Why You Need to Stop Commenting on Viral Facebook Memes
Those quizzes may seem like innocent fun, but giving away personal information leaves you vulnerable to hackers.
Which Dr. Seuss character are you? What’s your Bond girl name? If you’re on Facebook, you might have seen friends and family commenting on viral posts like these, volunteering personal information like their maternal grandmother’s surname, the name of their first pet, or the street they grew up on.
It’s all fun and games until you realize that those are answers to common password retrieval security questions—and if you post the answers in a public Facebook comment, you’ve just rolled out the red carpet for hackers to steal your identity.
“There are so many different ways criminals can use your personal information,” says Jeff Horncastle, call centre supervisor at the Canadian Anti-Fraud Centre (CAFC). “If your date of birth is public on Facebook, with certain financial institutions it’s all someone needs to set up an account in your name.”
Some of these quizzes will redirect you to an external website where you’re asked for permission to access your Facebook account (and your email address). After you’ve entered your responses, it spits out which breakfast cereal or Golden Girls character most resembles your personality, while saving the personal information you’ve innocently shared. Often, those details aren’t used to hack you individually (although they may well be), but are compiled into a huge database that powers “brute force” attacks, in which software guesses thousands of possible security question answers per second in order to obtain or reset the password to your account.
If you’re embarrassed to admit you’ve taken the bait on one of these Facebook memes—even though you’re normally prudent with your personal information—you’re not alone. With many of us spending more time on social media than ever before, we’re easily lulled into a sense of security on a familiar website we visit daily to share with family and friends. Unfortunately, hackers are finding it all too easy to take advantage—the CAFC reports that cyber scams of all types increased 38 per cent from 2019 to 2020, with losses amounting to $230 million in 2021.
“We estimate that only five per cent of victims ever report a fraud, so it’s safe to assume the actual losses are much greater,” says Horncastle. Without direct evidence of a crime, it’s difficult to prove that any individual Facebook meme is more than just nostalgic fun, but you can never be too careful online. Aside from not commenting on any more Facebook memes or quizzes at all, Horncastle advises changing your Facebook settings so that all of your posts and comments are limited to Friends Only. The “Limit Past Posts” setting under the Privacy tab can also hide anything you’ve previously posted from public view.
Some experts say account security questions themselves aren’t secure at all. A study commissioned by Google found that 16 per cent of security questions had answers listed publicly in social media profiles or public records. Giving generic fake answers when responding to password retrieval questions—for example “I don’t know” or “Don’t have one”—makes it even easier for hackers to break in. The study found an attacker could successfully guess 4.2 per cent of English speakers’ answers to the question “Frequent flyer number?” in just one try.
To better protect yourself, the CAFC advises enabling two-factor authentication, in which you enter, for example, a unique six-digit code texted to your phone, adding another layer of security on top of your password (you should also have a unique password for every online account). Most importantly, keep your guard up whenever you’re online. “Don’t share personal information, especially anything that could be an answer to a security question, with anyone—period,” says Horncastle.