« Growing Google term: how to delete FB account? | Main | Facebook protests growing »

Sarah K. Noonan: The fake Facebook 'friend' that duped hundreds

Noonan_pic Meet Sarah K. Noonan: She's attractive. She's 27. She lives in Miami and is in a complicated relationship. She's a Democrat with more than 480 friends on Facebook.

And she doesn't exist.

Sarah K. Noonan was a fake account on Facebook that duped 48 friends in my network who added her as a friend. Dozens of her "friends" have told me they added her because they assumed they met the smokey-eyed, dark-haired girl from somewhere before. And they trusted her because they had friends in common with the phony account.

Her profile was created in February as a marketing experiment by the Canadian advertising agency RPCGROUP, and had been friending an average of 20 people a day for the past few weeks. It was removed
from Facebook around 2 p.m. Monday after I interviewed the agency's chief executive, Rod Ponce, about the account.

Ponce said a group of RPCGROUP interns created the Noonan account to explore what makes a trendsetter and how users react to different types of posts. He stressed it was not used in a commercial
way to promote anything and has apologized for any confusion this may have caused.

"We don't want to offend anybody," Ponce said. "It's really to see how people socialized."

In fact, it was so easy for Noonan to get friends, Ponce said it freaked out one of his interns who unfriended anyone he didn't know on his profile. Between 30 to 40 percent of the people Noonan friended accepted the request.

"You accept people and sometimes you don't really know why you're accepting people,'' Ponce said.

Ponce hopes this helps shed light on the value of paying for advertising on Facebook.

"At the end of the day, is it really an effective tool for our clients or is it just a lot of smoke and mirrors?'' Ponce said. "It's about opening up a major can of worms with Facebook and saying, 'How many of
your people are real?' Is it really fair to those that pay for cost-per-impression?''

Ponce sent me this via e-mail Monday afternoon after we chatted over the phone:

Since our conversation we have disabled Sarah K. Noonan's profile and apologize for any confusion this may have caused.

Our Asset Project was in no way malicious in intent, but rather it took shape in the spirit of learning about the nature behind building social networks and in particular evaluating the effectiveness of Facebook as a tool for clients to commercialize their products/services.  Our experiment was initiated at the beginning of the year and stemmed from the lack of a standard ROI formula for our clients. 

There are way too many people who claim to be experts in the social media camp. We don't claim to be experts, but rather built our research through old fashioned collection of empirical data.  Since its inception we have not commercialized, nor have gained any revenues through this project.  We have been accumulating data in regards to evaluating interactions through engagement statements, the role of common interests in building social networks and how easily people create relationships through Facebook.

RPCGROUP's experiment may have been intended as innocent marketing research, but more than 480 people just gave a false account access to their information by adding her as a friend.

It rattled a few of my friends to know they had added a phony account. I contacted everyone listed as a mutual friend between Noonan and me, and every person who responded said they didn't know who she was.

Moments like this reveal that we can be too trusting of a simple profile with a pretty face. Luckily for these people, Noonan wasn't a cyber criminal.

Using a fake name or operation under a false identity is a violation of Facebook's policy. The site also has systems in place to flag or block potential fake accounts, according to Facebook spokesman Simon Axten.

"Users who send lots of messages to non-friends, for example, or whose friend requests are rejected at a high rate, are marked as suspect,'' Axten wrote in an e-mail. "We've built extensive greylists that prevent users from signing up with names commonly associated with fake accounts. There's always room for improvement, which is why we have teams of security experts and engineers working on these systems and developing new ones.''

But Facebook didn't catch ``Noonan'' -- and neither did more than 480 people.

When you consider how "she'' operated, it's easy to see why.

"Noonan'' sent a friend request to practically everyone in The Miami Herald's Business section Facebook page with the message: "Hi, I came across your profile in The Miami Herald Business section page. I am currently expanding my network base and wanted to reach out and say hi.''

Sweet girl sending out a sweet message. What fake account would do that? But the account didn't respond to follow-up messages my co-workers or I sent. Red flag No. 1.

A closer look at her profile raised more eyebrows. Noonan never made a status update or shared a link from the Facebook website. She posted via a paid application used by marketers called Sendible, but a Facebook application was created to disguise the Sendible feature, calling itself ``Mobile Phone.'' So all her time stamps ended with "via Mobile Phone.'' You wouldn't know something was weird unless you clicked on those words. Sendible's CEO, Gavin Hammar, told me the paid service used by Noonan was tied to RPCGROUP.

The third red flag: Not one post on "Sarah's'' wall was from a friend, nor did the account ever interact with friends. The posts were meaningless -- such as a music clip from YouTube, a link to a story from another publication or innocuous thought. ("Long day ... calling it a night.'')

Noonan_large David Clarke, CEO of interactive marketing agency BGT Partners in Aventura, saw Noonan's account and said he's seen more marketers use Facebook accounts to promote material.

"In many instances it is better and easier to get friends than fans -- there is very little difference,'' Clarke said. "It is just too easy to scam Facebook and create a fake person -- especially when you use a young, cute girl as your profile picture.''

Cyber criminals and spammers typically won't waste their time putting that much effort into a profile. Kevin Haley, director at Symantec Security Response, said the bad guys usually "hit and run'' on Facebook by breaking into a real account, spreading malicious links and spam until they get caught. It's not profitable to waste time building a fake account and adding friends.

Haley wrote about The Ghosts of Facebook last week when a fake account posing as a Jacksonville University student got 562 friends without even trying to look as real as Noonan did.

Dave Marcus, director of security research at McAfee, said McAfee partners with Facebook's security team. He's found that as long as there's some friend in common, people will trust and accept a friendship.

"It's amazing how many people 'friend' something,'' Marcus said. ``It's that transient trust thing.''

As in the "real'' world, it's wise to check someone out before you add them as a friend. Do a quick Google search on their name. Or send a nice message asking how they know you or where you met.

It's your profile -- protect it. Facebook can block outsiders from seeing your stuff, but it can't stop the people you let in.



TrackBack URL for this entry:

Listed below are links to weblogs that reference Sarah K. Noonan: The fake Facebook 'friend' that duped hundreds:


Feed You can follow this conversation by subscribing to the comment feed for this post.

Wonderful reporting, Bridget. Thanks for the education.

Good catch, Ms. Carey! Needless to say, the enigma known as Sarah K. Noonan is quite unsettling.

Firms like RPCGROUP should be ashamed of themselves for using covert tactics to intrusively enter our lives.

I would think that since RPCGROUP admitted to the scam (which is in violation of the TOS), Facebook could terminate their "real" accounts, as well.

Bridget, you ROCKED this! Great work. You have forever changed how I operate on Facebook.

Ms. Carey, ON THE SCENE!

My personal policy: Don't friend anyone I haven't met in person. I got Noonan's friend request, but I didn't accept it because I didn't know who she was. I understand people wanting to build big networks and have hundreds of friends. But this is the downside.

This is hysterical!

Quiet Insightful.

This article is very helpful to parents of kids who have profiles in this type of wedsited.

Ps. Esplendid work BRIDGET CAREY.

This is a terrific post, Bridget. I agree 100% with Frugalista.

We saw this at rbb - some of us accepted her request and some did not (thankfully I was one that declined!).

Great job getting to the bottom of it and rooting them out!

I'm so glad I denied her. And after this article, I'm glad I operate my Facebook account like I do: I need to actually know you in order to approve you and I need to like you. I don't accept any random person whom I have friends in common with. If they want to know more about me, follow me on Twitter.

Hopefully, after reading this, more people will become more picky about who they accept as "friends."

The bottom line and the moral of the story is that we should operate our Facebook accounts with utmost care. We are our own greatest enemies when it comes to protecting our Facebook profiles. Besides being too trusting, most of us are flattered when someone wants to "friend" us and it feels good to accept them. This "fake friend" case, that ended without serious consequences, will hopefully teach us something for the future!


Great work at getting this Canadian based company on the US radar.

I think RPCGROUP did a great job at utilizing the resources available to them to carry out this market research experiment.

This really says more about the popularity contest that FB has become. Why would 480 people accept the friend request of a complete stranger?

Perhaps your next article should be about people friend collecting.

Well by telling unsuspecting users that she had friends in common, which was a lie, they provided false information to acquire sencitive information on hundreds of consumers. This is an easy one for a class action suit. And I don't believe that it was done as an experiment, there is a lot more to this.

Rod Ponce? Surely that can't be a real name.

This is stupid. RPCGroup shouldn't be ashamed, Facebook users should be. RPCGroup executed a interesting research project on Facebook's users and determined that "between 30 and 40 percent" are idiots.

This wouldn't be an issue if people were more responsible about who they added as friends. The author didn't rescue anyone from anything. This comes down faults in the users, not of RPCGroup. Good for RPCGroup, I saw.

Facebook is a virus.

I think people shouldn't be naive to think that all FB users are genuine. We all know there are a lot of pranksters with fake account on any social network media. It's part of the game.

Users should use their own discretion to discern the true from false, who to trust or not. Use at your own risk.

The comments to this entry are closed.

Terms of Service | Privacy Policy | Copyright | About The Miami Herald | Advertise