Beware the social networks awash with scammers looking to befriend you

Fraudsters hiding behind fake profiles are increasingly populating social networks, on the prowl for new 'friends' to scam

PUBLISHED : Monday, 20 April, 2015, 10:41am
UPDATED : Monday, 20 April, 2015, 1:30pm

The buxom blonde in a bikini who wants to be your new Facebook friend is probably not all she seems. That brunette with the seductive smile who's following you on Instagram has only posted five photos - all in the past eight hours. Yet she's already following 1,000 other photo sharers.

Their real identity is anyone's guess. It's as likely to be a man, using stolen photos and easily available software that can create thousands of fake identities at the click of a mouse.

Fraudsters are increasingly populating social networks, where they can sniff out personal details that could make account holders victims of identity theft, or charm gullible users into opening a malicious link that will hijack their hard drive.

An average of 30 per cent of profiles on major social networks such as Facebook, LinkedIn, Twitter and Instagram are fake, according to information security specialist Ronald Pong, CEO of Nexusguard Consulting. On what Pong calls the second line of social networks, including Chinese apps WeChat and Momo - available only on mobile platforms and relying on location data - as many as 60 per cent of profiles are bogus, he says.

"The environment has been changing over the past few years as more people are now accessing social networks on their mobile phones," says Pong, who is also an adjunct lecturer at the HKU School of Professional and Continuing Education (Space). "A lot of these people are new users. They might not even know how to use social networks on a PC, so they are very easy targets."

Pong says, as with the infamous Nigerian email hoax, the most common criminal activity associated with fake profiles is credit card fraud.

While the big-hearted can be conned into charity scams, and others with business proposals, young men are the obvious targets of fraudsters posing as attractive young women. Pong says this is a big concern for companies whose employees use their mobile devices to receive emails through their corporate accounts. They may also plug their mobiles into office PCs, where viruses can be passed through the USB cable.

"Our information tells us that middle-management - those between 35 to 45 years of age - are easily interested in young girls' profiles, and there's more chance of them connecting."

This makes them vulnerable to threats such as APT and Trojan horse attacks, which can result in theft of a company's confidential information, he says.

On a wider scale, fraudsters even create bogus accounts of actual film stars, singers or high-profile businesspeople, to appear more credible and boost click rates. This allows them to build bulk spam lists. It also helps to advertise non-existent products or make it easier to suggest business proposals - both of which require the victim's credit card details. One recent target was Rose Lee Wai-mun, vice-chairman and CEO of Hang Seng Bank.

Using an incomplete profile and photo copied from the bank's website, a fake identity of the executive was used to send connection requests on the professional networking site LinkedIn. Within an hour of accepting the request, members were sent a message offering a business opportunity if they contacted "Mrs Rose" via a private Gmail address.

In a reply from the address, the fraudster claimed that a distant relative of the sender had died in a car crash, "along with his nuclear family at France", leaving behind US$22.5 million in a Hang Seng account.

The fake Lee was offering a 60:40 cut of the fortune, in the scammer's favour, but the transaction could only be completed upon receipt of a photocopy of the sender's driving licence or passport.

The email included a genuine phone number for the Hong Kong-based bank so the person could call to verify that Lee is the CEO. The victim was told to hang up once the operator put them through; they were not to speak on the phone because of the sensitive nature of the deal.

A spokesman for Hang Seng Bank says it was notified of the case and the fake profile was taken down immediately by LinkedIn.

More people access social networks on their mobile phones. A lot of them are new users, so they are very easy targets
Ronald Pong, CEO, Nexusguard Consulting

"Should we discover or be alerted to the existence of fake entries on LinkedIn or other social networking sites that purportedly relate to senior executives of Hang Seng Bank, we will immediately contact the website owner to request such entries be taken down. When appropriate, we will also inform the police. In this case, we have done both," the spokesman says. Lee does not have a LinkedIn account, he adds.

Simon Squibb, founder and CEO of start-up incubator Nest, says he has received a bogus connection request purportedly from Ayesha Gaddafi, daughter of the late Libyan dictator Muammar Gaddafi.

A spokesman from LinkedIn's Hong Kong office says the network does not disclose how many phony profiles proliferate on its site.

"We have systems in place [to trace them] but are unable to elaborate for security reasons," he says.

The network, which claims 347 million members worldwide, of which one million are in Hong Kong, encourages members to report bogus profiles they encounter, he adds. Other actions members can take include removing or blocking the specific connection. They can also decide how they want to receive connection requests.

"For example, a member can choose to let anyone on LinkedIn send them a connection request, or restrict it to only people who know their email address. We recommend that members only connect with people they know or trust," the spokesman says.

Facebook's Hong Kong office also would not give specific numbers for suspected scammers prowling its network.

"It's a violation of our policies to use a fake name or operate under a false identity, and we encourage people to report anyone they think is doing this, either through the report links we provide on the site or through the contact forms in our help centre," a Facebook spokesman says.

"We also have technical systems in place to flag and block potential fake accounts based on name and anomalous site activity. We are constantly iterating on these systems and developing new ones."

Social networks offer users various levels of privacy, but they are never the default settings - otherwise it's not very "social". When the issue of fraudsters arises, they recommend using more secure settings.

Facebook Hong Kong sent the Post a link that shows 10 ways to detect a bogus profile. No7 deals with fake girls, noting that they usually include a contact number in their details, but little else. Other clues include a single profile photo of a person, recent activity limited to making new "friends", a birth date such as "1/1/XX" or "31/12/XX", and no education or workplace details, but an interest in men and women.

People who use the photo-sharing app Instagram without keeping their account private could be looking for trouble. Pong says that, like other networks, it gives criminals many clues about who we are, where we live, places we visit and our hobbies. Users could even become kidnap victims.

There's another possible scenario when scammers can identify our hometowns or neighbourhood from landmarks and geotags. Users may post a photo of their new car, with the licence plate visible, or of a barbecue in the garden with friends. A sharp-eyed scammer would spot a house number in the background.

Later, happily posting pictures from a faraway beach holiday, the user could be leaving himself vulnerable to burglary.

Not all fake identities are created with criminal intent. Large companies and celebrities often hire people to create them for promotional purposes. One such person told The New York Times recently that he manages hundreds of thousands of Instagram "bots" to promote clients' content. This is possible through a number of affordable software packages that can instantly create thousands of fake profiles based on new IP addresses. Criminals also use such software, however.

Facebook, which stresses its "real-name culture", uses the term "undesirable accounts" for those operated by scammers, but also has millions of technically fake accounts in the form of duplicates and profiles of people's pets.

Pong recalls hearing of a university student who found someone else using her photos on a social media profile. When contacted, the offender told her: "You're much prettier than me, and I just wanted to attract more guys."

"A lot of employers go on social media to learn more about job applicants," Pong says. "So some people open alternative profiles to create a positive image of themselves for future employers. Some just create them for personal satisfaction. It makes them feel happy. It's like they have some kind of psychological problem."