ITRC Fact Sheet 138
Social Networking and Identity Theft
This fact sheet covers:
Social networking sites are a place for internet users to come together, often in groups sharing common interests. These websites may require a minimum amount of personal information in order to join. Profile pages, which tell other users about yourself, are another standard feature. Once you are granted access to a social networking website, you can begin to socialize. This socialization may include reading the profile pages of other members and possibly even contacting them.
What is Identity Theft?
Identity theft occurs when an imposter gains access to personally identifying information (PII) and uses it for personal gain and exploitation.
Because you must divulge some level of personal information in order to use and fully benefit from social networking sites, the risk of identity theft exists for people who use them. Below are some of the ways that you might put yourself at risk of identity theft:
- Using low privacy or no privacy settings
- Accepting invitations to connect from unfamiliar persons or contacts
- Downloading free applications for use on your profile
- Giving your password or other account details to people you know
- Participating in quizzes which may require you to divulge a lot of personal information
- Clicking on links that lead you to other websites, even if the link was sent to you by a friend or posted on your friend’s profile
- Falling for email scams (phishing) that ask you to update your social networking profiles
- Using no or out-of-date security software to prevent malicious software from being loaded onto your computer and stealing personal information
Here are some examples of how people may become victims of identity theft through social networking sites:
Example 1: A man receives a message from one of his friends which has a link to a funny video, so he clicks on it. The link does not bring up a video. The friend’s profile had been hacked, and now a form of malicious software is being downloaded onto the man’s computer as a result of him clicking the link. This software is designed to open a way for an identity thief to take personal information from the man’s system. It additionally sends a similar email to everybody he is connected with on his profile, asking them to “view the video.” Free applications and software downloads can be sources of this type of malicious software, too.
Example 2: Someone has hacked a woman’s social networking profile to harass her and sabotage her online reputation. They are posting embarrassing photos and rude comments on her profile. These photos and comments appear to be from her and are directed to her network of contacts, when in fact they are not. Although she has used the highest level of privacy settings, she has shared too much information online with others. Someone used her posted information to fraudulently access her profile. Always remember that even though your profile may be set to “private,” you should treat everything you post online as public.
Example 3: Cybercriminals sometimes will create a page that looks just like the introductory page to a social networking site. This page will ask you to re-enter your password. These criminals will get you to this page through a link to the fraudulent site in an email, private message, or public post. If you are already logged into a networking site and then asked to log in again, be aware that it is a red flag and it is probably a scam designed to make you divulge a lot of personal information to someone with bad intentions.
- Use the least amount of information necessary to register for and use the site. Although this is not possible with all social networking sites, it is best to use a nickname or handle.
- Create a strong password and change it often. Use a mix of upper and lower case letters, numbers, and characters that are not connected to your personal information (such as birthdates, addresses, last names, etc.).
- Use the highest level privacy settings that the site allows. Do not accept default settings.
- Be wise about what you post. Do not announce when you will be leaving town. Other things you should never post publicly: your address, phone number, driver’s license number, social security number (SSN) or student ID number. Only connect to people you already know and trust. Don’t put too much out there – even those you know could use your information in a way you didn’t intend.
- Read privacy and security policies closely – know what you’re getting into. Some major social networking sites actually say they will use or sell information about you in order to display advertising or other information they believe might be useful to you.
- Verify emails and links in emails you supposedly get from your social networking site. These are often designed to gain access to your user name, password, and ultimately your personal information.
- Install a firewall and reputable anti-spam and anti-virus software to protect your information, and keep it updated!
- Be certain of both the source and content of each file you download. Don't download an executable program just to "check it out." If it’s malicious software, the first time you run it, your system is already infected. In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself.
- Beware of hidden file extensions. By default, Windows hides the last extension of a file name, so that an innocuous-looking picture file, such as "susie.jpg," might really be "susie.jpg.exe," an executable Trojan or other malicious software. To avoid being tricked, unhide those pesky extensions so you can see them.
- Use common sense. When in doubt, don’t open it, download it, add it, or give information you may have doubts about sharing.
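
For the hidden file extension tip above, this added PowerShell example (not part of the ITRC fact sheet) turns on extension display for the current Windows user and lists downloaded files named like "susie.jpg.exe". The function name `Find-DoubleExtension`, the two extension lists, and the Downloads folder location are assumptions chosen for illustration.

```powershell
# Added example, not from the fact sheet.
# Part 1: show file extensions in File Explorer for the current user.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# HideFileExt = 1 hides extensions of known file types (Windows default); 0 shows them.
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord

# Part 2: list files whose name ends in an executable extension but carries a
# harmless-looking extension just before it (for example "susie.jpg.exe").
function Find-DoubleExtension {
    param(
        # Assumed location; point this at wherever downloads are saved.
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
        # Illustrative lists only; extend them to suit your environment.
        [string[]]$Decoy = @('.jpg', '.jpeg', '.png', '.gif', '.pdf',
                             '.doc', '.docx', '.txt', '.mp3', '.mp4'),
        [string[]]$Executable = @('.exe', '.scr', '.com', '.bat', '.cmd',
                                  '.pif', '.vbs', '.js', '.lnk')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # BaseName is the file name without its final extension, so for
            # "susie.jpg.exe" the inner extension is ".jpg".
            $inner = [System.IO.Path]::GetExtension($_.BaseName.TrimEnd())
            # -contains compares strings case-insensitively in PowerShell.
            ($Executable -contains $_.Extension) -and ($Decoy -contains $inner)
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Review anything this prints before opening it.
Find-DoubleExtension | Format-Table -AutoSize
```

File Explorer windows that are already open may need to be closed and reopened before the extensions appear.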