Most regular web users will be all too familiar with the concept of phishing, whereby an authentic looking communication is sent in the hope that it will encourage the recipient to reveal enough information to allow the criminal to steal from them.

Such tactics are increasingly being used in the social media world too.  A few years back for instance, it emerged that terrorists were creating fake social media profiles to befriend Australian soldiers in the hope that it would enable them to find out information about the soldiers whereabouts.

A new study highlights the extent of such practices.  The practice of creating fake social media profiles is known as ‘farcing’, and the paper suggests that it is rising in popularity amongst crooks.

“Farcing takes place on popular social media platforms like Facebook, Twitter, LinkedIn, and Google Plus, and has been used for online bullying, identity theft, organizational espionage, child pornography, and even burglary,” says Arun Vishwanath, an associate professor of communication at the University at Buffalo.

It is perhaps not that surprising given the wealth of information we typically share online, both in our profiles themselves and in any updates we make to them.  There would certainly seem to be more than enough information for a criminal to steal your identity or break into things you may previously have thought of as secure.  When the criminal then multiplies this amongst your social network, the practice can be very lucrative indeed.

“This is how the Hollywood ‘bling ring’ operated,” Vishwanath says. “The scammers used information freely provided through social media profiles, updates, and tweets to locate addresses of celebrities, find out if they were home, and rob them.

“Another farcing case, which was attributed to espionage by the Chinese government, tricked senior military officials from the UK and US into becoming Facebook friends with a fictional US Navy admiral,” he says. “The phishers then collected a good deal of information about the officials from their profile pages and posts.”

Vishwanath and his team set up a farcing based simulation to explore just how this can be done.  They established four fake profiles on Facebook.  One of the profiles had neither a photo or friends.  A second had a photo but no friends.  The third came with 10 friends but no photo, whilst the final profile contained both a photo and some friends.  All of the profiles were male, with average looking photos used.

150 real Facebook users were then recruited and sent a friend request by one of the fake accounts.  Alarmingly, some 20% of people would accept the fake profiles advances.  Whilst this was bad enough in itself, the crooks then took things up a notch by actively seeking out information from their new ‘friend’ via the messaging platform on Facebook.

Of the 30 or so people that accepted the friend request, a further 13% responded positively to his request for further information, with another 41% still considering the request.

“We found that many victims of the stage 1 attack says they relied primarily on the profile and/or photo of the requester as cues and then made snap judgments in ‘friending’ him,” the study says, “while in stage 2, victims says they were influenced by the phisher’s long list of contacts. So a fake person with a fake photo and a fake contact list can be handed a lot of data without expending much energy.