1

Social Media Fraud: Identity Theft & Fraud through Facebook

By Sara Bagiatis For: Dr. Lubinski Date: Wednesday, November 14th, 2012 Period 6

2 Communication is an extremely broad area of study, but one of the newest and most innovative aspects of the communication field lies in social networking sites, such as Facebook. Statistics found on the Facebook news website show that there are over one billion monthly active users of Facebook (Key Facts) and a typical Facebook user spends around 55 minutes per day on the website (Why Do Businesses Need Facebook?). Individuals pursuing a communication degree are now often required to take a course focusing on the use of social media since it is extremely likely that communication graduates may be in charge of maintaining a businesses Facebook account in the future (Why Do Businesses Need Facebook?). Businesses use social media as a tool to market and communicate with consumers (Bosari). With such an alarming amount of users logging into Facebook every day, there are several risks that individuals, as well as businesses, can encounter through this social networking website. Users of social media websites such as Facebook are more likely to be exposed to fraud and identity theft because their profiles usually house a lot of personal or confidential information that would otherwise not be as easily accessed (Lewis). The FBI has created cyber squads in field offices across the country with more than 1000 trained analysts, digital forensic examiners and agents to help fight fraudulent acts in regards to social networks (Snow), but consumers should be educated on using social media privately and securely to reduce their risk of identity theft (Lewis). Although there are several different social networking websites, this research paper will focus on frauds associated with Facebook. This paper contains background information about the risks of password and identity theft that could be committed by utilizing the information users share on personal Facebook profiles, as well as real life examples of fraudulent behavior on Facebook. Examples include fictitious Facebook accounts, such as those created for research by

3 the IT security firm, Sophos, and a fake Facebook account created by Dana Thornton to ruin an ex-boyfriends reputation. There are also examples of individuals, such as Microsoft employee Bryan Rutberg, who has had his personal Facebook account hacked and used to gain money by criminals, and a teenage girl from California whose passwords were shared and Facebook account hacked. The more information that a user shares on social media, the greater chance they will be impersonated (Internet Social Networking Risks). One fourth of Facebook users have public profiles and these individuals have a higher risk of identity fraud because they dont restrict the information that they share. One half of users with public profiles revealed their full birthdates, which could therefore be accessed by anyone, while only one third of users with private profiles revealed this information (Carrns). Birthdates can be key in stealing identities and this information, as well as hometowns and pet names, are commonly used in passwords (Cullina). After being posted to social networking sites, this information is no longer private. Even if high security settings are used, individuals are still at risk of friends revealing and sharing private information through their accounts (Internet Social Networking Risks). If information, such as a persons home address or phone number, is displayed on Facebook, identity thieves can submit a change of address form. This will then allow the thieves to have mail forwarded and get more access to information that enables them to open accounts in the victims name to cause further damage (Facebook Identity...Guide). Another danger of identity theft and fraud through Facebook can occur by linking smartphones to the account. This puts individuals at a higher risk of identity theft because it can reveal information such as location, frequently visited locations, or a home address (Lewis).

4 Information, such as a status revealing that a user is out of town for a few days or on a vacation, can be valuable to a criminal and puts an individual at a higher risk for burglary or theft of personal information in an unguarded home (Lewis). Even though a lot of individuals only allow friends and people they know to view their profiles, several studies have shown that victims often know the person who committed this sort of identity crime against them (Facebook Identity...Guide). In 2007, an IT security firm named Sophos conducted an experimental study in order to determine how much information individuals will actually share with complete strangers through their Facebook accounts (Sophos Facebook...Thieves). Sophos fabricated a profile under the name of Freddi Staur, which is actually an acronym of ID Fraudster. The profile picture displayed nothing more than a green plastic frog (Egan). This fake account sent out 200 friend requests to random people across the globe and about 40% of the users accepted the request (Sophos Facebook...Thieves). By accepting Freddis friend request, these Facebook users were able to share all of the information on their profiles with this fake account. Freddi was able to access information about users interests, hobbies, present and past employers and schools, names of spouses, resumes, and occasionally the users mothers maiden name. Just by viewing these individuals Facebook account, Freddi had enough information to potentially guess the users passwords, impersonate the user, or even stalk some of the users friends and family members (Sophos Facebook...Thieves). A follow up experiment was conducted two years later in 2009. Sophos created two more false Facebook accounts similar to the Freddi Staur account. One of the accounts was an acronym for false identity with the name Daisy Felettin. Daisy was listed as being 21-yearsold and her profile photo was of a rubber duck. The other account was called Dinnette Stonlly,

5 an acronym for stolen identity, and she was listed as 56-years-old and the profile picture chosen for her account was of two cats lying on a rug (Noda). Because many were now aware of the dangers of sharing too much personal information on Facebook, Sophos assumed that there would be an improvement in results because of the highly publicized warnings. But they were incorrect (Ducklin). Each of these fictitious users sent out 100 friend requests to random individuals in their age groups. Ninety-five Facebook users chose to be friends with either Daisy or Dinnette and more shockingly, eight users sent out a friend request on their own to one of the fake accounts (Noda). After examination of the individuals who had accepted friend requests to either Daisy or Dinnette, it was found that 89% of the users in the 20-something age group shared their full birthdates on their profile while 57% of the 50-somethings shared theirs (Ducklin). It was also discovered that one half of the 20-something age group and one third of the 50-somethings shared personal details about their families and friends (Noda). Although accepting friend requests is unlikely to result in identity theft, it is a great way to enable criminals access to private and personal information that can be used to succeed in stealing ones identity (Sophos Facebook...Thieves). Graham Cruley, who was the senior technology consultant for Sophos, said 10 years ago, it would have taken months to gather all of the information that the fake accounts collected in under two weeks (Noda). Graham Cruley stated: Social networks have made it easier for the bad guys to scoop up information about innocent members of the public. Everyone must learn to be more careful about how they share information online, or risk becoming the victims of identity theft. (Noda) One of the best ways a person can protect his or herself from identity theft through a Facebook or other social media account is to assume that everything that he or she reveals online can be

6 viewed anywhere on the internet by anyone at anytimeforever. No matter what steps an individual takes to delete this information, it can, and most likely will, always turn up later (Ducklin). In addition to sharing personal information that can result in identity theft, Facebook and other social networking sites can be abused by people creating fake accounts to exploit other people. Users can feign everything about themselves online, from their names to their age, gender, or location (Snow). In August 2010, Dana Thornton of New Jersey was accused of creating a fake Facebook account of her ex-boyfriend, Detective Michael Lasarandra, and caused injuries to his reputation due to the content of this profile as well as the fabricated posts. This fake Facebook account of Lasarandra featured fictitious posts admitting to drug use, hiring prostitutes, and having multiple sexually transmitted diseases. Some of the posts included statements such as Im a sick piece of scum with a gun, and Im an undercover narcotics detective that gets high every day and posts like these could obviously cause severe damage to anyones reputation, let alone a detective working in law enforcement (Horowitz). Thornton was initially charged with identity theft (Horowitz). This case was one of the first times in history that identity theft was used in regards to a fake social media identity. New Jersey State laws say that identity theft laws apply to electronic media (Susman), and Thorntons actions fell under the category of impersonating to injure or defraud (Liebowitz). Ultimately, Thornton was put on probation and upon successful completion of probation all charges will be dropped (Susman). As proven in the last two examples regarding Sophos and Dana Thornton, identity thefts can be conducted by creating false identities of real or fictitious individuals through social networks and then victims can be tricked into sharing or giving away personal information, such

7 as names and passwords, which can then be used to cause further damage (Snow). The information shared on social media websites such as Facebook is not just putting individuals in danger of identity theft, but also their friends and families as well (Facebook Users...Attack). The information found on Facebook profiles can potentially be used to tip off thieves about the users passwords (Facebook Identity...Guide). Elements such as the users full name, date of birth, hometown, relationship status, school, graduation dates, pet names, or interests can all be used as tools and stepping stones in identity theft (Lewis). If a criminal figures out a way to access the victims passwords, they can hack into accounts and cause further harm. An example of this could be figuring out a potential password through Facebook and using it to hack into other accounts, such as iTunes, and purchasing hundreds of dollars worth of products (Facebook Identity...Guide). A teenage girl from California experienced how a stolen password from one online account could result in another online account being hacked. Her Facebook account was hacked by a teenage boy after receiving a text message containing the password to the girls email account was sent around (Balasubramani & Goldman). The boy used the email account password to gain further access to the girls Facebook account and then proceeded to write offensive posts and messages under the victims name (Balasubramani). The idea of Facebook hacking as an identity theft varies from state to state, but in the state of California, there is an e-personation law that went into effect in 2011 (Balasubramani & Goldman). This states that it is a misdemeanor to impersonate others online and penalties include fines and up to a year in prison (Cheng). California statute section 530.55 relates to any individual who:

8 Willfully obtains personal identifying information [of the victim and] uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medication information. (Balasubramani & Goldman). The boy did willingly obtain the victims password because he kept a record of it upon receiving it and used it for defamation of the victim (Balasubramani & Goldman). New fraud schemes involve an identity thief gaining access to a victims Facebook account and after hacking the account, the criminal then sends messages to the victims friends through the account saying that they are in danger and in need of money. Since the criminal is going through an existing account, these pleas of help appear to be legitimate and friends are more likely to wire money to the criminals without any sort of other confirmation (Snow). Bryan Rutberg, a Microsoft employee from Seattle, was a victim of this particular form of social media fraud. His Facebook account was hacked on January 21, 2009. Rutbergs status was changed to BRYAN IS IN URGENT NEED OF HELP!!!! Several of Rutbergs Facebook friends received messages and personal emails from his account saying that he was robbed at gunpoint while traveling in the United Kingdom (Sullivan). Rutberg received texts and emails from concerned friends. However, the criminal who hacked his account changed all of Rutbergs login information so that he was unable to access his own account (Sullivan). Social hackers are able to manipulate people through social media and they know that humans are a weak link in cyber security (Internet Social Networking Risks). This was possibly the case for Rutbergs account being attacked (Sullivan). This way, they are able to trick people into giving out personal information because they appear to be legitimate and harmless (Internet Social Networking Risks). Identity thieves may also send out a quiz to

9 friends with questions that initially do not seem to be invasive, but they are usually basic questions asked by websites when a user has forgotten or is trying to retrieve a password (Snow). Criminals have been using social media for more private attacks and making stories more believable and personal. As opposed to sending out thousands of spam messages that only yield a few victims, like the Nigerian prince scam, this more personal approach draws in more victims (Sullivan). The criminal that was impersonating Rutberg through his Facebook account sent out a message to friends saying: Can you get some money to us. I tried Amex and its not going throughIll refund you as soon as I am back home. Let me know, please. (Sullivan). One of Rutbergs friends wired $1200 to the criminal, thinking Rutberg was actually in trouble. After his account was restored, it was discovered that a few other friends were scammed into sending some money, but Facebook would not refund the money sent (Sullivan). Frauds occurring through Facebook and other social media sites have a huge affect on those who are studying and working in the communication field because communication professionals are usually the ones in charge of maintaining and interacting through a companys social networks. It is important for those working in communication to understand what information should and should not be shared through professional and personal Facebook accounts. As displayed through the stories of Dana Thornton, Sophos, the girl from California, and Bryan Rutberg, misuse of certain information could be catastrophic. Since a companys image is portrayed through their social media profiles, individuals in charge of managing the account must be sure that all communication through these mediums follows the communication code of ethics, meaning that it is ethical, tasteful, and legal ("Code of Ethics for Professional

10 Communicators."). Everyone needs to be educated on using social media privately and securely to reduce or even avoid fraud (Lewis).

11

Works Cited Balasubramani, Venkat, and Eric Goldman. "California Judge: Trolling with Someone Else's Facebook Is Identity Theft." Ars Technica. Conde Nast, 2 Aug. 2011. Web. 14 Nov. 2012. <http://arstechnica.com/tech-policy/2011/08/california-judge-trolling-withsomeone-elses-facebook-is-identity-theft/>. Balasubramani, Venkat. "In Re Rolando S., F061153 (CA. Ct. App. July 21, 2011)." Scribd. Scribd Inc., 21 July 2011. Web. 14 Nov. 2012. <http://www.scribd.com/doc/61340538/In-Re-Rolando-S-F061153-CA-Ct-App-July-212011>. Bosari, Jessica. "The Developing Role of Social Media in the Modern Business World." Forbes. Forbes Magazine, 08 Aug. 2012. Web. 13 Nov. 2012. <http://www.forbes.com/sites/moneywisewomen/2012/08/08/the-developing-role-ofsocial-media-in-the-modern-business-world/>. Carrns, Ann. "Careless Social Media Use May Raise Risk of Identity Fraud." The New York Times. The New York Times Company, 29 Feb. 2012. Web. 12 Nov. 2012. <http://bucks.blogs.nytimes.com/2012/02/29/careless-social-media-use-may-raise-riskof-identity-fraud/>. Cheng, Jacqui. "California Outlaws Maliciously Impersonating Others Online." Ars Technica. Conde Nast, 29 Sept. 2010. Web. 14 Nov. 2012. <http://arstechnica.com/techpolicy/2010/09/california-outlaws-using-a-fake-identity-online-in-some-cases/>.

12

"Code of Ethics for Professional Communicators." International Association of Business Communicators. International Association of Business Communicators, 2012. Web. 14 Nov. 2012. <http://www.iabc.com/about/code.htm>. Cullina, Matt. "9 Alarming Statistics About Identity Theft." Identity Theft 911. Identity Theft 911, 10 May 2012. Web. 12 Nov. 2012. <http://www.idt911blog.com/2012/05/9alarming-statistics-about-identity-theft/>. Ducklin, Paul. "Sophos Australia Facebook ID Probe 2009." Naked Security. Sophos Ltd., 6 Dec. 2009. Web. 12 Nov. 2012. <http://nakedsecurity.sophos.com/2009/12/06/facebook-idprobe-2009/>. Egan, Matt. "20% of Facebook Users Are IDiots." PC Advisor. IDG Consumer & SMB, 14 Aug. 2007. Web. 13 Nov. 2012. <http://www.pcadvisor.co.uk/opinion/internet/3269578/20-offacebook-users-are-idiots/>. "Facebook Identity Theft Protection Guide: 6 Tips to Protect Your Identity on Facebook." Next Advisor. Next Advisor, 4 Mar. 2009. Web. 12 Nov. 2012. <http://www.nextadvisor.com/blog/2008/03/04/6-tips-to-protect-your-identity-onfacebook/>. "Facebook Users at Risk of "rubber Duck" Identity Attack." Sophos. Sophos Ltd., 7 Dec. 2009. Web. 12 Nov. 2012. <http://www.sophos.com/en-us/press-office/pressreleases/2009/12/facebook.aspx>. Horowitz, Ben. "Judge Rules Case of Belleville Woman's Fake Facebook Page Can Proceed."

13

New Jersey. New Jersey On-Line, 2 Nov. 2011. Web. 12 Nov. 2012. <http://www.nj.com/news/index.ssf/2011/11/judge_rules_case_of_fake_faceb.html>. "Internet Social Networking Risks." FBI. US Government, n.d. Web. 12 Nov. 2012. <http://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networkingrisks>. "Key Facts." Facebook Newsroom. Facebook, 2012. Web. 13 Nov. 2012. <http://newsroom.fb.com/Key-Facts>. Lewis, Kent. "How Social Media Networks Facilitate Identity Theft and Fraud." Entrepreneurs' Organization. Entrepreneurs' Organization, 2012. Web. 11 Nov. 2012. <http://www.eonetwork.org/knowledgebase/specialfeatures/pages/social-medianetworks-facilitate-identity-theft-fraud.aspx>. Liebowitz, Matt. "Facebook Case Tests Identity Theft Laws." Msnbc.com. Msnbc Digital Network, 27 Oct. 2011. Web. 12 Nov. 2012. <http://www.msnbc.msn.com/id/45067276/ns/technology_and_science-security/>. Noda, Tom S. "Facebook Still a Hotbed of Identity Theft, Study Claims." PC World. IDG Consumer & SMB, 12 Dec. 2009. Web. 12 Nov. 2012. <http://www.pcworld.com/article/184522/facebook_still_a_hotbed_of_identity_theft_stu dy_claims.html>. Snow, Gordon M. "The FBI's Efforts to Combat Cyber Crime on Social Networking Sites." FBI. US Government, 28 July 2010. Web. 12 Nov. 2012.

14

<http://www.fbi.gov/news/testimony/the-fbi2019s-efforts-to-combat-cyber-crime-onsocial-networking-sites>. "Sophos Facebook ID Probe Shows 41% of Users Happy to Reveal All to Potential Identity Thieves." Sophos. Sophos Ltd., 14 Aug. 2007. Web. 12 Nov. 2012. <http://www.sophos.com/en-us/press-office/press-releases/2007/08/facebook.aspx>. Sullivan, Bob. "Facebook ID Theft Targets 'friends'" Red Tape Chronicles. NBCnews.com, 30 Jan. 2009. Web. 12 Nov. 2012. <http://redtape.nbcnews.com/_news/2009/01/30/6345792-facebook-id-theft-targetsfriends?lite>. Susman, Tina. "Facebook Identity Theft: Probation Deal for Woman Who Trashed Ex?" Los Angeles Times. Los Angeles Times, 20 Mar. 2012. Web. 12 Nov. 2012. <http://articles.latimes.com/2012/mar/20/nation/la-na-nn-fake-facebook-20120320>.

"Why Do Businesses Need Facebook?" Visualscope Studios. Visualscope LCC, n.d. Web. 13 Nov. 2012. <http://www.visualscope.com/facebook.html>.