There are a lot of fake accounts out there, but not all are created equal.

There are those accounts that I typically think of as ‘bots’ accounts. These are the internet’s version of robocalls – with links in their profiles and sexually explicit photos. They will often message you, trying to get you to click those links with the goal of stealing your information or infecting your computer with some malicious code.

To deal with bots, simply ignore the message.

There are accounts designed to look and act like a real person to the social media platform called sock puppets.

A “sock puppet account”, or ‘sock’ for short, is a fake account used by a person or an organization to gain information. It can be thought of as the modern version of an alias and they are used by both white hat and black hat actors in the OSINT space. This post will show you some ways you can spot them.

Here are four red flags that I found on a recent follower account that yield a high probability of the follower being a sock account.

🚩 1: The profile picture does not match the rest of the person’s photos

Take a look at the profile picture. The person in that photo is clearly fair skinned with blonde hair. However, the woman in the posted photos is dark haired and olive skinned.

🚩 2: The photos do not feature any positively identifiable features

Looking at the account above, you find no views of the persons face. You may say “they like to be private”. However, their profile photo features a face, so why hide it elsewhere?

This is an indicator that profile photo and the photos in the account likely do not feature the same person.

🚩 3: Photos are posted in a repeated and systematic fashion.

Look at the frequency and regularity of the posts. The posts from this account are posted every day around the same time window.

Are they posted at a regular interval?

(Posting at a regular interval mimics real-life postings of real people, and is a way to maintain a good sock puppet profile page without being flagged by social media algorithms. At least not right away.)

🚩 4: If the photos are found to be copied from other sources

The photo on the left – posted October 14th 2022 was found to be a repost of the photo on the right, originally posted August 1st, 2019.

One way to verify the authenticity of a post is to run it through a reverse image search like Google Images, TinEye, or Yandex.

So you think you’ve found a sock account, now what?

If you are concerned that a sock account may be following you, chances are its nothing to worry about. Remove the follower, block the account, and move along with your day.

On the other hand, if the follower is on your children’s (under 18) social media account, reporting it to the platform is a good move.

Stay tuned for more #OSINT related insights!