by Lisa Norman
Let’s face it: the internet is full of killer robots out to make your life as difficult as possible. Scammers and crooks are constantly looking for ways to trick you into giving them money. And let’s not even talk about the nation-state-level hackers.
This is a digitally dangerous time.
I’ve had several clients come to me in a panic because some criminal had hacked their social media accounts. They were desperate to know what to do.
Here’s the twist: none of their accounts had been hacked.
They’d been cloned.
I gave an example of this when I talked about trolls in a previous post.
Cloning attacks are based on social engineering. If you are a friend or a follower of a specific account, you are more likely to do something that person asks you to do.
As authors, we are on social media in order to influence people and encourage people to buy our books or services. We’re building up our reputations as reliable sources of information. For example, if we say a book is good and that people should go out and read it, hopefully people will!
But what if you learn a new trick with NFTs (non-fungible tokens) or cryptocurrency? Everyone’s a little confused by those these days. If you step up and say that you know how these things work and you’ve made a ton of money, people are likely to be interested. They’ve learned to trust you. They’re likely to follow your advice. But what if the “you” isn’t you?
And here’s where the problem comes in. No one has to hack your account. They can copy your pictures and look at your public follower list. They can create a fake account, claiming to be you, and then they reach out to your fans and followers with a story about how your old account was hacked and this is your new account. Once they get a few people to become their friends, the damage can spread like ripples, the way everything spreads on the internet.
Before long, the scammer has your followers, and they can now encourage them to embrace a crypto scheme. Your followers lose money, and your reputation is damaged.
We can’t!
All we can do is react to it promptly and use the tools available to us to make it as hard as possible for them to clone our accounts.
One important step that you may take on some platforms is to have your account verified. You’ll notice a check mark next to some accounts on various platforms. These are accounts that have gone through an additional screening process to let the platform know they’re the real individual. By necessity, social media platforms don’t make it easy to become verified. Sometimes the process involves taking a picture with your driver’s license or other ID and submitting it through a secure form. Some processes even involve getting something in the mail.
Different platforms have different procedures. Once your followers on a platform begin to grow, consider becoming verified.
A friend messages you that someone has hacked your account.
How you respond to that first moment of panic is critical. Remember: all is not as it seems on the internet.
Your friend may not even BE your friend. It could be someone masquerading as your friend in order to get you to click a dangerous link.
Do not click on any links in emails or messages. Also, don’t do a search and click on the first link that comes up! Scammers, vile con artists and thieves that they are, absolutely can and do pay for ads to get their scam advice to the top result on search engines. If you need to search for advice, pay close attention to the URL you are visiting.
This is the moment that will determine how much damage is done. You must react quickly, and you must not panic. You must stay calm and focused, checking every link before you go anywhere.
Ask your friend directly (by phone, email, or in person) for details about the message. Where did it come from (Facebook, Twitter, etc.)?
Go directly to the platform (Facebook, TikTok, etc.) and look for the evidence your friend gave that you’d been hacked.
If your friend says, “I got a message on Facebook from you that didn’t sound like you,” look at the history of your recently sent messages. If you can’t find a record of your account sending that message, you haven’t been hacked: you’ve been cloned.
What if your history shows that the message was sent from your account, but it wasn’t you who sent it? Then someone else has been using your account: you’ve been hacked.
Now, you’re sure.
Cloning requires a different response.
Our profession makes us public figures. We need to protect our reputation in any way we can. You can’t prevent cloning; you can only respond well to it.
If you think someone has been hacked, take a moment to check before scaring them. If you discover a clone, report the clone to the social media platform if you can, then let your friend know what you experienced. Remember: it isn’t your friend’s fault if they were cloned. They need to know what is going on, but you don’t want them to feel blamed or threatened.
The most important step is the one that feels less instinctive: that moment of breathing.
Social engineering attacks thrive when you react based on gut instinct. They’ll trick you into even more danger, and if they can, they’ll steal your identity, your money, and your friends. They are greedy, and they are ruthless.
Take a minute and breathe.
Then react calmly and carefully.
Have you been cloned? Have you seen someone else get cloned? What do you think the goal of the attack was?
* * * * * *
Lisa Norman's passion has been writing since she could hold a pencil. While that is a cliché, she is unique in that her first novel was written on gum wrappers. As a young woman, she learned to program and discovered she has a talent for helping people and computers learn to work together and play nice. When she's not playing with her daughter, writing, or designing for the web, she can be found wandering the local beaches.
Lisa writes as Deleyna Marr and is the owner of Deleyna's Dynamic Designs, a web development company focused on helping writers, and Heart Ally Books, an indie publishing firm. She teaches for Lawson Writer's Academy.
Copyright © 2024 Writers In The Storm - All Rights Reserved
A most important post. Thank you for this. And I didn't know about verifying your account. I'll definitely do this ASAP.
I'm glad it was helpful! I didn't go into the variety of rules and stages of verification by platform because they are varied and ever-changing. Definitely worth looking into since as authors we are often crossing into that realm of being "media personalities" and that makes us targets.
Hey Lisa, It is Jean Ross here in Australia - I did your Evernote course through the Margie Lawson Academy. It was great to read your post. I was hacked - my fault a "friend" sent a text message asking me to click onto it to get her back into Instagram - and I did!!! jeaniegreenauthor was turned into jeaniegreenauthor___144 - I reported it and weeks later Instagram located the hacker, changed the phone number back to mine and the same day the hacker changed the address to jeaniegreenauthor___.... "Aaaaarrrrggghhhh" I am back at square one. I have had so many people DM me offering to reinstate my account for a small fee - all of which I have refused. I have now double authenticated my new Instagram account, I am starting again on jeaniegreenauthor1. SOOOOOOOO annoying and soul destroying.
But - as my daughter keeps telling me - First World Problems!
Hi, Jean! So sorry that you have experienced that! The key point you shared is how you were trapped - by a friend... who wasn't really the person they appeared to be. And you are so wise not to invest in the scammers offering help. Hard to say they aren't the same people! This is a cycle and you're working hard to protect yourself in future. Thanks for sharing your story because that can help others see how this happens and avoid repeating what was a very easy mistake to make!
A frightening but important warning, Lisa. Thank you.
Thanks for reading, Karen!
I didn't know about verifying my account either...I'm going to check into that. I've been careful and so far I've avoided that particular issue. Thanks, Lisa, for the scary but necessary information.
Thanks, Lynette. My hope is not to be scary but to help ease some fears I've seen. While many hackings are real, some are fake and don't need to be as terrifying as they initially seem.
Thank you for this information. So far I've been lucky. However, I don't understand what it means to have a platform verified. It seems risky to send a photo of yourself holding a driver's license. How does one know the request is legitimate?
Excellent question, Lori. You know it is legitimate because you are going to the platform directly, not through a search, and following established process. They aren't initiating it, you are. You are paying attention to where you are. And, fwiw, I also hate these photo requests. Often they have an option to be verified via postal service. If you initiate this before you have a problem, you'll have time for the slow path.
Great post, Lisa. I can't begin to tell you how many times I've had to explain to friends and family the difference between cloning and hacking. From now on, I'm just going to send them a link to this post. Of course, they should never click a link in an email, so if I've trained them right they might not click it... 😉
That's it exactly! We need to teach folks to type in addresses and pay attention to those addresses. It gets complicated when some browsers hide the address by default. And the prevalence of hacking/cloning confusion is the reason I wrote this. Much easier to send people to the article than keep repeating it over... and over... and over... Thanks for sharing the post!
Great information, Lisa!
You have a thorough to do list.
I thought I'd been hacked, but it was a cloning.
I went in and changed some privacy settings. I'd already changed my password, but I needed to have a more complex one anyway, so there's that.
Several years back I had my identity stolen. That was a hot mess.
Identity theft is a nightmare. Hence Lori's question about having a picture with private information even in existence being a concern. She's right. And do we trust these platforms to protect and destroy the picture as soon as it is verified (as they say they will do). Cloning plays on the terror of identity theft to try and trigger a dangerous reaction.
Cloning is also known as spoofing. I've been spoofed several times on Instagram.
I was hacked once on Facebook on my personal account. That one was a pain because the hacker was allegedly working from Japan. It was back and forth with the passwords changing, but eventually I got in with a better password and then changed all of my privacy settings. I've also been spoofed there, once. Or someone said I was, but they didn't give me the URL so I could report. I couldn't find it to report.
Another great way to help prevent both is two-factor login. It's a pain, but it makes it harder.
denise
Instagram did work quickly to take down the spoofs when I reported. It helps I have over 5k followers.
I do regularly report spoofs of friends and other accounts I follow.
Instagram won't verify until you have at least 10k followers, and then you have to jump through a few hoops if you're not using a paid account.
Denise - you're right, and I considered using the term spoofing in this article, but decided against it as that often involves email and domain names and all sorts of more complicated concepts than what these fakes are doing. These are very easy for them to generate and don't require much effort on their part at all. Since they never actually access your account, 2 factor authentication won't help - but it is DEFINITELY always a good idea. You're a good friend for reporting those.
I know what you mean about them disappearing. Usually that's a good thing: someone reported them and they got banned. But they can be back in a heartbeat, especially if they're using a bot to generate the attack.
BTW - there's something dark magic related to the 10k mark on Instagram. It isn't just that you can verify at that stage, it's that there are bots that start generating massive attacks at that stage. I'd heard it, but now I've actually seen it happen to a few people. One client I know fell into a very clever social engineering scheme that triggered once he hit 10k followers. Being very very cautious about people who reach out to you on Instagram is IMPORTANT.
Of course this makes life complicated for those of us who use social media for marketing. You have to assume - and hope - that people you are reaching out to will expect you to be a scammer, so you need to outweigh that impression. And THAT can be hard... and gets harder every day.
I assume they're all scammers when they reach out. And I check before replying, if I actually reply.
That's it exactly, Denise. You're a pro!
I love how concisely you lay all this out. This is seriously great info, especially for writers. And do you know, I have never even tried to verify any of my social accounts? I guess I thought you had to have tens of thousands of followers. Even on Twitter, I don't think I have more than 7K, so I just never bothered.
Different platforms have different rules, so it is hard to say when you need the process, but once you start collecting clones, you're probably there!