Once upon a time, in another millennium and on another planet, a famous politician used the words, “Trust, but verify.” Those days of genteel conversation are long gone, but those words of advice still apply, especially when we confront social media and other forms of digital communications.
This came to mind a few days ago when my boss, eWEEK editor-in-chief, John Pallatto, showed up on Facebook Messenger. While we had been friends on Facebook itself for years, John hadn’t been on Messenger, so I dropped him a profound greeting. “Hi John,” I said.
We began a desultory conversation, and after a few words, I began to wonder if the “John” communicating with me by Messenger was really the same one I worked with at eWEEK. Once he began discussing how I could be come rich, it was clear that the John I knew wasn’t writing these messages.
It could only be one of two things. Pallatto’s account had been hacked or he was being spoofed. So I dropped him an email letting him know what I’d found. He replied that he already knew his account was being spoofed and was trying to shut down the imposter.
I investigated the alleged account in detail (at least as much as you can on social media) and it appeared that he was probably right. The account under his name had no Facebook profile, and there was no other background that would indicate authenticity.
Then I found out from Pallatto that Scott Mace, another journalist we both knew, had suffered the same problem a couple of weeks previously. Scott had found out the same way John did. His friends told him about it.
The problem for Scott and then for John, was that there didn’t appear to be an obvious way to do anything about it, at least not directly. Meanwhile, the bogus John was sending me get-rich-quick schemes. So I got in touch with the folks at Facebook to find out what to do about fakes.
The first step, according to the Facebook spokesperson, is to determine if they really are someone you know by looking at their photo and seeing if there’s a Facebook account to go with it. If you can’t tell from looking at Facebook Messenger, then go to your contact’s Facebook account. If you click and see the conversation show up it means your Facebook friend has likely been hacked. You can report this to Facebook as such.
If it’s an imposter, then you won’t see the conversation. Go back to Messenger and block the account. This will prevent annoying messages and it will send a message to Facebook engineers that there’s something going on.
If the person is apparently trying to run a phishing operation, as it was in this most recent case, Facebook suggests you go to their page about the topic, under the heading, “What can I do about phishing?” There’s an email address where you can report phishing as well, phish@fb.com.
But suppose it’s you that’s being spoofed? The Facebook Help Center has a page on reporting an account that’s pretending to be you, as well. If you don’t have an account on Facebook or on Messenger, there’s a form you can fill out.
More important is to keep it from happening in the first place. While there are many who will suggest making everything you do in Facebook private, that’s not a solution for many of us who want our posts to be seen in public. But you can make your friends list private, which you can do by going to your profile and clicking on the down arrow on the line with the search bar. Then look at the column on the left.
You’ll see an item labeled “Privacy” that you should click on. Then you go to “who can see my friends list” and change the setting to “Friends” instead of “Everyone.” That way, no one can use your friends list against you and they can’t use it as a source for names to gain your confidence.
According to Facebook’s spokesperson, “our systems are designed to check whether the recipient already has a friend with the same name, along with a variety of other factors that help us determine if an interaction is legitimate.” The spokesperson said that the company is continually working on this problem.
But to do that, you have to have an account on the service, so the algorithms will check if it’s on Facebook, or it will check if you’re on Messenger. But it doesn’t appear to check between systems if you don’t have a Messenger account. Since Pallatto didn’t also have a messenger account it made it easier to spoof him. Having an account on both will reduce the chance of spoofing.
In addition, Facebook will take action against someone who is spoofing an account and pretending to be another person.
“Claiming to be another person on Facebook violates our Community Standards, and we have a dedicated team that’s tasked with helping to detect and block these kinds of scams,” the Facebook spokesperson said. “We encourage people not to accept suspicious requests and report suspected phishing messages.”
Facebook considers fake names to be a scam, and has published some guidance on how to avoid them.
However, all of this isn’t as easy as it might be. It means you have to be suspicious when someone shows up in Messenger, for example, and doesn’t appear right. But it can be worse.
It’s pretty easy to see from recent news that assertions of wrongdoing and bad behavior are taken very seriously by the public. If there’s evidence confirming the wrongdoing then the consequences can be significant.
But providing fake evidence is easier than ever when all one needs to do is create a fake account and then begin to say things that appear to be compromising. What this means is that evidence arriving via social networking must always be suspect unless it can be verified. Taking active control of your identity online will make it harder for fakes to be verified.