# Counter C00197: remove suspicious accounts * **Summary**: Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them - if possible, back to original owners. * **Playbooks**: Playbook 1: Create a standard reporting format and method for social platforms for reporting false accounts. Playbook 2: - Is the account compromised? - Is it known to be associated with threat actors - common/random name - Names violate terms of service - Dormant account - Change of country IP - Social network growth patterns (number of friends etc) - Evidence of linguistic artifacts (multiple fingerprints, terms/idiosyncrasies ) - Community vs. narrative vs. individuals Playbook 3: Report suspected bots. - Report ToS violations. - In all playbooks the platform must force user verification, credential reset and enable MFA. Suspend the account if it cannot be verified. Playbook 1: Use sites like https://haveibeenpwned.com to detect compromised and at risk user accounts. Playbook 2: Monitor for unusual account usage (use of VPN, new geographic location, unusual usage hours, etc). Playbook 3: Detect sudden deviation in user sentiment such as suddenly dropping hashtags linked to extremist content. Playbook 4: Purchase "likes", "retweets" and other vehicles which identify a bot and/or hijacked account. Ban the account. Playbook 5: Detect hijacked account and spam their posts. "OP is a known disinformation bot. http://link.to.proof[.]com" * **Metatechnique**: M005 - removal * **Resources needed:** R003 - money * **Belongs to tactic stage**: TA03 | Actors | Sectors | | ------ | ------- | | [A004 activist](../actors/A004.md) | Civil Society | | [A031 social media platform adminstrator](../actors/A031.md) | Social Media Company | | Counters these Tactics | | ---------------------- | | Counters these Techniques | | ------------------------- | | [T0009 Create fake experts](../techniques/T0009.md) | | [T0007 Create fake Social Media Profiles / Pages / Groups](../techniques/T0007.md) | | [T0011 Hijack legitimate account](../techniques/T0011.md) | | Seen in incidents | | ----------------- | DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW