Sarah K. Noonan: The fake Facebook friend' that duped hundreds

By Bridget Carey

McClatchy Newspapers

(MCT)

Meet Sarah K. Noonan: She's attractive. She's 27. She lives in Miami and is in a complicated relationship. She's a Democrat with more than 480 friends on Facebook.

And she doesn't exist.

Sarah K. Noonan was a fake account on Facebook that duped 48 friends in my network who added her as a friend. Dozens of her "friends" have told me they added her because they assumed they met the smokey-eyed, dark-haired girl from somewhere before. And they trusted her because they had friends in common with the phony account.

Her profile was created in February as a marketing experiment by the Canadian advertising agency RPCGROUP, and had been friending an average of 20 people a day for the past few weeks. It was removed from Facebook around 2 p.m. Monday after I interviewed the agency's chief executive, Rod Ponce, about the account.

Ponce said a group of RPCGROUP interns created the Noonan account to explore what makes a trendsetter and how users react to different types of posts. He stressed it was not used in a commercial way to promote anything and has apologized for any confusion this may have caused.

"We don't want to offend anybody," Ponce said. "It's really to see how people socialized."

In fact, it was so easy for Noonan to get friends, Ponce said it freaked out one of his interns who unfriended anyone he didn't know on his profile. Between 30 to 40 percent of the people Noonan friended accepted the request.

"You accept people and sometimes you don't really know why you're accepting people," Ponce said.

Ponce hopes this helps shed light on the value of paying for advertising on Facebook.

"At the end of the day, is it really an effective tool for our clients or is it just a lot of smoke and mirrors?" Ponce said. "It's about opening up a major can of worms with Facebook and saying, 'How many of your people are real?' Is it really fair to those that pay for cost-per-impression?"

Ponce sent me this via e-mail Monday afternoon after we chatted over the phone:

"Since our conversation we have disabled Sarah K. Noonan's profile and apologize for any confusion this may have caused.

"Our Asset Project was in no way malicious in intent, but rather it took shape in the spirit of learning about the nature behind building social networks and in particular evaluating the effectiveness of Facebook as a tool for clients to commercialize their products/services. Our experiment was initiated at the beginning of the year and stemmed from the lack of a standard ROI formula for our clients.

"There are way too many people who claim to be experts in the social media camp. We don't claim to be experts, but rather built our research through old fashioned collection of empirical data. Since its inception we have not commercialized, nor have gained any revenues through this project. We have been accumulating data in regards to evaluating interactions through engagement statements, the role of common interests in building social networks and how easily people create relationships through Facebook."

RPCGROUP's experiment may have been intended as innocent marketing research, but more than 480 people just gave a false account access to their information by adding her as a friend.

It rattled a few of my friends to know they had added a phony account. I contacted everyone listed as a mutual friend between Noonan and me, and every person who responded said they didn't know who she was.

Moments like this reveal that we can be too trusting of a simple profile with a pretty face. Luckily for these people, Noonan wasn't a cyber criminal.

Using a fake name or operation under a false identity is a violation of Facebook's policy. The site also has systems in place to flag or block potential fake accounts, according to Facebook spokesman Simon Axten.

"Users who send lots of messages to non-friends, for example, or whose friend requests are rejected at a high rate, are marked as suspect," Axten wrote in an e-mail. "We've built extensive greylists that prevent users from signing up with names commonly associated with fake accounts. There's always room for improvement, which is why we have teams of security experts and engineers working on these systems and developing new ones."

But Facebook didn't catch "Noonan" - and neither did more than 480 people.

When you consider how "she" operated, it's easy to see why.

"Noonan" sent a friend request to practically everyone in The Miami Herald's Business section Facebook page with the message: "Hi, I came across your profile in The Miami Herald Business section page. I am currently expanding my network base and wanted to reach out and say hi."

Sweet girl sending out a sweet message. What fake account would do that? But the account didn't respond to follow-up messages my co-workers or I sent. Red flag No. 1.

A closer look at her profile raised more eyebrows. Noonan never made a status update or shared a link from the Facebook website. She posted via a paid application used by marketers called Sendible, but a Facebook application was created to disguise the Sendible feature, calling itself "Mobile Phone." So all her time stamps ended with "via Mobile Phone." You wouldn't know something was weird unless you clicked on those words. Sendible's CEO, Gavin Hammar, told me the paid service used by Noonan was tied to RPCGROUP.

The third red flag: Not one post on "Sarah's" wall was from a friend, nor did the account ever interact with friends. The posts were meaningless - such as a music clip from YouTube, a link to a story from another publication or innocuous thought. ("Long day ... calling it a night.")

David Clarke, CEO of interactive marketing agency BGT Partners in Aventura, saw Noonan's account and said he's seen more marketers use Facebook accounts to promote material.

"In many instances it is better and easier to get friends than fans - there is very little difference," Clarke said. "It is just too easy to scam Facebook and create a fake person - especially when you use a young, cute girl as your profile picture."

Cyber criminals and spammers typically won't waste their time putting that much effort into a profile. Kevin Haley, director at Symantec Security Response, said the bad guys usually "hit and run" on Facebook by breaking into a real account, spreading malicious links and spam until they get caught. It's not profitable to waste time building a fake account and adding friends.

Haley wrote about The Ghosts of Facebook last week when a fake account posing as a Jacksonville University student got 562 friends without even trying to look as real as Noonan did.

Dave Marcus, director of security research at McAfee, said McAfee partners with Facebook's security team. He's found that as long as there's some friend in common, people will trust and accept a friendship.

"It's amazing how many people 'friend' something," Marcus said. "It's that transient trust thing."

As in the "real" world, it's wise to check someone out before you add them as a friend. Do a quick Google search on their name. Or send a nice message asking how they know you or where you met.

It's your profile - protect it. Facebook can block outsiders from seeing your stuff, but it can't stop the people you let in.

Upcoming Events