Facebook’s crazy Catch-22 lets imposters steal your identity

Found someone pretending to be you on Facebook? Getting rid of the faker can be a lot harder than you think.

Facebook’s fake-a-palooza has entered a new realm of absurdity.

It starts like this: Yesterday Jennifer X. opened up her email and found a Facebook friend request from her husband Andrew. This was puzzling to her because Andrew already had a Facebook account, and they were of course already friends. She thought maybe he’d forgotten his password and created a new account or was testing something out. She clicked the link.

Sure enough, there was a Timeline with Andrew’s name and a profile photo of her husband and his sister as children – the same picture Andrew was using on his real account. Otherwise, though, the faux account was blank.

She told her husband about it. But when he tried to check it out for himself, Facebook told him that page could not be found. Why? Because the imposter had blocked him, making Fake Andrew’s page invisible to Real Andrew.

When Jennifer went to report the fake, she discovered Facebook’s Catch-22.  The only way to report an imposter on Facebook is for the real owner of the account to go to the imposter’s Timeline, click the downward arrow in the settings box, and select Report/Block. But because Real Andrew couldn’t see Fake Andrew’s page, he was unable to do that.

So Jennifer tried using the Report/Block process to tell Facebook that Fake Andrew was impersonating her husband. But all that does is send a message to the person whose account has been duplicated, telling them to report the fake using the process I just described. Which, of course, Real Andrew could no longer do.

facebook imposter reporting message cropped.png

Maddening, right? It gets worse. You can tell Facebook another account is using a fake name, but your only options are to ask the person to use their real name (not likely in this case) or unfriend/block that person. You could simply submit a report to Facebook telling them it’s a fake, which automatically – and permanently -- blocks you from ever seeing that account. All the other reporting options (the account is annoying, spammy, inappropriate, etc,) have the same result. But then you have no way of knowing what happens after that.

Jennifer and Real Andrew were worried Fake Andrew would use his account to scam their friends. Once they reported his account, and it was permanently blocked, they would have no way of knowing what Fake Andrew was up to. They wouldn’t know if Facebook had deleted the account or not. (In my experience, fake accounts can exist for weeks or months after being reported.) So they posted something to their Facebook walls warning their friends not to be duped. But as we now know, only a small percentage of your friends will see everything you post.

Is this insane? Yes it is. Just to confirm Jennifer and Andrew’s story, I created a faux account to impersonate a real one and recreated their steps. Sure enough, Facebook has made it essentially impossible to deal with clever imposters who’ve discovered this trick.

There is, however, one other way to report an imposter to Facebook, by filling out a form on this page.

facebook report imposter cropped.png

Here’s the kicker: This option only works if you don’t have a Facebook account. If you do have an account and are logged in, you won’t even see the page I’m talking about. And, of course, you have to provide the URL of the imposter’s account, as well as a copy of a government-issued ID to prove you are the real deal.

So my question: If you’re not on Facebook, how will you find out someone is pretending to be you on Facebook?

I understand Facebook needs to balance a lot of factors here. It needs to be careful to avoid shutting down accounts that aren’t fake or abusive. But this loophole is just nuts.

We don’t know how that account will be used, but it’s unlikely to be for the good of mankind. It could be used to generate fake likes. It could be used to spread spam and malware. It could be used to run pretexting scams where someone pretends to be in distress and tries to milk Andrew’s friends for money. Or it could be used just to systematically destroy Andrew’s reputation by posting horrible things in his name.

Since the scammers decided to friend Andrew’s wife, my money is on the scam gambit. Fortunately for them Jennifer was savvy enough to spot the fake. Others might not be.

Is this really how Facebook operates? I’ve asked them to comment, and will update this post if I hear back.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

Now read this:

Facebook's 'man in the middle' attack on our data

Why Facebook is full of it

Q&A: Privacy Pioneer Ray Everett

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon