Trust & Safety Resources > Community Library > Harmful Actors > Impersonation

Impersonation

Created

Updated

Definition

Online impersonation most often involves the creation of an account profile that uses someone else’s name, image, likeness or other characteristics without that person’s permission to create a false or misleading impression that the account is controlled by them.

Related Terms

Fake Account, Parody Account, Misrepresentation.

Background

Impersonation occurs when an account is created or modified to intentionally mimic a real individual, organisation, or another existing online persona without their authorisation. This is achieved by using their name, profile picture, biographical details, or other identifiable characteristics to deceive others into believing the account is genuinely controlled by the person or entity being impersonated.

Impersonation often occurs as a result of Phishing, and can be used to sell Counterfeit products, or to publish Disinformation and MisinformationCopyright issues may also come into play if the account is infringing on a third party copyright.

Volunteer moderators often become aware of impersonation through reports from the individual being impersonated, their associates, or community members who notice suspicious similarities or out-of-character behaviour from the impersonating account. Verifying an impersonation claim, especially of individuals not well-known to the moderation team, requires careful handling.

Some jurisdictions have made it illegal (e.g. CaliforniaRhode IslandOklahomaTexasWashingtonLouisianaMississippi and Wyoming) to impersonate an actual person, usually if it’s for deceptive purposes, with punishments including fines and imprisonment. A US Federal rule prohibits impersonating a business, government agency, or person. In the UK, it is illegal to impersonate a police officer or a solicitorDenmark has strict impersonation law. Many other countries refer to existing laws against fraud.

Why We Care

Impersonation can be used to deceive, defraud, harass, or defame individuals and communities. It undermines trust, can cause significant distress and reputational damage to the person being impersonated, and can mislead community members who interact with the fake account believing it to be genuine.

Preventing and addressing impersonation helps protect individuals from harm and ensures that interactions within the community are based on authentic identities (or clearly acknowledged pseudonyms/parodies), maintaining a trustworthy environment.

Spotting Impersonation: What to Look For

Identification of impersonation usually relies on a report from the person being impersonated or from someone familiar with their genuine online presence, combined with an examination of the suspected account. Service Administrators with signups requiring approval may wish to add a side-channel verification method for notable accounts, or refer to domain-based verification methods if available on your platform.

Account Traits: The suspected account will closely mirror the name, profile picture, bio, or other identifiers of a known individual or another account. For prominent individuals, the impersonation might be obvious. For less public figures or other community members, it might be more subtle. The account might be newly created specifically for the impersonation.

Content Characteristics: Posts from the impersonating account might try to mimic the style and typical content of the person being impersonated. Alternatively, they might post content that is out-of-character, offensive, or misleading, designed to cause harm to the impersonatee’s reputation or to deceive their contacts. They might send direct messages attempting to solicit information or action as if they were the genuine person.

Posting Patterns: The impersonating account might target followers or associates of the person being impersonated. They might re-post old content from the genuine account to appear legitimate or suddenly become active on topics the genuine person is known for.

Behaviour: The account actively maintains the false persona. If reported by the impersonatee, the key evidence is the impersonatee’s attestation that the account is not theirs and is using their identity without permission.

Key Questions for Assessment (Often initiated by a report):

  • “Has an individual or organisation reported that this account is impersonating them without permission?”
  • “Does the suspected account use the name, image, and/or other specific identifying details of another person or entity in a way that suggests it is that person/entity?”
  • “Is the account clearly labelled as a parody, fan account, or commentary account? (If not, impersonation is more likely).”
  • “Is there evidence that the impersonating account is causing confusion, spreading misinformation, or harming the reputation of the person being impersonated?”

Before You Act: Common Pitfalls & Nuances

It’s important to act on clear impersonation while distinguishing it from legitimate uses of similar names or parody.

Common Names: Multiple users might genuinely share common names. Impersonation involves more than just a shared name; it typically includes other identifiers like images or specific biographical claims.

Parody/Fan/Commentary Accounts: Accounts that are clearly and conspicuously labelled as parody, fan-made, or commentary (and do not attempt to deceive others into believing they are the actual person) are generally not considered malicious impersonation under many policies, provided they adhere to platform rules on satire. The key is transparency.

Criticism Accounts: Accounts set up to criticise an individual are not impersonation if they do not claim to be that individual.

Common Gotchas:

  • Acting too slowly, allowing the impersonator to cause more harm.
  • Taking action without sufficient evidence or a credible report, especially if it involves common names.
  • Not having a clear policy on how parody or fan accounts should be labelled to avoid confusion.
  • Failing to verify the identity of the reporter claiming to be the impersonated party, especially if they are not already known or verified in the community.

Key Point: Impersonation is about the deceptive use of someone else’s identity without authorisation, creating a false impression of authenticity. The lack of consent from the person whose identity is being used is crucial.

Managing Suspected Impersonation: Key Steps

When impersonation is reported or strongly suspected:

  • Verify the Reporter (if applicable): If the report comes from someone claiming to be the person impersonated, try to verify their identity through reliable means, especially if they are contacting you from an account other than their usual one. This could involve asking for confirmation through an established, known account or other methods your Service Administrator deems appropriate. Request an email from the entity’s known domain (person@officaldomain.example) or if your platform supports it, offer assistance in using rel=”me” or domain based verification.
  • Compare Profiles: Examine the suspected impersonating account and, if possible, the genuine account of the person allegedly being impersonated. Note similarities and misleading information.
  • Check for Parody Disclaimers: Look for any clear and conspicuous disclaimers stating the account is a parody, fan, or commentary account. The absence of such a disclaimer in an account closely mimicking another is a strong indicator of impersonation.
  • Assess Intent and Harm: Is the impersonation likely to deceive? Is it causing harm, confusion, or being used for malicious purposes?
  • Discuss with Team (if applicable): Share findings with fellow moderators or your Service Administrator, particularly if verification is complex.
  • Apply Community Guidance: If impersonation is confirmed, the impersonating account should typically be suspended or banned. Content posted by the impersonator may be removed, especially if it’s harmful or misleading. Service Administrators might offer the genuine person the option to take over the username if it was deceptively registered.
  • Inform the Impersonated Party: Let the person who was impersonated know what action has been taken.

Example Community Guidance

Strike System: “Creating an account that could be mistaken for another user without clear parody labelling might receive a warning and a request to clarify. Deliberate, deceptive impersonation will lead to stricter actions.”

General Prohibition: “Impersonating other individuals, organisations, or accounts in a misleading or deceptive manner is prohibited. Accounts must not use names, images, or other personal information in a way that creates a false impression of affiliation or identity without authorisation.”

Strict Enforcement: “Deliberate and malicious impersonation will result in a permanent ban of the impersonating account. Parody, fan, or commentary accounts must be clearly and conspicuously marked as such in both the profile name and bio to avoid confusion.”

Further Reading

How do I verify my account on Mastodon and the Fediverse? (Fedi.Tips)

IFTAS
IFTAS
@about.iftas.org@about.iftas.org

Nonprofit trust and safety support for volunteer social web content moderators

43 posts
248 followers

IFTAS is a non-profit organisation committed to advocating for independent, sovereign technology, empowering and supporting the people who keep decentralised social platforms safe, fair, and inclusive..

Connect

Latest Blog Posts

see all blog posts

Library Updates

browse the library