Your Social Media Accounts are a Playground for Cybercriminals

Last updated on March 17, 2019
Social media carelessness can quickly spill over into identity theft if users aren’t on top of their privacy protection game. We’ve examined the causes of this growing phenomenon and provided some tips on how you can avoid becoming a statistic in the next social media ID theft report.

Social media identity theft is something that every internet user should be aware of.

But in reality, how many users of social networking websites such as Facebook, LinkedIn, and Twitter have spared a thought about what might happen to the breadcrumbs they leave in their timelines and photo albums? Or asked whether clues about their online preferences, hobbies, and connections could cause far worse damage than giving a potential employer pause for thought about their suitability for a position they’re hiring for?

We’re guessing the answer is ‘very few’, but predict that will soon be changing. The reality is that social media and identity theft often go hand in hand – particularly for the unsuspecting among us.

With the worldwide number of social media users expected to reach 2.77 billion within two years, it’s not difficult to understand why scammers and fraudsters of every variety might be salivating over the prospect of finding reliable inroads to users’ Facebook and Twitter accounts. And all indications are that social media is booming as a vector for ID fraud: the 57% rise in identity fraud seen in the UK last year has been largely attributed to social media identity theft cases.

Without further ado, here’s how it all happens, how to minimize your chances of suffering identity theft through social media, and what to do if – despite doing precisely that – you’re the criminals’ next victim.

Social Media and ID Theft – a New Type of Crime

Although it’s considered a new form of online crime, the object of social networking identity theft is as old as swindling itself: masquerading as others to realize personal gain. For the record, the first recorded case of identity theft is believed to be the Biblical story of Jacob posing as his brother Esau! An ancient art indeed.

The first step in the process is careful information-gathering to amass as many particulars about potential victims as possible. Simply put, the more you disclose on social media sites, the easier the hackers’ job will be.

Once would-be identity robbers have collected enough information about their victims’ identity, it’s time for phase two: exploiting their victim’s personal information for ill-gotten gain.

Just some of the plots that cybercriminals can hatch include:

  • Guessing an individual’s corporate email address by finding their employer on LinkedIn and running the company’s domain through io (an email address finding service), then trying to work out their login password using clues lifted from other sites, such as pet names or hometowns disclosed on a Facebook profile’s ‘about’ page.
    • Once broken into, corporate inboxes can be fertile sources of business intelligence (BI) for competitors or those seeking to gain a foothold in your industry (although the potential list of those who may be interested in the contents of your business inbox goes well beyond that.)
  • Copying victims’ real Facebook and LinkedIn profiles into a fake account that mirrors the genuine one, then passing themselves off as the victim to their friends and business acquaintances.
    • This is a particularly easy trick to pull off and can have serious consequences if successfully executed. We’ve heard of hackers using this ruse to misrepresent themselves as influential bloggers and even using the dummy profiles to obtain free product samples from companies!
  • Setting up a fraudulent third party app that integrates with a popular social networking service and siphoning personal user details into a database for further attacks.
    • Everything the user grants the app on the authorization screen can be captured this way, including fields that are hidden from other users of the site, so the haul is often a near-complete copy of the profile.
  • Using brute-force password guessing, or credential stuffing (replaying passwords leaked from other breaches), to get into users’ account settings and download private information such as business and home addresses. Alternatively, reaching stored payment details for paid tiers such as LinkedIn Premium to obtain credit card numbers. Granted, this takes some technical panache, and the major social networks rate-limit or lock out repeated failed login attempts. Nevertheless, there are literally thousands of social networks beyond the household names, and many of them lack such safeguards or run outdated software.
  • Finally, con-men can simply find a service that the victim hasn’t registered on yet, such as LinkedIn, and mine the victim’s real accounts elsewhere for everything needed to populate a convincing profile in their name. It helps, of course, that a plausible-looking email address can be set up quicker than a cup of coffee. No special skills are required, and the profile will check out for anyone who doubts its authenticity. Fake social media profiles have been used for everything from catfishing (posing as somebody else on dating websites) to phishing scams.
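To make the password-guessing step in the first item above concrete, here is an added Python example (not code from the original article): it builds the kind of small wordlist an attacker can derive from a handful of public profile facts and checks whether a given password falls inside it. The sample profile, the suffix list and the test passwords are constructed for the example; a real attacker would use far larger suffix and mangling rule sets, so a “not in wordlist” result is necessary, not sufficient.

```python
import itertools
import re

# Constructed sample profile: the sort of facts visible on a public 'about' page.
SAMPLE_PROFILE = {
    "pet": "Rex",
    "hometown": "Leeds",
    "employer": "Acme Ltd",
    "partner": "Sarah",
}

# Common leetspeak substitutions and the suffixes people bolt onto a word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2019"] + [str(y) for y in range(1950, 2020)]


def profile_tokens(profile):
    """Lower-cased alphanumeric words pulled from every profile field."""
    tokens = set()
    for value in profile.values():
        tokens.update(t.lower() for t in re.findall(r"[A-Za-z0-9]+", value))
    return tokens


def derive_candidates(profile):
    """Expand the profile tokens with the mangling rules people actually use:
    capitalisation, leetspeak, common suffixes/years, and two-word joins."""
    tokens = profile_tokens(profile)
    candidates = set()
    for word in tokens:
        forms = {word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)}
        for form in forms:
            for suffix in SUFFIXES:
                candidates.add(form + suffix)
    # Two-fact joins such as partner name + pet name.
    for a, b in itertools.permutations(tokens, 2):
        candidates.add(a + b)
        candidates.add(a.capitalize() + b.capitalize())
        candidates.add(a.capitalize() + b)
    return candidates


def password_is_guessable(password, profile):
    """True if the password sits inside the OSINT-derived wordlist."""
    return password in derive_candidates(profile)


if __name__ == "__main__":
    wordlist = derive_candidates(SAMPLE_PROFILE)
    print(f"{len(wordlist)} candidates from {len(profile_tokens(SAMPLE_PROFILE))} profile facts")
    for pw in ("Rex2011", "L33d$!", "SarahRex", "correct horse battery staple"):
        verdict = "guessable" if password_is_guessable(pw, SAMPLE_PROFILE) else "not in wordlist"
        print(f"{pw!r}: {verdict}")
```

The point of the example is the size of the search space: four profile facts expand to only a few thousand candidates, which a script tries in seconds against any site that does not rate-limit logins, whereas a random or passphrase-style password never appears in such a list at all.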

A Few Networks Give Lots of Options for Hacking

What kind of information can social media profiles betray to those looking to hijack your identity? Quite a lot, when you think about it.

  • Facebook profiles can show anyone viewing them your full name, any previous names you have used (such as maiden names), your home town, your current location, and even your relationship status.
  • LinkedIn, which like many social media sites actively encourages users to divulge as much information about themselves as possible through completeness prompts, usually provides all of the basics about an individual’s professional life. This includes the names of current and previous employers, educational institutions attended and graduation dates, and other affiliations and hobbies the user is involved with such as volunteering organizations.

LinkedIn profile completeness meter

  • The list of accounts you follow on Twitter, combined with other information you leak, can be turned into some nice hacking strategies by criminals. Follow your bank and credit card company on Twitter? That’s a pretty strong indication of who you bank with. Keep re-tweeting posts from a web hosting provider? You’ve just given cybercriminals a head start on breaking into your website.

With all this and more just a few clicks away, users should go to lengths to make sure that this information isn’t manipulated to steal their personal identity.

How to Protect Yourself Against Social Media ID Fraud

At this stage, we’ve hopefully got you in a cold sweat thinking about the various ways in which cyber-criminals are snooping on your Facebook profile and plotting your destruction.

But at Secure Thoughts, we’re all about providing actionable information to help you better your online security. So what are some steps that prudent users can take to harden their profiles and avoid falling into the scammers’ cross-hairs?

  • Maximize privacy settings. Limiting the audience to those who you trust and know is one of the first steps you can take to ensuring that the information you put on social media isn’t used against you.

Facebook privacy settings

  • On Facebook, this might mean setting the privacy on photo albums to “friends only”. Facebook users should also review their activity log and login history regularly and make sure nothing untoward has slipped out.
  • If you spot a login you don’t recognize and weren’t automatically notified about, change your password post haste. If you’ve recently logged in from a public computer such as a web café and can’t remember whether you signed out, choose the “log out of all sessions” option in the security settings to kick any potential intruders off your profile.
  • On LinkedIn, you may wish to limit what goes out in your activity feed. Users can also restrict who can see their connection lists, and even deny unknown users the ability to see their full name (to tweak this, edit the “who can see your last name” setting).

LinkedIn privacy settings

  • Check third party applications. Google every third party integration you are considering adding to a social media site, or have already added, and make sure it’s a trusted and reputable company, ideally with a web presence or some other means of contacting it. It’s very easy to rush through the authorization screen when using a social login to sign up for a new service online, but such applications receive every field you approve on that screen and can funnel your personal information into the wrong hands. In LinkedIn, review what’s in the ‘permitted services’ area; in Facebook, check ‘apps’, and remove anything you no longer use. Always read exactly what you’re agreeing to if you choose to use a social sign-up or sign-in service.
  • Don’t divulge personal information publicly. Some common sense should also stop you handing the bad guys too much detail through your social media accounts. It’s often a bad idea, for example, to geotag a photograph that will appear publicly on your profile, since by doing so you’re giving anybody in the world real-time information about your current physical location. Tweeting photos from your vacation likewise gives potential thieves (who could be people known to you) a useful heads-up that you’re out of town. Finally, exchanging private details online with people you don’t know is simply a big no-no.
  • Use multifactor authentication. Most social networks now let users enable multifactor authentication, although it usually isn’t on by default. It works by requiring, in addition to your password, a short-lived one-time code generated on or delivered to a second device, so a stolen or guessed password alone is not enough to log in. Options range from an authenticator app on your phone to codes sent by SMS; app-generated codes or a hardware key are the better choice, since SMS codes can be intercepted through SIM-swap attacks. Facebook also supports Universal Second Factor (U2F) security keys.

What to do if You Are a Victim of ID Fraud on Social Media

But let’s say you’re reading this article as a post-mortem and have already had your identity usurped by an online criminal.

What are some steps you can take to regain control of the situation?

Tip #1: Stay calm. Because of the surge in incidents, social media ID theft is now on every major network operator’s radar. Networks such as Facebook and Twitter have well-oiled procedures for dealing with it. Don’t worry, they’ve seen this before!

Tip #2: Notify the social network. If a fraudster has set up an impostor account in a bid to steal your identity, or has managed to take over your actual account, notify the social network immediately. If it’s a Facebook account they’ve taken hold of (or your company’s page, for that matter), use Facebook’s hacked-account and impersonation reporting form; Twitter has an equivalent form. For fake LinkedIn profiles, report the profile and submit an explanation for their support staff, who will take action to remove it from the website.

Tip #3: Notify the authorities. If a successful impersonation attempt or password crack has managed to provide the criminals with more than just a fake profile (say, access to your online bank account), it’s time to bring the matter to the attention of the law enforcement agencies in your locality.

Don’t Be a Victim!

If not properly maintained, social media assets can be a potent method for those looking to sniff out personal information to take over your identity.

Once you’ve managed to re-secure your online assets, it’s time to re-read the above and make sure that you’re properly set up to minimize the chances that your online identity is taken over by a thief again.


Article comments

Becca says:

Everyone needs to sit and read this with their kids, thanks!

Matt says:

I don’t click 99% of links and almost never do shortlinks. I also NEVER click links in private messages etc. I ignore most private messages. That alone will eliminate the majority of people’s problems if they would do the same – but they won’t…so they will get screwed over.