Jan 13, 2026

Social Media Security Checklist: Protect Your Privacy Now

Comprehensive social media security guide with actionable steps to protect your accounts from scams, doxxing, and identity theft. Essential and advanced tips.

Social media platforms have become intelligence goldmines for criminals. Your vacation photos, check-ins, birthday celebrations, and casual comments create detailed profiles that bad actors exploit for scams, stalking, identity theft, and targeted attacks. In 2024, social media scams alone cost victims approximately $1.1 billion.

The fundamental problem is simple: platforms monetize your data by collecting behavioral, location, and relationship information, then offering granular targeting that scammers also exploit. Even with privacy settings enabled, most content shared on social media should be considered effectively public and permanent.

Understanding how criminals operate and implementing comprehensive security controls can dramatically reduce your exposure. This guide provides actionable steps organized into essential measures everyone should implement and advanced protections for high-risk users.

How Criminals Exploit Social Media

Targeting Everyday Users

Romance investment scams cost 945 victims more than $50 million in Canada in 2023 alone. Criminals develop relationships through social media and dating apps, claim success in cryptocurrency investments, push victims toward fake trading platforms, then disappear after extracting funds. Research tracking over 4,000 victims found these "pig butchering" operations moved over $75 billion to crypto exchanges between January 2020 and February 2024.

Fake e-commerce shops on Facebook Marketplace and Instagram exploit trust in social platforms, delivering counterfeit goods or nothing while stealing payment information. Phishing attacks use personal details gleaned from profiles to craft convincing messages that appear to come from friends, colleagues, or legitimate businesses.

Targeting Influencers and Public Figures

Content creators face doxxing attacks where home addresses and personal details are publicly exposed, leading to swatting incidents, physical stalking, and harassment. Nick Frags, a cooking streamer, had armed police surround his home after a caller falsely claimed he had shot everyone inside. In 2018, Andrew Finch was killed by a SWAT team on his porch after a false address was provided during an online dispute.

Targeting High-Net-Worth Individuals

Approximately one in three high-net-worth individuals report being targeted by financial scams or cybercrime in a recent six-month period. Deepfake fraud increased 700% in Q1 2025 compared to the previous year. Criminals mine social media for family photos, voice clips, and travel posts to create convincing deepfake videos demanding urgent payments. Synthetic identity fraud combines real user data with fabricated information to access accounts and commit crimes that may go undetected for years.

Essential Security Checklist: For Everyone

These foundational measures represent the baseline that every social media user should implement immediately.

Account Security

Use strong, unique passwords for every platform

  • Create passwords with at least 12 characters combining uppercase, lowercase, numbers, and symbols

  • Never reuse passwords across different accounts

  • Store passwords in a reputable password manager like NordPass, RoboForm, 1Password, or Bitwarden

Enable two-factor authentication (2FA) on all accounts

  • Activate 2FA on every social media platform

  • Use privacy-focused authenticator apps rather than SMS when possible:

    • 2FAS (iOS, Android, Browser Extension) - Open source, free, supports encrypted backups, minimal data collection, works without account creation

    • Aegis Authenticator (Android) - Open source, stores codes locally on your device, requires no personal information, supports encrypted backups

    • Bitwarden Authenticator - Open source, transparent security audits, end-to-end encryption, integrates with Bitwarden password manager

    • Ente Auth - Open source, encrypted cloud backups, strong cross-platform support

  • Avoid Google Authenticator and Authy, as they collect more user data and are closed source

  • Save backup codes in a secure location

Privacy Settings and Visibility

Review and configure privacy settings on each platform

  • Restrict who can see your posts, stories, and contact details to trusted connections only

  • Set your profile to private so only approved followers can view your content

  • Disable public visibility of friend lists and follower counts

  • Turn off location services in app settings

  • Disable facial recognition features where available

Remove personal contact information from public view

  • Never post your email address publicly

  • Never post your phone number publicly

  • Remove your birthday or change it to display only month/day without the year

  • Avoid listing your hometown, current city, workplace, or school

Minimize profile information that enables phishing

  • Remove or obscure your full date of birth

  • Do not list schools attended, graduation years, or degrees

  • Avoid sharing children's names, ages, or schools

  • Remove relationship status and family member tags

Content Sharing Practices

Think of all interactions as public and permanent

  • Before posting anything, ask: "Would I mind if this was on the front page of a newspaper?"

  • Assume every post, comment, and photo will be archived indefinitely by third-party services

  • Remember that "private" content can still be exposed through screenshots and numerous other methods

Be extremely careful about what you upload

  • Review photos and videos for background details that reveal locations, addresses, or identifiable landmarks

  • Avoid posting images showing street signs, house numbers, car license plates, or workplace signage

  • Do not post photos of boarding passes, tickets, or documents containing personal information

  • Be cautious about sharing achievements that reveal employer details or work locations

Delay location-revealing content

  • Wait until after you have left a location before posting content that reveals where you were

  • Never post real-time updates from restaurants, hotels, airports, or vacation destinations

  • Avoid check-ins and location tags entirely, or apply them only after returning home

  • Disable automatic location tagging in your phone's camera settings

App Permissions and Integrations

Audit and revoke unnecessary permissions

  • Review which apps have access to your social media accounts

  • Revoke access to any apps you no longer use or recognize

  • Deny app permissions for contacts, call logs, messaging history, and camera unless absolutely essential

  • Deny continuous location tracking unless required for core functionality

Avoid third-party login integrations

  • Do not use "Sign in with Facebook/Google/Twitter" buttons for other services

  • Create separate accounts with unique credentials for each service

  • Regularly audit connected apps in your account settings and remove unused integrations

Advanced Security Checklist: For High-Risk Users

Executives, influencers, journalists, activists, high-net-worth individuals, and anyone who believes they are being targeted should implement these additional protections.

Metadata and Location Protection

Remove EXIF metadata from photos before uploading

Most smartphones automatically embed GPS coordinates, device information, and timestamps in photos. Remove this data using trusted tools:

Recommended metadata removal tools:

  • Metadata2Go (metadata2go.com) - Browser-based, processes files client-side for privacy, supports photos and PDFs

  • ExifTool (command-line tool) - Industry-standard open-source tool, maximum control, processes files locally

  • Native phone options:

    • iPhone: Use the "Options" menu when sharing photos and toggle off "Location" and "All Photos Data"

    • Android: Use Files app to "Remove location data" before sharing

Note on ExifCleaner: While ExifCleaner.com is popular, it has not been updated since March 2022 and may have security vulnerabilities. The desktop ExifCleaner app processes files locally (which is good for privacy), but the lack of maintenance makes it risky for current use.
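To verify what a photo carries before it is uploaded, the following added example (not code from this guide or from any of the tools named above) walks a JPEG's segments, reports whether the Exif block points to GPS data, and rebuilds the file without its Exif/XMP, IPTC and comment segments. The sample bytes are constructed for illustration and are not a real photo; the function names are this example's own.

```python
import struct

STRIP = {0xE1, 0xED, 0xFE}  # APP1 (Exif/XMP), APP13 (IPTC), COM (comments)

def segments(jpeg: bytes):
    """Yield (marker, payload, raw) for each JPEG segment up to the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"unexpected byte at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: the rest is compressed pixels
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    raise ValueError("no image data found")  # fail closed on odd input

def has_gps(jpeg: bytes) -> bool:
    """True if an Exif block's first IFD holds the GPS pointer tag 0x8825."""
    for marker, payload, _ in segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]  # TIFF header: byte order, 42, offset of IFD0
        order = "little" if tiff[:2] == b"II" else "big"
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        entries = tiff[ifd0 + 2:]  # 12-byte entries, tag id in first 2 bytes
        for i in range(min(count, len(entries) // 12)):
            if int.from_bytes(entries[12 * i:12 * i + 2], order) == 0x8825:
                return True
    return False

def strip_metadata(jpeg: bytes) -> bytes:
    """Rebuild the file without Exif/XMP, IPTC and comment segments."""
    kept = [raw for marker, _, raw in segments(jpeg) if marker not in STRIP]
    return b"\xff\xd8" + b"".join(kept)

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a real photo): JFIF header, Exif with GPS pointer, scan.
TIFF = b"II" + struct.pack("<HIHHHIII", 42, 8, 1, 0x8825, 4, 1, 26, 0) + b"\x00" * 6
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + TIFF) + b"\xff\xda\x00\x03\x00\x12\x34\xff\xd9")
```

Dropping the Exif segment also removes the orientation tag, so some photos will display rotated afterwards. This sketch covers JPEG only; HEIC and PNG store metadata differently.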

Disable location services systematically

  • Turn off GPS in camera settings to prevent automatic geotagging

  • Disable location history in Google Maps, Apple Maps, and social apps

  • Review and delete existing location history from Google Timeline and similar services

  • Turn off Wi-Fi and Bluetooth when not needed to prevent location triangulation

Consider GPS spoofing near your home

  • Use GPS spoofing apps (Android) or VPN location masking to obscure your actual location when posting

  • Particularly important if others in your household post content that could reveal your address

Facial Recognition and Image Protection

Implement image cloaking technology

  • Download Fawkes from the University of Chicago SAND Lab (sandlab.cs.uchicago.edu/fawkes)

  • Install the desktop application for Mac or Windows

  • Process photos through Fawkes before uploading to social media

  • Fawkes makes imperceptible pixel-level changes that prevent facial recognition systems from identifying you

  • Cloaked images function normally on social platforms but resist automated face matching

Use privacy-focused profile pictures

  • Avoid high-resolution frontal face photos as profile images

  • Consider using illustrations, avatars, or side-angle photos instead

  • Update profile pictures infrequently to limit training data for facial recognition systems

Identity Protection and Doxxing Prevention

Use different usernames across platforms

  • Avoid reusing the same username on multiple social networks

  • Create unique handles that cannot be easily connected to your real identity

  • Use a username generator to create distinct identities for different contexts

Consider using false information for low-engagement accounts

  • If you only want to read content without posting, create accounts under alias names

  • Use false contact details, birthdates, and location information for "read-only" profiles

  • Use a separate email address created specifically for social media accounts

Set up family verification protocols

  • Create code words or verification phrases with family members and colleagues

  • Use these phrases to verify any urgent financial requests or emergency situations before acting

  • Establish out-of-band verification procedures (calling directly rather than responding to messages)

Request data broker removal

  • Search for your name, address, and phone number on people-search sites

  • Submit removal requests to data brokers like PeekYou, Acxiom, Clearview AI, and Spokeo

  • Use automated removal services like:

    • Brightside - Conducts deep OSINT scans, identifies which data brokers hold your records, files opt-out requests on your behalf, and verifies completion (most removals complete within 30 days)

    • DeleteMe - Automated data broker removal with ongoing monitoring

    • Privacy Bee - Removes data from broker sites and provides ongoing protection

  • Repeat manual removal requests quarterly as information reappears

Network and Device Protection

Use a VPN consistently

  • Install a reputable VPN service on all devices

  • Activate the VPN whenever accessing social media, especially on public Wi-Fi

  • A VPN masks your IP address and prevents correlation between sessions

Conduct regular digital footprint audits

  • Search for your name, usernames, email addresses, and phone numbers quarterly

  • Review search results for unexpected information exposure

  • Set up Google Alerts for your name and variations to monitor new appearances

  • Screenshot and document concerning content before attempting removal

For high-net-worth individuals and public figures: Engage security specialists

  • Work with cybersecurity or privacy professionals to conduct formal digital footprint audits

  • Develop posting policies and guidelines for family members and staff

  • Establish protocols for managing public-facing accounts and personal accounts separately

  • Consider executive protection services that include digital threat monitoring

Account Management

Delete old accounts and content

  • Remove social media profiles you no longer actively use

  • Delete posts that may have aged poorly or reveal too much personal information

  • Use platform-specific tools to bulk-delete old content (Twitter Archive Eraser, Redact for Reddit)

Create separation between personal and professional presence

  • Maintain separate accounts for personal and business use

  • Use different email addresses, phone numbers, and device identifiers for each

  • Never cross-post content between personal and professional accounts

Taking Action

Start with the essential security checklist today. Work through each section systematically, beginning with account security and privacy settings. Dedicate 30 minutes per platform to review settings, revoke unnecessary permissions, and remove sensitive information from your profile.

For high-risk users, schedule time this week to implement advanced protections. Download privacy-focused authenticator apps like 2FAS or Aegis, use Metadata2Go or ExifTool to remove EXIF data, install Fawkes for image cloaking, audit your data broker presence with Brightside, and establish family verification protocols.

The threats will continue evolving, but your defense must evolve alongside them. Implementing these measures significantly reduces your vulnerability to the growing array of bad actors who view social media as a hunting ground. You cannot control how platforms use your data, but you can control what you share and how well you protect your accounts.

About Brightside

Brightside is a digital privacy platform that shows you exactly what information about you is exposed online and helps you secure it.

What Brightside Does

Digital Footprint Scanning
The app scans your complete digital presence across six categories: personal information (email addresses, phone numbers, home addresses), data leaks (compromised passwords, dark web presence, exposed credentials), online services (LinkedIn, Spotify, dating sites), personal interests (forums, hobbies), social connections, and location data.

Data Leak Detection
Brightside identifies compromised passwords, exposed credentials, and whether your information appears on the dark web or in identity document leaks.

Data Broker Removal
The platform identifies which data brokers hold your information and automates removal requests to reduce spam and unwanted exposure.

Personal Safety Score
You get a dynamic risk assessment based on your exposed data points and their relevance to your specific concerns, whether that's identity theft, financial security, or stalking prevention.

Brighty Privacy Companion
When you find exposed data, click on it to launch an interactive chat with Brighty, your privacy companion. Brighty provides step-by-step instructions for securing each issue, explains why it matters in plain language, and offers specific privacy tips like configuring LinkedIn settings or using email aliases.

How It Works

Choose what you want to protect (finances, identity, online visibility, account access) and Brightside tailors its recommendations to those specific goals. Instead of generic advice, you get personalized action plans that match your actual exposure and priorities.
