of Personal Impersonation Attacks Targeting Digital Payments on Social Media},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {4859--4878},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/nguyen},
publisher = {USENIX Association},
month = aug
}
