STOP, THINK & RUN – Stop Innocently Giving Your Information to Cybercrooks on Social Media

Sure – you. All of us. This text is written for and applies to everybody.

We’re all targets for social engineering which is the act of manipulating, influencing or deceiving individuals into performing actions or divulging confidential data – typically by participating you or manipulating your feelings.

Probably the most expert cybercriminals accomplish their aim with out you even being conscious of what’s occurring. You’re relaxed and simply having fun with your self, checking your social media information feed. No Nigerian princes wanted anymore. They’ve moved on, taken on new personas, however are nonetheless concentrating on you.

Actually, everyone seems to be a goal.

The Unhealthy Guys Kicked It Up a Notch

The unhealthy guys have improved their expertise. Attackers discover loopholes and alternatives the place you least count on them. They achieve your belief or benefit from your defenses being down – and they’re very expert at what they do.

I see individuals who I’d assume ought to know higher participating in dangerous habits each single day, most likely as a result of they aren’t conscious that the character of the threats has advanced and altered. The unhealthy guys keep one step forward of us.

Please learn this text even when you recognize what you’re doing. Somebody you care about might not and you may assist them.

Social Media

All of us wish to use social media and public platforms for family tree and speaking with household and associates. We have to understand that due to the open nature of these platforms, they’re filled with unhealthy actors making an attempt to benefit from us in seemingly harmless methods.

To not point out that the platform is free for customers, so entry to you IS the commodity. Not simply by means of advertisements, which you’ll clearly acknowledge as such, however by manipulating your habits.

How, by luring you with “free,” “enjoyable” or “lacking out.”

Significantly, you do NOT want a brand new “free” improved profile image.

Moreover, some unnamed particular person or web site you don’t know doesn’t actually care in regards to the TV present you watched if you acquired residence from faculty as a child.

Effectively, really they DO care, but it surely’s not harmless. Scammers and unhealthy actors collect, combination, and distill knowledge about us hoping to breach our digital safety – and/or that of our social media associates.

Even when the particular person or account asking isn’t malicious, if the publish is public, cybercriminals can and do collect and compile details about YOU that they discover on public postings and pages.


In an try and defraud you, AND your pals who can even fall for these schemes. If your pals see you do one thing, they’re extra more likely to interact within the habits themselves. Simply the act of answering these seemingly harmless questions conveys details about you.

  • First, you’re susceptible and don’t perceive that “public posts” and ensuing solutions make you a goal. In different phrases, you’re promoting that you just’re a superb goal.
  • Second, in case you don’t have your Fb (or different social media) account locked down in order that solely associates of associates can ship you buddy requests, it’s commonplace to obtain a complete raft of buddy requests after doing one thing public.
  • Third, even when your account is locked down tight, your remark or reply to that seemingly harmless public posting might internet you a reply one thing like this:

Observe the unhealthy grammar and lack of punctuation. Most likely that Nigerian prince once more, with a bogus profile image.

If individuals can see your “About” data, the message or reply could also be extra particularly tailor-made – concentrating on you with some frequent curiosity. Single middle-aged feminine? You’ll obtain a message from a “widowed” male about that very same age, perhaps sporting a uniform or in any other case wanting like a mannequin, holding a pet. Yea, proper.

Now, holding the 1890 census – that may be an efficient scheme to focus on genealogists😊

Let’s speak about how one can keep secure and nonetheless be capable to profit from and revel in social media.

We’ll start with an enormous purple flag.


The present rage is a synthetic intelligence oil portray profile image that’s “free.”

Proper off the bat, you could all the time be suspicious of something “free” as a result of it usually means “they,” whoever they’re, need your data and are keen to present you one thing to get it – underneath the guise of free. Talking of them, simply who’re “they” anyway? That’s the primary query you could ask and reply earlier than participating.

Free virtually all the time by no means advantages you.

Why would anybody wish to offer you a cool new profile image free of charge? It might solely take just a few laptop cycles, but it surely’s not free for them to supply, simply the identical, particularly not when multiplied by the tens of 1000’s. What are they getting out of all these free images they’re producing?

I’ll inform you what. To achieve entry to your knowledge – together with the information in your cellphone.

Hmmm, I would like you to consider one thing for a minute.

Do you’ve got your cellphone set or apps set to scan your face and routinely open? Is that your safety? In your checking account perhaps too?

And also you simply despatched a photograph of your FACE to some unknown particular person or group in some unknown place?


You’ll be able to change loads of issues, however you can not change your face and facial recognition software program is highly effective.

Snopes says the NewProfilePic app actually isn’t any worse than many different apps – which isn’t saying a lot.

Other than the truth that NewProfilePic was initially registered in Moscow, which must be a HUGE purple flag by itself, particularly proper now, what can the app do in your cellphone?

Right here’s the listing.

In essence, you simply gave somebody the keys to the sweet retailer.

In perpetuity.

Is your blood operating chilly? It must be.

Nonetheless assume this enjoyable new app is “free?” You’re paying for it dearly, and will but pay for it much more dearly.

Here’s a warning from a state Legal professional Normal and here’s an article from MLive that interviewed a cybersecurity professional who notes that this app scrapes your Fb knowledge.

Nevertheless, so do different individuals and apps.

Public is Public

Whenever you see something on Fb with the little globe, that implies that anybody anyplace can see this posting AND all replies, together with your solutions. All the things is absolutely public.

On this case, greater than 80,000 individuals answered this query from a completely unknown particular person or web site.

Simply a few days later, this similar posting had 54K likes, greater than half one million feedback, and greater than 6,100 shares. That’s how efficient one of these seemingly harmless query will be.

A number of of my associates answered.

What does this query inform anybody wanting? Your approximate age, for inexperienced persons.

Perhaps a solution to a safety query. Simply google “prime safety questions for getting access to forgotten passwords.”

Partaking with an internet web page additionally means the Fb algorithm will ship you extra postings from that web site in your feed. So perhaps if this publish doesn’t yield something helpful about you, the following one would possibly.

Cumulatively, many solutions to many postings will reveal lots.

By no means reply these.

However There’s Extra

As a result of this posting is public, I can click on on the identify of ANY one that has answered that public query and see each different public factor they’ve shared on their timeline.

For instance, I randomly chosen Charlotte, somebody that I don’t know and am not associates with who replied to that query. (You are able to do this similar experiment.)

I clicked on her identify and scanned down Charlotte’s postings. I can instantly see that she’s a superb goal and has fallen for a number of different issues like this.

Right here’s one from her web page.

That scammer, James, latched onto her instantly. Once more. Observe the grammar.

Right here’s one other seemingly harmless recreation that Charlotte performed to get a brand new Fb profile image and “secret” information about herself. That “4 Truths” app instructed Charlotte that she was very mysterious and promised to “present what’s hidden in you.” In fact, she had to supply her photograph, give permission for this app to publish on her timeline, publicly, and entry her Fb account. Charlotte most likely didn’t even understand that was occurring, or what it meant was occurring behind the scenes to her knowledge.

However now Charlotte has the brand new NewProfilePic oil portrait, so this one isn’t in use anymore. Perhaps Charlotte’s associates needed some good issues mentioned about them too so they may have clicked on this similar hyperlink. Only for enjoyable, proper? That’s how these scams work.

These unlucky decisions on Charlotte’s timeline have been accompanied by many extra that have been related in nature. These have been interspersed with notices on her Fb web page that she has been hacked and to not settle for any new buddy requests or messages from her. The results are evident.

It’s price noting that some individuals do have their profiles cloned and haven’t engaged in any dangerous habits like this, Nevertheless, you dramatically enhance your odds of being compromised if you interact in dangerous on-line behaviors. Each time somebody clones your profile and sends messages to your whole associates with malware hyperlinks, it will increase the cyberthief’s harvest of you and your pals. Cha-ching!

Ultimately, the unhealthy actors will discover individuals who they’ll rip-off, both by:

  • Speaking your buddy, their goal, into doing one thing unhealthy for them, perhaps considering they’re serving to you or responding to you
  • By sending malware hyperlinks that individuals click on on considering the message with the hyperlink is definitely from you.
  • Gathering sufficient data to breach you or your pals’ safety questions and clear out financial institution accounts.

No, I’m not fearmongering or being overly dramatic.

I make the most of KnowBe4, a safety and vulnerability consulting and coaching firm to maintain abreast of threats. You’ll be able to follow their blog articles, here.

How Do Cybercrooks Entry Your Associates?

Charlotte’s Fb web page, all of her associates are uncovered too as a result of they’re publicly seen. Everybody can view the whole listing of Charlotte’s associates.

Now, all of these scammers have entry to Charlotte’s associates. Therefore, the scammers can clone Charlotte’s account by stealing her photograph, organising a brand new account, and sending messages to Charlotte’s associates who assume the message is from Charlotte. One thing like “Do that new photograph app, I did,” or, “Are you able to decide up an Apple present card and ship it to my buddy for me?” You get the drift.

If Charlotte’s associates have their safety set to solely settle for buddy requests from somebody that additionally shares a buddy, and Charlotte accepts a bogus buddy request – then the scammer can ship her associates a buddy request too and so they assume it’s Charlotte’s buddy.

In different phrases, seeing a typical buddy causes Charlotte’s associates to let their guard down. I have a look at it this fashion – solely one in all my associates has to simply accept a bogus buddy request to make me susceptible too.

Charlotte additionally instructed individuals in a public posting that she was visiting somebody on a particular day in one other metropolis. How do I do know it’s one other metropolis? As a result of Charlotte has posted the place she is from, the place she lives, works, and the highschool she attended in her “About” data.

Hmmm, these are safety questions too.

That very same web site the place I discovered Charlotte answering that query has additionally posted questions on your pet names.

What is among the safety questions in case you lose your password?

Yep, pet names.

Nope, these seemingly cute websites aren’t. They’re data-mining and gathering data.

Predatory Websites

First, I have to say that there are three safety threats concerned with these postings and web sites:

  1. Any hyperlink you click on which can take you to who-knows-where.
  2. That the location itself is knowledge mining. Nevertheless, this isn’t all the time the case. Some very respectable corporations ask inquiries to get you to have interaction of their topic subject. Nevertheless, if the publish is public, that’s an open door to the following risk.
  3. “Individuals” or bots who harvest details about individuals who reply these public posts after which data-mine their accounts.

Let’s have a look at just a few examples.

No particular person you don’t know cares in any respect about what you drank final. Nevertheless, that may be invaluable knowledge for different causes.

Fb makes these items much more enticing to you by exhibiting you solutions from individuals in your associates listing. I’m not going to embarrass my family and friends by exhibiting their id, regardless that it’s utterly public, however please, FOR THE LOVE OF ALL THAT’S HOLY, cease doing this.

Simply have a look at that – 14 million feedback and 193 thousand shares. For a knowledge miner, this has been extraordinarily profitable.

To make issues worse, in case you interact with a web site on Fb, they present you extra from that web site in your feed sooner or later. Since I clicked on these to put in writing this text, my feed goes to be flooded with smarmy questions from these websites for days or perhaps weeks.

Let’s check out just a few extra examples.

Take a look at this one. 200,000 individuals and virtually 3000 shares in two months. That implies that this query seems on 3000 individuals’s timelines. It’s like an enormous data-gathering pyramid scheme.

You’re more likely to be sporting your favourite shade and eat your favourite meals.

How might this be used in opposition to you?

Yep, safety, password, or account restoration questions once more.

After I went to the web page that made this posting, the following posting was a query – “In 1980, you have been…” and the primary particular person to reply mentioned, “2 years outdated.” That particular person simply instructed the world they have been born in 1978.

Did you actually wish to try this?

Personal Teams

You’re safer in a non-public group, that means solely group members can see your posts.

You’ll be able to inform if a Fb group is non-public primarily based on the lock and the phrases, “Personal Group.” You can even see an inventory of your pals who’re members of that group as nicely. Keep in mind that the criterion for becoming a member of a non-public group differs broadly and there are nonetheless a lot of individuals you don’t know. Some non-public teams that I’m a member of have greater than a quarter-million subscribers.

Most non-public teams are centered on a particular subject. Some non-public teams require answering software questions to affix, and others don’t.

You’re most secure in a bunch that does require inquiries to be answered which permits directors who’re accustomed to the subject to craft questions that (hopefully) weed out a lot of the trolls, bots, and shady characters. That’s the selection I’ve made for the teams I co-administer, but it surely does require extra consideration from the directors, which is why giant teams usually don’t implement membership questions.

Figuring out Privateness Settings

Whenever you’re wanting on the privateness settings on teams, posts in your associates’ timelines, or your individual, you’ll be able to mouse over the privateness icon. Fb will inform you precisely who can see this publish.

You’re by no means fully secure. Along with behaving safely as famous above, there are steps you’ll be able to take to teach your self and configure your social media accounts securely.

How you can Keep Secure

Each social media platform is completely different, however I’m utilizing Fb for example. Each platform can have an analogous privateness perform. Study the way it works.

Go to the Facebook help center, here and do a security checkup, here.

Nevertheless, neither of these actually handle privateness, which I really feel is definitely the most important safety risk – the trapdoor or slippery slope.

Right here’s how one can entry and assessment your privateness settings.

Click on on the down arrow beside your identify.

Click on on Settings and Privateness, then each the Privateness Checkup and the Privateness Heart.

Subsequent, you’ll see a number of brief articles. Make sure you step by means of every one

Take a couple of minutes to lock your account down.

The ONLY factor that’s routinely public is your profile photograph and any photograph you employ in your cowl photograph. Anything can and must be restricted.

Fb owns Instagram so you’ll be able to set your Instagram safety right here too.

You’re not fairly completed but!

Monitoring and Controlling Apps

Subsequent, we’re going to see what apps are put in and interacting with Fb. Have you ever licensed apps you weren’t conscious of?

Within the dropdown arrow to the suitable of your identify within the higher right-hand nook, click on on the down arrow once more.

You’ll see the Settings gear underneath “Settings and Privateness.” Click on there to see the entire setting classes within the panel on the left aspect of your display.

Evaluate every part, in fact, however pay particular consideration to “Apps and Web sites” and “Video games.”

Predatory operators will idiot you into doing one thing enjoyable, like a profile photograph app, or a little bit recreation that gives you together with your Fantasy Title or one thing else cute and engaging. That “free” recreation or app installs software program. In the event you discover software program throughout your assessment, particularly from one thing like we’ve been discussing, I like to recommend deleting it instantly.

Make certain you solely have belongings you’ve deliberately put in or licensed.

THINK – Cease, Assume and Run

Whenever you see “somebody” asking a query on Fb, STOP!

You’ve heard of cease, drop and roll in case your garments are on hearth?

Somebody making an attempt to breach your privateness is a digital hearth, so that is cease, assume and run.

Assume about who is definitely asking and why. “Who” is asking is NOT that cousin who shared the query from that public web site. The “who” that’s asking is that authentic web site.  They’re merely making the most of and utilizing your cousin. I hate to place it this fashion, however all the time assume the worst and do not forget that even when the location itself is harmless, the entire individuals who can harvest your knowledge and attempt to compromise your safety assuredly will not be.

These “enjoyable” websites asking these questions are both actively recruiting you or greatest case, leaving the door huge open for cyberthieves.

Don’t reply. Regardless of how a lot you’re tempted to share some nostalgic data or the identify of your deceased pet you’re nonetheless grieving. Regardless of in case you discover that your cousin or buddy has replied already. Simply don’t.

Cease, assume, run. It’s that easy.

And talking of your cousins or associates – if they’ve shared one thing that might compromise their safety and privateness, to not point out their associates (together with you), be happy to share this text or others, resembling KrebsonSecurity. Check out Krebs’ examples of baiting you with childhood and pet images with corresponding questions. Do they evoke an emotional response from you? They’re meant to. I imply, how unhealthy can it really be to enter the identify of the one you love childhood pet?

By now, you ought to be screaming the reply to “how unhealthy”!

Here’s an article from Tulane College. Sure, they’re promoting their diploma in cybersecurity administration, however they accomplish that by summarizing the issues that social media customers have to be involved about.

I additionally observe an organization referred to as Facecrooks which displays and writes about Fb privateness, fraudsters, different scams, and such. They’ve a Facebook page here and a Scam Watch page here.

The Baker’s Dozen Messages

The messages I wish to go away you with, except for cease, assume and run, are this:

  1. Nothing is free
  2. Assume earlier than you interact or reply
  3. Remind your self {that a} stranger actually doesn’t care about your first-grade trainer’s identify, however a criminal does
  4. Simply because somebody you recognize answered or engaged doesn’t imply it’s secure
  5. Contemplate potential penalties
  6. Can one thing you might be about to share be used to compromise both you, your loved ones, associates’, or employer’s privateness or security?
  7. Don’t overshare – solely say what’s mandatory
  8. Discover what’s public and what’s not – search for that globe and behave accordingly
  9. Don’t obtain or play free video games, or ship something to a “free” web site
  10. Don’t click on on hyperlinks to unknown locations
  11. Don’t settle for buddy requests from individuals you actually don’t know.
  12. Study the warning signs of a fake profile and report them by clicking on the three dots to the suitable of the profile
  13. Don’t click on on hyperlinks in non-public messages and watch out for instantly receiving an “odd” message from somebody you haven’t heard from shortly

I’ve written different articles about on-line privateness, safety, and security too.

Keep in mind…

Cease. Assume. Run.


Comply with DNAexplain on Facebook, here or follow me on Twitter, here.

Share the Love!

You’re all the time welcome to ahead articles or hyperlinks to associates and share on social media.

In the event you haven’t already subscribed (it’s free,) you’ll be able to obtain an e-mail at any time when I publish by clicking the “observe” button on the principle weblog web page, here.

You Can Assist Hold This Weblog Free

I obtain a small contribution if you click on on a number of the hyperlinks to distributors in my articles. This does NOT enhance the value you pay however helps me to maintain the lights on and this informational weblog free for everybody. Please click on on the hyperlinks within the articles or to the distributors beneath if you’re buying merchandise or DNA testing.

Thanks a lot.

DNA Purchases and Free Uploads

Family tree Merchandise and Providers

My Ebook

Family tree Books

Family tree Analysis