In the era of "pics or it didn't happen," it's natural to want to share proof online the second something happens. But you might want to think twice before you post a screenshot of your stimulus check.
Facebook, Twitter and reddit are being flooded with questions and complaints about the coronavirus stimulus payments, which the IRS started sending out to some 150 million Americans last week. As posters dissect the CARES Act, compare notes and crowdsource solutions, screenshots are increasingly becoming part of the conversation. People have been sharing images of their bank accounts, transaction histories and Get My Payment messages as evidence to support their claims of either receiving or not receiving their relief money.
And in the process, they could be exposing themselves.
"Your social media profiles are gold mines of information for cybercriminals," says Ed Bishop, chief technology officer at security firm Tessian. "People need to be aware of the risks that come with sharing screenshots of their stimulus checks."
Stimulus Check Deposit Screenshots — and Scams
It may sound alarmist, but basically any piece of information you post online can be used against you. Here's a hypothetical scenario: You wake up to a Wells Fargo notification that your $1,200 has come in. Yay! You excitedly screenshot your home screen and attach it to a funny tweet about how you're going on a shopping spree.
"With the knowledge that individuals have received their stimulus check, hackers could send people emails or SMS messages ... impersonating the IRS and tricking people into clicking a malicious link by asking them to 'confirm they have received their payment,'" Bishop says.
The more details you tell the internet, the more vulnerable you are.
Imagine you're in a Facebook group trying to spread the news that your stimulus check was successfully direct deposited in your Chime account. You include a screenshot of your recent transactions, and while the only part you're trying to share is the line that shows the IRS payment on Wednesday, but viewers can also see you spent $10 at McDonald's on Tuesday and $50 at Walmart on Monday.
Fraudsters can use this peek into your spending habits to craft a believable phishing email. By impersonating those brands, they can lower your defenses — and then harvest your credentials.
You're not immune just because you think you can spot a suspicious email or text from miles away, either. Bad actors can collect crumbs of information you've shared in the past to gain access to your accounts.
"When's the last time you posted your superhero name on one of those silly Facebook posts where you match up the year you were born for your superhero first name and the month of your birthday for your superhero last name?" says Chris Hinkley, the head of the threat resistance unit at Armor. "Did you potentially help someone figure out your password or answer your security questions?"
Say you're complaining on Instagram about how frustrating it is to deal with the IRS. You post a screenshot of the Get My Payment tool after you've entered your personal information. It only displays the last four digits of your checking account number, and you're only showing this info your trusted friends, so you think you're safe.
By now, you probably know how this goes. If friends reshare your photo, they may not have the same privacy settings you do. Hinkley says a random viewer could see the post and start doing recon. With some quick searches and data gathered from previous breaches — of which there were 3,800 last year alone — attackers could possibly reset your bank password.
Now they have access to your money.
It's easy to overshare on social media, and that's especially true now while we're relying on the internet to connect us. But as exciting or helpful as it may be to post a screenshot of your bank account or IRS message, there's a lot at stake. As of April 20, people who have reported coronavirus-related scams to the Federal Trade Commission are out $17.5 million.
Even innocuous details can be weaponized later on, which is why Kaspersky principal security researcher Brian Bartholomew says you should assume anything you share will be online, and exploitable, forever. That includes details about your stimulus check.
"Just because it may seem harmless now doesn’t mean, in the future, this information couldn’t be used along with other bits of data to conduct an attack against a target," Bartholomew says.