Earlier this year, Derbyshire-based freelance model Elle Jones was informed by acquaintances that they had been contacted by someone claiming to be her. Investigating, Jones discovered an Instagram account had been created mimicking her own profile, which offered pornographic content through a link. Jones reported the account, but two days later received an automated response saying the account had not been removed. She then emailed Instagram, contesting the inaction, and two days later the fraudulent account was removed.
Jones’s experience is not unique. Author Joe Dunthorne had his identity exploited when an Instagram profile, which claimed to be him, attempted to convince people to buy cryptocurrencies. Of course, the problem is not restricted to Instagram. For example, artist and cosplayer Giulietta Zawadzki had her Twitter account cloned earlier this year, in an attempt to sell pornography.
These impersonators are targeting businesses just as much as individuals – any account that has a significant following on social media can become a target for identity theft. In 2020, the Little Soap Company had its account cloned. Participants in its online competition were then privately contacted by the fraudulent account to be told they had won – and asked for their PayPal details.
As we become an increasingly digital society, there has been an associated rise in the number of fraudulent social media profiles being created. These accounts are then used to distribute misinformation, share fraudulent links, sell goods or attempt to solicit bank details.
“It’s fairly easy to create and clone the account of someone else, trying to steal their identity – of a person, company or institution – and using that account to force information from other people, force money, but also for spreading misinformation and so on,” says Piotr Bródka, a professor in the Department of Artificial Intelligence at Wroclaw University of Science and Technology.
The impact of social engineering attacks extends beyond any immediate losses due to malicious activities – the person whose profile is copied can become associated with the actions of the impersonator, causing reputational damage
The impact of these social engineering attacks extends beyond any immediate losses due to malicious activities. The person whose profile is copied can become associated with the actions of the impersonator, causing reputational damage. “The bigger problem, which we possibly don’t see, is the damage to the people; how they are seen by their friends and how damaging the misinformation is,” says Bródka.
“I’m seeing a lot of clients that will have a rival account set up on Twitter that looks very similar to them,” says reputation consultant Madelaine Hanson. “That person will then claim that the original account was hacked, or they can’t remember their password, and will then share recommendations on NFTs [non-fungible tokens] or cryptocurrencies to invest in.”
A problem for platforms, not just for users
There is also an impact on social media platforms, because as more of these incidents occur, there will be an associated loss of trust in that platform’s ability to protect its users. This will lead to user habits changing, such as limiting their use of platforms perceived as being vulnerable to identity theft, or switching to platforms that are seen as more secure.
“Since it happened on Instagram, I have changed my profile to a private account,” says Jones. “I was previously a business account, but with a private account I can see who asks to be a follower.”
A cloned account mimicking that of freelance model Elle Jones offered pornographic content through a link
One of the problems with social media identity theft is that the reporting mechanisms are limited. The support teams for social media platforms can often be swamped by demands, and reports of identity theft can be overlooked. When reporting cloned accounts, there is usually an option for blocking the account. Of course, the malicious account can also block the original account, thereby obfuscating the cloned account’s activities.
It is often several days before any response is received, and even then, it is not guaranteed that any action will be taken. Jones had to wait more than four days before an account was taken down. To date, there has still been no action taken against the profile mimicking Zawadzki on Twitter.
There are also limited legal avenues that victims can pursue. As identity theft is covered by fraud, it is only considered criminal if the victim has lost money through the perpetrator’s actions – irrespective of money made by the perpetrator through exploiting the victim’s identity.
“A crime will only be recorded when the individual or company who has or may have suffered a financial loss through the use of a stolen identity reports it,” explains a government spokesperson for the Home Office. “We encourage all victims to report incidents to Action Fraud, as it provides important information to law enforcement.”
However, equating reputational harm to financial loss can be challenging, as there needs to be evidence proving there has been a loss of earnings through the malicious activities by the cloned account. “Defamation law, in general, needs to be completely reformed,” says Hanson. “I’d like to see more focus on crime, such as impersonating others for information, being included under fraud.”
Is being verified enough?
The “blue tick” system, which is used by major social media platforms Facebook, Twitter and Instagram to indicate accounts that have had their identity verified, has had mixed success. Having verified status means it is easier and faster to have any bogus accounts taken down. However, only certain users are currently able to apply for the verified status, often depending upon the business they are associated with.
Freelance model Elle Jones reported the cloned account, but two days later received an automated response saying the account had not been removed
“A lot of people are perhaps not noteworthy enough to get a blue tick, but they’re big enough to influence markets,” says Hanson.
The application process for becoming verified is a delicate balancing act for social media platforms. If the prerequisites are too broad, the platforms can become swamped with applications, but if they are too narrow, their use becomes too limited to be beneficial.
Likewise, the verification systems used on each platform are not uniform. While one platform may grant a verified status, another will not, even if a user is already verified on an existing platform. This can cause people to question the legitimacy of a genuine but non-verified profile.
There has been some research into detecting cloned social media accounts. In 2014, Bródka published a paper titled Profile cloning detection in social networks. Profile cloning detection enables platforms to spot potentially fraudulent social media accounts, which are exploiting people’s trust for malicious purposes.
“We created a simple app, which was collecting your friends and friends of friends,” says Bródka. “Based on that, we did some experiments on how effectively we can create a cloned profile and how effectively we can detect them.”
In the paper, Bródka demonstrated two methods that could be used. The first method examines the similarity of attributes between profiles, the second evaluates the similarity between their social networks.
Both techniques proved useful in detecting cloned profiles, but the volume of data on social media platforms means the initial outlined methodologies would be unsuitable for mass deployment. “You would need to simplify that because I don’t think there is a possibility to effectively run it online for every account in big social networking services like Facebook,” says Bródka.
Unfortunately, in the wake of the Cambridge Analytica scandal, Facebook data has become harder to acquire for research purposes. As such, it has become challenging to research cloning detection.
What can be done?
The proliferation of social media and inadequate reporting mechanisms on the platforms has seen identity theft flourish online. This will continue until further action is taken to counter these malicious activities.
“I hope it’ll be much faster to freeze an account that’s impersonating you, as it’s very easy to do at their end,” says Hanson. “We need to recognise that people who commit crimes online are harmful and impactful.”
A proactive social media strategy should be followed, such as regularly checking for any cloned profiles. If any are found, the reporting mechanisms should be used for them to be taken down
The Online Safety Bill has been introduced to the UK Parliament and is currently at the committee stage. It includes a duty to prevent fraudulent advertising on the largest social media platforms, but only time will tell how effective it will be in tackling identity theft on social media.
“We are determined to crack down on fraudsters and are introducing legislation to make digital identities as trusted and secure as official documents such as passports and driving licences, including setting up a new Office for Digital Identities and Attributes,” says the Home Office.
Until then, individuals and organisations with a social media presence need to maintain vigilance regarding account cloning to protect their brand and reputation. Having verified status will help in that regard, but this measure is not foolproof.
Following his planned takeover of Twitter, Elon Musk tweeted “authenticate all real humans”, which implies a push for more Twitter profiles to be verified in the future.
In the current digital climate, a proactive social media strategy should be followed, such as regularly checking for any cloned profiles. If any are found, the reporting mechanisms should be used for them to be taken down. Screenshots of all comments and posts by the fraudulent account will provide further evidence of their illegal activity.
However, there is only so much that social media users can do to protect themselves from identity theft on social media. “The main responsibility lies on the authorities and social media platform owners to create mechanisms that will allow them to quickly identify such cases,” says Bródka.