A recent Facebook post from a family member made me realize that I needed to write about an overused term. A term which, when used, causes chaos and concern. I don’t blame the family member for using it; I’ve seen it used hundreds of times over the past few years, and I’ve seen IT and cybersecurity professionals respond without correcting it, occasionally even giving bad advice.
So what is the term? Hacked. We all know what it means when we hear that a website has been hacked or a business has been hacked. Depending on the context, synonyms can be “defaced” (although this seems less common these days) or “breached.” Ultimately, however, the term “hacked” is completely valid and used correctly in these situations. So when is it used incorrectly? When it is used to describe a fake social media profile.
Here is the situation, the one we have all seen dozens of times. “Do not open my messages, I have been hacked!” or “Do not open messages from they’ve been hacked!” There are definitely times when people’s legitimate accounts are used to spam malicious links and, in those cases, “I’ve been hacked!” feels appropriate. I believe, however, that context matters, and a duplicate social media profile should not be labeled as “hacked” and actions associated with an account breach should not be taken.
So what is a duplicate social media profile? If you’ve lived under a rock or are sane enough to avoid social media, you may not have encountered this phenomenon. This happens when someone takes your publicly visible social media photo and creates a new account using your name. They then send spam or friend requests to everyone on your contact list. That’s why restricting access to your profile picture and friends list are such important privacy steps (and yes, before you look, it’s 100% a case of “do as I say, not as I do”).
This used to be very common within a single social media network, but with the integrated Facebook-Instagram messaging system, cross-platform instances are definitely on the rise. Once you respond to the fake profile or accept the friend request, malicious links or a scam conversation may begin. Additionally, if you have granted access to your profile by accepting a friend request, malicious individuals (or bots) now have the ability to harvest your information and spread the scam.
So why am I against calling it “hacking” or saying the account is “hacked”? Simply put, that’s not the right term. The word “hack” implies certain things, and for the general public those things usually include resetting your passwords, running malware scans and, for people who go to extremes, wiping the computer.
Over the past few years, we have increasingly recognized that regularly changing passwords is a bad thing. If your profile is frequently cloned and you change your password each time, you become guilty of the very thing we try to keep companies away from. Since the person didn’t have access to your account, changing your password just doesn’t make sense. However, when someone posts “Oh I know, my account was hacked!”, a dozen people will respond with “Quick! Change all your passwords.”
While this may seem like a pet peeve, I think it’s a bigger issue. If people believe these are hacked accounts, it creates a false sense of insecurity that can potentially be just as dangerous as a false sense of security. Quickly changing passwords is not good and these types of occurrences are on the rise.
So, as a reminder, your account was not hacked… someone copied your profile in an attempt to leverage and profit from the personal connection you have with others. One of the clearest indicators of this is that the messages come from a different account and appear in a different chat or involve a new friend request. The best thing you can do is report the person, tell other people who receive the requests to report the person, block the account, and move on. Beyond that, there’s really nothing else to do.