Hi to you my lovely facebook friend's this is my New account now i got a Trojan virus on the other account so that why i send you a new friend request thanks for Accepting me back.
â" Aug. 13, 2012
For anyone who knows Judie Fertig Panneton, a Sacramento-based writer and author, that grammatically mangled Facebook post was clearly not from her.
But it sure looked like Panneton's Facebook page. It had her smiling photo, along with the 86 thumbnails of her friends and daughters. Everything appeared the same, except that her hometown had changed.
It turns out that Panneton was Facebook-hacked. An impostor set up a nearly identical account, then started contacting her friends, in some cases appearing to solicit them for money.
She's not sure how or why it happened, but it left Panneton feeling "punched in the stomach."
"The creepy part is you don't know what other harm they're doing: asking your friends for money, hacking into your accounts. Even though they can't spell," she noted wryly, "they can do a lot of other bad things."
Panneton's problem with a so-called "impostor profile" raises one of the uneasy aspects of Facebook life: We expose so much of our personal lives online that we're hugely vulnerable.
Not that it's anything new.
"We've certainly been aware for some time that social networking sites can be a source of information that bad guys can use, if users don't have good privacy controls or put too much sensitive information out there," said Joanne McNabb, who heads the state attorney general's new online privacy unit.
Those who deal with the aftermath of identity theft cases via social media say they're all too common.
"We see it a lot. â¦ In a social network environment, people have a tendency to give away way too much information about themselves," said Adam Levin, founder of IdentityTheft911, an ID theft and security breach consulting firm.
"This whole 'friending' process is not the most positive thing," he said, noting that supposed "friends" can easily harvest details such as birthdates, travel plans, kids' names and email addresses, that enable all sorts of financial, medical and personal identity theft.
The personal bits of ourselves that we freely share online, Levin said, are "a pot of gold" for identity thieves.
And a lot of us are out there sharing. According to Facebook's most recent activity report, there were 955 million active monthly users at the end of June.
Panneton didn't discover her impostor profile until several friends emailed her, saying they were getting suspicious-sounding Facebook messages. Some of the phony messages claimed that "Judie" had been hacked. Some mentioned getting $200,000 cash from an "agent" of an unnamed government poverty program.
Alarmed, Panneton immediately shut down her personal Facebook account, along with a separate Facebook page promoting one of her books. And she scrambled to change â" and beef up â" the passwords on her other online accounts â" Amazon, Groupon, her iPhone, etc., something "I should have done in the first place."
What she couldn't easily do was shut down the phony Judie Panneton account. Under Facebook's online "Report a Violation" page, she needed to submit a digital image of a government-issued ID (such as a driver's license or passport), a notarized statement verifying her identity and her electronic signature.
But having been victimized once, Panneton wasn't about to hand over more personal identification online. Unable to contact Facebook by phone, Panneton could only watch as her impostor continued sending out email messages in her name for at least 10 days.
According to a Consumer Reports survey issued in June, 11 percent of Facebook households â" an estimated 7 million â" reported some kind of trouble last year, ranging from someone using their log-in without permission to being harassed or threatened online. Yet the same survey found that nearly 13 million users said they had never set, or didn't know about, Facebook's privacy tools.
In an email, Facebook spokesman Fred Wolens said the company doesn't provide statistics on incidents like Panneton's. And, he noted, Panneton's fake profile isn't technically "hacking," since it wasn't "a compromise" of access to her original account.
But Wolens said Facebook takes privacy and security threats seriously. He said Facebook has internal systems to "flag and block" fake accounts, as well as investigate users' reports of fraudulent activity.
When contacted by a reporter, Wolens immediately had Panneton's fake account shut down.
In recent years, Facebook has come under criticism for its privacy policies. Just this month, the Federal Trade Commission finalized a settlement with the social media giant, which it accused of sharing users' private, personal information without their permission. Part of the settlement requires Facebook to undergo audits of its privacy policies for the next 20 years.
Aside from financial fraud, identity thieves using social media also can wreak social or workplace havoc by posting embarrassing photos or comments.
In 2011, a Citrus Heights man was convicted of hacking into hundreds of email accounts of women in 17 states. Using details plucked from the women's Facebook pages, the 23-year-old searched their emails for sexy photos that he posted online.
For those who've been victimized, no amount of security precautions seems reassuring enough.
"Not only do you feel vulnerable, but you feel like you've put your friends in a vulnerable place," said Panneton, who's in her 50s.
Now Facebook-free, Panneton said she's never going back, even if it means she can't easily share photos of her grandchild and that her book sales might suffer.
Her only consolation is that her experience might alert others to be cautious about their social media habits.
"What this hacking has proven to me, (is that) Facebook is a fun place to be but it's not a safe place."
Call The Bee's Claudia Buck, (916) 321-1968.
What You Should Know About Comments on Sacbee.com
Sacbee.com is happy to provide a forum for reader interaction, discussion, feedback and reaction to our stories. However, we reserve the right to delete inappropriate comments or ban users who can't play nice. (See our full terms of service here.)
Here are some rules of the road:
â¢ Keep your comments civil. Don't insult one another or the subjects of our articles. If you think a comment violates our guidelines click the "Report Abuse" link to notify the moderators. Responding to the comment will only encourage bad behavior.
â¢ Don't use profanities, vulgarities or hate speech. This is a general interest news site. Sometimes, there are children present. Don't say anything in a way you wouldn't want your own child to hear.
â¢ Do not attack other users; focus your comments on issues, not individuals.
â¢ Stay on topic. Only post comments relevant to the article at hand.
â¢ Do not copy and paste outside material into the comment box.
â¢ Don't repeat the same comment over and over. We heard you the first time.
â¢ Do not use the commenting system for advertising. That's spam and it isn't allowed.
â¢ Don't use all capital letters. That's akin to yelling and not appreciated by the audience.
â¢ Don't flag other users' comments just because you don't agree with their point of view. Please only flag comments that violate these guidelines.
You should also know that The Sacramento Bee does not screen comments before they are posted. You are more likely to see inappropriate comments before our staff does, so we ask that you click the "Report Abuse" link to submit those comments for moderator review. You also may notify us via email at email@example.com. Note the headline on which the comment is made and tell us the profile name of the user who made the comment. Remember, comment moderation is subjective. You may find some material objectionable that we won't and vice versa.
If you submit a comment, the user name of your account will appear along with it. Users cannot remove their own comments once they have submitted them.