How to create a fake online identity
And what you should do to avoid interacting with one
This post should not be construed as endorsing illegal activities or terms of service violations or any other dubious activities…
Fake identities are fascinating.
In the pitched battle between real news and fake news it’s getting easier and easier for misinformation to make it into the mainstream.
Simultaneously, artificial intelligence (AI) is making it easier for nefarious actors to make convincing online entities that mimic real people (H/T for the Unreal Engine to a friend.)
A sneak peek at MetaHuman Creator: high-fidelity digital humans made easy
Create unique, convincing digital humans, complete with hair and clothing, in minutes.
What are deepfakes - and how can you spot them?
Have you seen Barack Obama call Donald Trump a "complete dipshit", or Mark Zuckerberg brag about having "total control…
At the leading edge, technologists are devising ways to twist and contort real people to make them say things they never said and appear in places they never were. These “humans” can be completely digitally generated.
At the more mundane and less technologically flabbergasting edge of things, it’s become quite easy for all sorts of individuals to hack together a quick online identity for a variety of purposes.
How does one go about creating a fake online identity? Why might one want to? And what does the ease with which this can be done tell us about online security?
From … things I heard on the internet … here is some info.
How To Create A Fake Online Identity
My preferred term for a fake online identity is a “fakie.”
Many techies however will refer to such accounts as “sockpuppets.”
The leading urban dictionary definition of a sockpuppet is:
A false identity adopted by trolls and other malcontents to support their own postings.
Urban Dictionary: sockpuppet
1: A fake personality, usually a 'friend' or 'sister,' created by a drama queen/king for the sake of defending…
That really doesn’t do justice to the panoply of reasons for which people invest in creating “fakies.” But more about that later.
The basics of setting one up are quite simple. You need.
It’s a lot easier to call out a Facebook account as fake when it has an avatar or a cartoon as its profile picture.
For this reason if you want your fakie to stand any chance of making it past the attention of group moderators and participants, you’re going to want to find a face for your fake identity.
There are legal and illegal ways to do this.
The illegal way involves trawling through social media for somebody’s profile picture — ideally somebody in a distant part of the world who speaks another language and is therefore very unlikely to stumble upon your usage of their image.
Those that are really good at this will modify the image until a simple Google reverse image search can no longer link the stolen and original headshots together.
Note: this is almost certainly illegal because you’re effectively robbing somebody’s identity. Note 2: this is why identity theft monitoring and protection isn’t as paranoid as it might sound if you’re an individual of any notoriety. Effective monitoring for identity theft and impersonation involves proactively running image lookups and taking quick enforcement action.
The modern way of doing this involves hitting up an AI face generator.
ThisPersonDoesNotExist.com uses the GAN (generative adversarial network) to create totally fictitious humans. There’s even an open source Github project with code for training your own generator.
I can’t endorse using this website to create fake faces.
But through recognizing the type of face that the generator puts out — typically set against a distinctive type of background and with blurry edges around the face — I can say that they appear to be in widespread use.
Decide What Type Of Fake You Want To Operate
The next thing to say about fake identities is that they come in a few common flavors. At least on the internet.
- Robbed identities (all real elements): This is basically impersonation. You create online assets that perfectly match — or replicate — those of a real person. A Facebook profile can be replicated extremely quickly. Nefarious actors could copy a user’s identity, details, and photos and even go so far as to attempt to report the legitimate account as an impersonator. Although this is a social engineering exploit, I think it’s fair to say that this is like the identity theft equivalent of a man in the middle attack. You capture the interactions intended for somebody else.
- Synthetic identities (fake and real elements): These blend a mixture of fake and real details to create a new virtual identity. Typically this involves leveraging stolen information to do things like open up bank accounts in a real person’s name. This has limited application in the realm of online accounts. But here’s an example. One could set up an account on a chat forum using a real person’s name but fictitious details (place of residence).
- Fake identities (all fake elements): Using artificial intelligence (AI) users can attach a completely made-up identity to a fake face thereby creating a new persona. The limitation here will be that the fake identity is … not a real person. So unless you want to forge government documentation — taking you well into the realm of criminality — you’re not going to be able to back the fake ID up if challenged. The advantage is that if you’re not going down the actual fraud route a name and a face can get you awfully far.
Create A Credible Backstory
Let’s limit our investigation to the last type of identity here. Because it’s the only one that doesn’t imply — almost certainly — some type of criminality.
Take David above who I just downloaded from ThisPersonDoesNotExist.com.
Coming up with a basic cover story for this alias might involve fixing up on a few important details:
- Where is he from?
- What kind of personality does he have? Is he jocular or serious?
- Where does he live? Where did he live before that? (If you want to set up, say, a fake podcast, this is going to have implications for the accent that the identity needs)
- Where did he go to school?
- Is he single or married?
- What motivates him?
Bear in mind that the more specific you are and the more information you give away the easier it’s going to be for somebody to prove that your fake is … a fake.
One doesn’t need to be a Sherlock Holmes to call up a university and find that David Fakie never actually graduated from Economics with the Honors degree his LinkedIn claims that he did.
Nevertheless if you don’t mind using real details then you should be able to find real credible particulars just by trawling through actual social media profiles. Sift through LinkedIn profiles to find, say, the names of universities. Then integrate those into your online assets.
Make It Believable
The more effort you expend on this part the greater the impression you’re going to create on your average web browser that this person is real.
Simultaneously, the more terms of service (TOS) agreements you’re likely to break. For platforms like Facebook, for instance, this means that the account might be liable for suspension.
But if none of those things were concerns, your fake identity:
- Could set up a website
- Could operate a network of social media accounts
- Could maintain a blog
- Could issue press releases
- Could send letters to news editors
Collectively, these activities are likely to cause your average web browser to think: “no, this person is real.” Of course not everybody’s average. But in many users eyes a few prominent links will cement the notion that somebody is real. This is why creating a few profiles on high DA web properties, for instance, can be so effective.
The main limitation to a fake identity is — again — that the identity is fake. You may only have one face to use. To skirt around this you can share photos — say on Facebook — of images that don’t feature the alias or other people.
If you’re doing this, then you should be careful to scrub the metadata from any photos — or other files — that you’re uploading. Facebook for instance scrubs metadata when it presents images to users. But users cannot know that it doesn’t retain that data on its servers. The safest bet is to scrub any digital fingerprints before uploading anything to the cloud.
View Exif data online, remove Exif online
Pictures taken by digital cameras can contain a lot of information, like data, time and camera used. But last…
You’ll likely want to cover your bases a little here:
- Don’t operate your fake account from your actual IP address. TOR or VPNs are helpful in this respect.
- Create layers of anonymity. Use virtual phone numbers to protect your real phone numbers. If you set up a website for your alias, ensure that you have privacy protection enabled.
There are further techniques I could share here. But I’m trying provide only enough information to make the point that people should be suspicious of who they interact with online — not to encourage you to set up your own fake accounts.
Why People May Operate Fake Online Identities
There are many reasons that people may choose to operate fake online identities.
Some of them are decidedly “black hat” — to grossly understate it — while others learn slightly more toward the white hat side of the fence and others are arguably totally innocuous.
I’m not going to discuss the truly nefarious and criminals because those are patently obvious. And I’m writing this partially to explain the last. I think that anonymity is a double-edged sword that can wreak enormous havoc upon the world. But it is also has a vital place in our world that can realize much good, particularly good in the public interest.
Here are some of the slightly less reprehensible — and possibly illegal — activities. These are not endorsements.
General Identity Masking
One of the most common reasons for operating an alias is to mask one’s real identity. This is the reason, for instance, that some authors writing under pen names set up fake identities (although the process is somewhat less common than just slapping a fake name on the cover of a book).
Another example? If you’re the victim of some kind of abuse — whether emotional or physical — you may wish to join an online support group to get help (along with taking other courses of action, of course). If the group is on Facebook, for instance, you may not wish to divulge your identity for fear that the abuser or his/her friends or family may encounter it.
Aliases are useful for whistleblowers of all varieties. Many media outlets support anonymous drop-boxes for files and communications. But one can widen the means of contacting journalists by provisioning alias accounts on various fora.
Setting up fake identities and front companies is a relatively low cost but effective means of capturing pricing intelligence from competitors. One can create bogus request for proposals (RFPs) to induce competitors to bid on fictitious projects. And create fake job openings to ascertain salary expectations in one’s field. The last can be exploited as a blackmail tactic. This is effectively petty online spying. The constraint here is that if you’re not willing to exposure your voice or face, you’re limited to capturing information exchanged through textual means.
Want your tiny one man startup to look like something a lot bigger? Want your customers to think they’re interacting with the Customer Success manager and not just you on the couch? If you spend enough time on LinkedIn or company staff pages you’re likely to eventually hit upon a team listing that just seems a bit … off. None of the team members have employment histories. Nothing turns up for them in Google. Explanation: perhaps some of the staff members aren’t real. (Note: news websites occasionally employ this tactic to embellish their pool of “reporters”).
How can I avoid being taken in by fake accounts?
Anonymity and aliases serve an essential role. But they can of course be misused to cause harm.
What one can do with a fake online identity is quite staggering.
For instance: it’s possible to publish a book under a fake name without falling foul of Amazon’s terms of service. At least at the time of writing. And the widespread practice of pen names notwithstanding, the publication of a book — although these days quite easy — sends out an indication that the author is a real person.
Vanity URLs to match fictitious identities can be quickly acquired. If one wants to go the full nine yards one can find anonymous hosting services and fund the hosting in cryptocurrency.
One can even set up accounts on hiring marketplaces with a fake identity so long as one pays with another person’s payment method. In such instances, you can successfully shield your real identity from even those working for you. Cool? Potentially useful? Disturbing? Up to how you want to interpret that.
In light of all this, I would suggest the following takeaways for anybody concerned with online security. This essentially involves reverse engineering all of the above.
- Don’t accept friend requests on Facebook from people that you don’t know in real life (or who know those that you do).
- Be suspicious of any profiles that only contain one photograph. Or photos that contain a lot of photos but none of the purported poster. Consider running a reverse image search to see whether the image originated in a stock library.
- Remember that the fact that something is on the internet doesn’t automatically grant it legitimacy. It’s possible to create quite an array of fake profiles and assets online simply with a made up face and name.
Personally I assume that anything and anybody I encounter online is not real until proven otherwise.
Expect the threat posed by fake accounts, fake identities, and fake news to get worse rather than better in the coming years.
Over the coming years, I predict that it’s going to become increasingly easy for fraudsters to create increasingly compelling aliases that even supersede the limitations discussed here (for instance, using AI, multiple permutations of one face can be generated; the “person” can be integrated into video content; a unique voice can be used to synthesize speech.)
Legal frameworks provide some means of protection against these activities but do not offer protection from low level activity.
Ultimately real life centric social engineering — asking to meet somebody in a coffee shop, asking if your friends know this person — is probably the best way to defeat these attempts.
Because on the internet these days, it’s just too easy to pretend to be somebody you’re not.