We recommend checking in with the person in question any time something feels off or suspicious. Do this face to face if possible, or make a quick voice or video call to verify whether an account really belongs to the person it purports to belong to. What’s crucial here is the idea of “trust but verify.” Getting paranoid can tear at our ability to support one another and effectively organize together. The tools we use are never going to be 100% secure, but at a certain point we do need to use them to communicate. Embrace scrutiny as a practice, but remember that you can always just check in to see what’s real.
Social Media Red Flags:
- Is it a new account? We’ve seen adversaries set up profiles that are fairly convincing at a quick glance, especially where work history or some projects have been publicly associated with the person being impersonated. “Liking” a smattering of local pages that look good at a glance is an easy tactic for them to use. Even adding friends who are more public and accept requests without thinking is a tactic that can make a new profile look less suspicious by fleshing it out with connections. Verify all new accounts before accepting any requests or corresponding with them.
- Is it a reactivated account or one you haven’t seen used much suddenly becoming more active? This tactic is one that we expect to continue and many of us are likely to have slightly weaker passwords on our social media accounts than on our emails, increasing the risk. Sudden visibility or out-of-the-blue messages through social media are both good signs that you should contact and verify.
- Are you just plain surprised that this person has a social media profile to begin with? Yeah, when your friend who has no internet presence whatsoever aside from that one mugshot makes an Instagram account, it’s worth double checking.
Email and Communication Red Flags:
- A lot of messaging red flags are the same ones that have been around forever for infiltrators, but they are good to keep in mind in this context as well. Know that if someone is in your friend’s email or messaging program (including Facebook Messenger), there is a good chance that they have access to personal and community information that can help them be extremely convincing.
- New accounts or reused old accounts are red flags here as well. Check in. Make sure it’s real before you answer.
- Watch out for sudden crises. In one particularly worrying case, a hacked email account reached out to a comrade with a simulated doxxing-related breakdown and sought intelligence by asking “verification” questions under the guise of needing reassurance before talking. It’s an insidious technique and one to be mindful of. Don’t let the practice of care and connection override a reasonable level of caution about any information requests. If someone needs verification from you, suggest doing it by speaking face to face or making a quick phone or video call to one another.
- Be wary of messages that over-share. Is there a lot of information that you already know included in the message? We don’t normally list reasons why we are who we say we are, and impersonators will sometimes overcompensate in trying to gain trust. This also applies to new people – if an account you don’t know messages you with terrible security practices or too much information, it might be an infiltrator or fake account, but it also might be a real person’s account that’s been hacked. We encourage the sharing of information about these messages, especially with folks who might know the person in question and be able to get in touch. Responsibly following up on confusing or suspicious activity can keep us safe from probing interlopers, as well as preventing someone whose accounts have been impersonated or compromised from being undeservedly badjacketed.
- Email information can be faked! When our contact information is known by adversaries, there are ways to get at us without having access to one of our email accounts. Some of the tactics to watch out for on the tech side:
  - Making an email address with a slight variation on an existing one and setting the same display name. This would look like getting an email from “Stompy Joe” <firstname.lastname@example.org> vs. from “Stompy Joe” <email@example.com>, and relies on us overlooking these small differences or not knowing the addresses to begin with.
  - Spoofing email addresses. This is actually remarkably easy to do for how much we trust them, and goes to show how insecure email ultimately is. Essentially, this is when an email claims to be from <firstname.lastname@example.org> when really it comes from <email@example.com>.
- Apply the same behavioral scrutiny you would if an account had been hacked: use caution and verify.
- One way to check on this is through something called “headers”. Every email includes a history of the servers it has passed through – essentially a stamp from every post office a letter stops at along the way. Different email clients and webmails show this differently (ideally there is a button to just “show headers”, but it might be called “security information” or “full email text”). Here is how to look at them, step by step:
  - You should see a giant, intimidating block of fairly inscrutable text like below:
  - Paste that text into a header analyzer. https://mxtoolbox.com/EmailHeaders.aspx is a fairly decent one, but there are many out there.
  - Your results will show you an easier-to-parse version of the information. Two good things to look out for are whether the originating server matches the one for the email’s domain – if the email says it’s a Gmail address, it should originally come from Google’s mail servers – and miscellaneous things like outdated email clients or servers, which will usually not be used at, say, your bank.
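The two checks above (a known display name on an unfamiliar address, and an originating server that does not fit the claimed sender) can be done on the raw headers without a web analyzer. The script below is an added example written for this page, not the page authors’ tooling or MxToolbox’s logic; the two messages it parses are constructed samples, and the `PROVIDER_HOSTS` table of which mail hosts a domain is expected to send from is an assumption you would fill in per provider.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture). The display name matches a known
# contact, but the address is a near-miss and the first relay is unrelated.
SUSPICIOUS_RAW = """Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.recipient.example (Postfix) with ESMTP id ABC123
    for <you@recipient.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from relay.unrelated.example ([203.0.113.9])
    by mail.example.net (Postfix) with SMTP id XYZ789;
    Mon, 01 Jan 2024 09:59:58 +0000
From: "Stompy Joe" <stompy.joe@example.com>
Reply-To: stompy.joe.help@example.net
To: you@recipient.example
Subject: need your help fast

Hey, can you confirm where the meeting is this week?
"""

# Constructed sample of a message from the real contact, sent via their provider.
LEGIT_RAW = """Received: from smtp-out.example.org (smtp-out.example.org [198.51.100.20])
    by mx.recipient.example (Postfix) with ESMTP id DEF456
    for <you@recipient.example>; Mon, 01 Jan 2024 11:00:00 +0000
From: "Stompy Joe" <stompy.joe@example.org>
To: you@recipient.example
Subject: this week

See you Thursday.
"""

# Your own address book: the addresses you already know for each contact.
KNOWN_CONTACTS = {"Stompy Joe": "stompy.joe@example.org"}

# Hosts a sender domain is expected to hand mail off from. Many providers send
# from a different domain than the address (mail from a gmail.com address
# originates at google.com hosts), so fill this in per provider. The entry
# below is an assumption made for the sample.
PROVIDER_HOSTS = {"example.com": ("example.com", "mail-provider.example")}

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def originating_host(msg):
    """Host named in the earliest Received header.

    Each relay prepends its own Received line, so the last one listed is the origin.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_FROM.match(str(received[-1]))
    return match.group(1).lower() if match else None


def analyze(raw, known_contacts=KNOWN_CONTACTS, provider_hosts=PROVIDER_HOSTS):
    """Sender details plus three boolean red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    sender_domain = addr.rpartition("@")[2]
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    origin = originating_host(msg)
    expected = provider_hosts.get(sender_domain, (sender_domain,))
    return {
        "from_name": name,
        "from_addr": addr,
        "origin_host": origin,
        # Display name is a contact you know, but the address is not the one on file.
        "lookalike_address": name in known_contacts
        and known_contacts[name].lower() != addr,
        # The first relay is not one the claimed sender's domain is expected to use.
        "origin_mismatch": origin is not None
        and not any(origin == h or origin.endswith("." + h) for h in expected),
        # Replies would silently go somewhere other than the visible sender.
        "reply_to_differs": bool(reply_to) and reply_to.lower() != addr,
    }


def red_flags(raw):
    """Names of the checks that fired, i.e. the reasons to pick up the phone."""
    return [key for key, value in analyze(raw).items() if value is True]


if __name__ == "__main__":
    print(red_flags(SUSPICIOUS_RAW))  # ['lookalike_address', 'origin_mismatch', 'reply_to_differs']
    print(red_flags(LEGIT_RAW))       # []
```

Any flag that fires is a reason to verify by voice or in person rather than by replying; a clean result only means these particular checks passed, since a legitimately compromised account passes all three.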
- One way to reduce the chance of replying to a spoofed email is to compose a new email to the known address you already have instead of simply replying. This has the added benefit of not accidentally storing a year’s worth of correspondence in one chain, where the quoted original text lingers long after it is needed.
- Both of the above tactics can be used for something called “phishing”. If you receive an unexpected link from your bank, your account, a friend, etc., it may be directing you to a page designed to steal your credentials, or to one with an embedded script designed to put a worm on your computer. Type links in directly, and if you get a notification about an account, go to the site you know and trust for that account instead of clicking the link.
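The reason to type links in yourself is that the text you see and the place a link actually goes are two different things. The following is an added example (not from the page or its authors) that pulls every link out of an HTML email body and flags the two cases described above: a visible address that points to a different host, and a destination that is not a host you know for the sender. The message body and the `TRUSTED_HOSTS` set are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML message body (not a real capture). The first
# link shows one address but points somewhere else; the third points at a host
# the sender has never used; the second is an ordinary link to the real site.
SAMPLE_HTML = """<p>Your account needs attention.</p>
<p><a href="http://login.bank.example.lookalike.example/reset">https://bank.example/login</a></p>
<p><a href="https://bank.example/help">Help center</a></p>
<p><a href="https://tracking.unrelated.example/x?id=1">Click here to verify</a></p>
"""

# Hosts you know and trust for this sender (assumption: fill in per sender).
TRUSTED_HOSTS = {"bank.example"}

# Rough test for "the visible text is itself a URL or a bare domain".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'bank.example/login' text gets a scheme added first."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (text, href, reason) for each link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        target = host_of(href)
        shown = host_of(text) if LOOKS_LIKE_URL.match(text) else None
        if shown and shown != target:
            flagged.append((text, href, "visible address and real destination differ"))
        elif not any(target == t or target.endswith("." + t) for t in trusted_hosts):
            flagged.append((text, href, "destination is not a host you know for this sender"))
    return flagged


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

The host comparison is deliberately strict: `login.bank.example.lookalike.example` contains the trusted name but is not under it, which is exactly the kind of difference the eye skips over in a mail client.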
Phone and Signal Concerns
- When information is being compromised, there can be a tendency to mass-change phone numbers. We encourage vigilance during those periods and updating information as rapidly as possible. It can be easy to become casual about new phone numbers when they are constantly shifting, and that opens us up to interacting with impersonators without knowing it. Verify with a call.