In this article I want to share my experiences and research on social media companies and what I have found. I’ve been managing social media accounts for individuals and businesses as well as buying advertising for over 10 years (which is a long time in social media years). In that time I’ve seen glacial-sized change in very short time spans. These changes include how criminals are conducting business, how the social media companies have (and have not) reacted to these crimes, and how the companies have played with privacy and security to their own benefit and not those of the users.
2024 JAN 20: Added article link about Meta seemingly falling short of effectively tackling fake Instagram profiles even when there are sufficient signs to indicate that a profile is misusing someone else’s photos and identity.
Social Media as a Target
Within large groups of people there is always the risk of crime. This is as true in festivals, events and gatherings as it is online. The difference is that when you attend an event, you have control over your possessions. You can move your wallet to a front pocket. You can buy a slash-resistant handbag, or just choose to not take valuables to that event.
Online is a different story. When you are on social media, a great deal of your valuables are accessible through systems which you don’t have direct control over. This is the primary reason we see so much criminal activity online.
Social media users are under attack by several groups.
- Impostors who target users with large friend counts and send malicious links or requests for money.
- Political opportunists who target people who feel marginalized and welcome common cause. In fact they have no beliefs and only seek to spread malicious links.
- Scammers who weaponize viral messaging, apps, or quizzes to collect personal information and hack social media accounts.
- Fraudsters who conduct romance scams to convince the victim to send money or gifts.
- Con artists who convince people to invest in fake investment opportunities.
- Advertisers who use images and messaging that appear to be from legitimate companies.
- Identity thieves who use social media to research victims and learn interests and vulnerabilities.
Users are Products, and Products can be Victimized
In 2013 Adam Mclane made a pretty stunning observation: “In Social Media You Are the Product” It’s important to know, as a user on a community, what your value to the platform is.
At it’s heart, social media companies are here to make money. They make money from content that the users create, share, and promote. Adam’s revelation was obvious if you took a moment to think about it. It does take a little more consideration to understand exactly what that means.
The user has to interact on the platform, and that means it is designed to do just that. It encourages you to create and share. It encourages you to make new connections, and deepen them with creating and sharing. They also want to make accessibility easy, which means taking shortcuts on security.
These designs often lead to users being more vulnerable to fraud and identity theft.
Social media is regarded as a friendly place, with friends and family connections. This can make users more open to what trusted friends may say and do on the platform. The longer people stay on the platform, the more comfortable they feel. Thanks to additional features like games, memories, groups, and marketplaces, people have plenty of reason to stay online.
Default security settings upon account creation allow too much personal information exposure. Right from the start, on a new and complex platform you might not fully understand, you are made vulnerable.
Criminals have the same access to advertising tools as marketers do. They can buy advertising ads to appear on victim’s feeds. This means that their ads are being seen by people who are more likely to click on them and fall victim to scams.
What Social Media Isn’t Doing
Social media policing effectiveness has declined significantly. If you see something wrong you should report it, right? In the beginning, the companies relied on real moderators to evaluate reports and make decisions which was pretty effective at first. One example of a reported offense I’d point to is the impersonation scam.
- Impersonation scams have been common for many years
- Creating an account required little proof of identification.
- The criminal creates an account, copies the victim’s profile picture, and starts sending friend requests to the friends the victim has. Then they start sending malicious links.
- Incidents grew when Facebook split Messenger off. You didn’t have to have a Facebook account to be on Messenger.
- It was common for victims to believe their password was compromised because the criminal copied a lot of the victim’s profile.
- Initially Facebook had a specific reporting tool which was only 2 clicks to report an impersonation scam. They were clear cut issues and dealt with quickly
- Today, reporting has many more steps and the language to report it isn’t clear and you’re not sure what you’re agreeing to, which reduces the likelihood reports will be made.
- Spam and fake account reports go largely ignored. Almost all fake account reports are denied under the terms: “the profile doesn’t go against our Community Standards.”
- The time from report to response is typically less than 90 seconds. It is clear that reports are handled by automation – but there is no appeal process. In fact, the results include a “See options” button which only offers “delete this message from your Support Inbox”.
- Meta seems to be falling short of effectively tackling fake Instagram profiles even when there are sufficient signs to indicate that a profile is misusing someone else’s photos and identity. – BleepingComputer
Why wouldn’t social media companies do more about this seemingly easy issue to deal with? If there are two profiles with the same name and the same profile picture; surely this is fraud, right?
Social media companies have an interest in ensuring users trust them. While on the one hand they make changes to security which should better protect the users, they also compromise the privacy of the data and access to user information. It is harder to report because fewer reports implies a safer platform, when the opposite is actually true.
As a side note, small business owners who have Facebook pages are even more restricted in what they can report. Criminals often post positive reviews, but include a link in the review to a malicious site or another scam. Criminals know reports on reviews are largely ignored by Facebook and remain on the page as long as the business wishes to have reviews posted. The only solution is to turn off reviews – denying an important method to market themselves.
Who are the victims?
The users are victims of the crime of fraud. These crimes include romance scams, extortion, impersonation, and identity theft. They can lose money, personal information, and even their sense of security.
Small businesses. They can be targeted by criminals who use social media to post fake reviews or to solicit payments for goods or services that are never delivered.
Nonprofits. They can be targeted by criminals who solicit donations for fake causes.
It may seem like a silly question but there are beneficiaries of all this crime, and the social media company choosing to look the other way. We must know the motivations.
The criminals themselves. They are able to operate with impunity, knowing that social media companies are unlikely to take action against them. This allows them to continue to steal money and personal information from unsuspecting victims.
The companies that advertise on social media. Where better to advertise protection or recovery from fraud than on the platform it occurs? While not companies, the criminals also benefit here as they have ready access to all kinds of potential victims. They can use social media analytics and personally shared advertising information to precisely target fraudulent messages.
The social media companies themselves. They benefit from the increased engagement that fraud and theft generate. This is because people are more likely to interact with posts that are about scams or fraud. This increased engagement can lead to more ad revenue for social media companies. Impostors and fake accounts also benefit the social media companies as they are included in the counts reported to shareholders. They are also included in the advertising purchase process as potential reach.
What social media needs to do!
Make greater investments in technology and moderation teams that can detect and remove scam posts.
Enhance the reporting system and make it more transparent. Reward those who report problems by actually saying what was done. If the report didn’t have merit, actually explain why and offer an appeal process. Hiring more staff to investigate reports of fraud, and those appeals. There needs to be more accountability by the social media company.
Social media companies must work on transparency about what’s happening on their platforms. They must start working with law enforcement to prosecute fraud rather than sweep it under the rug.
The new user process should include required education on what security & privacy settings do and the consequences of the choices made. Enhanced security with 2 factor authentication should be required. New accounts should be largely locked down from sharing any information at all. Education should continue, with regular lessons in the news feed about the risks of fraud and how to protect themselves. That can go a long way to reduce the likelihood they become victims.
I shared a great deal of information about the risks posed by social media, the criminals, the victims and the role social media companies themselves play.
It is some dark messaging and doesn’t provide a lot of hope that mega-corps who are earning billions of dollars might have any interest in the safety of the users.
There is some hope in terms of new social media platforms recently growing out of the threats and instability these companies have been experiencing. These new platforms aren’t run by companies but individuals. They find strength in a decentralized network of small servers. Those servers, when connected together can have all the capacity and ability to create and share as the big platforms do. They can do that without advertising, curated feeds, and exposing private information.
The platforms are based in what is called the Fediverse (federated universe of social networking services) and while very new they have a lot of promise to remove the commercialism out of how people can interact with one another online.
I plan to do an article on the Fediverse, and perhaps a video showing how it works and what the potential is.
Thanks for reading!
PS: I did pick on Facebook quite a bit but the fact is all the big corporate social media companies are all using many of the same policies and tactics. Twitter (X), Facebook, Instagram, Reddit, and many others as you can imagine. I would recommend reading back on the story from the Facebook whistle blower Frances Haugen’s testimony to the U.S. Congress here: https://www.npr.org/2021/10/05/1043377310/facebook-whistleblower-frances-haugen-congress