Can Your Identity Be Stolen Over Social Media?
We all know that social media is designed to make us want to share everything about ourselves. But did you know that every post, comment, and “like” can also help criminals commit social media identity theft?
Identity thieves use the information you share on social media to implement social engineering attacks, gain access to your accounts, and commit fraud and other scams.
With 4.55 billion active social media users on the planet [*], Facebook, Twitter, TikTok, and Instagram have become feasting grounds for identity theft. In the U.S., victims of social media identity theft lost close to $800 million in 2021 alone, according to the Federal Trade Commission (FTC) [*].
Social media identity theft can happen to anyone. In this guide, we’ll explain exactly how it works and what you can do to protect yourself, your family, and your accounts from thieves and scammers.
What Is Social Media Identity Theft?
Social media identity theft occurs when criminals use sites like Facebook, Twitter, Instagram, Snapchat, and others to steal your personally identifiable information (PII) or trick you into giving up access to your accounts.
By gaining enough of your PII, scammers can take over your accounts and impersonate you on social media, run phishing attacks on your followers, or even break into your financial accounts.
For example, someone might use a Snapchat scam to trick you into giving up your password and then use your account to scam your followers.
Sometimes, scammers don’t even need to trick you into giving up your social media account passwords. Hacked Twitter, Instagram, and Facebook accounts sell for as little as $35 on the Dark Web.
How Common Is Social Media Identity Theft?
In 2020, the FTC reported nearly 15,000 cases of social media identity theft — a 36% increase from the year before [*].
In general, social media users have a 30% higher chance of becoming victims of fraud than those who aren’t active. But people on Facebook, Snapchat, and Instagram are in even more danger — with a 46% higher risk of account takeovers and fraud [*].
And while it’s still more common to get scammed over email, phone calls, or text messages, social media users are more likely to lose money from scams [*].
Why is that?
Sharing is at the core of social media. According to research, we give up more personal information on social networking sites than we do in real-world conversations [*].
Even if you think you don’t share “that much” on social media, a scammer can still likely find your:
- Full name
- Date of birth
- City and state in which you live
- Relationship status (married, single, etc.)
- High school and college
- Favorite hobbies
- Job title and profession
- Photos of you, your family, colleagues, and friends
With just your date and place of birth, scammers can often guess the digits of your Social Security number (SSN). Then, they can steal your tax refund, open fraudulent loans and credit cards in your name, and commit many other types of fraud.
Without even realizing it, you could be giving social media scammers everything they need to know to steal your identity.
How Criminals Use Social Media to Steal Your Identity
Using social media doesn't automatically put you at risk for identity fraud. But criminals capitalize on certain behaviors when they want to scam you.
Here are some of the ways your social media habits can endanger your identity:
Your posts make it easier to crack passwords
A password attack occurs when cybercriminals use software to guess thousands of password combinations using common passwords, AI-generated word lists, and personal information you’ve shared.
Because many of us use words, dates, and numbers that are personal in our passwords, anything you share on social media can give hackers a head start. And if you reuse your passwords, you offer hackers the opportunity to access more than just your social media accounts.
The same holds true for security questions.
The most common questions can all be answered by browsing the average person’s social media accounts and looking for PII such as:
- Make and model of your first car
- High school or college
- Your pet’s name
- Your anniversary, birth date, loved ones’ birthdays, etc.
- Your phone number or email address
- Your home city
- Your children’s names, ages, schools, etc.
Even a one-time mistake, such as posting a photo of your mom on Mother’s Day and tagging her maiden name, could reveal an answer to one of your most private security questions.
You could accidentally give criminals your location details
Social media posts ask you to tag your location. But that data can help criminals steal your identity and could even lead to stalking and home robbery.
For example, all a criminal needs is your name and home address to commit a change-of-address scam and reroute all your sensitive mail to their address. Before you know it, they could be receiving your tax documents (with your SSN), credit card statements, and more.
Your devices could be exposed to harmful apps & malware
There are thousands of free third-party apps, games, quizzes, and plug-ins offered to Facebook users alone. But these are rarely reviewed by cybersecurity experts before users download them.
In one example, games available from Microsoft’s official store were found to download malware onto users’ computers [*]. Once installed, hackers gained access to their victims’ social media accounts and could register new accounts, add comments, and “like” posts.
Third-party apps also often “ask” for permission to access your camera, microphone, contacts, location, and more. But in some cases, these permissions do much more than you think.
One iOS app developer revealed that granting an app access to your camera also allowed it to:
- Record you any time the app is in the foreground.
- Take pictures and videos without telling you (and upload them immediately).
- Run real-time face recognition to detect facial features.
Thankfully, Apple fixed this issue, but not until June 2020 [*].
You could be a target of imposter and romance scams
An imposter scam occurs when an individual pretends to be someone you trust (like a friend or government official) who tricks you into giving them money or sensitive data. Nearly a million imposter scams were reported to the FTC in 2021, totaling $2.3 billion in losses [*].
Romance scams are the most common type of imposter scam on social media sites.
In these scams, fraudsters create accounts featuring attractive photos (sometimes even using photo editor tools to enhance or manipulate their photos) and then flirt with victims in order to get them to send gifts or share personal information. The more that victims share on social media, the more easily scammers can manipulate them.
Everything you share can be used as “bait” for phishing
“Phishing” occurs when scammers send you emails, texts, calls, or social media messages with the goal of stealing your personal information or infecting your devices with malware.
To create an enticing phishing message, all a scammer needs is your social media profile.
For example, if you post about a movie you watched on Netflix, a scammer could send you a fake email claiming your Netflix account has been hacked. The email will look legitimate. But if you click on the link, it will take you to a fake login portal that will either steal your password or download malware onto your device.
Younger users can be recruited as “money mules”
In a recent social media scam, fraudsters trick young users (usually aged 14–30) into laundering money for them.
Criminals post pictures or videos that feature stacks of cash and extravagant lifestyles along with a caption that reads, “Message me to earn quick, easy money now!”
If you reply to the post, a recruiter will reach out with a list of PII that they need to get you started. This usually includes your full name, address, date of birth, a picture of your ID or driver’s license number, and your SSN.
Then, they deposit fraudulent money into your bank account and instruct you to withdraw most of it, convert it to cryptocurrency, and send it to them. As a reward, you get to keep a percentage.
These “money mules” think they’re making easy, risk-free cash. But if they’re ever caught, they can have their bank accounts blocked, assets frozen, or even face prison time.
Your old or unused accounts could be turned into a “Follower Factory”
“Bots” are fake social media accounts that can be used to increase follower counts, post fraudulent comments, or boost “likes.” But many bots are actually hacked social media accounts from real people who had their credentials leaked in a data breach.
Over a billion social media accounts and passwords have been leaked from Facebook, LinkedIn, Twitter, and more [*].
Without your knowledge, hackers could be using your name and face to post hate speech, promote scams, or trick people into clicking on malware-laced links. If friends, family, or even potential employers see these posts, it could ruin your reputation.
18 Ways To Prevent Social Media Identity Theft
1. Learn the warning signs of a fake social media account
Facebook removes billions of fake accounts every single year [*]. So, one of the best ways to prevent social media identity theft is to avoid engaging with scam accounts.
A verified badge is a good place to start when identifying legitimate social media accounts. However, not everyone has one.
Instead, look for these warning signs of a fake account:
- “Spoofed” names and profile URLs. The average person has 8.4 social media accounts [*]. If you think a friend request that you’ve received is a scam, google the person’s name and see if other legitimate accounts come up. Also, beware of accounts that use misspellings to trick you into trusting them (such as “MlCROSOFT” — where the “I” is really a lowercase “L”).
- Low-quality or stolen photos. Scam accounts will steal photos from legitimate users or from stock photo sites. Do a reverse image search to see where else the photos have been posted.
- Plagiarized content and non-personal content. Spam accounts will often only post memes, scam giveaways, and quizzes, while fake LinkedIn accounts often steal content from legitimate thought leaders. Check phrases or full paragraphs by googling them to see if they’ve been stolen.
- Limited engagement. If an account doesn’t make comments or “like” other posts, or if it only uses strange phrases and emojis, it could be a bot.
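The “MlCROSOFT” trick above can be caught mechanically by folding look-alike characters to a common form before comparing names. The following is an added example, not part of the original guide; the character table is a small constructed subset (not the full Unicode confusables list), and the function names are hypothetical.

```python
import unicodedata

# Constructed, deliberately small table of look-alike characters. Each key is
# folded to the character it imitates (applied after case-folding).
CONFUSABLES = {
    "i": "l", "1": "l", "|": "l",          # I / l / 1 / | look alike in many fonts
    "0": "o", "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "l",   # Cyrillic r(p), s(c), i
}
# Letter pairs that read as a single letter at a glance.
SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(name):
    """Reduce a display name or handle to a comparison key."""
    text = unicodedata.normalize("NFKC", name).casefold()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    folded = "".join(ch for ch in folded if ch.isalnum())  # drop dots, spaces, etc.
    for seq, repl in SEQUENCES.items():
        folded = folded.replace(seq, repl)
    return folded


def find_lookalike(handle, trusted_names):
    """Return the trusted name that `handle` imitates, or None.

    A handle that is the trusted name itself (ignoring case) is not an
    imitation; one that only matches after folding look-alikes is.
    """
    if any(handle.casefold() == t.casefold() for t in trusted_names):
        return None
    key = skeleton(handle)
    for trusted in trusted_names:
        if key == skeleton(trusted):
            return trusted
    return None


if __name__ == "__main__":
    trusted = ["Microsoft"]  # names you already know to be genuine
    for handle in ["Microsoft", "MlCROSOFT", "rnicr0soft", "Mozilla"]:
        print(handle, "->", find_lookalike(handle, trusted))
```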
2. Tighten up your privacy settings to control who can view your profile
Changing your privacy settings shuts out social media scammers from seeing your personal information. This includes personal data like your birthday, location, and family members.
Click on the name of each social media site below to learn how you can update your account privacy settings on that site:
If you’re on a social media network that’s not on this list, you can most likely find your privacy settings under your account settings. Just look for the “privacy” section and choose the option with the strictest access controls.
3. Deactivate or delete old social media profiles
Your old or unused social media accounts provide goldmines for scammers.
You most likely aren’t actively updating your passwords or security settings on those accounts. Plus, there’s a pretty good chance your old passwords have been leaked in a recent data breach.
And if scammers get access to those accounts, you won’t know about it for months or even years. In that time, they could gain access to other accounts or start scamming your contacts and posting reputation-damaging content.
4. Prune your contacts and connections
Every new social media connection opens up a potential inroad for hackers. Try to limit your contact lists to people you know in the real world whom you interact with regularly.
5. Turn off automatic location tagging
Turn off geo- or location-tagging on your social accounts, and don’t tag locations in your posts either.
Try to speak in generalities about where you live (such as the Pacific Northwest instead of Oregon). And never post content that would make it easy for someone to know the general whereabouts of you or your family.
6. Shrink your online footprint
Social media is only one piece of your overall online footprint to which scammers have access. The more you share across the internet, the more likely you will be targeted by phishing messages, password attacks, and cyberstalking.
Shrink your online footprint by being critical of everything you share. Do you need to fill out every part of your “About Me” section? Do you need to include your phone number or personal email address?
Limit oversharing on social media and across the internet to protect your privacy.
7. Skip online quizzes and surveys
Quizzes and surveys seem like innocent fun. But they’re also regularly used to steal your personal data and crack your security questions. Even unassuming questions like “What was your first pet’s name?” or “What time were you born?” can reveal sensitive information.
8. Be cautious of job offers and business opportunities
Scammers use fake job postings on social media to get you to give up your personal information or even pay for fake “training supplies.”
These job postings most often target younger people by offering junior-level or foot-in-the-door opportunities at creative companies. And unlike legitimate recruiters, these scammers will beseech you to share your SSN and even your banking information.
Social media isn’t the only place where these fake job scams exist. In one survey, 32% of people said they first interacted with an employment scam on Indeed.com’s job board [*].
In one famous example, hacking group Operation Dream Job targeted U.S. defense and government employees with fake job offers from Boeing, McDonnell Douglas, and BAE [*].
Now, they’re apparently sending emails to targets claiming to be recruiters working for Disney, Google, and Oracle.
9. Research any charity or crowdfunding campaigns
More people are inspired to donate to charities on social media than through any other format [*]. But charities and fundraisers on social media can often be scams designed to steal your money and PII.
You can check to see if a charity is legitimate using CharityNavigator.org. If it’s a GoFundMe or similar, research the people behind it. Who are they? Where is the money going? How will they use your personal information?
Besides stealing money, scammers can also get access to your financial details depending on how you choose to donate.
10. Use unique usernames and passwords for each social media account
Passwords are your first — and often only — line of defense against hackers. It’s so much easier to hack your social media accounts if you reuse or recycle your passwords.
Instead, choose strong passwords with at least eight characters and a combination of letters, numbers, symbols, and cases. (Make sure your passwords don’t use any of your PII like birthdates, special numbers, or pet names.)
While you might need to repeat your primary email address for accounts that require it, try to come up with unique and separate usernames for each account.
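To check a password against the advice in this tip, and against the personal details a password attack would draw on, you can test it locally before using it. The following is an added example, not part of the original guide; the profile details are constructed, the substitution table is a small assumption, and the function names are hypothetical.

```python
import re
from datetime import date

# Common character swaps, undone before matching so "R0ver" still matches the
# pet name "Rover". Constructed, deliberately small table.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def word_tokens(facts):
    """Lowercase words (3+ characters) taken from details you have shared."""
    tokens = set()
    for fact in facts:
        tokens.update(t for t in re.split(r"[^a-z0-9]+", fact.lower()) if len(t) >= 3)
    return tokens


def date_tokens(d):
    """Digit strings people commonly build from a date such as a birthday."""
    y, yy = f"{d.year}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {y, mm + dd, dd + mm, mm + dd + yy, dd + mm + yy, mm + dd + y, dd + mm + y}


def audit_password(password, facts=(), dates=()):
    """Return a list of problems; an empty list means none were found."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        findings.append("missing a lowercase letter, uppercase letter, number, or symbol")
    lowered = password.lower()
    plain = lowered.translate(LEET)  # same password with the swaps undone
    for token in sorted(word_tokens(facts)):
        if token in lowered or token in plain:
            findings.append(f"contains personal detail '{token}'")
    for d in dates:
        if any(token in lowered for token in date_tokens(d)):
            findings.append(f"contains digits from the date {d.isoformat()}")
    return findings


# Constructed sample profile: details of the kind listed earlier in this guide.
FACTS = ["Rover", "Lincoln High", "Portland"]
DATES = [date(1990, 4, 12)]

if __name__ == "__main__":
    for candidate in ["R0ver1990!", "portland", "tq7#Vd!mK2wz"]:
        print(candidate, "->", audit_password(candidate, FACTS, DATES) or "no findings")
```

Run it on your own machine only; the password and the details you check it against never need to leave your device.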
11. Use a password manager to store your secure passwords
The average person is now expected to remember 100 passwords [*]. So, it’s no wonder we reuse the same ones (or variations of them).
A password manager securely stores all of your logins and passwords so that you can easily access them when needed (and don’t have to worry about forgetting them).
As an added bonus, password managers can help ensure that you’re only entering your sensitive information on legitimate sites. If a scammer sends you to a fake sign-in page, your password manager won’t recognize it and won’t enter your password.
12. Choose security questions that scammers won’t find on your profile
Experts say a good security question should be [*]:
- Confidential. Only you should know the answer. No one should be able to guess it by sleuthing your social media posts.
- Memorable. It’s either a truth or a lie that you can easily remember. What do we mean by a lie? For example, you could choose a question like “What is your astrological sign?” But instead of the true answer, use a passphrase or code that only you know (instead of an actual astrological sign). The more random, the better.
- Consistent. Avoid answers to questions that regularly change, such as your favorite TV show. Go with something like the name of the first video game you beat.
- Simple. An intimate or obscure detail like your sibling’s least favorite candy is easy to recall but hard to guess.
- Open to multiple answers. Choose something that would take a scammer more than three failed attempts to figure out. For example, there are only 12 astrological signs, so it wouldn’t take hackers long to run through this short list, especially if they already have your date of birth.
13. Enable two-factor or multi-factor authentication (2FA and MFA)
One of the best fraud prevention tips is to enable two-factor authentication (2FA) or multi-factor authentication (MFA).
These are added security measures that require a special one-time-use code along with your login information. But avoid having these codes sent over SMS, as that can be compromised. Instead, use an authenticator app like Google Authenticator or Authy.
14. Don’t connect your social media accounts to third-party apps
While it’s certainly convenient to log in to your social media accounts with your Gmail or Apple ID, try to keep these lanes separate. The more platforms that “know” your unique logins, the more you risk exposing multiple passwords during a data breach.
15. Check recent sign-ins, and force unfamiliar devices to sign out
Many social media sites allow you to view any active logins. For example, you can check to see if you’re signed into your Facebook account on your laptop and your phone.
Make a habit of checking this regularly. If you see any sessions that you don’t recognize, force all sessions to sign out. You’ll have to log back in later, but it’s worth it.
Pro tip: Don’t ignore security alert emails. If you get a warning that someone signed into your account from a device you don’t recognize, that’s a huge red flag that you’ve been hacked.
16. Use a Dark Web scanner to see if your accounts have been breached
Billions of social media usernames and passwords have been stolen and leaked onto the Dark Web. So, there’s a good chance your accounts are vulnerable.
Use Identity Guard’s Dark Web scanner to see which of your PII has been exposed on the Dark Web.
17. Monitor your credit and online accounts for signs of fraud
If hackers get access to your social media accounts, they can probably also gain access to others, such as your banks or credit card companies.
Keep tabs on your credit for any suspicious activity. You can request a free credit report from the three major credit bureaus — Experian, Equifax, and TransUnion — at AnnualCreditReport.com.
To make it even easier, sign up for a credit monitoring service that will send you near-real-time alerts of fraudulent activity.
18. Sign up for identity theft protection
With identity theft monitoring, you have a team of cybersecurity experts watching your back 24/7. They’ll keep an eye on your PII and financial accounts and alert you to any suspicious activity.
Identity Guard uses advanced AI-powered security to constantly search for signs of fraud on your accounts. And if the worst happens, Identity Guard’s U.S.-based fraud remediation team will help walk you through the steps of what to do if you’ve been the victim of fraud.
Plus, you’re protected by a $1,000,000 insurance policy covering eligible losses due to identity theft.
Was Your Social Media Account Hacked or Identity Stolen?
A hacked social media account or spam message could be just the tip of the iceberg when it comes to identity theft.
If you see any suspicious activity, have been locked out of your account, or were scammed by a “friend,” follow these steps:
First, look for other signs of identity theft
Identity theft starts slowly but then spreads quickly. If you notice anything suspicious, look for other common warning signs of identity theft, such as:
- Unfamiliar charges on your bank or credit card statement.
- Calls from debt collectors about debts you don’t recognize.
- Missing mail.
- Login attempt emails from your other accounts.
Gather as much evidence as possible so you’ll know where to begin your recovery process.
File an official identity theft report with the FTC
Once you realize you’re a victim of identity theft, you need to file an official report with the FTC at IdentityTheft.gov.
An FTC ID theft report is essential if you need to remove fraudulent debts, reverse transactions, or prove to anyone that your identity was stolen. You might also want to file a police report with local law enforcement if you think your identity was used in a criminal way.
If you’ve been the victim of fraud, follow the steps in the fraud victim’s checklist to recover your accounts and clear your name.
Report any impersonation, fake, or scam social media accounts
Finally, you should report the fraud to the social media site on which it occurred. This will help the site shut down the scammer’s account and restore yours.
Here’s how to report fraud on most major social media sites:
- How to report a fake account on Facebook: Use this link to inform Facebook of any account profile that is pretending to be you, someone you know, or a public figure. (Note: You don’t need a Facebook account to report a scammer.)
- How to report impersonation accounts on Instagram: When reporting a fake Instagram account, you’ll be required to show your government-issued ID. Get that ready, and then report the fake account using this link.
- How to report fake LinkedIn profiles: You can learn how to report fake accounts on desktop, mobile, and the Lite App by visiting this LinkedIn support page.
- How to report fraudulent Twitter accounts: If you, someone you know, or your company is being impersonated on Twitter, you can file an impersonation report here.
- How to shut down scammers on Pinterest: If someone is pretending to be you on Pinterest, contact online support and select “Report harassment or exposed private information.” You can learn more about the process here.
- How to report fake Snapchat accounts: To report a fake Snapchat account, press and hold the Snapchatter’s name in the app and tap the “⋮” icon in the top corner (or tap “More”). Click “Report.” You can also report compromised accounts on the Snapchat support web portal.
The Bottom Line: Secure Your Social Media Accounts From Scammers
Social media is all about sharing. And by following these safety tips, you can keep up with your friends and family without sacrificing your privacy or security.
For added protection, consider signing up for Identity Guard. We’ll monitor your accounts and alert you about potential identity theft so that you can continue socializing safely with peace of mind.