Should you be afraid if an imposter duplicates a friend's Facebook account and connects with you on the social network?
That's the question I was asked on Twitter this weekend, and I thought rather than try to squeeze my response to Michael into 140 characters it probably warranted a few more bytes' worth of attention.
The short answer as to whether you should be afraid or not, even if you have since unfriended the bogus user, is "possibly".
First things first, why might someone have created an account in the name of somebody you know and attempted to trick you into accepting them as a friend? Here are some possibilities:
- Stalker. We don't know who it is who is trying to enter your circle of friends on Facebook, but it could be someone who wants to track your activity without you knowing. Possibilities include a jealous partner you've fallen out with, a rival in love or business, or simply someone who has an unhealthy crush on you.
Whatever their motive, someone stalking your online activities and able to read your newsfeed without your permission is creepy. Imagine, for instance, the possibility of coming to harm if you are using a service like Facebook Places which allows other users to determine your physical location.
- Identity thief. Your bogus Facebook friend may be interested in your profile because of the information you might be sharing up there.
In the past we've discovered that many users are all too willing to share a dangerous amount of personal information with complete strangers on Facebook - such as their full date of birth, email address, and phone number. This is all information that could be useful to identity thieves.
- Spammer/Malware author. You're more likely to open a message from a Facebook "friend" than a complete stranger, because you implicitly trust the person you believe has sent you the message. Therefore, if a bogus Facebook friend sends you a link to a webpage with an alluring enough title, you might well click on it.
Don't be surprised if you're taken to a webpage containing adverts for improving your sexual performance, or a website carrying a malicious Trojan horse, a rogue Facebook application that tricks you into taking a survey, or even a bogus Facebook login page that attempts to phish your password from you.
- Scammer. As well as the malware, phishing and spam shenanigans described above, one confidence trick we often see imposters performing on Facebook is the "stranded in a foreign city" scam. Although these can occur when a genuine friend's Facebook account is taken over by a scammer, it's also possible for fraudsters to create an account in the name of somebody you know with the intention of tricking you into wiring them money.
So, imposters posing as your friends on Facebook can use the tactic to keep tabs on you, to steal personal information from you, and to try to spread malware and spam.
But more than that, they can use your acceptance of them into your network of friends as a springboard for connecting with others on Facebook too. For instance, imagine Bogus Ben manages to trick you into becoming Facebook friends with him. Bogus Ben can then approach your other friends, and the fact that he is already linked on Facebook to you effectively endorses him to them.
Don't forget that anyone can create an account on Facebook which uses a bogus name, and scrape together some personal information and a photograph to make it a convincing fake identity to trick you into accepting their friend request. Websites like FriendsReunited and Classmates have made it easy to work out who individuals might have known years before, and give imposters a head start as to who they might want to pose as.
Of course, stalking, spamming, spreading malware and identity theft can all occur on Facebook without creating a bogus account. It's also important to realise that cybercriminals have often hijacked genuine users' accounts to spread these sorts of attacks too. So you may already have added a legitimate friend to your network on Facebook, only for their account to later begin to send you, for instance, spam-laden links.
But to go back to the original question - should you be afraid?
Well, that rather depends on what information you share on your Facebook page, or whether you clicked on any links or ran any applications promoted by the imposter.
If you find that you've befriended a false Facebook friend, unfriend them immediately and warn your genuine friends about what happened in case they have also added them to their network. You should also check out our tips for better security and privacy on Facebook to make sure that you are following best practices to defend your account.
One thing you definitely need to learn is that it's sadly just not possible to tell if you should accept someone's friend request on Facebook just because you recognise their name. Everything on Facebook can be faked, and so the only way you can tell if a friend request was genuine or not is to speak (yes, in real life!) with the person who is trying to add you as a friend.
Otherwise, it might be an imposter, and their motive might vary from mischief to malice.
If you want to learn more about threats on Facebook, join the Sophos Facebook page where more than 100,000 people are benefiting from early warnings about the latest attacks.