The whole thing veers perilously close to the kind of “if it’s too good to be true” territory your mother warned you about, but Publishers Clearing House is a legitimate marketing company that’s been around for decades. Unfortunately — because it does sound a lot like getting something for nothing — scammers often leverage the familiar sweepstakes’ name recognition to relieve you of your own money.
PCH started in the Long Island basement of Harold and LuEsther Mertz in 1953. In those days, magazine subscriptions were sold door-to-door, and Harold managed a few of those sales teams. He recognized that it was inefficient, and hit on the idea of using direct mail to cover the territory more efficiently.
It was an immediate success, and Harold used his massive sales volume to negotiate ever-bigger commissions from the publishers, who in turn benefited from renewals and the ad sales that came from increased circulation. The company diversified into general merchandise beginning in the 1980s, and now generates much of its revenue from its websites, online advertising and a variety of games and apps.
The iconic sweepstakes started in 1967 as a way to drive sales, and quickly became a mainstay of the company’s marketing. The path hasn’t always been smooth — the company has been accused of misleading marketing, and paid numerous settlements as a consequence — but the sweepstakes and the company are legitimate. You can enter the sweepstakes in many, many ways, prizes are awarded as advertised (if you read the very fine print) and ordinary people do indeed find the Prize Patrol arriving at their door to surprise them with an oversize check.
The problem, of course, is that wherever there’s a well-known prize — like Cash App’s Friday giveaways on social media — scammers will swoop in like vultures to profit from its familiarity. In fact, there are several common versions of the Publishers Clearing House scam.
These include:
They look impressive, and they’ve got a good copy of the PCH logo. You’ve won one of the grand prizes, is the message, and the only catch is that you’ll need to send them a modest amount to cover fees or taxes on your prize. Usually they’ll request payment in the form of a transfer from Western Union or Moneygram, or on gift cards, which means it’s virtually impossible to get your money back afterwards.
Sending real mail is relatively costly, so many scammers rely on email instead. This can take a couple of directions, once you open the bogus notification. One ploy is the same: you’ll need to pay them in order to cover fees or taxes on your prize. A second is a straight-up phishing attack, providing a link to click (or a number to call), where you’ll be prompted to divulge a lot of personal information on the pretext of direct-depositing the winnings into your bank account. Pro tip: You can run a reverse email search to learn more about suspicious email senders.
Phone scams are common because they’re cost-effective for criminals, so of course there’s a phone-based variation on the PCH scam. The format is the same: the caller tells you you’ve won, and will cheerfully walk you through the prize-claiming process, which of course involves giving them money or your personal information.
This is basically the same as the email scam, except you receive the bogus prize notification through text messaging rather than your inbox.
FIND OUT WHO’S REALLY TEXTING YOU WITH A REVERSE PHONE LOOKUP
Yet another variation on the theme involves direct messages and friend requests on social media from scammers claiming to be PCH, or one or another of the high-profile PCH employees who make up the Prize Patrol. If you respond, they’ll again hit you up for either money or personal information.
Another variation on the mail scam cuts to the chase and sends you a fake check, along with instructions that after it’s deposited — say it with me now — you’ll need to send them some money to cover fees or taxes on your prize. Of course the check will eventually bounce, and you’ll be out any money you’ve sent (plus a chargeback from your bank for the bad check, which will add insult to injury).
If you’ve read the previous few paragraphs, it’s not hard to spot the recurring theme that distinguishes all of these scams. When you win a prize, the money should flow in only one direction — into, not out of, your pocket.
If you have any doubts about what PCH does or doesn’t do when reaching out to its winners, your best bet is simply to look at the company’s own Fraud Protection page. First and foremost, the real Publishers Clearing House will never, ever, under any circumstances, ask you to pay. Period.
A few other things they don’t do:
There are a few potential gray areas, because the real PCH does send email notifications if you’ve entered any of their online giveaways, and winners of the smaller prizes will often be notified by registered mail or courier. You’ll know the legitimate ones because they don’t ask for money or personal information, and — an important point — you won’t receive one unless you’ve actually entered a sweepstakes.
If you receive one of these scam calls, texts, mails or emails, there are a few things you should do. First, of course, just don’t engage. Hang up the phone, don’t deposit the check, don’t reply to the friend request and above all don’t click on any links.
Next, you should report the scam at the FTC’s ReportFraud website. This helps the FTC and law-enforcement agencies track how the scam evolves and where it’s actively exploited. Also, if you’ve fallen victim to the scam, it will help you create a recovery plan to minimize the damage.
Publishers Clearing House itself would love for you to file a report if you’ve been approached by a scammer. It’s very much in their interest to draw a clear distinction between the real PCH sweepstakes and impostors, and they’ll frequently circulate information about new scams through their sites and social media feeds.
It doesn’t take long, and you’ll have the satisfaction of knowing you may have helped others dodge a costly life lesson.
The advent of chip cards was intended to provide a hedge against skimming and similar threats. It has worked well, by and large, but criminals can now do an end run around your card’s chip-driven security features through a newer technique called “shimming.” It’s not as obvious as skimming, so it’s harder to know if you’ve been victimized. Here’s what you need to know about it.
Skimming was always a relatively clumsy operation. Disassembling an ATM or payment terminal to install a bogus reader is seldom an option, so they were designed to install over the existing, legitimate card readers. That meant there were typically telltale signs you could watch for, such as a bad color match with the rest of the machine or fit-and-finish issues.
To get the PIN as well as the card number, scammers required a little extra ingenuity. In retail settings they could simply “shoulder surf” and try to catch your PIN visually, by eye or with their phone camera. At ATMs and unattended settings, they could install a pinhole camera to record your hand movements, or even a bogus PIN pad that would directly record the buttons you pushed.
Chip cards made those attacks largely obsolete, because inserting your chip card in a retail terminal bypasses the swipe reader entirely, and ATMs won’t read the strip if a chip is detected. Unfortunately, crime rings can afford to fund a lot of illicit research and development, and they found a way around some of the chip’s protections. Instead of a bulky reader, they insert a tiny circuit board — a shim — into a chip-card reader, where it’s largely undetectable. When you insert your card, it can read the information from your chip.
The good news is that even a successful shimming attack can’t make a duplicate of your chip card. The chip was designed with built-in security features that prevent it from being duplicated. The bad news is that the chip contains all of the information that’s encoded in your magnetic strip, and that can be duplicated.
So while scammers aren’t able to make a perfect copy of your credit card, they can make a “good enough” copy. It’ll work in any ATM or debit terminal that still has swiping as an option, and of course it’s just as good as your original card for online shopping.
The bottom line? Scammers can still max out your credit in a hurry if you use your card in the wrong machine.
Spotting the shim is just about impossible, because it’s a tiny, wafer-thin board that’s inserted directly into the machine’s card slot. The only tangible way to know it’s there is that your card may stick a bit when you’re trying to insert it. That’s actually how one of the first shims was detected in the wild: a Canadian retailer testing its point-of-sale terminals noticed that cards weren’t inserting smoothly in one of them, and found shims when the terminal was disassembled.
Most banks and retailers won’t be very sympathetic if you ask to tear down their machines, so you’ll need to rely on other methods to protect yourself. Before you use a payment terminal or ATM, take a moment to look around and check for signs of cameras, a PIN-pad overlay or a potential shoulder surfer loitering nonchalantly in the vicinity. If you do feel an unusual degree of friction when you insert your card, don’t take chances: use another machine instead.
The machines most likely to be tampered with are those that aren’t monitored and aren’t in an employee’s line of sight (the back pumps at a gas station, for example), so avoid those if you can. Retailers can take some steps to make shimming more difficult, but often if a shimmer is detected it’s because a vigilant customer reported spotting something dodgy.
It’s always good to be vigilant when you’re using your card — especially in an unfamiliar place — but the harsh reality is that shims are really, really hard to spot. If you’re ever the victim of a shimming attack, you probably won’t know it until your credit card’s evil twin is up and running.
So, bad news: your first warning will often come when you have a purchase declined because you’re already at your limit. Alternatively, you may recognize that something’s amiss when you look at your monthly statements or check your accounts online and find a number of purchases you didn’t make.
Sometimes, to their credit (no pun intended), it will be your bank or credit card provider that sounds the alarm. Those institutions are ultimately on the hook for any losses due to fraud, and they have suitably robust algorithms to detect unusual use on an account. That might be an uncharacteristic buying pattern, or a rash of purchases outside your normal geographic area. Either way, if you get an alert from your provider, take it seriously.
Your first few steps will be the same no matter how your card has been compromised. First, reach out to the card provider’s fraud department and alert them — if they weren’t the ones to alert you — that there’s fraudulent activity on your card (don’t delay; it’s a lot harder to dispute charges after 60 days). Next, contact Experian, TransUnion and Equifax to place a fraud alert or credit freeze on your account at each of those credit-reporting agencies.
After that, you’ll need to report your loss to the pertinent authorities. Start with the FTC’s IdentityTheft.gov website, which will walk you through the creation of a useful step-by-step checklist designed to minimize the damage and speed your recovery. You should also report your case to the FBI’s Internet Crime Complaint Center (IC3) and potentially to local law enforcement, if you haven’t been traveling and suspect that the criminals were operating locally.
If you have reason to believe your card’s data was stolen through shimming, you should also give a heads-up to the retailer or institution where you think the attack took place. This is easiest to spot if it’s a card you seldom use, because it narrows down the list of potential shimming sites pretty drastically. Whatever the circumstances, be specific: lay out in detail the date and time of the suspected incident, and which machine you used. It’s just possible that security footage from the site might have captured the shimmer in action.
After you’ve viewed your statements and learned where the cloned card was used, it’s often worth reaching out to those merchants. If the transactions were conducted in person, there’s a chance the criminals may have been caught on camera or have left behind a clue that could lead to identifying them. A few years ago, for example, the wife of one fraud victim used Spokeo to track down the criminal through a phone number he’d used, and forwarded his identity to the police.
In the case of online purchases, the merchants may be able to provide useful information such as a delivery address, an email address or phone number that was used by the purchaser, or the IP address where the order originated. None of these is necessarily conclusive in its own right (many can be faked), but taken together they can help tighten the net around a suspect.
It’s not that police forces can’t or won’t run down this kind of information themselves, but a bit of (legal) citizen sleuthing on your part can help grease the wheels. Police have lots of cases to juggle and prioritize, but you’re interested in just one. If you can use Spokeo’s search tools to track down a phone number or an email address, that saves them the corresponding investment in time and effort.
Proverbially, an ounce of prevention beats a pound of cure. That’s definitely the case with shimming and skimming. The best way to avoid both is also the simplest: if tapping is an available option, using your card or a payment app on your phone, do it. A card that’s never inserted can’t be duplicated.
Otherwise, your best defense is your own vigilance. That includes physically checking the machine where you plan to use your card, as detailed earlier, and making a conscious choice to pick the safest locations: in a bank or store rather than outdoors or in a vestibule, and whenever possible in a place where either security cameras or staffers can keep eyes on their machines. Conceal the PIN pad with your other hand as you enter your PIN, in case there’s a camera watching.
Finally, be proactive and check your statements (and online accounts) diligently. The earlier you can catch a potential scammer, the less scope they have to cause you trouble.
You don’t often need the physical card; just knowing your SSN is enough for most purposes. That doesn’t mean the card itself is meaningless, though. If yours is lost or stolen, the repercussions can range from mild inconvenience to a lengthy (and costly) nightmare of identity theft. Here’s a quick look at what to do if you lose your Social Security card, and what the consequences might be.
Most of the time you’ll be able to get by with simply knowing your SSN, but occasionally you’ll need to physically show the card (if you’re starting a new job, for example). That’s only a minor inconvenience, because replacing the physical card is not a terribly arduous process. If this was all you had to fear from losing your card, it wouldn’t be a very big deal.
Unfortunately, that’s not the case. A valid SSN card is pure gold to an identity thief, because it has come to be such an important piece of identification. Criminals could sell your SSN card to someone who’s not legally entitled to work, or use it themselves to get credit or file a tax refund in your name, or incorporate it into a hard-to-detect “synthetic” identity. The potential for trouble is limited only by the criminals’ imagination and resources, which should leave you very worried indeed.
So what should you do?
GET SOCIAL SECURITY NUMBER MONITORING WITH SPOKEO PROTECT
There are a number of things you’ll need to do if your Social Security card goes missing. The first is to report it to the Social Security Administration and to begin the process of replacing your card. You’re entitled to three replacements in the course of a year, and 10 in your lifetime.
In most states, you can order your replacement online by setting up a my Social Security account online. You’ll need to have a state-issued driver’s license or equivalent state-issued ID, and you can’t be a minor. You also can’t make any changes to your card, such as a name change. At the time of writing, only residents of six states — Alaska, Minnesota, Nevada, New Hampshire, Oklahoma and West Virginia — and the overseas U.S. territories can’t apply this way. If you live in one of those places, you’ll need to download and complete a paper application, then go to your nearest SSA office with that and your physical ID.
After you’ve taken this first step, prudence suggests that you should also be proactive about reducing the risks of identity theft.
Your missing card may eventually turn up somewhere, but it’s safest to assume that it’s out “in the wild” and will eventually fall into the wrong hands. It’s probably the single most useful piece of ID a scammer could find or buy, so there are a number of additional things you should do to limit the risks (and impact!) of potential identity theft. These include the following.
You’re entitled to a free one every year from each of the “Big Three” reporting agencies (Equifax, Experian and TransUnion), so if you take them in turn that’s a free one every four months. If you spot any irregularities (new applications you didn’t make, overdue payments you’re not aware of), it’s worth paying to get them more often.
Placing a fraud alert and/or a credit freeze on your file with each of the Big Three means potential creditors can’t pull a report, and therefore identity thieves are less likely to get credit in your name. The downside is that you’ll need to have it temporarily lifted if you need to apply for credit yourself.
Check your bank and credit accounts periodically online, and scrutinize your statements every month. If you see unexplained purchases, new accounts being opened or any other activity you didn’t initiate, that’s a red flag and you’ll need to follow up with your institution.
If you notice signs that identity thieves have your information, report it immediately to your financial institution, the credit reporting agencies and to law enforcement. It’s also a good idea to open a file at the FTC’s IdentityTheft.gov website. As part of the process, you’ll be guided through creating a personalized recovery plan laying out steps you should take to minimize the damage to your reputation and finances.
For added peace of mind — and tireless eyes to see the things you miss — consider using an identity protection service like Spokeo Protect. Spokeo’s service actively monitors the dark web, where criminals traffic in personal data like SSNs. If your information is offered up for sale, we can give you a heads-up, so you can take preemptive counter-measures before your good name is actively compromised.
If your identity has been seriously compromised — or if you’re concerned that it could be — there are a few stronger measures you can take to protect yourself. These involve some inconvenience at a minimum, and can potentially complicate your life, but they’re worth knowing and considering.
There are several steps you can take to tighten security around your SSN. One is setting up two-factor authorization, which means you’ll need to receive a verification code by text or email whenever you log in. You can also choose “Add Extra Security” in your my Social Security account settings, which will require you to enter additional information (from your credit card number, your W-2 or your 1040 Schedule SE if you’re self-employed). You can also Block Electronic Access, which thwarts automatic access to your SSN by phone or computer. You’ll need to suspend the block when you apply for credit or a new job, but a scammer can’t do that.
There’s one further step you can take, which is locking your SSN. To do that, you’ll need to create and log in to a myE-Verify account, then provide and “lock” your SSN. Once it’s locked, no one can use your SSN to get work with an E-Verify employer, which in turn means you’re less likely to have identity theft mess with your taxes. Again, you’ll need to unlock your SSN if you apply for a new job.
Identity thieves can really complicate your life by filing bogus tax returns with the IRS, claiming your deductions, or simply working under your SSN (which creates income that you won’t report, because you don’t know about it). Setting up an Identity Protection PIN with the IRS means nobody can file under your name, and with your SSN, unless they have that six-digit PIN. It slows your refund slightly, and you’ll have to keep track of a new PIN every year, but it can block a lot of nefarious activity.
This is the “nuclear option,” and it’s not a step to take lightly. You absolutely are entitled to request a new SSN if you have solid proof that identity thieves are actively exploiting your existing SSN. It’s not necessarily going to give you a clean start, though: A lot of businesses and government agencies will still have your information attached to the old number, so there are still gray areas scammers can exploit. The only way it’s a completely “clean slate” is actually a negative: Your credit history will still be attached to the old SSN, and you’ll often have to re-establish your creditworthiness from scratch.
There’s always a possibility that your original card might still turn up, perhaps down behind your nightstand or stuck to the back of the library card in your wallet. Realistically, though, it’s probably gone forever and this increased level of vigilance represents your “new normal.”
The good news is that it’s probably also the “smart normal,” whether or not you currently see signs of active identity theft. There’s a surprising amount of your information out there (search yourself on Spokeo periodically as a benchmark; it’s a good habit to develop), and it’s only reasonable to assume that some of it will get into the wrong hands sooner or later.
If you make a habit of checking your accounts regularly and maximizing account security, you’ll be better positioned to recognize identity theft if (or when) it happens, and to nip it in the bud before it can become troublesome. That’s not just peace of mind, it’s a genuine modern-day life skill.
At the height of the COVID-19 pandemic, research found that 82 percent of the most active Twitter accounts were, in fact, bots. These accounts can churn out Tweets to unsuspecting users, often with an invitation to access adult content or cryptocurrency offers with a free introductory pass — all you have to do is enter your credit card information. Not surprisingly, this scam doesn’t end well. There’s no free pass; instead, your credit card is charged repeatedly.
Top tip: Check the account’s Twitter feed to see what they’re tweeting and how often interactions look authentic.
This scam will be familiar to email users, but unfortunately there’s no spam folder in Twitter. You might see a tweet from an account you trust, but clicking on the link or expanding spreads malicious Javascript embedded in the tweet. Luckily, worms are not that common on Twitter, but watch out in particular for accounts that piggyback on trending hashtags.
When the offer drops into your feed, it seems too good to be true. (It is.) You receive an invitation to earn income by sharing or retweeting about a product or service. All you have to do is submit your credit card details to access your account Twitter Cash Starter Kit. The idea of making money from your Twitter account might be enticing, but you should never have to pay money in advance to take advantage of an authentic service. It’s a cash starter kit indeed, but not for you.
If you’re an up-and-coming brand or influencer, your follower numbers matter. Building your followers takes time and dedication, however. Step forward bots that offer to shower you with followers for a fee or membership. Some might even offer to give you free followers in return for sharing content or submitting your password. By now, the alarm bells should be ringing. The most likely outcome of falling for this trap is that Twitter will block your account, leaving you with significantly fewer followers than you started with.
Even users who bring a healthy dose of scepticism to what they see in the general feed can fall victim to a Direct Message (DM) that is well worded and looks authentic. In many cases, scammers use hijacked accounts that look legitimate or familiar. This phishing scam invites the user to visit a log-in page and enter personal information, their password or credit card details. Given that the average Twitter user has 707 followers, scammers rely on the fact that it’s not easy to vet and verify every single account. And it’s one of the reasons why there are growing calls for more robust account verification on Twitter.
DMs are Where Romance Scams Flourish
Many scammers treat DMs as their safe space. Because interaction is hidden and more intimate, Twitter DMs are one of the targets for common catfishing and romance scams that end in a request for money, payment of fees or emergency assistance.
Top tip: Take any conversation of this nature to at least a video call. And check the person’s number, name and background using Spokeo to expose any catfishing attempts.
The blue badge on Twitter signifies that an account is verified, which is a big deal for brand managers, public figures or influencers. Scammers know that, so they will invite you to sign up with your password or hand over your credit card details for immediate verification. Even if the URL looks authentic, watch out for this common phishing scam. Only Twitter can hand over the coveted blue badge.
Most of us can’t resist posting a zinger or witty response and heading straight to the account activity tab to see our tweet go viral. But when that doesn’t happen (which is often the case), it’s easy to fall for a scam in your DMs that offers enhanced transparency for your followers and engagement activity. The numbers you’re given could well be bogus, after which you’re invited to enter your personal information or cell phone number to complete a seemingly innocuous survey. You’ll only realize it’s a scam when you start receiving paid texts or find yourself locked out of your account.
Some scams target greed; this one targets fear. It starts with a seemingly well-intentioned message that alerts you to sensitive information or photos circulating about you online. The user has spotted it and wants to help. All you have to do is click on a link and submit your password — with predictable consequences.
Top tip: Use Google reverse photo lookup or perform a sweep of what information is posted online about you linked to your email address or phone number using Spokeo.
Although Twitter is a great platform for engaging with others, you should set safe boundaries to keep your account secure. Don’t answer DMs from people you don’t know, treat links with suspicion and never log onto a different site that asks you to enter your Twitter password.
Even tech-savvy Twitter users — from President Obama and Mark Zuckerberg to Britney Spears and Ashton Kutcher — have fallen victim to these scams, so there’s no shame in finding yourself compromised. But if you watch out for these and stay on top of your online identity, you’ll make yourself a harder target to reckon with.
The reality is that a lot of that response (ironically) has no reality. Many of the apparent users harassing people online, or spreading misinformation, are actually sock puppet accounts: fake identities created for purposes including deception, bullying and greed. If you’re unfamiliar with the concept, here’s what you need to know about sock puppeting.
Let’s start by differentiating sock puppets from bots and trolls, two other kinds of accounts that are often problematic. Trolls may or may not be legitimate users, but their primary purpose is to generate reactions and outrage. According to the Oxford Dictionary’s website, the term was originally a riff on the idea of trolling for fish, but in this case the “fish” were other people’s reactions. Undoubtedly, the comparison to the trolls of Nordic folklore helped the name stick.
Sock puppets are fake accounts, giving the user a measure of anonymity to hide behind. Usually (but not always) it’s for the purpose of engaging in shady or undesirable behavior, and some trolls hide behind sock puppet accounts (but not all trolls are sock puppets, and not all sock puppets are trolls).
Bots can behave similarly, but they’re not managed directly by a person. Instead, they’re minimalist pseudo-accounts run by software algorithms and (sometimes) artificial intelligence, designed to flood targeted accounts with auto-generated or predefined messages. All of these can be used to harass and bully legitimate users, but sock puppet accounts are the most varied.
There are several reasons a user might opt to create a sock puppet account. A few of the more common reasons include the following:
Pundits are calling our brave new online world an “attention economy,” meaning the ability to gain and hold people’s attention is one of the most marketable attributes anyone can have. That’s measured in a number of ways, but on social media it typically comes down to how big a following you have, and how engaged they are (how much you interact with each other).
Using sock puppets to inflate your numbers is an obvious ploy, and it’s been done at scale: In 2019, one marketing agency settled lawsuits with both Florida and New York for packaging and selling its services as a sock puppet factory.
One high-profile use of sock puppets is the spread of misinformation (you believe it, but it’s wrong) and disinformation (you know perfectly well it’s wrong, but you’re spreading it for your own ends). You won’t have to think very long to come up with real-world examples from your own experience, so ’nuff said.
This is closely related, but a distinct variation on the theme. In this instance, anyone from self-interested lobbyists to nation-states or local authorities utilize sock puppets to trumpet their own talking points, stir up trouble, and harass or drown out dissenters.
Notorious examples include China’s use of bots and sock puppets in its online propaganda efforts, and all of the tumult around American politics. Law enforcement agencies use sock puppets to infiltrate, manipulate and monitor activist groups (often in ways that skirt or outright violate the law). Court cases have established limits on this practice, but it’s likely to continue.
This is another big use of sock puppets. The perpetrators can be anyone from a disgruntled high school kid to a nation-state or organized interest group, but the outcome is the same: The victim is swarmed and overwhelmed by a barrage of aggressive tweets, posts or messages from sock puppets (and/or bots).
It’s a big deal: Cyberbullying sharply increases the risk of kids committing suicide, for example, and it’s not unknown for a concerted online campaign to cause real-world repercussions (like getting someone fired).
Catfishing could be considered a specialized form of sock puppetry, in which the sock puppet account attempts to strike up a relationship with you (often with the intention of pulling off a romance scam).
That’s a whole other subject in its own right, but a savvy catfish or scammer often uses secondary sock puppet accounts to serve as bogus friends or family members who interact with the catfish’s social media accounts (and may even exchange messages with you directly). It’s the social media equivalent of bogus product reviews and recommendations.
Sock puppets aren’t always used for nefarious purposes. Sometimes the person behind a false account has a legitimate need for privacy: an abused spouse discreetly reaching out to a support site, for example. Others include whistleblowers, journalists, and activists living within authoritarian regimes. Law enforcement use of sock puppets, when done legally and ethically, fits into this category as well.
Another use case that may be familiar to some Spokeo users is “Open-Source Intelligence,” or OSINT, aka online sleuthing. You probably won’t need a sock puppet if you’re just trying to reunite with family (unless there’s some bad feeling at play), but if your hobby is trying to solve notorious murders or track down criminals, it’s probably best if you yourself are hard to find.
Researchers can draw on sophisticated software routines to identify sock puppets (or even detect puppets controlled by the same person), but you don’t really need to bring that kind of firepower to bear. Sock puppet accounts usually share a handful of common characteristics that make them easy to spot once you know what you’re looking for. These include the following:
A profile has to have pictures to be convincing, and it’s easier than ever for someone to fake profile pictures. Manufacturing them in bulk is time-consuming, however, and most puppeteers don’t bother. It’s simpler to just steal photos from someone else’s social media accounts (or even professional stock photos) and perhaps — at most — use software tools to swap in a fake face.
You can easily search a photo using Google’s reverse image search, but often you won’t need to expend even that much effort. Just look at the photos on the suspect account, and then at those on your profile and those of your friends. A real person’s photos are casual and messy (and frequent), and usually include pets and lots of other friends and family. Even a well-faked sock puppet account won’t usually go that far.
That brings us to another point: the whole point of social media is to, well…socialize. Real people go places, tag each other in memes, talk about their pets, and console each other in their moments of sorrow.
Sock puppet accounts, by and large, only chime in to agree with each other or to repeat talking points.
Similarly, accounts whose cluster of friends and followers seems oddly large or small, and accounts that appear to seldom post except to agree with or amplify other posts, are red flags that you are probably dealing with a sock puppet.
Another way to test potential sock puppet accounts is by messaging them directly. A sock puppeteer managing multiple accounts (or accounts across multiple platforms) will often be too busy to notice or respond to messages, or may respond in ways that are vague or unconvincing. A bot account may not respond at all, or may come back with the kind of weird response that sounds (duh) like it was machine-generated.
It’s not always possible to find out exactly who is behind a sock puppet account. Accounts operated by sophisticated nation-state hackers are pretty good at hiding their origin, but your bitter ex, your toxic former employee or an intern at a dodgy company or political consultancy will probably have a less robust understanding of how to cover their tracks.
That means anyone with access to Spokeo’s people search tools (which is basically everybody) has a fighting chance at uncovering the puppeteer. Start with whatever identifying information you can glean from the profile: a name or username, a phone number, a location, or perhaps an email address.
All of those things can feed into each other: Typing a name into Spokeo’s name search, for example, might bring up the corresponding social media account, as well as the email address or phone number used to set up the account. From there, you can search the email or the phone number, which in turn can lead you back to personally identifying information about the puppeteer (a skilled hacker will use a “burner” phone to set up accounts, but your ex or your competitor might not think of that).
After a few rounds of Spokeo searches — taking the information you turn up in each search, using that for further searches, and then using the information from those search results to do more searches — you’ll figure out pretty quickly whether the account belongs to a real person (the information will all agree) or a sock puppet (it won’t). You may not be able to trace a sock puppet account back to the puppeteer, but at least you’ll know what you’re dealing with.
What you do with that information once you have it is a judgment call, depending on the situation you’re in, such as the following examples illustrate:
The platform where you’ve encountered the sock puppet will usually take down the account once you’ve notified them of it. In the interim, you can cut down the “background noise” on your own account by blocking as many fake accounts as you can (or even turning off replies for the short term).
Your Spokeo searches may even turn up a large number of accounts associated with one puppeteer (or organization), which can be taken off the platform in one stroke once they’re identified.
That kind of search wizardry isn’t just a benefit to you, it can help make online life better for everyone.