Sunday, January 15, 2017
Phishing for Friends
This is about how impersonators may try to pass for some of the people you consider friends and acquaintances, and what I suggest one do about it, with little explanation of why they do so. Impersonation on Facebook does not imply "I was hacked" or that it is imperative to change one's password. It might just mean that one or more of your friends is too friendly (and not wary enough) with strangers, that you are too free with information about who your friends are, or both.
I received an invitation to become "Friends" on a popular social network today, once again. I recognized the name: it was that of someone who might conceivably want to become more intimate, since we had friends and experiences in common, but why now? And I have seen enough impersonators of other friends by now to be wary: I now always check the available information on the source of an invitation before replying, though I have not always done so. It was clearly a new account, with only two friends as yet.
It wasn't long ago that I received a similar invitation, but from someone with whom I was already connected (if one believes the name given). It was easier to check that said person was already in my contacts list, refuse the invitation, report the invitation to "the powers that be," and post a message on the original's stream to warn any other friends; the warning may not be very helpful, since who knows who will see it in time (before accepting the impersonator's invitation), but one hopes. And I hope he was not actually the original trying to replace his account (he hasn't responded one way or the other, so I have a slight lingering doubt).
How does this happen? The common reaction is "I've been hacked! Must change password!!" Let's think about it. The new profile, that of the imitator, typically shows cover page and profile portrait pictures, and may not show much else, as if it were the account of someone starting over because they got locked out somehow. The imitator also has a list of people to invite to connect. The pictures are easy: on a network like Facebook they are necessarily public, so anybody can see and copy them, knowing whose they are. I presume that the imitator/impersonator gets access to the list of friends of the impersonated, then sends invitations. Many of us leave our friends lists visible to at least some others, for various reasons. The friends list need not be public; that is one of the privacy settings one may tighten, and one may even make it completely only-me private. Important (as stated in the sequence of texts on the page cited above):
If you’re friends with someone, you’ll be on their friend list and it’s up to that friend who sees their list.
The impersonation does not require "being hacked" or having an impersonator acquire access to one's account. It only requires an impersonator having access to a list of people to "invite" to connect.
The impersonator might, if the impersonated person keeps the list my-eyes-only or friends-only, use the friends list of one of the friends of the impersonated (or several friends' lists, particularly if they overlap). So one is a candidate for impersonation if any or several of one's friends share their lists of friends, even if one does not oneself. And the impersonator is probably, depending on sharing policies, a friend or a friend of a friend, and I am tempted to add "new" to friend unless there is some reason to imagine that they have been dormant and suddenly decided to start impersonating.
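To make the mechanism in the last two paragraphs concrete, here is a small model, added for this post and not anything taken from Facebook or from the original text, of what an observer can learn about a person's friends without ever touching that person's own account. The network, the names, and the three visibility levels ("public", "friends", "only_me") are constructed assumptions that simplify the real privacy controls; the point it shows is the one above: alice hides her list, yet her link to bob leaks to everyone through bob's public list, and her link to carol leaks to carol's friends through carol's friends-only list.

```python
"""Model of how friend-list visibility leaks a user's contacts to an observer.

Constructed example: the network, names and the three visibility levels are
assumptions, not Facebook's actual settings or data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    friends: frozenset          # friendship is symmetric in this model
    list_visibility: str        # "public", "friends" or "only_me"


def can_view_list(owner: User, viewer: str) -> bool:
    """Can `viewer` read `owner`'s friends list under owner's setting?"""
    if viewer == owner.name:
        return True
    if owner.list_visibility == "public":
        return True
    if owner.list_visibility == "friends":
        return viewer in owner.friends
    return False                # "only_me" (or an unknown value) hides it


def learnable_friends(network: dict, target: str, viewer: str) -> set:
    """Friends of `target` that `viewer` can discover: from target's own
    list if that is visible, otherwise from every other list the viewer
    can read that names the target (a symmetric friendship leaks both ways)."""
    tgt = network[target]
    if can_view_list(tgt, viewer):
        return set(tgt.friends)
    found = set()
    for owner in network.values():
        if owner.name != target and target in owner.friends \
                and can_view_list(owner, viewer):
            found.add(owner.name)
    return found


def exposure_summary(network: dict, target: str) -> dict:
    """How much of target's list is recoverable by a complete stranger and
    by each network member who is not target's friend (a friend-of-a-friend
    candidate). Maps viewer -> sorted list of target's friends they can learn."""
    viewers = ["<stranger>"] + sorted(
        n for n, u in network.items()
        if n != target and target not in u.friends)
    return {v: sorted(learnable_friends(network, target, v)) for v in viewers}


def make_network(edges, visibility) -> dict:
    """Build User objects from undirected friendship edges and per-user settings."""
    adj = {n: set() for n in visibility}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return {n: User(n, frozenset(adj[n]), visibility[n]) for n in visibility}


# Constructed sample network: alice hides her list entirely; bob publishes
# his; carol and dave show theirs to friends only; mallory is no friend of
# alice but is friends with two of alice's friends.
EDGES = [("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
         ("bob", "carol"), ("bob", "mallory"), ("carol", "mallory")]
VISIBILITY = {"alice": "only_me", "bob": "public", "carol": "friends",
              "dave": "friends", "mallory": "friends"}
NETWORK = make_network(EDGES, VISIBILITY)

if __name__ == "__main__":
    for viewer, learned in exposure_summary(NETWORK, "alice").items():
        print(f"{viewer:>10} can learn {len(learned)} of "
              f"{len(NETWORK['alice'].friends)} of alice's friends: {learned}")
```

The only friendship of alice's that stays hidden from every outsider is the one with dave, whose list is friends-only and whose only friend is alice; every other friend's setting decides for her who learns about that friendship, which is exactly what the quoted help text says.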
Why do they bother? That I find harder to say. What is clear is that with their impersonation account, they will have a view of all information their new "friends" share only with friends, be that photos, timeline posts, contact information, friends list. They will also enter the category of "friends of friends" of all those new friends, and gain access to everything other friends of those new friends share with that category. There is thus a wide range of information they might be seeking, and they might just be trawling to see what they can happen upon, and where they can extend their imposture-based web.
What to do about it as individual users is not a simple question to answer. I suggest three axes: what one shares even only with friends, one's privacy settings for information imposters might exploit, and one's vigilance when one receives invitations.
First, one should recognize the risk of making a mistake and connecting with an imposter. What they see you cannot make them un-see. Same as for friends with whom you later have a quarrel and end your connection. As my grandmother used to say, twirl your tongue in your mouth some number of times before speaking (to give yourself time to recognize something better not said); same goes for sharing, especially since everything you share in digital media is recorded and impossible to deny.
Second, privacy settings, for the friends list especially. One can make one's friends list private, check that all one's friends do too, and estrange any friends who don't: that will make it much harder for the potential imposter to know whom to invite. It may be dissuasive. But one might lose a lot of friends that way, and one might, as one's friends might, have good reason to display one's friends list: to help disambiguate for people who are looking for you (my room-mate from 1975-6 I still haven't found, and his name is much more common than mine, so I'm counting on him to find me) and want to be sure they have the right one. One of the things that soured the invitation today was the lack of friends; if the phisher is lucky, that may change, and snowball as people recognize the others who have already "arrived." But had the friends not been visible to me at all, I would have considered that suspicious and would have been at least as wary of the invitation.
What one can and should do is not click on "accept invitation" until one has vetted the source of the invitation. In some cases it is easy, because one has communication through other channels (real life, telephone, etc.) or the invitation is apparently redundant (the connection already existed). In others it may be harder, and I have failed in at least one instance, when I recognized a dozen friends in the new account's list and assumed it was a replacement account (someone was hacked or locked out and began anew) rather than an imposter; I realized too late, and someone may have learned whatever I share with friends and nobody else. When in doubt, hesitate, wonder what you'll lose by waiting, think about whom to ask, and then do ask.
Addendum
On Facebook, one can use the "Report" procedure, initiating it on the suspect profile page. It is accessed by clicking on the little "..." button next to "Following" and "Message" in the lower right corner of the cover photo area. For yesterday's invitation, I did so, choosing "fake" as my objection. Facebook replied just a few hours later:
Thanks for your report - you did the right thing by letting us know about this. After reviewing the profile you reported, we've decided to follow up with the account owner directly. When we think a profile may be fake or pretending to be someone else, we ask them to confirm their identity. If we see something on a profile that goes against the Facebook Community Standards, we remove it.