They’re everywhere. Every day thousands of fake accounts are being created for selling, fraud, disinformation and all sorts of scams. And each one of them may look and act differently. How to figure them out?
This is an issue not only for OSINT researchers. It affects everyday lives of all people.
Rash reposts may help in spreading fake information. An impulsive reply in a personal correspondence of a corporate account may assist social engineers in getting confidential data. A meeting with a supposed “potential” client from the Internet may destroy a business.
That’s why it is so important to check everything, to be careful and thorough with any open source information and contacts.
So whether you’re a new to OSINT or not, we’ve got a post to help you evaluate the authenticity of an account.
Let’s get started!
Each social network is different so you have to consider different characteristics to establish if an account is fake or not. It’s because each social network works in its own way and for its own purpose. You probably noticed that on Twitter, for example, people often repost, but on Instagram they rarely do it because there is no built-in repost feature offered.
The appearance of fake accounts may also depend on why they are created:
Type I. Accounts which are created automatically and which are used for automated interaction with this or that kind of content and which are intended for many repetitive actions. When bot-network owners create such accounts they don’t pay much attention to making them look authentic. Those accounts only correspond to those minimum parameters that are required to prevent them from being banned by social networks for a certain period of time.
Type II. Accounts, created and operated by an actual person, but its name, pictures and description are not true. Such accounts’ creators think of maintaining a certain level of authenticity, they choose some legend and try to follow it.
Both types of accounts, regardless of social network, have some things in common, which you have to pay attention to from the very beginning.
The following patterns often point to Type I accounts:
2. Names which cannot be Googled, places of work which do not exist, obvious inconsistencies in bio.
3. No ‘real’ activity. What do people usually do on the Internet? Would they post all day and all night without any breaks for sleep? Would they post on some definite schedule? Would they post only on a single topic? Probably not. These accounts do not have any communication with other users or they have but only with similar accounts. No comments or messages from Friends or Followers, no tags on pictures… Or if there are tags, then it’s only in advertising/popular posts. (It’s then worth considering if those advertising accounts are the real deal or a fake as well.) Only reposted content in the feed, only ads or messages not from Friends or Followers, or just unoriginal/incoherent content.
4. Excessive officiousness in spreading information (spam comments consisting of similar phrases and links)
5. No reply to direct messages or comments to the contents of such accounts. But let’s clarify right away that this involves some live interaction rather than passive collection of data. But if you try talking to a fake, you’ll quickly learn that it’s a fake.
6. An AI generated image as a user pic (you’ll learn how to tell them here) or a picture of a celebrity, an abstract image or stolen real pictures. To check just use Google, Yandex, or Tinyeye reverse image search.
7. Too many similar accounts as Followers/Friends.
Type II account features:
1. User pics taken from other accounts. These accounts, as a rule, are unpopular and in a different social network. It’s worth mentioning that to complicate the task of searching by image the creators of such accounts edit these stolen images — applying filters, changing angles and so on. So most common tools, offered by common search engines, won’t really help here. Instead, some fuzzy search tools for searching in big data arrays of images (and user pics) are required, as well as neural networks.
2. Made up names. So searching in open sources does not confirm the indicated bio data for these names (e.g.: searching for these names along with the listed school, place of work, address, etc. We highly recommend reading this article by @MWOSINT).
3. These fake account owners as a rule try to create authentic social surroundings by following real people. However such surroundings are often out of tune with the information indicated in bio — most of friends are not from the same school, they don’t work at the same company or in the same field, they don’t live in or are not in any way linked to the same region and so on. This can be detected with specialized software, which collects data and analyzes the statistics on social settings. Try Lampyre and see for yourself (also for more details read this article).
Profiles of this type should be analyzed most thoroughly as they are also used for social engineering and are designed to interact with a certain person or group of people.
Here are the faketivity patterns in different social networks:
- A big gap between the number of Followers and the number of Following (e.g. 100 Followers and 10k Following). If it’s not done automatically then it’s difficult to start following so many accounts all at once. Instagram does not have a direct reposting feature. You can repost to stories but it’s not like reposting in Twitter. So it complicates following new accounts.
- It might also be fake if the number of Followers and Following is roughly the same — more than 1000 each.
- Just a few posts in the account (less than 6), no comments or likes, no personal pictures. Even if there are not so many posts in some accounts, it’s worth taking a look at the comments — do they look live or not? Far too many likes to the first posts of an account also might indicate that it’s a fake.
- No Stories or Story Highlights, unoriginal content in the stories. Genuine accounts may stop posting to their feed and turn to posting via Stories — this often happens in real accounts but rather seldom among fake ones. It’s worth considering both the Stories’ and the feed’s contents.
- Many tags in advertising posts for prize winning and alike. It does not bother bots that they are tagged but real users usually remove this.
- Few common factors among the Followers — no members of the same family (when their last name matches), no employees of the same company, etc.
- No account tags in real users’ posts.
Moreover, there are some services for analyzing account activities. They’re mostly created for marketing purposes — for influencer qualities’ advertising assessment, but they may be used to confirm profile authenticity.
Fakelikes — it’s worth considering the difference between real and fake likes/comments. If the number of fakes is much bigger, then it’s +1 to the possibility that the profile is a fake. It’s free for the accounts under analysis with less than 500 Followers.
Hypeauditor — is a service, which audits accounts with more than 1000 followers.
For this social network, the number of Following and Followers may be thousands and there might be only unoriginal content in the feed. Here are those fake features, which are only relevant for Twitter:
- No replies to other people tweets (just take a look in the Tweets&replies section).
- Weird long nicknames, which don’t make any sense. Most users try coming up with shorter nicknames, which are easier to remember, or nicknames, corresponding to their profiles in other social networks.
- Long names in registration emails. When recovering a password by user name in Twitter you can take a look at the registered email template. It corresponds to the real length of the email. As a rule, real users choose shorter names for their emails. Bots, however, usually register with longer ones as this way it’s easier to create unique names.
- Too many likes to the posts. If we follow a real account, we’ll see that the number of likes grows along with the increase in its followers. But a too popular 1st post looks suspicious — probably the number of likes was tampered with.
Try these services:
Sparktoro — this one shows the percentage of fake followers and statistics on the number of fakes among other accounts with similar number of followers.
Followerwonk — this service analyzes many metrics but to evaluate the followers’ quality we recommend the Social Authority metric. If most of the followers belong the lightest blue zone (1 to 10), then most likely the account is fake.
Facebook & VK
We united these social networks here as they have similar methods. Apart from the common patterns, we suggest paying attention to:
- Too many friends.
- Too many liked accounts/groups.
- No captions to pictures or comments to these pictures from Friends.
- No common factors among Friends. They’re all from different towns, schools, etc. and there are no matches with the user under analysis. (more details in this article).
- Same bio information in another active account.
- ID consisting only of numbers (can be seen in the URL of the account), no nickname or an awkward long one, making no sense.
Only for Facebook:
- Long names used in registration emails. Like in Twitter, when you try restoring the password by nickname you get to see the outline of the registration email.
Only for VK:
- Too many deleted users in Friends. They’re marked with this icon:
The same may be applied when analyzing groups. The number of deleted users, which exceeds the threshold value (usually 20%), points to too many bots in the group. You can check the number of deleted users using this service.
It’s possible to see the ratio of online to offline users (green sign under the user pic). Too big a difference (more than 1/20) might signify that there are many bots in the group or among Friends.
- No picture of the account owner. Let’s remember that this social network is for people who are potential employees or just good specialists so the goal is to present themselves and their skills in the best possible way. So everybody knows that having a picture in your LinkedIn profile adds up to your credibility. So if there’s no picture, it’s a reason for doubt.
- Lack of established ‘Contacts’ or very few of them.
- No profiles with similar bio in other social networks. Usually LinkedIn is not the first network where people create accounts. So try looking for other accounts of this person in other social networks using common search tools.
- No feedback from other people or no certificates confirming the listed in the account skills.
- No subscription to public pages in the professional area of interest of the user.
- No match between the listed skills of the user and the mentioned area of professional expertise.
- No correlation between the places of work of the user and his positions there (random changes of career and companies).
- No match between the companies and positions taken in them (random change of activity field and place of work).
We’ve covered the most common characteristics of fake accounts and highlighted some patterns for several social networks.
But this should not limit you as an OSINT researcher. These patterns are just the basics, only a launching point for you to come up with your own ideas and research ways to verify available information.
For example, if you can’t Google an account’s name and it does not have a user pic, this does not immediately prove that the account is fake. If you go down this rabbit hole and continue researching the social surroundings, you might find out that this account is not really fake, but the user is just into Orwell’s “1984” novel and did all he could to be in character.
Beefing up on your analytical skills and boosting your OSINT experience is essential for learning to tell fake accounts from real ones right away, and for so much more! We hope you have found this post a helpful starting point or addition. Be sure to let us know!