Home Advice & How-ToIdentity “I’ve Been Hacked!” Your Guide to Social Media Identity Theft
Home Advice & How-ToIdentity “I’ve Been Hacked!” Your Guide to Social Media Identity Theft

“I’ve Been Hacked!” Your Guide to Social Media Identity Theft

by Fred Decker

There are several kinds of posts you can expect to see pretty regularly on social media.  There’s the “having a great time, don’t you wish you were here?” vacation post; there’s the picture-perfect meal post; there’s the “no, seriously, I just rolled out looking like this” post; and — increasingly — the despairing “that wasn’t me, my account was hacked or something!” post. 

That last one is the result of social media identity theft: someone using your name and image on social media, or using it as part of an all-new synthetic identity.  It’s something that can complicate your life in embarrassing and sometimes costly ways, so it’s well worth taking a closer look at how social media identity theft works and what the scammers want. 

Why Scammers Love Social Media

Social media sites are a fertile ground for identity theft, because sharing the details of your personal life is what they’re for.  While scammers sometimes manage to capture entire identities at once through phishing schemes or major data breaches, more often they’ll have just one or two crucial pieces and will need to find enough additional information to meaningfully impersonate you. 

That’s where social media comes in.  Someone who follows you, or is a friend of a friend, could pretty easily glean all the information they need to fill in those blanks: birthday wishes and a mention of your age give them your birthdate; discussions of genealogy can give them your mom’s maiden name; and it’s equally easy — if you’re incautious — to pick out details like your location, the names of your kids and pets and a whole lot more. 

Sometimes that information is used for conventional identity theft, resulting in damaged credit and financial losses to you personally.  Other times the information you’ve given away is deployed on social media, in ways ranging from the (relatively) innocuous to the mercenary to the downright — and personally — malicious. It might be used to create a fake profile with your name and image, or in a worst-case scenario to actively take over your own real account.

How Social Media Identity Theft Is Used

How an attacker uses your identity on social media can be pretty varied, depending who’s using it and what their goals are.  There are an almost infinite number of variations on the theme, but they break down into a handful of broad categories that account for most known cases.

1. Pranks

If you’re really lucky, the end result of social media identity theft might be nothing more than a harmless prank instigated by a friend, a family member or a random stranger (the modern equivalent of an older day’s prank phone calls).  It could happen, but it’s likely you’ll see something more serious instead. 

2. Catfishing

Catfishing is simply pretending to be someone you’re not.  On the most innocuous level, a catfisher might steal your photo because they think your face is more attractive than their own (which is flattering, if a bit creepy).  It grows from insecurity and a desire to be someone else for just a little while. 

On the downside, catfishing can also be done for more malicious reasons.  It might be the setup to a cruel prank, or the prelude to actual criminal activity. 

3. Romance Scams

This is one of those malicious reasons.  A scammer might use your image, or your name and identity, to woo someone online.  They might even present photos of your family as photos of their own family.  It all helps build a plausible identity, which ultimately — for most romance scams — ends in a financial loss for you.  

4. Personal, Individualized Malice

This is a tough one.  Someone who knows and dislikes you personally, or encounters you online and takes exception to your views, could use your information to take control of your account or set up a fake account (a “sock puppet”) under your name.  At that point, they’ll use it to post material that casts you in a negative light.  In extreme cases, if the faux you posts defamatory, hateful or criminal content, it could even have legal repercussions for the real you.

5. Scamming Your Friends and Family

One of the most common forms of fraud on Venmo and other cash apps comes from scammers who pretend to be you and reach out to your friends and family to ask for (financial) help with a sudden emergency.  Once the money is sent, it’s typically gone forever.  A variation on the theme urges your acquaintances to put their money into bogus investments, often a dodgy cryptocurrency or “money-flipping” scheme. 

6. Phishing Your Family, Friends or Work Contacts

Scammers can also use your social media identity to send phishing messages to your friends and family, and perhaps — if you use social media for work purposes — your colleagues (maybe your boss!), clients and prospects as well.  Messages that appear to come from a trusted source are more likely to be clicked, and so are malicious, identity-stealing links in those messages.  With that advantage, criminals can then leverage their information in turn.  It’s like the evil twin of word-of-mouth advertising. 

How to Know When Your Social Media Identity Has Been Stolen

There are several ways to know when you’ve been the victim of social media identity theft.  One is when you start receiving angry messages from friends who’ve been deceived, or are shocked at something the faux you have posted.  If the scammer has taken active control of your actual personal account, you might find that you’ve been locked out and that the password and the phone number used for recovery purposes have been changed. 

It’s better, of course, to catch on before the trap is sprung.  Proactively checking your own identity on a regular basis is a good way to do that.  Set a particular day at least once a month: it could be calendar driven (the first Sunday) or inspired by an existing habit (the same day you check your statements, or pay your bills, or wash the car).  Start by using Spokeo’s people search tools to search your own name, address, email and phone number.  If you find more than one you, or you on a social-media platform you don’t use, you’ll know you may have a problem. 

Next, search yourself on all of the social media platforms you actually use, to see if there’s a duplicate.  If so, notify the company immediately. Finally — because your photos are a part of your identity that’s often stolen and misused rather than your name — pop a dozen or so of your recent photos into Google’s reverse image search tool.  If they show up on a social media or dating site with someone else’s name attached (or yours), that’s a pretty definite red flag. 

Protecting Yourself on Social Media

So how do you protect yourself from social media identity theft?  Well, if you hear that there’s been a data breach at a site you use, the first thing you should do is change your password immediately.   In fact, it’s a good idea to change your password regularly just in case.   

Your next step should be to review the privacy settings across all of your social media accounts:

  • You don’t necessarily have to make your account private (though it’s a good idea for some).  Changing your default settings so that only friends see your posts by default, and you have to deliberately make things public, is better than doing it the other way around. 
  • You should also audit your friends and followers, trimming away any you don’t know and whose own accounts look suspiciously thin. 
  • Finally, tackle your photos.  Make those private or friends-only, so they’re less likely to be stolen.  Your photos also contain metadata that tells when and where they were taken, so you should learn how to strip that out by default. 

Ultimately, the biggest thing you can do to protect yourself on social media (and elsewhere online) is both the simplest and the hardest: stop oversharing, especially when personally identifying information is involved.  Before you click “Submit” on that next post, take a moment to ask yourself whether it really needs to be shared beyond a few close friends (or at all).