What to do if you are Spoofed on social media (maybe you're not actually hacked)

It happened again.
a social media friend request from someone I was pretty sure I was already friends with...

A quick search of my current friends list confirmed my suspicions, and checking their original profile revealed a recent post saying they had been hacked and not to accept any new requests from them.  Unfortunately, their warning post was already filling up with scammy phishing comments linking to "someone who could help recover their account"...  And I also found in the mutual friends list of the new fake profile that some of our common friends had already fallen prey to this phishing scam and connected with the faker.

This is all too common these days, and if it happens to you, here is a little simple non-technical advice:

If it is YOUR account in question...
First realize that while it is possible you have been hacked, it is actually far more likely that you have simply been spoofed.  If someone truly hacks into and gains access to your account (or business page), they will probably quickly lock you out, change the profile name & image, and start churning out scammy garbage.  So if you are still able to log in, just change your password to be safe and relax.  Panic could prompt you to do something risky (which I will mention in a moment) and is unhelpfully stressful.

Instead of trying to hack your account, it's way easier for scammers to just copy your name and profile photos and pretend to be you.  This is called spoofing and is usually done to collect all your friends and create a legitimate-looking profile for spreading disinformation or phishing attempts.

If you've been spoofed, your account itself is probably safe.  But a security hole has been opened in your online community.  Thankfully there are a few easy things you can do to help plug it up.
​

• First, as soon as you find out that someone is impersonating you, post a notice on your own profile to warn your friends about it.  That will give them a heads up and a reference to check the fake against.  If possible, I recommend setting the visibility of this post to Friends Only so you aren't broadcasting this publicly to the world for reasons I will mention later on down.

 

• Include in your warning post a suggestion for your friends to report the fake profile.  This can usually be done by going there and clicking the three dots and "Report" from the pop-up menu.  Then, go ahead and do this yourself.

 

• Some platforms (like Facebook) allow you to set your friends list to private.  Then people can only see those who are mutual friends.  This keeps potential impersonators from being able to see and phish your friends with fraudulent friend requests.  Other platforms (like Instagram) instead only allow you to set your whole account to private, which is something to consider carefully because it can be more secure if you only ever connect with friends, but a lot less useful if you use your profile for anything public-facing...

 

• Finally, DO NOT CLICK on any of those posts that promise to show you your personality traits or spirit animal or whatever.  Clicking gives them blanket permission to scrape all of your public and private account data.  It's a big privacy risk for both you and your connected friends.  Here is my more detailed blog post about that...

Also, be aware that after you post the warning to your profile, it will likely start collecting offers to help you recover your account in the comments.  This is where panic will work against you.  Do not click or respond to any of these comments.  They are all fake.  This is especially true if your warning was publicly visible, but even if it was set to friends only, you might have a few friends in your list who have been hacked or were fake to start with.  These are the people who will actually trick you into giving them your login information and then fully hack your account.  They may be working in coordination with the spoofer, or they may be opportunists who found you through a simple keyword search of "my account was hacked".  Either way, relax, remember that you are probably fine, and don't end up getting yourself hacked by secondary scammers through "social engineering".

If you are the one receiving a duplicate friend request...
Yes, it does happen that a friend forgets their password, inadvertently locks themselves out of their account, and fixes the situation by creating a new account and sending you a new friend request.  There might even be a post on the new account saying that's what happened.

But even so,
always doublecheck your current friends list for the original and check that profile for a warning from them.  Maybe even send a direct message to their original profile asking them about the situation.

If there is nothing there, then watch the new profile carefully for a few weeks.  If it starts pumping out posts that seem inconsistent with the original profile or suddenly starts sending you suspicious or scammy direct messages making unusual requests, be very careful about your interactions with it.  Do some due diligence research and then make a carefully considered decision on it.  Of course this kind of thing always comes down to a case-by-case judgement call, but in most of these cases the best thing is to quietly unfollow, unfriend, and then block that profile.  And if you are certain it's a fake impostor account, consider reporting it by clicking the three dots and "Report" from the pop-up menu.

Sometimes a friend truly does get locked out of their account and then needs your help getting back in or paying some medical bills, but now more often than not it's just some imposter trying to scam you...

and both are very unfortunate.

Stay safe and remember that the online safety of one friend is the online safety of us all--

---

PS:  on a related note, especially if you have a business account or run ads on social media, you may often get direct messages claiming that your account is somehow in violation of copyright, community policies, etc.  Those are fake attempts to freak you out and get you to hand over your login credentials so they can hack you.  Even if you really are in violation of something, that isn't how they notify you.  They will let you know very clearly through special dialogue boxes built right into the interface itself when you login to your account.  Not through direct messages.  Don't reply to those messages at all.  If you just leave them in your inbox you will likely notice that after a few days or weeks their profile names and pictures will go blank because their fake accounts were deleted by the platform.  So just go ahead and report or delete those messages sooner than later...