Facebook is one of the central social media hubs around which our online lives revolve. There are more than 2.41 billion active monthly users of the site (as of October 2019). Of those billions, we typically interact with a few hundred of our closest friends and family members on a daily basis. Unfortunately, there’s also a lot of weirdness out there, and nearly everyone has been messaged by a stranger, scam artist, or possible stalker in their Facebook cruising time. It’s only natural that when we’re contacted by a stranger we immediately click on their name for more information to determine if they’re trustworthy – whether that means reading their posts, viewing their profile info, or checking out their pictures, looking at this information helps us decide what level of red flag should be triggered by a message or comment from someone we don’t know.
Because of the way Facebook sets up its privacy protection, there are limits on what you can see in someone’s profile if you aren’t mutual Facebook friends. The program has adapted a four-tier system where users can set their preferred profile privacy level:
- If you are friends with someone, you can generally see everything they have online, with the exception of posts that they have specifically chosen to exclude you from seeing.
- If you aren’t friends with someone but their profile is public, you can see most of what they have online.
- If you aren’t friends with someone and their profile is private, you won’t be able to see anything other than their existence on Facebook and their main profile photo.
- Finally, if you have a person blocked completely, they won’t be able to see anything at all (even that you exist) regardless of their other privacy settings.
There are a lot of reasons for wanting access to a profile that you aren’t currently allowed to view. Maybe you want to see what became of your old crush from college, or you’re curious about whatever happened to the high school bully. Maybe you want to check out a coworker and see what kind of things they’re into in their free time. There are, of course, legal considerations towards invading a person’s privacy too deeply, but we recognize that there may be some completely non-nefarious reasons for wanting to peek behind the privacy curtain. If your person of interest has their profile locked down and set to a private status, you won’t be able to see much, if anything. If they have specifically blocked you, regardless of their privacy settings, you won’t see them on Facebook at all.
So if the person you’re interested in does have a private profile, what can you do? Well, there used to be technological weaknesses in the Facebook site that would allow you to get at least some of the information you’re interested in despite the privacy settings. Previously, you could actually manipulate a Facebook profile URL with the person’s name to see some of their timeline and images, though this exploit has long been fixed. Other similar exploits and cracks in Facebook’s armor, like the ability to use a Facebook graph URL to access private Facebook images or the option to use third-party tools to circumvent Facebook’s own privacy locks, have all been patched and sealed.
Facebook has come under incredible amounts of fire in recent years for their privacy missteps and as a result they’re generally on top of it when it comes to letting even the most kind-hearted individuals spy on each other. Previously, they let third parties gain access to content they weren’t supposed to view, among other egregious faults. With the company in full damage-control mode on issues of privacy, it’s unlikely that they’re going to let any new kinds of software glitches grant access to stuff that people don’t want others to see. As a result, there are no technological work arounds to gaining access to a private profile. This also means that sites and tools claiming to get you secret access to Facebook profile information are likely to break, if they aren’t already broken, and might be a scam on their own.
So is it hopeless?
Actually, no. Where software engineering has succeeded in raising privacy walls, social engineering can succeed in getting past them. There are a few different approaches that you can take and in this article, I will show you how to work each one of them.
The “Brute Force” Method
The simplest and quickest way to gain access to someone’s profile information is probably to pay a data broker for it. This can be a private eye, an online investigative service, or an outright hacker utilizing data bought on the Dark Web. Not every single profile is available from this route, but many are. The downside? There are several. One is that you’re working with someone who may be breaking the law, and depending on where you’re located, you may be breaking the law as well. If you’re trying to gain access to a Facebook profile as evidence in a legal matter, this method is not recommended. Another downside is that nobody does that kind of work for fun; you’re going to pay for the information you want, and you’re going to get a snapshot, not an ongoing access to the person’s feed. Finally, even if you pay, you aren’t guaranteed to get the kind of results you want – the subject of your interest may not have a profile that anyone has archived, or what’s there may be long out of date.
The Charm Offensive
If the person you are interested in doesn’t know you, or does know you but doesn’t dislike you, then the easiest way to get access to their profile information is the obvious way: become their friend. This can be as simple as sending a friend request and hoping for the best, but if you suspect that won’t work (either because they don’t know you or because they just don’t consider you a friend), what can you do?
Getting to know someone on Facebook can be very complex and difficult, or it can be very simple. However, there are some techniques you can use to slide into someone’s Facebook life subtly (or not so subtly).
The first step is to identify Facebook groups that this particular person is a member of, as well as people that are close friends with the subject person. This method is only helpful, of course, if you know a little bit about this person. If it’s just a random name that appeared in your inbox, then this isn’t worth a shot. By close friends, I don’t necessarily mean that the two people are super significant in one another’s lives, but rather, that they interact time on Facebook together frequently. For example, if your subject person “likes” every picture that a second person posts to their feed, then that second person is a close friend for our purposes.
You want to get involved with the subject person’s groups and close friends, because that way you can find yourself in legitimate interactions with the subject person. It is in those interactions that you can familiarize the subject person with your online persona, present yourself as a good and worthy Facebook friend, and eventually wind up on their Friends list. Here are some dos and don’ts.
- “Like”, “Ha-Ha” or “Love” their posts/pictures/comments, as appropriate.
- Make meaningful responses to their comments.
- Respond to other people in the group, or other comments and posts by the third party person, so as to present the image of someone who just happens to be there.
- Post friendly responses and engage with their friends.
- Post about your own issues and ideas regardless of the subject person’s interests.
- Start reacting to or commenting on everything they say or do. Let a good 2/3 or 3/4 of it go by without comment.
- Go back into the past and like old stuff – that makes you look like a deliberate stalker.
- Comment constantly so that they feel like you’re suddenly an interloper on their feed.
- Spam their friends list trying to friend everyone.
- Get into conflicts with the subject person.
With care and patience, you can turn yourself from a stranger into a new friend of the subject person – and they’ll be the one to send YOU the friend request.
The Long Game
If you can’t hire a broker and you’ve been blocked deliberately so a charm offensive isn’t going to work, what’s left? Trickery and deception, of course.
Security experts are unanimous: the weakest link in any security system is the human element. It’s true with theft-prevention systems, it’s true with password cracking, and it’s true with Facebook profile security. The manipulation of this human element is the basis for the technique known as social engineering. A 2011 research paper by social scientists at the University of British Columbia reported an experiment in sending friend requests to complete strangers. As one might expect, sending a friend request to someone with whom the sender had no mutual friends had only a 20% success rate. However, if the friend request came from someone with mutual friends to the recipient – even just one – the odds of a friend request jumped dramatically. Requests with one friend had an almost 50% success rate, and each additional friend increased the odds of success. At 11 mutual friends, the chance of success was about 80%. We have a tendency to assume that anyone with whom we have mutual friends must be in our social network somehow – we’re just misplacing them mentally. And so we hit “Accept”.
This research shows us the way to help you get access to someone’s profile. We should note at this point that this is not an honest, forthright, or virtuous approach to connecting to someone on Facebook. If a person isn’t willing to accept your direct friend request, then it is probably unethical for you to use deceptive means to trick them into accepting a friend request from a “different” person. That said, if you are a sociology student, or otherwise legally interested in the boundaries of social engineering, the tips here might help you write a very successful thesis paper.
The basic idea is simple: you want your fake or cover profile to have multiple mutual friends with your target person. Here’s how you do it.
How to Become a Fake Friend
For this to work, you have to have two things. One, you need at least some basic information about your target – their name, or where they went to school, or where they live, or where they work – something. Just “John Smith” isn’t going to cut it, and not just because there are probably 8 million John Smiths on Facebook. Two, you need to know who at least some of their Facebook friends are. Ideally, if the target’s Facebook profile isn’t completely locked, their friends list is public. If it isn’t public, then you’ll have to back into the friends list through other means – finding out their relatives, coworkers, and real-life friends and looking for those Facebook profiles, and so forth. Yes, that’s going to require some real-life searching.
You may need to utilize LinkedIn and Google to find additional information on the person. Privacy is tough to manage, and unless they are seriously paranoid about their online privacy, you should be able to find out who at least some of their friends are.
The next step is to create a fake profile for a person who actually does exist and who is, however tangentially, within your target’s social circle. Ideally, this person shouldn’t have a Facebook profile at all, but if they have one that isn’t frequently or heavily used, you might be able to get away with creating a parallel account. For example, let’s say that our target is named John Smith, and we know that John was a computer science major at Hypothetical University in 2016. Using John’s college roommate or ex-girlfriend would be a bad choice for this fake profile; John knows those people too well, and the odds are very high that he is already friends with that person (or hates them, in the case of the ex). However, visiting the Hypothetical University website, we find out that one of the adjunct professors in the computer science department, Melissa Jones, doesn’t have much of an online persona. It’s likely that John would recognize Melissa’s name in the context of Hypothetical University. So, we create a Facebook profile for Professor Jones, complete with her photo from the HU faculty website.
So now we send John a friend request? No. We could, and it MIGHT work, but right now Melissa’s fake profile is brand new and has no friends. If John is even a little bit suspicious, he’s going to shoot down the friend request automatically. So we build up that profile. We add some images of the school, the city it’s in, and some photos of old computer parts to complete the look of the profile. We make some posts about our current research, and so on.
Now, we start sending out friend requests to everyone from Hypothetical University we can find. This part is especially easy if Hypo-U has their own Facebook Groups, because the names will just pour in. We send out literally hundreds of requests. We’re not specifically after John’s friends at this point, but there will likely be some overlap. We send out requests to other IT specialists, industry leaders, and the kinds of people a computer science teacher would be friends with on Facebook.
There is a risk here. The person whose life you are essentially imitating could be in contact with people you friend offline. All it takes is someone asking Professor Jones during their weekly squash match why she started Facebooking after years of hating it, and the jig is up. Oops. As true crime fans will know, computer forensics are real, and you will be immediately caught. We recommend protecting your own personal information as much as possible by using a VPN to mask your IP address.
Finding Mr. Smith
A lot of our initial requests will be ignored or blocked, but many people just semi-automatically approve any friend requests; who doesn’t want more friends? Once we have a few dozen friends in our orbit, we go through THEIR friends lists and send out requests to THOSE people. Remember, now we’re a friend-of-a-friend, so our odds of success should be about 50-50 for each request. Once more, we avoid sending a request to the actual target. Patience! At the same time, we continue to create more false posts and fill out the persona to make it a little more believable.
Now, if we have access to John’s friends list directly, we want to send friend requests to that whole list. We might want to avoid, at this point, other people from recent Hypothetical University history, as they are the most likely to walk into Melissa Jones’ office and offhandedly mention her posts. Also, those most likely to be in direct contact with John could tell him that someone is pretending to be Melissa online once the game has been exposed. Hopefully after this third round of friend requests, we should have at least several mutual friends with the target. It’s a good idea to make positive and appropriate small contributions on the posts of our mutual friends with John – that way he sees “Melissa” posting in his feed. He may even strike up a conversation.
Closing the trap
Finally, it is time to go for the actual goal of all this work. We have a good collection of friends, some of which are mutual connections on Facebook with the target. With a hundred or more friends on the account, enough timeline entries to satisfy a superficial look at our own fake profile, and some posts that are consistent with what our fake profile “should” be posting given her career and standing, we send a friend request to the target and cross our fingers. If we’ve done things right, the odds are very good that your version of John Smith will accept the request, and just like that (after weeks of endless work) we’re in.
Now that we are friends, do we want to continue the deception and have permanent access to John’s profile, at least until someone finds out our chicanery and shuts down our account? Or do we record the information we wanted, delete the account, and head for the hills? That’s up to you. Be aware that the longer you keep the fake account going, the more likely it is that someone is going to become suspicious and alert the real Professor Jones that there are shenanigans afoot.
A Very Serious Note!
To be very clear: neither myself nor TechJunkie suggest using social engineering to manipulate and trick someone into adding you and approving your friend request on Facebook, Instagram, or any other social network online. This is not just dangerous and time-consuming, but also possibly illegal, depending on where you reside and what laws protect your internet and identity use in your area. Even so, using the guide above essentially counts as “catfishing,” which brings up its fair share of legal and ethical quandaries anytime it’s mentioned.
Pretending to be someone you’re not, even if you don’t break a law, can cause irreparable harm to the feelings, emotions, and mental health of your target, and you should keep the social risk in mind when participating in an act like this. Whatever your motivation, it’s best to just “get in and get out,” as the saying goes, deleting the account when you’ve found the piece of information you need. The longer you keep up a false account, the more likely someone will realize you aren’t really who you say you are.
(Want to defend yourself against these techniques? Check out our articles on how to check if someone is using your Facebook account and how to tell if someone is stalking your Facebook page.)
We’ve got more tips and tricks for getting the most out of your Facebook experience.
Trying to get info about a picture? Here’s how to reverse-search an image on Facebook.
Want to be stealthy on Facebook? We’ve got a guide to logging onto Facebook without alerting your friends.
Need to put something on blast? Here’s how to send a message to all your Facebook friends.
Concerned about your privacy? Here’s how to remove location information from a Facebook post.
Want to make a chance? You can change your email account associated with your Facebook account.