Whether you are evaluating incendiary political posts, are the target of cyber-stalking or are being asked for money, it is important to know how to separate real Facebook accounts from fake ones.
Over a period of nine months in 2019, Facebook removed more than 5.4 billion fake accounts, up from 3.8 billion for all of 2018 (source: Facebook Transparency Reportage).
“We estimate that fake accounts represented approximately 5% of our worldwide monthly active users on Facebook during Q2 and Q3 2019,” Facebook says. “There are two types of accounts we identify as fake: abusive and user-misclassified.”
According to Facebook, there are several clues to look for if you suspect a profile is fake: examine its name, photos, mutual friends and shared content.
Names that are characteristic of fake accounts often combine popular names (e.g. John, Sam, Rachel, Miller, Smith, Brown). This is true for all languages. They can also include the names of famous people.
PROFILE AND COVER PHOTOS
Types of images that could be red flags include: photos of models for their profile pic, photos of only themselves, photos that are “too perfect” (most normal users will not have a professional profile photo). Sometimes scammers will use photos of people in military uniforms or wearing formal attire, like tuxedos.
Some tell-tale signs of fake accounts include: a recent date of creation when it comes to timeline posts, almost no shared content, shared fake content, zero to few mutual friends.
According to a new security report, scammers and cyber attackers worldwide are scraping social media posts for data that may seem irrelevant but is actually a set of key personal identifiers.
Using social engineering and scraping information off the open web, hackers are targeting unsuspecting users. These include personally identifiable information posted casually by users on social media. Such tactics are being used by cyber criminals to send targeted mails with malware payloads.
Your personal cat videos, stay-at-home birthday party photos and casual snaps of yet another day spent under Covid-19 restrictions may not just be what meets the eye.
Casual social media posts made by many of us staying at home appear to be leaking key identifiers onto the open internet. While posts such as you celebrating your birthday party, sharing your adoration for the puppy you rescued, or even something as trivial as a mid-work snap to break the boredom may not contain anything sensitive on their own, such data can be put together by cyber attackers, scammers and hackers to form a pool of identifiable data, all linked to you. This, in turn, is helping threat actors create targeted cyber advances and dupe individuals, in a spree of advanced online scams that no longer remain simple.
How trivial is trivial data?
“Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates. As we have become more aware of scams, criminals have had to become more cunning. One way they have sought to boost success rates is to personalise scams – think spear phishing-type attacks. No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you,”
Such incidents aren’t particularly unprecedented – cyber crime has always evolved to keep pace with what’s topical, and in today’s world this is reflected far more strongly. For instance, numerous reports highlighted the now well-documented surge in Covid-19 related scams and spear phishing efforts during the early months of the global pandemic. As the times evolved, attackers adapted to target the Covid-19 contact tracing and vaccine efforts, and subsequently, more advanced tasks too.
But as it turns out, one of the key signifiers of advanced cyber threats was born out of casual social media posts, including very basic stuff such as a photo of your first Zoom meeting. Thanks to AI image resurrection tools, even compressed images shared on social media could be refurbished to reveal details – sometimes highly sensitive in nature. Such social media posts, as the Sophos report claims, have included personal details under popular hashtags. As it states, “Photos tagged with WorkFromHome, WorkingFromHome, HomeOffice have also revealed birthday parties (celebrated on Zoom or Teams), thereby exposing birth dates; home addresses through photos revealing addresses on Amazon parcels or postal mail; and names of family members, children and pets.”
The risks that they represent.
To put things in perspective, such identifiable data can be stitched together by attackers to contact you via email, pretending to be a work acquaintance or, through social engineering, a friend whom you have not been in touch with for a while. In one of the methods, these attacks include emails with attachments that directly address you. All it takes is to pique a target’s interest enough to make them download the attachment sent via email. Once downloaded, the attachments can use one of the thousands of malware strains available for nominal cost, thereby handing attackers a direct route to access the files on your work PC.
For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email. Or, they may get in touch with the employee, pretending to be from the IT department and with a request that the staff member update key software that only internal employees would (should!) be aware of.
“In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks. There have been similar issues with numerous data breaches in the past where unsecured corporate servers online have leaked data, including millions of business and customer records.
The perils of casual social media posts.
While such risks may not be apparent at first, they point to the latest favourite tactic used by cyber attackers on the open internet – social engineering. Such processes can help malicious users create a digital map of you from your social media posts, and use this data to gain your trust and trick you into downloading ransomware, malware and stalkerware payloads. In extreme cases, such tactics are being used to target celebrities and personalities to infect them with spyware.
As general security advice, users are urged not to download any attachment from an email unless they are personally confident of the sender. For video conferences, users are advised to use virtual or neutral backgrounds that do not show identifiable details, and in general, social media posts are better kept to a minimum.
Your profile picture is used as a primary tool for identification on social media. Trouble is, anyone can create a fake Facebook account using your name and even your actual profile picture. To stop this from happening, Facebook has added a feature called ‘Profile picture guard’. Open your Facebook profile and click on the current profile picture (don’t click on ‘Update profile picture’). When the profile picture opens up, click on options at the bottom of the image and select ‘Turn on profile picture guard’. A blue shield will appear on your picture and no one will be able to share or download it anymore.
2) Make your friends authenticators
If Facebook detects an unrecognised login or hacking attempt, it will lock down your account, and you won’t be able to access it. The process to regain access to your account used to be a long and complicated one, but now Facebook allows you to simply choose up to five trusted friends who can help you regain access to your account. Go to Settings > Security and login > Choose friends to contact, and select at least three people from your friend list. If you get locked out, these friends can send you verification codes for authentication to help you regain access to your account.
3) Know which devices you use.
Under Settings > Security and Login, Facebook shows a section called ‘Where you’re logged in’. This section lists all the devices (laptop, phone, tablet etc.) on which you have logged in to your Facebook account. Remove any devices you don’t recognise or don’t have access to anymore. If you’re unsure of the status of certain devices, we recommend that you use the ‘Log out of all sessions’ option, and log in afresh. This will ensure no one else has access to your Facebook account.
4) View all your information
When you open your Facebook account settings, you will notice a new menu item on the left – ‘Your Facebook information’. Facebook has consolidated access to all of your information on a single page. You can view information about you by category (posts, photos, comments, likes, etc.) and download any information you want. You can even view and manage your activity log from this page and control which of your activities appear on your friends’ timelines.
5) Manage your Facebook data
In the Facebook Information page, you also have a shortcut to ‘Manage your data’. When you access this feature, you need to select if you want to manage data on Facebook or Instagram. For Facebook, you get advanced control on how and where Facebook uses any of your data. You can manage your location data, control contacts uploaded to Facebook, face recognition setting, ad preference and various other features.
6) Control your third party login
The majority of websites and apps give you the option to log in using your Facebook account instead of creating a new account from scratch. While this makes things easier, we often forget to revoke Facebook access for these third-party apps and websites when we stop using them. Head to Settings > Apps and websites. You will see a list of all the active apps and websites that have access to your Facebook account. You can choose the apps you want to remove from the list, as well as delete any posts that a particular app or website might have published on your behalf.
Fake profiles are a common sight on social networking websites, and Facebook is one of the biggest platforms on which to come across a fake account. A fake account is an online profile made by someone trying to impersonate another person. These accounts are often made for the purpose of harassing other people or for spreading spam and viruses to steal private data, and the most common purpose is to take revenge on other people and upload malicious photos. With the country becoming better equipped with internet services, cases of fake profiles are piling up at an increasing rate. With the alarming increase in fake accounts, the real question stands: is creating a fake Facebook account a punishable offence? In India, there are various remedies available under the law for the inconvenience caused by these fake accounts.
To hold a person liable for punishment, it is necessary to first distinguish whether the fake account impersonates a person who exists in reality or is a random fake account. Section 66D of the Information Technology Act of 2000 states that a person will be punished with imprisonment of either description for a term extending to three years and shall also be liable to a fine which may extend to one lakh rupees if they cheat by personation by means of any communication device, such as a computer. To hold the person responsible, one of the most important ingredients is that the person must cheat, or that the person who created the fake account must gain a pecuniary benefit from it.
Under Section 468 of the Indian Penal Code 1860, a person shall be punished with imprisonment of either description that may extend to seven years, and shall also be liable to a fine, if they commit the offence of forgery intending that the forged document or electronic record be used for the purpose of cheating.
Under Section 67 of the Information Technology Act of 2000, a person who publishes or transmits, or causes to be published or transmitted, any material which is lascivious or appeals to the prurient interest, or whose effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished with imprisonment of either description for a term which may extend to three years and with a fine which may extend to five lakh rupees on the first conviction. In case of a second or subsequent conviction, the punishment is imprisonment of either description for a term which may extend to five years and a fine which may extend to ten lakh rupees.