Francesca Henry felt like she was in an episode of Black Mirror or BBC cyber drama The Capture, watching herself — or someone at least claiming to be her — peddling crypto scams on Instagram, unable to stop them.
The personal finance expert, 33, had been running her Instagram account The Money Fox (@the.moneyfox) for two years when one of her 36,000 followers first alerted her to the copycat account. Investigating, she was shocked to discover an almost-perfect replica of the Instagram profile she’d put so much time and energy into building: her name, her picture, each of her 300 or so posts, perfectly cloned from the videos to the captions. The only difference: a slightly altered Instagram handle, @the_moneyfox1, and plugs for a new cryptocurrency scheme hidden among her posts.
“I felt violated,” says Henry of the first time she discovered her Instagram had been cloned, almost two years ago. What she’d stumbled upon turned out to be the tip of the iceberg. In the two years since, she’s started receiving almost-daily messages about as many as eight clone accounts at a time — many of them trying to scam her followers into sending them money. “I’ve tried reporting them and writing ‘this is my only account’ in my real Instagram bio, but [the cloners] copy that as well, so it’s pointless,” she says. “The thought of someone literally sitting there screen-recording my Stories is horrifying, and it really upsets me to think that people might fall victim to fraud because someone is copying my account. It’s made me think about giving up on Instagram altogether.”
Henry isn’t the only innocent social media user to find herself at the centre of a growing online cloning epidemic on sites such as Facebook, Instagram and Twitter. Celebrities and high-profile figures have found themselves being impersonated by fake accounts on these platforms for years, but security experts say there’s been an explosion in the number of cloning attacks on everyday members of the public in recent months, with Google searches for terms such as “what to do when an Instagram account is cloned” rising by 336 per cent in the last week of October alone.
The attacks are more than just an online prank. Victims say clone accounts have been used to scam them and their followers out of thousands of pounds through cryptocurrency and pornography sales, NFT projects and fake giveaways. More chillingly still, cloners have been known to send personal and often urgent messages to victims’ loved ones, asking for money, confidential personal details and even photos: clones of models offering pornographic content to their followers through a link; clones of daughters asking their parents for cash because their wallet has been stolen. So are we all potential targets? The last time you sent photos or bank details to a friend on social media, was it really them? And if someone has been out there impersonating you on social media, would you even know about it?
The implications can be horrifying and point to a wider question of whether any of us can be truly safe online anymore. So what’s behind the rise? Two issues currently seem to be at the forefront: on a micro-level, Elon Musk’s introduction of an $8-a-month blue tick subscription model certainly hasn’t helped the problem on Twitter, which has quickly descended into chaos in recent weeks after a series of fake and clone accounts managed to pay their way into getting a blue tick.
But the cost-of-living crisis seems to be the wider cause across all platforms. Not only are scams often veiled as the offer of financial support, luring victims, but criminals, too, are seeking quick ways to make some extra cash. Cyber expert Naveen Vasudeva says cloning has become easy “low-hanging fruit” for newbie hackers “trying to make a quick buck” and Tom Lysemose Hansen, CTO at app security platform Promon, agrees that cyber-criminals need “little-to-no technical know-how”. They no longer need to be able to hack into a user’s account; they just need to be able to replicate it, block the original account and add people from the original account’s friends list. There’s even software out there that’ll do that for them.
For small business owners, this rise in attacks is not only a privacy issue, but a reputational nightmare. “It felt like a real personal intrusion – I was terrified my reputation might be destroyed if people believed the scammer was really me,” says author Barbara Copperthwaite, 49, who ended up leaving Instagram after a clone account began asking her readers for money. “It’s become an absolute nightmare: I need to be visible for my business but I’m more likely to be cloned because I’m so visible,” says Lisa Johnson, 45, a business strategist from Bedfordshire who says she reports at least 10 clone accounts a month, despite having a blue tick.
Even private users with small followings are being targeted: last month, Tooting marketing exec Katie Ashdon*, 29, discovered another Facebook user was using a profile picture from her private Facebook account to run a phone-selling scam. “It’s pretty chilling, seeing your picture being used, especially if it’s to scam people out of money,” says Ashdon. “Luckily they didn’t contact any of my family or friends, but it made me wonder: how many others are out there using my picture that I don’t know about? It didn’t help that I was watching The Capture the week I found out... Will there be deepfakes of me out on the internet next?”
But seriously, will there? For those who haven’t seen the Black Mirror-type BBC series starring Holliday Grainger and Paapa Essiedu, one of the most haunting elements of the show depicts a fictional future world in which an MP is forced to watch a deepfake version of himself saying the exact opposite of what he believes in a live BBC interview. This particularly chilling form of identity theft might be far more sophisticated than current cloning attacks, but seeing the impacts play out on screen has raised some key questions: will social media lose its legitimacy if tech giants don’t crack down on cloners? Do blue ticks even work? And what can innocent social media users do to protect themselves if they can’t get one or don’t want to pay?
Henry says she cares deeply about her business but she’d never pay for a blue tick – not only can your average social media user not afford one, but Musk’s Twitter meltdown is evidence they don’t always solve the problem, anyway. Sure, having verified status means it is technically easier and faster to have any bogus duplicate accounts taken down, but the application process for social media platforms is a delicate balancing act and certainly not uniform – an account might get verified by Twitter, but that doesn’t mean they will by Instagram, meaning followers might question their legitimacy on Instagram.
Even if an account does have a blue tick, that doesn’t stop followers falling victim to a clone account – a blue tick can be easy to miss when a duplicate account is otherwise identical. “I’ve had emails from people accusing me of taking their money when they have never been a client,” says Johnson, who has a blue tick on Instagram. “When I dug a little deeper it looked as though they bought into a crypto scam via one of my clone accounts [on Instagram], which is upsetting.”
So is improved and more widespread verification the answer? Not necessarily, according to experts who say the application process for becoming verified is already a delicate balancing act for social media platforms. If the prerequisites are too broad, the platforms can become swamped with applications, but if they are too narrow, their use becomes too limited to be beneficial.
James Bore, a security ‘hygienist’ from north-west London, says one option is that social media companies start asking for identity documents, but this would mean they’re taking copies of people’s IDs, which carries its own privacy risks. “Social media doesn’t have a great track record of acting as responsible guardians of people’s data,” he says. “If they’re asking for IDs for verification, they then have to store them. They’re already targets for huge volumes of personal data, but you can imagine how much worse that gets if they’re guaranteed to have copies of legal IDs for everyone - perfect for identity fraud.”
Another option could be to go down a verification route similar to the app Signal, which uses cryptographic codes to warn people whether they’re speaking to the person they think they are. “It’s complicated to set up if your platform isn’t built for it, and carries risks,” says Bore. “But it’s definitely an option if [social media companies] really wanted to prevent cloning and impersonation.”
Lysemose Hansen says there are two moves he’d like to see from social media platforms in the short-term: a streamlining of the reporting process, and increased moderation of fake profiles. Fake accounts reportedly represented five per cent of Facebook’s worldwide monthly active users in the second quarter of 2022.
Many say the law needs to catch up, too: not only is cloning concerningly accessible, it’s also currently incredibly low-risk. Amy Leighton, 31, a mindset and confidence coach from Tooting, says she’s reported her clone accounts to Meta, only to be told they can’t be removed because they’re “not violating community standards”.
Meta says “it’s against our rules to impersonate someone else on our platforms” and that its teams block millions of fake accounts every day, “often within minutes of creation”, but it’s often too late – and there is nothing to stop the perpetrators setting up a new clone moments later. “[By the time Meta closed the fake Instagram account], the [reputational] damage had been done,” says Giuseppe Mangione from Balham-based dog rescue enterprise Muthapuppa, which had to close a competition after a clone account messaged all entrants to say they’d won, in a bid to get their bank details.
On a legal level, catching cloners is “effectively impossible,” says Bore. “It’s likely they’re not even in the same country, so even if we had the legislation and enforcement to deal with this sort of fraud (we don’t) and they could be identified (they can’t) then international fraud cases for something so numerous and small in the grand scheme of things is unlikely.” Even within the UK, any legal conviction must hinge on direct evidence of financial loss, so “often there is nothing victims can do, even in cases of reputational damage,” says Lysemose Hansen.
Jack Richards, marketing lead at consumer intelligence platform Talkwalker, says it shouldn’t be down to individual social media users to look out for each other – tech bosses need to start taking the issue more seriously or they’ll face a “breaking point” in the next few years, with users boycotting the platforms or leaving altogether. He and other techsperts say they hope the implementation of the government’s long-awaited and continually-delayed Online Safety Bill will force social media bosses to act. But security campaigners like James Walker, CEO at data privacy company Rightly, are worried that the bill - already four years in the making – is unlikely to be “fully operational” until 2024. Even then, a lack of clarity on exactly which issues will be addressed has left experts questioning how effective it will actually be for issues like cloning, given that it is largely being treated as a child protection measure.
Even if cloning is addressed in the bill, many are already questioning whether the fines expected to be introduced in the bill will be significant enough to make companies actually take the issue seriously. Then again, shouldn’t companies be taking cloning seriously even without fines? After all, not only does cloning pose a reputational nightmare for the individual social media users; it can be a reputational nightmare for platforms, too. Victims say they’ve already started boycotting sites like Twitter and Instagram. In some cases, they’ve closed their social media accounts altogether. Will there be a move towards more “secure” platforms like Signal and Telegram instead?
Henry says she won’t be closing her account, but the attacks have definitely made her more wary of what she shares online. “It’s sad,” she says. “I’ve worked really hard to show that I’m a trustworthy person, so to get messages saying people are having to unfollow me because of all the clone accounts is really upsetting. I’ve thought about leaving Instagram, but then I realised: [the cloners] still have hundreds of posts of mine that they could run with, so they could still do damage. And if I’m driven off social media, isn’t that just letting them win?”
*Names have been changed to protect identities
How to protect yourself from social media cloning
1. Make your profile private, if you can, says Satnam Narang, a senior staff research engineer at cyber exposure company Tenable.
2. Make sure you have a back-up email address and multi-factor authentication on your account, says Scott McKinnon, a cyber security expert at VMware.
3. Hide your friends list. On Facebook, for example, there is a setting where only friends of friends can add you through Facebook search: this is a good way to ensure clone accounts can’t reach you. Fraudsters will generally target accounts that are not verified but have large followings or friend lists, therefore reducing the information available to them is a good first step.
4. Be wary of accepting friend requests from people you’re already friends with online. If the new account seems off, contact your friend and report the account immediately.
5. If you do find yourself as a victim of cloning, report it immediately, then change your profile picture so your account is distinguishable from the cloned one. Ask your friends and followers to report the account, too.