The Crime-Riddled Back Alleys of Social Media
December 24th, 2021, Christmas Eve — on a day most Americans hope to spend enjoying the company of loved ones, ICU nurse Gina Anderson (a pseudonym) was robbed while sitting in her own home. The crime happened so quickly and surreptitiously that Gina couldn’t so much as scream for help. And due to the nature of the crime, 911 operators wouldn’t take her call if she tried (she didn’t). Nor were police going to dust for fingerprints or put out an all-points bulletin for the suspect (they couldn’t). It’s not that there were no promising leads in the case; evidence abounded that this was a serial predator.
This was no burglary. No one kicked down Gina’s front door. Gina was hacked, or, to be more precise, she was “socially engineered”, a form of hacking whereby a scammer takes advantage of human error and trust to effectively convince a victim to open the door and invite the scammer in.
This form of hacking requires no “identity theft” such as stealing a social security number or credit card. Unlike hacking, which might be likened to the form of burglary that involves “breaking and entering” and is demonstrably illegal, it is more difficult for law enforcement to prosecute someone who merely uses cunning to manipulate his victim into taking action that will financially benefit the scammer.
On that Christmas Eve while scrolling through her Instagram feed, Gina came across a self-recorded video her friend Angelica had just posted. In the video, Angelica was talking up a woman named Nickie–username “@nickie.333_333”–who was allegedly a “stocks and crypto investor” and had helped Angelica earn some quick cash before Christmas. Gina was rightfully skeptical, but this was a friend.
But rather than go straight to Nickie, she decided to reach out to her friend Angelica to learn more, and, like many of us, she began the conversation with her friend not via text message or a phone call, but by direct-messaging her on Instagram.
In the messages that followed, Angelica explained that Nickie would be able to multiply Gina’s cash tenfold, and all she had to do was send a few hundred dollars. The scheme seemed far-fetched to Gina, but this wasn’t some stranger calling on the telephone or a spammy email about the royal inheritance of some obscure Nigerian prince. This was coming directly from Angelica’s account, and Angelica herself was on video vouching for the investment.
In the midst of a currency and investment revolution, the financially unthinkable is surprisingly common. Examples of this are legion, such as a digital coin called “Doge” rocketing upwards 12,000% in a five-month span. Or a team of rogue traders on Reddit artificially inflating the price of a stock 1,500% in two weeks. In this brave new world, making a few thousand dollars with little effort online seemed within the realm of possibility.
Following Angelica’s instructions, Gina reached out to Nickie and, after talking on the phone with someone purporting to be Nickie, arranged to send $800 with the payment app Zelle, a compromise from Nickie’s original request of $1,000. Gina thought she was being cautious, if not a little distrustful of her friend Angelica’s investment guru, so when she was asked to promote Nickie’s business by opening a link sent to her phone, she complied.
It would be the last time Gina would have access to her own Instagram account for more than a week. Her heart sank as she realized she’d been had. Before she could realize what was happening, she’d suddenly been logged out of her Instagram account. Her password and associated contact information were all reset, and she grew fearful that not only her Instagram but possibly her bank account had been compromised.
Gina was now in full panic, but what could she do? It turned out that the person behind Angelica’s account sending her direct messages wasn’t Angelica at all, but Nickie, an unknown cyber criminal in control of her account.
Gina quickly took action by submitting the help form linked at the bottom of the ‘if you were hacked’ page in the Instagram help center. In fact, she claims to have done so no fewer than 80 times for good measure. She even found a phone number to report security issues with the application directly to Instagram, but the panicked voicemails she left went unanswered.
Having unwittingly handed over the keys to her Instagram account to a faceless hacker, Gina’s now-hijacked account began posting stories consisting of contrived or coerced testimonials about “Nickie”’s proven investment capability. At least two followers of Gina’s were scammed as a result of those stories, with one being robbed of more than $8,000, according to Gina.
If that weren’t bad enough, “Nickie” decided to humiliate Gina, too. After finding a direct message saved on the cloud containing a lewd video Gina had sent to her boyfriend, Nickie posted it on Gina’s own story for all of her friends, family, and colleagues to view for the next 24 hours.
Gina was understandably devastated. But sadly, her story is not an uncommon one, and it’s not limited to Instagram, Facebook, or Twitter, although the built-in audiences (friends and followers) who witness those hacks make for greater visibility, and, if you’re famous enough, press coverage.
One high-profile case from 2016 featured then-University of Mississippi football star Laremy Tunsil having his Twitter and Instagram accounts hacked just ten minutes before the 2016 NFL draft. When video of him apparently smoking a bong went viral as part of the hack, it was estimated that he could have lost millions by dropping lower in the draft than expected.
It’s not just the rich and famous who have cause for concern, either. Among Americans, 76% worry that their social media accounts could be hacked, and many already have been. A 2016 survey revealed that nearly two-thirds of Americans say they’ve had their social media accounts hacked, a number certain to have risen significantly since.
Instagram Stands Idle While Users are Hacked
If you’re a regular user of social media, you’ve probably witnessed a scheme similar to this. It’s become a constant issue. By letting your guard down for a second and reflexively clicking a malicious link from the silent avatar you recognize as your friend, you too could wind up losing access to your account, or worse.
We can see from Nickie’s Instagram story that Gina was far from her only target. In fact, Gina could be called one of the lucky ones. Within a week, she was able to get her account back, while others have waited months without any resolution. It’s unclear what prompted her account to be prioritized for recovery while others seem to be ignored. What we can say is that as of this publication, “Nickie”’s account (@nickie.333_333) is still active and still posting recorded videos of her growing list of victims.
What’s most alarming is the speed, or lack thereof, with which Meta (the parent company of both Facebook and Instagram) is responding to hacks. Even when they do, their efforts appear to be singularly focused on account recovery for victims without bothering to track down and hold perpetrators accountable either legally or through a platform-wide ban.
Some would say it’s a matter of limited resources on a free platform, and that Instagram couldn’t possibly police the accounts of its approximately 112 million active users in the United States. Yet Meta and other social media companies like Google (parent company of YouTube) and Twitter have no problem moving with impressive speed to censor or ban an account for a tweet, article, video, or other post they deem offensive or misleading.
For its part, Meta touts having more than 80 organizations around the globe assisting it with fact-checking operations. In 2017 Meta claimed to be in the process of hiring an additional 3,000 “content moderators” for a grand total of 7,500 globally, yet they appear, if Mark Zuckerberg’s own words are any indication, to be exclusively focused on “misleading” and “violent” content rather than scams where people lose money.
What prevents Meta or any other tech company from receiving the kind of consumer blowback we’d expect to see if rampant crime was going unpunished on a company’s physical property? Why are so few people voting with their feet? Would Disneyland be in business much longer if its guests were regularly mugged without recourse? Would Wal-Mart? One wouldn’t think so, and it suggests the extent to which these tech giants have monopolized the social media space. Disneyland, Wal-Mart, and Amazon, although in many ways uncomfortably large and powerful, have no such equivalent power over the retail domain.
The Wilder West of Social Media Boasts No Heroic Deputies Maintaining Law and Order
Where is federal and local law enforcement when it comes to cyber crime? Nowhere to be found seems to be the norm in most cities and states. At one cyber crime hotline in Texas, I was told I could expect an investigator to be assigned to a case 30–90 days after the first report is filed–a lifetime for a person in the midst of an ongoing hack. In the “metaverse” there simply are no cops on the beat save for the most lurid crimes.
Instead, Americans are forced to hire private firms if they want to enjoy some semblance of security while interacting online, mirroring a similar trend in some neighborhoods plagued by crime. In the absence of government law enforcement officials, multimillion-dollar corporations like LifeLock and Home Title Lock have stepped into the breach–for a price. The identity protection industry is estimated to be worth $3.2 billion in the United States alone and it stands to reason that the industry will soon offer services to combat social media identity theft or social engineering.
A Wall Street Journal report revealed that Facebook isn’t just used by common thieves looking to hack into your bank accounts and payment apps, either. Drug cartels and human traffickers use the platform to expand their criminal enterprise, including recruiting and training hit men. Despite the elevated seriousness of such crimes, the response by Facebook/Meta appears to be similar to its response to Gina’s Instagram hack.
From the report: “When problems have surfaced publicly, Facebook has said it addressed them by taking down offending posts. But it hasn’t fixed the systems that allowed offenders to repeat the bad behavior. Instead, priority is given to retaining users, helping business partners and at times placating authoritarian governments, whose support Facebook sometimes needs to operate within their borders”.
For Americans, who now spend up to a third of their day online, the most basic tenet of the social contract–surrendering part of our income in exchange for security–is rapidly eroding. Tech giants have lured the masses onto “free” platforms that have become all but essential for work and social life but whose features have grown so rapidly that ensuring the lawful use of them has become an impossible endeavor.
At least on Meta’s platforms, the relationship between user and platform has become something akin to that of a junkie and his dealer when the dealer is the only game in town: a junkie will put up with a lot of threats and abuse in order to get a fix. The only difference might be that the average drug dealer would notice losing a customer who finds the willpower to walk away. But when the dealer has 3.6 billion active “users”, what’s to notice?
Congress is Failing to Act
Outside of social media, a similar problem is exploding onto the scene. For some Americans, phone calls from scammers posing as government officials threatening to withhold social security payments have become commonplace. And almost no one has been spared the calls about taking advantage of your car’s extended warranty. Block the number all you want; phone numbers in the free market are a dime a dozen. Where are Apple or Google in developing new features to help device owners more quickly block and report suspected scams to corporate or government authorities? Perhaps someone from the emoji-development team could be retrained to root out criminals.
Today, more and more Americans are falling victim to telephone and social media scams, and there doesn’t appear to be any reliable mechanism for reporting these crimes to authorities. There is the FBI’s Internet Crime Complaint Center, but anecdotal reports indicate that filing complaints there is a waste of time. It certainly was no help for Gina.
Is there a role for the federal government to play? On Capitol Hill, cyber crime legislation appears to be focused solely on large scale SolarWinds-type hacks of government infrastructure, while retail hacking of individual accounts or calls posing as government authorities to obtain sensitive personal data are being largely ignored.
One year before the launch of Facebook, in 2003, the federal government addressed what might be considered a pre-social media and pre-smartphone analogue to our current predicament. Congress passed legislation called the Do-Not-Call Implementation Act, which among other things created a “National Do-Not-Call Registry” that would allow Americans to opt in and stop calls from telemarketers.
It passed by a vote of 418–7 in the House and by unanimous consent in the Senate and was signed by President George W. Bush to great fanfare in February of 2003. “When Americans are sitting down for dinner, or a parent is reading to his or her child, the last thing they need is a call from a stranger with a sales pitch,” he declared at the signing ceremony. Within two years 50 million Americans had added their numbers to the registry.
This was legislation to combat an annoyance and, for a brief period, it worked, dramatically reducing the number of unwanted calls. It’s important to note that there were by and large no scams being peddled by over-caffeinated telemarketers, though. They were selling legitimate products and services like magazine subscriptions and cruises. They were simply becoming too annoying as voice-over-Internet-protocol (VOIP) dialing and other software made people’s phone numbers easier to find and sort in addition to being cheaper to dial.
Law enforcement for its part has been given a nearly impossible task, deputized to enforce new laws but with few new resources and tools with which to prosecute. The federal department in charge of enforcing the Do Not Call Registry and other programs such as the 2009 robo-call ban has an annual budget of around $300 million, compared with the FBI’s $9 billion allotment. Still, that the United States has had no landmark legislation to grapple with new and more serious threats from social media and the advent of smartphones in the 18 years since speaks volumes about the dysfunction in our nation’s capital.
In 2022, your life can be turned upside down with an errant click, tap, or share of a single weblink. And it’s not just the elderly and naive who fall victim to these elaborately hatched crimes, as illustrated by Gina’s example. In the cyber sphere, the person on the other end of your text and image-based conversation may in fact be a thief using the account of a friend or family member to take advantage of your trust. One false move and you could suffer substantial financial losses. When that day comes for you, who you gonna call?