You may have seen a friend request on Facebook from someone you know and thought you were already friends with. Not thinking that anyone is trying to impersonate your friend, you may accept the request. Others may stop to check whether that person is already in their friend list, and may see that their friend is in fact in their list. Here we often see people naively claiming that an account is hacked when in fact it is spoofed. What's the difference? Well, the difference is important because it dictates what you should do about it.
This came up because the number of spoofed accounts on Facebook has jumped in the past few months. A friend of mine, Bob, had been frustrated at all the people saying their accounts were hacked, or contacting friends to say they had seen a friend request from them and telling them that their account was hacked. His comment was about trying to explain the difference between spoofed and hacked accounts. Most tech professionals know the difference and know what to do in each situation.
So what is the difference, and why should you care?
When someone spoofs an account or person, it is like someone putting on a mask, like one of the President masks they have at the Halloween costume stores, and pretending to be that person. When you see President Obama or Trump at your door on October 31st, you know it is not the President. They are spoofing, or impersonating, the President. You can safely ignore them or give them a treat. When it comes to a spoofed account, you can safely ignore or report it.
Just as it is not the real President at your door, a spoofed email or friend request does not come from the real person; it is an impersonation. You can safely ignore the email or friend request. You can also report the spoofed account to Facebook or to the host for the email.
I should add that criminals spoof accounts on social media like Facebook, they spoof emails, and they spoof people via phone calls. It is not limited to Facebook accounts.
When we say hacked, what do we mean? Hacked is different from spoofed in that it is when a criminal gains access to the person’s account, either an email account or a social media account. This is a much more serious situation for the person whose account was hacked. To keep with my Halloween theme, it is as if the person has been possessed!
The hacker has had to gain access to the person's real account. That means they have that person’s username and password. This requires immediate action by the user. They need to change their password and possibly upgrade to two-factor authentication. In short, we need an exorcism, we need to get the hacker out and keep them out. This means the victim needs to find out how their account was compromised and make sure it doesn’t happen again. No more Ouija boards!
Criminal hackers prize hacked accounts, and gaining account credentials is one of their main goals. With a hacked account, they have access to everything that account has access to, and with an email account they can reset passwords for other accounts that use that email address.
Know the difference because the difference is important. And knowing is half the battle!