Yes – you. All of us. This article is written for and applies to everyone.
We are all targets for social engineering which is the act of manipulating, influencing or deceiving people into performing actions or divulging confidential information – generally by engaging you or manipulating your emotions.
The most skilled cybercriminals accomplish their goal without you even being aware of what’s going on. You’re relaxed and just enjoying yourself, checking your social media news feed. No Nigerian princes needed anymore. They’ve moved on, taken on new personas, but are still targeting you.
Literally, everyone is a target.
The Bad Guys Kicked It Up a Notch
The bad guys have improved their skills. Attackers find loopholes and opportunities where you least expect them. They gain your trust or take advantage of your defenses being down – and they are very skilled at what they do.
I see people who I would think should know better engaging in risky behavior every single day, probably because they aren’t aware that the nature of the threats has evolved and changed. The bad guys stay one step ahead of us.
Please read this article even if you know what you’re doing. Someone you care about may not and you can help them.
We all want to use social media and public platforms for genealogy and communicating with family and friends. We need to realize that because of the open nature of those platforms, they are full of bad actors trying to take advantage of us in seemingly innocent ways.
Not to mention that the platform is free for users, so access to you IS the commodity. Not just through ads, which you can clearly recognize as such, but by manipulating your behavior.
How, by luring you with “free,” “fun” or “missing out.”
Seriously, you do NOT need a new “free” improved profile picture.
Furthermore, some unnamed person or site you don’t know doesn’t really care about the TV show you watched when you got home from school as a kid.
Well, actually they DO care, but it’s not innocent. Scammers and bad actors gather, aggregate, and distill data about us hoping to breach our electronic security – and/or that of our social media friends.
Even if the person or account asking isn’t malicious, if the post is public, cybercriminals can and do gather and compile information about YOU that they find on public postings and pages.
In an attempt to defraud you, AND your friends who will also fall for these schemes. If your friends see you do something, they are more likely to engage in the behavior themselves. Just the act of answering these seemingly innocent questions conveys information about you.
- First, you’re vulnerable and don’t understand that “public posts” and resulting answers make you a target. In other words, you’re advertising that you’re a good target.
- Second, if you don’t have your Facebook (or other social media) account locked down so that only friends of friends can send you friend requests, it’s not unusual to receive a whole raft of friend requests after doing something public.
- Third, even if your account is locked down tight, your comment or answer to that seemingly innocent public posting may net you a reply something like this:
Note the bad grammar and lack of punctuation. Probably that Nigerian prince again, with a bogus profile picture.
If people can see your “About” information, the message or reply may be more specifically tailored – targeting you with some common interest. Single middle-aged female? You’ll receive a message from a “widowed” male about that same age, maybe wearing a uniform or otherwise looking like a model, holding a puppy. Yea, right.
Now, holding the 1890 census – that might be an effective scheme to target genealogists😊
Let’s talk about how to stay safe and still be able to benefit from and enjoy social media.
We will begin with a big red flag.
The current rage is an artificial intelligence oil painting profile picture that’s “free.”
Right off the bat, you need to always be suspicious of anything “free” because it often means “they,” whoever they are, want your information and are willing to give you something to get it – under the guise of free. Speaking of them, just who are “they” anyway? That’s the first question you need to ask and answer before engaging.
Free almost always never benefits you.
Why would anyone want to give you a cool new profile picture for free? It may only take a few computer cycles, but it’s not free for them to produce, just the same, especially not when multiplied by the tens of thousands. What are they getting out of all those free photos they are producing?
I’ll tell you what. To gain access to your data – including the data on your phone.
Hmmm, I want you to think about something for a minute.
Do you have your phone set or apps set to scan your face and automatically open? Is that your security? For your bank account maybe too?
And you just sent a photo of your FACE to some unknown person or group in some unknown place?
You can change a lot of things, but you cannot change your face and facial recognition software is powerful.
Snopes says the NewProfilePic app really isn’t any worse than many other apps – which isn’t saying much.
Aside from the fact that NewProfilePic was initially registered in Moscow, which should be a HUGE red flag by itself, especially right now, what can the app do on your phone?
Here’s the list.
In essence, you just gave someone the keys to the candy store.
Is your blood running cold? It should be.
Still think this fun new app is “free?” You’re paying for it dearly, and may yet pay for it even more dearly.
Here’s a warning from a state Attorney General and here’s an article from MLive that interviewed a cybersecurity expert who notes that this app scrapes your Facebook data.
However, so do other people and apps.
Public is Public
When you see anything on Facebook with the little globe, that means that anyone anyplace can see this posting AND all replies, including your answers. Everything is fully public.
In this case, more than 80,000 people answered this question from an entirely unknown person or website.
Just a couple of days later, this same posting had 54K likes, more than half a million comments, and more than 6,100 shares. That’s how effective this type of seemingly innocent question can be.
Several of my friends answered.
What does this question tell anyone looking? Your approximate age, for beginners.
Maybe an answer to a security question. Just google “top security questions for gaining access to forgotten passwords.”
Engaging with a web page also means the Facebook algorithm will send you more postings from that website in your feed. So maybe if this post doesn’t yield anything useful about you, the next one might.
Cumulatively, many answers to many postings will reveal a lot.
Never answer these.
But There’s More
Because this posting is public, I can click on the name of ANY person who has answered that public question and see every other public thing they’ve shared on their timeline.
As an example, I randomly selected Charlotte, someone that I don’t know and am not friends with who replied to that question. (You can do this same experiment.)
I clicked on her name and scanned down Charlotte’s postings. I can immediately see that she’s a good target and has fallen for several other things like this.
Here’s one from her page.
That scammer, James, latched onto her immediately. Again. Note the grammar.
Here’s another seemingly innocent game that Charlotte played to get a new Facebook profile picture and “secret” info about herself. That “4 Truths” app told Charlotte that she was very mysterious and promised to “show what’s hidden in you.” Of course, she had to provide her photo, give permission for this app to post on her timeline, publicly, and access her Facebook account. Charlotte probably didn’t even realize that was happening, or what it meant was happening behind the scenes to her data.
But now Charlotte has the new NewProfilePic oil portrait, so this one isn’t in use anymore. Maybe Charlotte’s friends wanted some nice things said about them too so they might have clicked on this same link. Just for fun, right? That’s how these scams work.
These unfortunate choices on Charlotte’s timeline were accompanied by many more that were similar in nature. Those were interspersed with notices on her Facebook page that she has been hacked and not to accept any new friend requests or messages from her. The effects are evident.
It’s worth noting that some people do have their profiles cloned and haven’t engaged in any risky behavior like this, However, you dramatically increase your odds of being compromised when you engage in risky online behaviors. Every time someone clones your profile and sends messages to all of your friends with malware links, it increases the cyberthief’s harvest of you and your friends. Cha-ching!
Eventually, the bad actors will find people who they can scam, either by:
- Talking your friend, their target, into doing something bad for them, maybe thinking they are helping you or responding to you
- By sending malware links that people click on thinking the message with the link is actually from you.
- Gathering enough information to breach you or your friends’ security questions and clean out bank accounts.
No, I’m not fearmongering or being overly dramatic.
I utilize KnowBe4, a security and vulnerability consulting and training company to keep abreast of threats. You can follow their blog articles, here.
How Do Cybercrooks Access Your Friends?
Looking at Charlotte’s Facebook page, all of her friends are exposed too because they are publicly visible. Everyone can view the entire list of Charlotte’s friends.
Now, all of those scammers have access to Charlotte’s friends. Hence, the scammers can clone Charlotte’s account by stealing her photo, setting up a new account, and sending messages to Charlotte’s friends who think the message is from Charlotte. Something like “Try this new photo app, I did,” or, “Can you pick up an Apple gift card and send it to my friend for me?” You get the drift.
If Charlotte’s friends have their security set to only accept friend requests from someone that also shares a friend, and Charlotte accepts a bogus friend request – then the scammer can send her friends a friend request too and they think it’s Charlotte’s friend.
In other words, seeing a common friend causes Charlotte’s friends to let their guard down. I look at it this way – only one of my friends has to accept a bogus friend request to make me vulnerable too.
Charlotte also told people in a public posting that she was visiting someone on a specific day in another city. How do I know it’s another city? Because Charlotte has posted where she is from, where she lives, works, and the high school she attended in her “About” information.
Hmmm, those are security questions too.
That same website where I found Charlotte answering that question has also posted questions about your pet names.
What is one of the security questions if you lose your password?
Yep, pet names.
Nope, those seemingly cute sites aren’t. They are data-mining and gathering information.
First, I need to say that there are three security threats involved with these postings and websites:
- Any link you click which may take you to who-knows-where.
- That the site itself is data mining. However, this is not always the case. Some very legitimate companies ask questions to get you to engage in their subject topic. However, if the post is public, that’s an open door to the next threat.
- “People” or bots who harvest information about people who answer those public posts and then data-mine their accounts.
Let’s look at a few examples.
No person you don’t know cares at all about what you drank last. However, that might be valuable data for other reasons.
Facebook makes these things even more attractive to you by showing you answers from people on your friends list. I’m not going to embarrass my friends and family by showing their identity, even though it is completely public, but please, FOR THE LOVE OF ALL THAT’S HOLY, stop doing this.
Just look at that – 14 million comments and 193 thousand shares. For a data miner, this has been extremely successful.
To make matters worse, if you engage with a site on Facebook, they show you more from that site in your feed in the future. Since I clicked on these to write this article, my feed is going to be flooded with smarmy questions from these sites for days or weeks.
Let’s take a look at a few more examples.
Look at this one. 200,000 people and almost 3000 shares in two months. That means that this question appears on 3000 people’s timelines. It’s like a huge data-gathering pyramid scheme.
You’re likely to be wearing your favorite color and eat your favorite food.
How could this be used against you?
Yep, security, password, or account recovery questions again.
When I went to the page that made this posting, the next posting was a question – “In 1980, you were…” and the first person to answer said, “2 years old.” That person just told the world they were born in 1978.
Did you really want to do that?
You are safer in a private group, meaning only group members can see your posts.
You can tell if a Facebook group is private based on the lock and the words, “Private Group.” You can also see a list of your friends who are members of that group as well. Remember that the criterion for joining a private group differs widely and there are still lots of people you don’t know. Some private groups that I’m a member of have more than a quarter-million subscribers.
Most private groups are focused on a specific topic. Some private groups require answering application questions to join, and others don’t.
You’re safest in a group that does require questions to be answered which allows administrators who are familiar with the topic to craft questions that (hopefully) weed out most of the trolls, bots, and shady characters. That’s the choice I’ve made for the groups I co-administer, but it does require more attention from the administrators, which is why large groups often don’t implement membership questions.
Determining Privacy Settings
When you’re looking at the privacy settings on groups, posts on your friends’ timelines, or your own, you can mouse over the privacy icon. Facebook will tell you exactly who can see this post.
You’re never entirely safe. In addition to behaving safely as noted above, there are steps you can take to educate yourself and configure your social media accounts securely.
How to Stay Safe
Every social media platform is different, but I’m using Facebook as an example. Every platform will have a similar privacy function. Learn how it works.
Go to the Facebook help center, here and do a security checkup, here.
However, neither of those really address privacy, which I feel is actually the biggest security threat – the trapdoor or slippery slope.
Here’s how to access and review your privacy settings.
Click on the down arrow beside your name.
Click on Settings and Privacy, then both the Privacy Checkup and the Privacy Center.
Next, you’ll see several short articles. Be sure to step through each one
Take a few minutes to lock your account down.
The ONLY thing that is automatically public is your profile photo and any photo you use for your cover photo. Anything else can and should be restricted.
Facebook owns Instagram so you can set your Instagram security here too.
You’re not quite finished yet!
Monitoring and Controlling Apps
Next, we’re going to see what apps are installed and interacting with Facebook. Have you authorized apps you weren’t aware of?
In the dropdown arrow to the right of your name in the upper right-hand corner, click on the down arrow again.
You’ll see the Settings gear under “Settings and Privacy.” Click there to see all of the setting categories in the panel on the left side of your screen.
Review everything, of course, but pay special attention to “Apps and Websites” and “Games.”
Predatory operators will fool you into doing something fun, like a profile photo app, or a little game that provides you with your Fantasy Name or something else cute and enticing. That “free” game or app installs software. If you find software during your review, especially from something like we’ve been discussing, I recommend deleting it immediately.
Be sure you only have things you’ve intentionally installed or authorized.
THINK – Stop, Think and Run
When you see “someone” asking a question on Facebook, STOP!
You’ve heard of stop, drop and roll if your clothes are on fire?
Someone trying to breach your privacy is a digital fire, so this is stop, think and run.
Think about who is actually asking and why. “Who” is asking is NOT that cousin who shared the question from that public site. The “who” that is asking is that original site. They are simply taking advantage of and using your cousin. I hate to put it this way, but always assume the worst and remember that even if the site itself is innocent, all of the people who can harvest your data and try to compromise your security assuredly are not.
Those “fun” sites asking those questions are either actively recruiting you or best case, leaving the door wide open for cyberthieves.
Don’t answer. No matter how much you’re tempted to share some nostalgic information or the name of your deceased pet you’re still grieving. No matter if you notice that your cousin or friend has replied already. Just don’t.
Stop, think, run. It’s that simple.
And speaking of your cousins or friends – if they have shared something that could compromise their security and privacy, not to mention their friends (including you), feel free to share this article or others, such as KrebsonSecurity. Take a look at Krebs’ examples of baiting you with childhood and puppy photos with corresponding questions. Do they evoke an emotional response from you? They are meant to. I mean, how bad can it actually be to enter the name of your beloved childhood pet?
By now, you should be screaming the answer to “how bad”!
Here’s an article from Tulane University. Yes, they are advertising their degree in cybersecurity management, but they do so by summarizing the things that social media users need to be concerned about.
I also follow a company called Facecrooks which monitors and writes about Facebook privacy, fraudsters, other scams, and such. They have a Facebook page here and a Scam Watch page here.
The Baker’s Dozen Messages
The messages I want to leave you with, aside from stop, think and run, are this:
- Nothing is free
- Think before you engage or answer
- Remind yourself that a stranger really doesn’t care about your first-grade teacher’s name, but a crook does
- Just because someone you know answered or engaged doesn’t mean it’s safe
- Consider potential consequences
- Can something you are about to share be used to compromise either you, your family, friends’, or employer’s privacy or safety?
- Don’t overshare – only say what’s necessary
- Notice what is public and what is not – look for that globe and behave accordingly
- Don’t download or play free games, or send anything to a “free” website
- Don’t click on links to unknown places
- Don’t accept friend requests from people you really don’t know.
- Learn the warning signs of a fake profile and report them by clicking on the three dots to the right of the profile
- Don’t click on links in private messages and beware of suddenly receiving an “odd” message from someone you haven’t heard from in a while
I’ve written other articles about online privacy, security, and safety too.
- Stay Safe: Phishing Moved to the Next Level – Meeting Invitations and File Transfer Links
- Genealogy, Identity Theft and Equifax Update
Stop. Think. Run.
Follow DNAexplain on Facebook, here or follow me on Twitter, here.
Share the Love!
You’re always welcome to forward articles or links to friends and share on social media.
If you haven’t already subscribed (it’s free,) you can receive an email whenever I publish by clicking the “follow” button on the main blog page, here.
You Can Help Keep This Blog Free
I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.
Thank you so much.
DNA Purchases and Free Uploads
- FamilyTreeDNA – Y, mitochondrial and autosomal DNA testing
- MyHeritage DNA – Autosomal DNA test
- MyHeritage FREE DNA file upload – Upload your DNA file from other vendors free
- AncestryDNA – Autosomal DNA test
- 23andMe Ancestry – Autosomal DNA only, no Health
- 23andMe Ancestry Plus Health
Genealogy Products and Services
- MyHeritage FREE Tree Builder – Genealogy software for your computer
- MyHeritage Subscription with Free Trial
- Legacy Family Tree Webinars – Genealogy and DNA classes, subscription-based, some free
- Legacy Family Tree Software – Genealogy software for your computer
- Newspapers.com – Search newspapers for your ancestors
- NewspaperArchive – Search different newspapers for your ancestors
- DNA for Native American Genealogy – by Roberta Estes, for those ordering within the United States
- DNA for Native American Genealogy – for those ordering outside the US
- Genealogical.com – Lots of wonderful genealogy research books
- Legacy Tree Genealogists – Professional genealogy research
Your post made me think of my elderly aunt in England, often guessing at puzzle questions on FB. But then I realized I am constantly liking and sometimes commenting when I get fed posts from what appear to be history interest groups. I just “liked” a photo and post about Josephine Baker’s WWII espionage efforts. Was I just exploited in a nanosecond to be part of some entity’s data mining? Ugh.
I know better and I’m still tempted from time to time. Hopefully this article will help buy you that minute to stop and think.
The problem is “Social media” and the Human condition requiring “approval” from other humans to boost egos. I do not use “Social media”. Yes, I have profiles on a couple of Social media websites but I do not visit them. I do not bother with the “Social Media” tab on my email account. Mother had a saying “Sticks and stones can break my bones or hurt me, words cannot”. Why is it that, apparently, many people are “hurt” by adverse criticism?
what I don’t like is when either (or both) the public cover photo or profile picture is changed, and then generally “liked” by friends — whose names can then be seen by the public…. that, in turn, unwittingly opens up your private friends’ list. Someone can then lift your info and public photo and make a new page in your name, and the perp sends friend requests to those whose name s/he can see. (Many think their pages have been hacked, but in actuality, they’ve simply given con artists the means to copy their page.)
You’re absolutely right.
Good post, Roberta.
Actually, the posts like “What was your first car?” and such are not so much for data mining (altho that’s a side effect in some cases I suppose). They are to improve some business’s “organic engagement” on FaceBook. The people who post that are trying to game FaceBook’s algorithms for choosing what shows up on people’s feeds. If they can get thousands of people to comment on one of their posts, their posts in the future are viewed by FaceBook as more “relevant” and float to the top of feeds. If you look at the poster’s profile on the next post like that with tens of thousands of comments, you’ll almost always see they are selling something either on their profile or on a group they created. By commenting, you are just helping businesses advertise. It’s frustrating to see how much of this is going on all over my feed. Wish FB would crack down on it.
W/re to scams, I’m a bit more worried about “free” smartphone apps that have access to your cell phone number (yes they do!) and can use it to sign you up for CashApp or some bank account. It’s happened to me a couple of times now. Nothing’s ever free.
I didn’t know about the bank accounts. That’s frightening.
I had a bank create an atm card (with no $ on it) and send it to me asking me to activate it. I’m pretty sure I know which “free” app I had recently downloaded did it. I’ve deleted that app and sent a letter to the issuing back asking them to remove the account. Hopefully that will be the end of it.
Most of what I post on The Social Media Site is friends of friends. If I don’t know you, and you’re not friends with anybody I know, and there’s nothing on your profilr … NOPE!
I never open videos in Messenger. But most importantly, I may or may not tell the truth!
My home town? That’s the town I lived in when I graduated HS. You want the first name of my BFF … are you sure? Maybe I used the name of the person that hated my guts. Or maybe I used the middle name … or Mom’s name … or ….
Ask the (security questions) of the maiden name of my paternal grandmother., and I’m just as likely to give you the maiden name of my 2g grandmother … or mabye the maiden name of the 3rd Aunt from the left …
You can play along IFF you are judicious in your answers … and never tell the truth!
Oh, and I don’t log onto anything with facebook credentials … and my FB and Insta can’t talk to each orher.
Me either! Good point.
Yeah, I know. It is for my safety. But the side effect of such warning is that I have found quite few cousins who would never answer my mails because of the obsessive fear of cyber attack.
My facebook picture is my mother when she was 10 years old. FB tried to force me to post a “current” pic but I never did; and they just gave up. Thank you for sharing this very important info.
I deactivated my Facebook account last year. Sorry to lose my genealogy groups, but I had had it with FB and its policies. I don’t miss it!
Excellent reminders. I quit doing those tests long ago and have often answered those questions with my favorite band or whatever being “The Data Miners”. My favorite teacher- Miss Fish or something like that- but after reading your article- I will even refrain from liking and commenting at all. We have to be aware of groups as well. I am still part of a group that is run by what looks like a data mining or click bait company. A moderator constantly posts about things totally unrelated to the group topic. I did a little research and the “company” the admins work for looks to be a data mining or something along those lines. All the posts from this woman are from companies related to the original company the admins work for- data mining at worst- but clickbait to get eyes on the pages for sure. Time to leave said group.
What a great presentation on a huge problem. So many don’t appreciate the threats. I’m sharing widely. Thank you.