Scammers 👺 and hackers 😈, of course! Here are two scenarios that illustrate their sheer cold-blooded ruthlessness 😠!

From using laugh-crying faces to adorable animal icons to “animated stickers” for expressing emotions and reactions in social media, we do love spicing up online chatter with graphical emojis and their animated successors.

However, there is a dark side to these cheerful graphical objects that we will need to pay attention to.

Here are a few ways that emojis can be more dangerous than they seem.

Scammers use them to develop trust

A coy-winking emoji, a heart emoji and a hug emoji: romance scams center around developing trust with potential victims, often under the false pretenses of wanting to develop a relationship.

Scams like pig butchering often involve lengthy conversations that last from weeks to months. These conversations leverage familiar emojis as the language of the modern internet to express feelings of playfulness, love and romance.

However, what lies behind those emojis are users that are not who they say they are. These scammers have one goal in mind: to promise of fake investments or plea for financial assistance in order to steal money from victims. Pig butchering scammers and romance scammers thrive on interaction through social media and dating apps. Users of both types of platforms should be weary of investment offers or requests for financial aid.

Emojis as exploit code

When we think of malicious software (or malware), we often envision the stereotypical cybercriminal wearing a hoodie and typing on a terminal with computer code displayed in bright green text. In reality, that is not how malware is delivered.

Typically, malware is delivered through phishing emails or malicious downloads on the web. However, in 2022, researchers Hadrien Barral and Georges-Axel Jaloyan found a way to deliver exploits to victims through a series of innocent-looking emojis.

[Editor’s note: After finding a vulnerability, hackers in a set of specific circumstances known as emoji-only shellcode, can send “exploit code” to capitalize on the vulnerability. Such a shellcode (consisting of letters and symbols) provides hackers with a “shell” prompt through which high-privilege commands can be sent into the compromised machine’s deepest workings. However, it is theoretically possible to send emojis as shellcode for the attack. However, this will only work if a separate emoji-aware filter has been put in place to process emojis and turn them into shellcode. Nevertheless, this proof of concept demonstrates that using emojis to hack targets is feasible — if the necessary emoji-compliant components are made available during such an attack, to spawn a command shell.]

Thankfully, the circumstances in which this exploit can take place are extremely specific and unlikely to happen in real life. Nevertheless, it is still a fascinating case study of delivering malware through innocent-looking emojis.

The two researchers used this string of emoticons for their proof-of-concept that such iconic attacks are possible in practice.

Stay alert when enjoying emojis

So you see, while emojis imbue text with emotional richness and foster better expressivity in our virtual interactions, their use is not devoid of pitfalls.

The most immediate concern is the use of emojis as part of romance scams, which can have the most impact on everyday users online.