A recent Facebook post from a family member made me realize that I needed to write about an overused term. A term, that when used, causes chaos and concern. I don’t blame the family member for using it, I’ve seen it used hundreds of times over the past few years and I’ve seen IT and cybersecurity professionals respond without correcting, even, on occasion, offering bad advice.
So, what is the term? Hacked. We all know what it means when we hear that a website was hacked or a company was hacked. Depending on the context, synonyms could be defaced (although that seems less common these days) or breached. At the end of the day, however, the term “hacked” is completely valid and used correctly in those situations. So, when is it used incorrectly? When it is used to describe a fake social media profile.
Here’s the situation, one that we’ve all seen dozens of times. “Don’t open messages from me, I’ve been hacked!” or “Don’t open messages from <insert person here>, they’ve been hacked!” There are definitely times when people’s legitimate accounts are used to spam out malicious links and, in those cases, “I’ve been hacked!” feels appropriate. I believe, however, that context matters, and a duplicate social media profile should not be referred to as “hacked” and the actions associated with an account breach should not be taken.
So, what is a duplicate social media profile? If you have been living under a rock or are sane enough to avoid social media, you may not have encountered this phenomenon. It occurs when someone takes your publicly visible social media photo and creates a new account using your name. They then spam out messages or friend requests to everyone on your contact list. This is why restricting access to your profile picture and friends list are such important privacy steps (and yes, before you go look, this is 100% a ‘do as I say and not as I do’ moment).
Previously, this was very common within a single social media network, but with the integrated Facebook-Instagram messaging system, cross platform instances are definitely seeing an uptick. Once you are responding to the fake profile or have accepted the friend request, malicious links or a scam conversation can begin. Also, if you’ve now given access to your profile by accepting a friend request, the malicious individuals (or bots) now have the ability to harvest your information and propagate the scam.
So, why am I against calling this “hacking” or saying the account is “hacked?” Simply put… it isn’t the correct term. The word hack implies certain things and to the general public, those things generally include resetting your passwords, running malware scans, and, for people who go to extremes, wiping the computer.
Over the past few years, we’ve acknowledged more and more that changing passwords regularly is a bad thing. If you frequently have your profile cloned and used, you become guilty of the very thing that we’re trying to push enterprises away from. Since the person did not gain access to your account, changing your password simply does not make sense. However, when someone posts “Oh know, my account was hacked!”, a dozen people will reply with “Quick! Change all your passwords.”
While this may seem like a minor pet peeve, I believe it is a bigger issue. If people believe these are accounts that are hacked, it creates a false sense of insecurity which can potentially be just as dangerous as a false sense of security. Rapidly changing passwords is not good and these types of events are definitely on the rise.
So, as a reminder, your account has not been hacked… someone copied your profile in an attempt to leverage the personal connection you have with others and take advantage of them. One of the clearest indicators of this is that the messages come from a different account and appear in a different chat or they involve a new friend request. The best thing you can do is report the person, tell others who get the requests to report the person, block the account, and move on. Beyond that, there’s really nothing else to do.