Social Media Security Question Scams
Those fun Facebook quizzes and quiz games are secretly stealing your security answers and passwords.
A Game That Isn't Really a Game
Every few weeks, a new one shows up on Facebook. "Find your pirate name! Take the first letter of your mother's maiden name and the street you grew up on." Or: "Your superhero name is your first pet's name plus your birth city." People fill them out, tag their friends, and laugh at the results.
But here's what's actually happening. Someone — a criminal, or someone working for one — created that post specifically to collect the answers people type in the comments. Because those answers? They're almost always the exact same information that banks, email providers, and other websites use as security questions.
It's one of the most effective scams going, because it doesn't feel like a scam at all. It feels like fun. 🚨 This Is Real
Security researchers have documented this scam pattern for years. Criminals post these games deliberately, harvest the answers from the comments, and then use them to bypass security questions on banking and email accounts.
See How It Works: A Real Example
Here's the kind of post you've almost certainly seen. Notice what information it's really asking for: ⚠️Example of a Security Harvesting Post — Do Not Fill This In📘 Shared by a Facebook Friend · 2,847 shares🎄 Find Your Christmas Elf Name! 🎄
It's that time of year! Find out your elf name using this fun chart:
First name: Use the first letter of your mother's maiden name
Middle name: The name of your childhood pet
Last name: The street you grew up on
Mine is Jingle Fluffy Maple! What's yours? 🎅 Tag a friend! Mother's maiden nameSecurity Question ⚠️First childhood petSecurity Question ⚠️Street you grew up onSecurity Question ⚠️
See it now? All three pieces of information are among the most commonly used security questions at banks and websites across the country. Someone who collects those answers from the comments has everything they need to call your bank, answer the security questions, and reset your password.
The Most Common Security Questions — and the Posts That Harvest Them
Here are the security questions used most often — and the kinds of "fun" posts designed to get people to reveal them:
| Security Question | How the Post Asks for It |
|---|---|
| What was your first pet's name? | "Your elf/pirate/rockstar name starts with your first pet's name…" |
| What street did you grow up on? | "…add the street you grew up on for your last name" |
| What is your mother's maiden name? | "Use the first letter of your mother's maiden name…" |
| What city were you born in? | "Your wrestler name is [birth city] + [favourite colour]" |
| What was the make of your first car? | "Road trip name: your first car + the last city you visited" |
| What was the name of your primary school? | "Superhero name: your primary school + your birth month" |
| What is your oldest sibling's middle name? | "Band name generator: oldest sibling's middle name + your favourite food" |
The post doesn't have to use the exact same wording as a security question — it just needs to get you to reveal the answer. Criminals are creative and patient. They have posted hundreds of variations of these games over the years.
It's Not Always a Stranger Who Made the Post
Here's what makes this scam especially tricky: you often see these posts shared by people you know and trust — a cousin, an old neighbour, a friend from church. That makes it feel safe. But that person probably didn't create it. They just saw it on their own feed, thought it looked fun, and shared it — completely unaware of what it really is.
The original post was created by someone you've never heard of, was designed to spread virally, and collects the replies from anyone who fills it out publicly. ⚠️ Public Comments Are the Problem
Even if you only share the result with your friends, the original post creator — and potentially anyone else — can still see your comment. Criminals specifically look for these public comment threads because they're a goldmine of personal information.
What If You've Already Filled One In?
First: don't panic. Filling in one of these posts doesn't mean your accounts have been compromised — it depends on whether someone specifically targeted you with that information. But it does mean it's a good time to take a few protective steps.
- Go back to the post and delete your comment if it's still there
- Check your important accounts — email, bank — for any unusual activity or login attempts
- Update the security questions on your most important accounts, and consider using fake answers (more on this below)
- Make sure you have a strong password and MFA turned on for your email and banking accounts
The Secret the Banks Don't Tell You: Lie on Your Security Questions
This sounds odd coming from someone who just told you to be honest — but when it comes to security questions, the right answer isn't the true answer. It's an answer only you know.
Think about it: "What was your first pet's name?" might be Biscuit. That's the honest answer. But your answer for the bank could be Purple Umbrella, or Grandfather Clock, or any phrase that has nothing to do with your actual life. Write it down somewhere safe at home — but now, even if someone harvests your real pet's name from a social media post, it won't work on your bank account because your answer isn't Biscuit. 💡 Treat Security Answers Like Passwords
Use a made-up answer that has nothing to do with the real question. Write it down in a notebook you keep at home. You're not breaking any rules — the bank just needs a consistent answer that matches, and the wrong answer is far safer than the right one if it can't be guessed or found online.
What to Do When You See These Posts Going Forward
You don't need to lecture every friend who shares one — but you can protect yourself and maybe nudge the people you care about in the right direction.
- Don't fill in any post that asks for information matching the table above — even if it looks fun
- If a close friend or family member shares one, you can quietly message them and let them know
- Be especially cautious with posts that go viral — the wider a post spreads, the more people are collecting the answers
- Remember: a real quiz or personality test doesn't need your mother's maiden name or childhood addressℹ️ It's Not Just Facebook
These posts appear on all social platforms — Facebook, Instagram, X (formerly Twitter), and even in text message chains. The format changes, but the goal is always the same: get you to publicly reveal personal information that matches a security question.
The Bottom Line
Those fun "find your elf name" posts are a well-known method criminals use to collect answers to security questions — the same questions banks and websites use to verify your identity. Never fill in any post that asks for your mother's maiden name, your childhood pet, your first school, your birth city, or the street you grew up on. And on your real accounts, consider using made-up answers to security questions that no one could ever guess from a social media post.
Enjoying this article?
Subscribe to Savvy Silver Tech for full access to every guide, video, and our weekly newsletter — all for $2.99/month.Subscribe — $2.99/mo
Cancel anytime. No contracts.