By Mariel Klosterman

Junior at Beacom College of Computer and Cyber Sciences, Dakota State University

When you search “sock puppet accounts” using Google, there are a few definitions that show in the search results, and they all follow a common theme. The most common definition is found on Wikipedia’s entry: A sock puppet or sockpuppet is an online identity used for purposes of deception. Daniel Kats, Senior Principal Researcher for NortonLifeLock Research, held a similar view in his article, “Identifying Sockpuppet Accounts on Social Media Platforms:” “We define a sockpuppet as a fictitious online identity created for the purposes of deception.”

Sock puppet accounts are mainly known to those outside the information security field as accounts used for disinformation purposes, such as swaying your opinion about a topic or a product. However, this is not the only way to use a sock puppet account.

In this 4-part blog series, up-and-coming cybersecurity researcher Dakota State University Junior, Mariel Klosterman, describes the how sock puppets are used by malicious actors and OSINT investigators, types of sock puppet accounts, and how to create a sock puppet for information collection. This week she explores how sock puppets can be used for beneficial purposes.

In this digital age, a lot of information is available online, including Personally Identifiable Information (PII). Many employers use OSINT to find information on current and perspective employees. Traditional background checks, however, do not provide everything an employer might want to know. Often, that information is found on social media accounts. OSINT investigators can play a vital role in tracing information not readily available via criminal background checks and property records—with using sock puppets.

Unfortunately, it does not come without difficulties.

Aside from those acquainted with or interested in open source intelligence (OSINT), the beneficial aspects of sock puppets are vastly underreported. There is pressure on social media platforms to institute safeguards to prevent malicious actors from creating and using sock puppet accounts. Hence, accounts believed to be sock puppets have a high likelihood of being removed. Many platforms now require a phone number to register an account and have also banned the use of VoIP phone numbers. In most cases, the same phone number cannot be used—making it more difficult for OSINT investigators to create accounts to facilitate their research.

Due to these safeguards, OSINT investigators must go to extra lengths to create sock puppets. The difficulty lies in determining the level of anonymity and level of persistence. Anonymity is when a person cannot be linked to the account, no matter how deep someone looks for the link (in movie terms “untraceable”). The higher the desired level of anonymity, the more work you have to do in order to create an anonymous connection to the sock puppet. Persistence is when you want to be active on the platform. The higher the desired level of persistence, the more work you have to put into creating the sock puppet’s persona.

Like what you’re reading? Download the entire Hg Summer Factsheet, 21st Century Sock Puppets: Pulling the Wool Over on You, for free today!

Mariel Klosterman, a junior at Dakota State University, is currently majoring in Network and Security Administration. Her areas of interest are defensive security and open-source intelligence (OSINT). Ms. Klosterman has conducted significant research relating to sock puppet accounts, which are an integral part of OSINT and digital investigations. She has organizational experience writing security policies, conducting security assessments, and implementing data protection controls and training. She is an accomplished speaker, presenting on a wide range of topics in the cyber arena to local professional groups including InfraGard South Dakota. Ms. Klosterman is passionate about security and enjoys sharing her knowledge and skills working for CybHER. Check out her latest projects at