Do You Have an Online Imposter?

It starts with a text message from a friend or family member.  Have you set up a new account on Facebook?  Or someone who is already a friend on your social networks asks why you are looking to “friend” them or connect with them again? You quickly check your account, everything seems normal, but you change your password anyway.  But you keep getting questions about some sort of “new” account.  Finally someone sends you the web address, or through searching yourself you find an online doppelganger, and impersonator with an account very similar to yours.

This is different from an account high-jacking attack, where someone gets your user name and password and actually takes over your account. This is more like cloning.  An online impostor  creates a new look-a-like profile for you on Facebook, Instagram, LinkedIn, Twitter or another popular social networks.  Usually the address will be the nearly the same, with the addition of a dash or underscore, so it looks authentic.The fake site will include your profile picture and other personal information that they harvested from your real site.

Why would someone do that?  Well, the usual reason is to make money, and sometimes these fake accounts are used to target your contacts with requests for money, or to promote the latest multi-level marketing scheme, CBD oil miracle cure or crypto-currency scam.  Sometimes these fake accounts are used for trolling, political shenanigans, cyber-bullying or revenge attacks.

What should you do if this happens to you?

  • Believe the reports – Often, when someone tells us about a problem like this we dismiss it.  After all, what does Uncle Albert or Aunt Edna know about the Internet?  Take a moment to run a small investigation to check if these reports are true.
  • Screen shots – Use the Microsoft Snipping Tool to take screen shots of the fake profile(s), and save them for your records.  You may want a copy for evidence.  Once you report these frauds to Facebook or Twitter’s security teams, these site will be gone, and it will be too late to make a copy.
  • Keep calm – Avoid investing in the problem emotionally.  After all, this is better than someone hijacking your actual account.
  • Tell everyone – Get on your social networks and let your friends, followers, and connections know that someone is impersonating you.  Now send the same warning to your email contacts.  Provide them with the account name and web address of the impostor site.
  • Forget the impostor – Resist the urge to contact the impostor.  What are you hoping for, an apology?  Your doppelganger may be in Europe, Russia, or China, so you are not likely to sue them.  And it is technically not illegal to create an impostor site.
  • Report the impostor – Contact the security or abuse teams at the social network in question.  Methods will vary by platform.  Have some of your friends report the impostor site as well.  Google for information if you need help.  Generally these sites are taken down in an hour or two.
  • Check other accounts – If you had an impostor on Instagram, you should check other social networks for impostors as well.  No telling how many fake accounts they might be creating.
  • Prune your list – How many times have you accepted someone’s friend or connection request out of politeness, without really knowing who they were?  Some of these strangers in friend’s clothing may be the source of your trouble.  Drop some of these strangers from your contacts.
  • Stay vigilant – If someone was interested in you for a specific reason, they may come back and do it again in a few weeks or a few days.  Again, it depends how important your persona is the their overall goal.

Taking care of impostors is relatively easy compared to other sorts of attacks and exploits, but it can be aggravating to have to put time into cleaning up after they create a mess. All of the social networks have tools in place to make it easy to report impostor accounts.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.