Spam Bots and Fake Accounts: Helping Solve the Security Identity Crisis

Despite how it sounds, in today’s age of fake news and fake accounts, websites that collect more identifiable information about their users are better-positioned to protect identities and even solve the widespread problems of spam bot and illegitimate user accounts.
For context, look at the likes of Twitter and Facebook, which are still struggling to keep spam bots out of their platforms. A recent Pew Research report sheds light on this, finding that two-thirds of links to popular sites shared on Twitter come from automated accounts. And these accounts aren’t just malicious bots or fake activists looking to scam or troll users—many play a valuable role in the social media ecosystem by automatically retweeting or publishing news, media or other content.
The problem is that these accounts can be used to alter perceptions, spread “fake news,” and manipulate reviews. These accounts are created, in part, due to the years-old practice of reliance on an email address as the primary way to identify a user. In the battle to better know the customer, the trend is moving to using a phone number as the main identifier.
 Why phone numbers? Unlike email addresses, phone numbers provide a strong connection to their owner. They are much more difficult to fake, en masse, than email (is a hacker going to buy thousands of pay-as-you-go SIMs at $5 a piece?). Phone carriers can provide specific data to determine the legitimacy of a number and will show if, for example, the number is out of the country of origin (is roaming abroad) or has moved to another phone. This is why more businesses are considering phone numbers as a central part of their users’ profiles and some are even starting to use it as the main username.
Let’s look at the reasons why fake accounts are created, the options you can take to better protect users and how you can reduce the number of fake accounts and bots on platforms.

Why Fake Accounts Are Created

There are many reasons why fraudulent accounts are created. Opening an account in someone else’s name is an integral step in stealing their identity. It’s also a great cover hackers can use to “game” the system to abuse free trials and other offers. What’s more, bogus accounts are pervasive in social media or other social apps, allowing bad actors to troll, spread fake news and attack legitimate users.
Creating fake email accounts takes minimal effort and costs cybercriminals next to nothing. Automated software bots can cost-effectively exploit applications that verify email accounts, thereby creating an unlimited number of phony profiles. It’s low-hanging fruit. Digital leaders including Google, Facebook, Microsoft and Twitter have shifted to asking for emails and phone numbers at signup, and many mobile-only solutions are now using phone numbers exclusively. This allows them to verify phone number ownership during account creation and even send recovery codes via text for people who have forgotten passwords or lost devices used to authenticate.

Verify Real Users and Reduce Harmful Spam and Fraud

Businesses have long relied on email addresses to prove ownership of newly created accounts. But in today’s changing cybersecurity climate, assuring new user signups are real human beings is becoming critical—and challenging.
The U.S. federal government is even involved, investigating companies that purposefully created hundreds of thousands of fraudulent accounts that were “sold”  to eager social media personalities keen for followers. Earlier this year, Twitter faced scrutiny over the proliferation of fake accounts, which led to the sudden disappearance of more than a million followers from prominent Twitter users. More recently, data firm Cambridge Analytica and Facebook have become embroiled in an ongoing data privacy scandal. How can we strike a balance between maintaining privacy and getting the information needed to protect against identity theft?
Part of the solution is educating users. The anonymity of an email is desired by those who don’t trust big technology companies, and many consumers are resistant to giving away their phone number either way. But at the same time, these same users demand that their accounts are secured and their data is kept private. By identifying users with their phone number, applications have greater assurance that their user base is legitimate. It’s up to businesses to improve their data protection strategy by securing the storage and use of customer’s private data and then communicate the benefit of using that data to secure accounts to their users.

Phone Verification is Preferred

Thanks to bots, fake accounts, data leaks and scandals, millions of people are exploited and manipulated on the internet, and phone number verification is one step to prevent this. By verifying that a phone number is not only valid but can be accessed by the user, businesses everywhere can rely on it for an extra layer of security.
A phone number is convenient, familiar and immediate, and is the perfect medium for consumers to communicate with businesses they trust. Add in the fact that phone verification is the ultimate way to verify a user’s identity, and this is a sure-fire way to decrease the potential for fake accounts and spam bots.

Simon Thorpe

Simon Thorpe

Simon Thorpe works in the product group at Twilio working on Authy, Verify and Lookup. He has over 19 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Twilio he works closely with the whole team to deliver a world class solution for developers to build security into their applications.

simon-thorpe has 1 posts and counting.See all posts by simon-thorpe