ITRC Fact Sheet 138 - Social Networking and Identity Theft
This fact sheet covers:
- How it happens
- How to protect yourself
What is a Social Networking Site?
Social networking websites are a place for internet users to come together, often in groups sharing common interests in hobbies, religion or politics. These websites may require a minimum amount of personal information in order to join. Profile pages, which tell other users about you, are another standard feature. Once you are granted access to a social networking website you can begin to socialize. This socialization may include reading the profile pages of other members and possibly even contacting them.
What is Identity Theft?
Identity theft occurs when an imposter gains access to personal identifying information (PII) and uses it for personal gain and exploitation.
HOW IDENTITY THEFT MIGHT HAPPEN THROUGH SOCIAL NETWORKING SITES
Because you must divulge some level of personal information in order to use and fully benefit from social networking sites, the risk of identity theft exists for people who use them. Below are some of the ways that you might put yourself at risk of identity theft:
- Using low privacy or no privacy settings
- Accepting invitations to connect from unfamiliar persons or contacts
- Downloading free applications for use on your profile
- Giving your password or other account details to people you know
- Participating in quizzes (e.g. How well do you know me?) which may require you to divulge a lot of personal information
- Clicking on links that lead you to other websites, even if the link was sent to you by a friend or posted on your friend’s profile
- Falling for email scams (phishing) that ask you to update your social networking profiles
- Using no or out-of-date security software to prevent malicious software from being loaded onto your computer and stealing personal information
Here are some examples of how people may become victims of identity theft through social networking sites:
- Example 1: A man receives a message from one of his friends which has a link to a funny video, so he clicks on it. The link does not bring up a video. The friend’s profile had been hacked, and now a form of malicious software is being downloaded onto the man’s computer as a result of him clicking the link. This software is designed to open a way for an identity thief to take personal information from the man’s system. It additionally sends a similar email to everybody he is connected with on his profile, asking them to “view the video”. Downloading free applications and software can be sources of this type of malicious software, too.
- Example 2: Someone has hacked a woman’s social networking profile to harass her and sabotage her online reputation. They are posting embarrassing photos and rude comments on her profile. These photos and comments appear to be from her and are directed to her network of contacts, when in fact they are not. Although she has used the highest level of privacy settings, she has shared too much information online with others. Someone used her posted information to fraudulently access her profile. Always remember that even though your profile may be set to “private”, you should treat everything you post online as public.
- Example 3: Cybercriminals sometimes will create a page that looks just like the introductory page to a favorite social networking site. This page will ask you to re-enter your password. These criminals will get you to this page from a link in an email or private message or public post with a link to a fraudulent site. If you are already logged in to a networking site and then asked to log in again, be aware that it is a red flag and it is probably a scam designed to make you divulge a lot of personal information to someone with bad intentions.
HOW TO PROTECT YOURSELF:
- Use the least amount of information necessary to register for and use the site. Use a nickname or handle (although this is not possible with certain sites).
- Create a strong password and change it often. Use a mix of upper and lower case letters, numbers, and characters that are not connected to your personal information (such as birthdates, addresses, last names, etc.).
- Use the highest level privacy settings that the site allows. Do not accept default settings.
- Be wise about what you post. Do not announce when you will be leaving town. Other things you should never post publicly: your address, phone number, driver’s license number, social security number (SSN), student ID number and even your home town. Thieves can figure out your social security number by what town you were born in and what year. It’s OK to post your birth year or how old you are, but when this information is combined with where you were born, they can figure out your SSN.
- Only connect to people you already know and trust. Don’t put too much out there – even those you know could use your information in a way you didn’t intend.
- Read privacy and security policies closely – know what you’re getting into. Some major social networking sites actually say they will use or sell information about you (not individual data necessarily, but aggregate information based on your personal information and that of others using their site) in order to display advertising or other information they believe might be useful to you.
- Verify emails and links in emails you supposedly get from your social networking site (e.g. the recent Facebook scam emails that asked customers to re-set their passwords). These are often designed to gain access to your user name, password, and ultimately your personal information.
- Unclick the privacy settings that display the time stamps of your posts.
- Install a firewall and reputable anti-spam and anti-virus software to protect your information, and keep it updated!
- Be certain of BOTH the source AND content of each file you download! Don't download an executable program just to "check it out." If it’s malicious software, the first time you run it, your system is already infected! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself.
- Beware of hidden file extensions! Windows by default hides the last extension of a file name, so that an innocuous-looking picture file, such as "susie.jpg", might really be "susie.jpg.exe", an executable Trojan or other malicious software! To avoid being tricked, unhide those pesky extensions, so you can see them.
- Use common sense. When in doubt, don’t open it, download it, add it, or give information you may have doubts about sharing.
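The hidden-extension warning in the list above, as an added example that is not part of the original fact sheet: a Python script that flags files whose real extension is executable while the name shown with extensions hidden looks like a picture or document. The extension lists, the function names and the sample file names are assumptions chosen for illustration.

```python
from pathlib import Path, PureWindowsPath

# Extensions Windows runs directly or through a script host.
# A common subset chosen for this example, not an exhaustive list.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
              ".js", ".vbs", ".msi", ".lnk"}
# Extensions a user expects to be harmless content (also an assumption).
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
         ".txt", ".mp3", ".mp4"}


def displayed_name(filename: str) -> str:
    """Name as shown when the last extension is hidden (simplified model
    of the default Windows setting described above)."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix else p.name


def is_disguised(filename: str) -> bool:
    """True when the real (last) extension is executable but the name
    shown with extensions hidden still ends in a harmless-looking one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY


def scan(folder) -> list[str]:
    """Sorted names of disguised files directly inside `folder`."""
    return sorted(f.name for f in Path(folder).iterdir()
                  if f.is_file() and is_disguised(f.name))


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    for name in ("susie.jpg.exe", "holiday.png", "setup.exe",
                 "report.final.pdf", "Photo.JPG.SCR"):
        verdict = "DISGUISED" if is_disguised(name) else "ok"
        print(f"{name:20} shown as {displayed_name(name):18} {verdict}")
```

Call `scan()` on a downloads folder to list files that deserve a second look before opening; an ordinary installer such as "setup.exe" is not flagged because its name hides nothing.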
Contact the ITRC toll-free at 1-888-400-5530 and speak to a victim advisor (no-cost), or email us at email@example.com
Contact the social networking site directly.
Report the situation to the Federal Trade Commission (FTC)
Free security tools from Trend Micro:
- housecall.trendmicro.com – to see if your computer is infected
- TrendProtect to make sure links that are shown to you in search engine results are safe to click on -- http://www.trendsecure.com/portal/en-US/tools/security_tools/trendprotect
- URL checker – to make sure a website is legitimate and not a scam, hoax or hosting any malicious software (need the URL to the site that verifies if sites are safe or scams)
This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to