Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues.
Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.
Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and PhishLabs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.
Executive impersonation has been on the rise over the past four quarters -- representing more than 15% of attacks, according to the report -- as impersonating a corporate figure or company on social media is simple and effective for threat actors.
Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.
He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.
"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."
How social media scammers work
Social media cloning schemes make even the most secure business accounts, with strong passwords and multifactor authentication, vulnerable because scammers don't need to hack into the original account to create a fake one.
Scammers create fake accounts with usernames similar to the authentic accounts. They pull images and profile info from the account to build out the fake. Threat actors can see all of the account holders' contacts and reach out to individuals to request financial support via wire transfer, cryptocurrency or gift cards.
Victims of Instagram or Facebook cloning who contact the fake account may be extorted by scammers who promise to delete the fake account in exchange for a gift card, for example. Scammers also use social engineering tactics to convince victims and their contacts to share sensitive information, which can then be used for identity theft.
Savvy social media users can easily spot a fake account created by unsophisticated scammers; bad grammar or messages that clearly don't read like the person being imitated are red flags. However, there are sophisticated scammers who are able to defraud users and damage the reputation of the people and companies being impersonated.
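The look-alike usernames described above (an extra trailing letter, a swapped character, an added separator) can be screened for mechanically before a human reviews them. The following Python sketch is an added example, not part of the original article or any vendor's tool; the handle `examplebrand`, the search results and the substitution table are constructed for illustration.

```python
import unicodedata

# Constructed look-alike substitutions for illustration; not an exhaustive table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def skeleton(handle):
    """Comparison form: case-folded, accents stripped, look-alikes mapped, separators dropped."""
    text = unicodedata.normalize("NFKD", handle.casefold())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(ch for ch in text.translate(CONFUSABLES) if ch.isalnum())

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two adjacent characters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(official, candidate, max_distance=1):
    """Label one candidate handle relative to the official handle."""
    if candidate == official:
        return "official"
    off, cand = skeleton(official), skeleton(candidate)
    if cand == off:
        return "lookalike: same after normalization"
    distance = edit_distance(off, cand)
    if distance <= max_distance:
        return f"lookalike: {distance} edit(s) away"
    if len(off) >= 5 and off in cand:  # length guard limits false positives on short names
        return "lookalike: official name embedded"
    return "unrelated"

# Constructed sample data: a hypothetical official handle and platform search results.
OFFICIAL = "examplebrand"
SEARCH_RESULTS = ["examplebrand", "examplebrandd", "example.brand", "examp1ebrand",
                  "exampelbrand", "examplebrand_hr", "gardeningdaily"]

def triage(official, candidates):
    """Return {handle: verdict} for every candidate that needs human review."""
    verdicts = {c: classify(official, c) for c in candidates}
    return {c: v for c, v in verdicts.items() if v not in ("official", "unrelated")}

if __name__ == "__main__":
    for handle, verdict in triage(OFFICIAL, SEARCH_RESULTS).items():
        print(f"{handle:20} {verdict}")
```

A flagged handle is only a candidate for review; profile photos, bio text and follower overlap still need a human check before reporting.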
Karri Carlson, vice president of operations for Leadtail, a B2B social media services agency, works with small companies on their social strategies. In her efforts to monitor customers' social media accounts, she has noticed more fraud.
"Fraud is on the rise, in ways that pollute the experience of the individual platforms, undermine trust in social media overall, and -- in more recent developments -- escape the social platform and begin to corrupt the data from other typically credible online sources," Carlson said.
And it isn't just Facebook and Instagram. Carlson said one of her clients was victimized by a fake LinkedIn account that claimed to represent employees of its company. The imposter account's profiles mimicked HR recruiting functions and invited job seekers to apply for positions at her client's company via a malicious URL, she said.
When the company learned what was happening, they were concerned about the damage to their reputation, as candidates would have no reason to suspect the communications were not legitimate. They also worried about downstream exploitation of candidates' data, Carlson said.
The company's legal team had to get involved to handle the fraudulent accounts, which were eventually removed. They also issued a public statement alerting job candidates to the LinkedIn scam and urged victims to file reports to their own legal team, she said.
"Effectively, anyone on [LinkedIn] can claim to work at any business on the platform," Carlson said.
Fake social media accounts on the rise
LinkedIn reported a rise in fake accounts. Between July and December 2021, it stopped 11.9 million fake accounts from being created during the registration process, proactively restricted 4.4 million fake accounts, and restricted 127,000 accounts after members reported fake accounts. It also proactively removed 70.8 million accounts for spamming or scamming while 179,000 were removed following member reports of spam or scams, according to its transparency report.
LinkedIn uses automated and manual defenses to detect and address fake accounts or scams. The company continues to invest in technology to improve detection, a spokesperson said.
The largest social media platform, Facebook, reports removal of billions of fake accounts each year. The company acted on 1.6 billion fake accounts in Q1 2022 and 1.4 billion in Q2 2022. Fake accounts represented 5% of Facebook's worldwide monthly active users during Q2 2022, parent company Meta reported.
Meta claims that 99.7% of fake accounts were proactively acted upon by Facebook. The company reports 0.30% were acted on following user complaints – meaning 4.2 million fake accounts slipped through the cracks in Q2 and were acted on after users identified them and complained.
The company does not publicly provide data on fake Instagram accounts. Meta did not respond to repeated requests for comment.
The millions of fake accounts that evade social media platform providers' detection systems can wreak havoc. Consumers in 2021 reported losing about $770 million to fraud initiated on social media, according to the Federal Trade Commission's Consumer Protection Data Spotlight published in January. That's about one-fourth of all reported fraud losses for 2021 -- an 18-fold increase from 2017, the FTC said.
Removing fake social media accounts proves problematic
Reporting an imposter account to Facebook or Instagram is frustrating to victims who must use automated systems, Carlson said.
"Facebook support is a death spiral in which there are two choices: screaming into a void and never hearing anything back or getting looped into a support email flow that is clearly automated and having no recourse or appeals process that involves interacting with a real person in real time," she said.
In Carlson's experience, LinkedIn support is "more human and responsive" compared to Facebook. But there's a sense that they can do little more than "play whack-a-mole with individual accounts," she said.
Marketing and tech company entrepreneur Brendan Egan, who consults with clients on information security, worked with a client this week that was impersonated on Instagram. They have reported the issue to Instagram for days, he said, yet the account remains live.
"While Instagram and other social media sites have processes to deal with this, none of them are nearly aggressive enough in policing this activity," Egan said. "Why? Because there is no financial incentive for social media to hire more people to sit there and review these requests."
Instagram's process for reporting an imposter account requires the victim to fill out a form on the company's website and provide a photo of their government-issued identification. Sharing a photo of a government ID on a website can be concerning to users who don't trust the website's security or worry that their identification might be misused.
"Our client was of course asked to upload a government ID, which they were very reluctant to provide to us to do," Egan said.
He noted that a government ID isn't a useful method of verification for business owners and there are other methods of verifying identity that don't threaten a user's data privacy, such as two-factor authentication or secret passwords, like PINs, that can be used to unlock accounts.
"Just because Instagram or a social media site has my ID, that doesn't in any way verify ownership of a page, especially if it is a business page or the page exists under some other identity," Egan said.
Protecting business social media accounts
Rampant social media impersonation and the difficulty of reporting such abuse have spurred a cottage industry of software providers that sell monitoring and takedown tools to protect brands.
These tools rely on technologies, including machine learning and optical character recognition, to seek out fake accounts and minimize damage. RedPoint's social media management tool, for example, includes a feature for "impersonation removal" that detects and monitors platforms to find and eliminate fake accounts. Similar impersonation protection tools are available from PhishLabs, Rapid7, ZeroFox and others.
The demand for these tools is on the rise with the prevalence of fake accounts. From 2021 to 2022, ZeroFox observed a 48% increase in the number of social media impersonations of its customers, said Brian Kime, vice president of intelligence strategy and advisory at ZeroFox.
While business owners can seek verification of their social media profiles to allow consumers to see they are interacting with the official profile, large companies that can't keep up with scam accounts benefit from monitoring tools.
"We work with brands that constantly see misuses and abuse of trademarks and content, and the scale is too much for the company to handle on their own," Kime said.
Software subscriptions are an option for large companies, but small business owners and startups typically don't have the budget for social media monitoring. They resort to manual searches for fraudulent accounts and have to spend time doing damage control, Leadtail's Carlson said.
"[There is] no real recourse but to bear the time and expense of proactively monitoring using a brute force, manual approach -- search, review, look for anything suspicious, flag, vet, report if needed," Carlson said. "This is just not practical in a company with hundreds of employees around the world."
After being the target of fake social media accounts a few times, Singer regularly searches his own name to check for imposter accounts. He's also skeptical of direct messages and asks questions to verify contacts before interacting with them on social media.
"When you use these tools, you have to keep in mind that fraud is rampant," Singer said. "We are all on guard whenever someone reaches out via DM."
Bridget Botelho is editorial director of TechTarget Editorial's news team. She drives the team's coverage of breaking technology news and trends and covers a range of IT topics.