The 2026 social media safety checklist (printable)
40 items across 6 categories — account hardening, impersonator monitoring, DM hygiene, follower protection, continuous alerting, and recovery. Bookmark it. Print it. Share it.
Need the 30-second version? Run the GACS social scanner on your own handle now — it surfaces the impersonators currently active in your reply threads.
1. Account hardening (do this once)
The boring stuff that stops 95% of takeover attempts.
- Turn on app-based 2FA (Authy, 1Password, Google Authenticator) on every account — never SMS-only.
- Generate a 24-character unique password per platform using a password manager. Reusing passwords is the #1 cause of takeover in 2026.
- Remove SMS as a backup recovery method on X, Instagram, and TikTok where the platform allows it.
- Add a recovery email that nobody else knows about — not the one printed on your business card.
- Print or save your 2FA recovery codes offline. Don't store them in the same password manager.
- Audit connected apps every 90 days and revoke anything you haven't used in 30 days.
- Lock down your phone number with your carrier (port-out PIN). SIM-swap attacks bypass everything else.
- Enable login alerts so you see new sign-ins in real time.
2. Impersonator monitoring (weekly, 5 minutes)
Find fake versions of yourself before they reach your followers.
- Search your exact handle, display name, and common typos on each platform. Bookmark the search URLs.
- Set a Google Alert for your name plus the words "DM", "giveaway", and "recovery".
- Run your handle through the GACS social scanner weekly to surface impersonators in the reply threads.
- Reverse-image-search your profile picture monthly to find clones.
- Claim your handle on every major platform — even ones you don't use — to deny squatters.
- Pin a post that explicitly lists the URL of your real, authoritative account.
- If you're a creator: add your verified GACS badge to your website and bio link.
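The weekly handle search above can be partly automated once you have a list of account names seen in your replies or search results. The sketch below is an added example, not part of the original checklist or of any GACS tool; the handle `@janedoe_art`, the confusables map, the affix list, and the distance thresholds are all constructed assumptions.

```python
import unicodedata

# Constructed confusables map (an assumption, far from exhaustive): digits and
# Cyrillic letters that render like Latin ones. "l" and "1" both fold to "i".
CONFUSABLES = str.maketrans({
    "0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p", "\u0456": "i",
})
# Words from the checklist's scam themes plus common extras (assumed list).
AFFIXES = ("support", "help", "official", "giveaway", "recovery", "team", "real")

def skeleton(handle):
    """Lowercase, fold lookalike characters, drop separators such as '_' and '.'."""
    h = unicodedata.normalize("NFKC", handle).lstrip("@").lower().translate(CONFUSABLES)
    h = h.replace("rn", "m").replace("vv", "w")
    return "".join(ch for ch in h if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(real, candidate):
    """Return why candidate resembles real, or None (also None for the real handle)."""
    if candidate.lstrip("@").lower() == real.lstrip("@").lower():
        return None
    r, c = skeleton(real), skeleton(candidate)
    if c == r:
        return "confusable characters or separators"
    for affix in AFFIXES:
        if c in (r + skeleton(affix), skeleton(affix) + r):
            return "handle plus '%s'" % affix
    d = edit_distance(r, c)
    if d <= (1 if len(r) < 8 else 2):  # allow more slack on longer handles
        return "typo (edit distance %d)" % d
    return None

def scan(real, seen):
    """Map each suspicious handle in seen to the reason it was flagged."""
    return {h: why for h in seen if (why := classify(real, h))}

# Constructed sample: handles as they might appear in a reply thread.
SEEN = ["@janedoe_art", "@janed0e_art", "@janedoeart_support",
        "@janedoe_arts", "@jane_doe_art", "@gardening_tips"]
if __name__ == "__main__":
    for handle, why in scan("@janedoe_art", SEEN).items():
        print(handle, "->", why)
```

A flag is a prompt to look at the account, not proof of impersonation; short handles in particular will produce false positives at these thresholds.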
3. DM hygiene (every message)
The 2026 scammer's playbook starts with a friendly DM.
- Treat every unsolicited DM about money, investments, recovery, or jobs as a scam until proven otherwise.
- Never click links in DMs. Open a new tab and type the URL by hand.
- Verify support accounts by going to the official website's footer — exchanges and platforms never DM first.
- Voice-clone defense: if a friend asks for money via DM or voice note, call them on a known number to confirm.
- Watch for urgency language: "limited time", "verify now", "your account will be locked". Real platforms don't write like that.
- Hover over every link to see the real destination. Use /link-checker if anything looks off.
- If a job offer arrives via DM and asks you to download a Zoom-alike or sign up on an unknown site, it's malware.
4. Protecting your followers (creators & brands)
Impersonators rarely target you — they target your audience.
- Post a public "how to identify the real me" pinned thread, updated quarterly.
- Use the GACS Creator Safety Toolkit to scan your reply threads for impersonator accounts.
- Announce that you never DM first about partnerships, refunds, giveaways, or financial advice.
- Train your moderators to recognize recovery-scam replies (they always promise to get stolen funds back).
- Report impersonators via the platform's bulk reporting form — single reports rarely get action.
- Encourage followers to bookmark /protect-your-followers and share with their audience.
5. Continuous alerting
Set it once. Get notified when something changes.
- Add yourself to /watchlist on GACS to get email alerts when new impersonators of your handle are detected.
- Subscribe to the daily scam digest at /scam-alerts to see what's trending in your country.
- Set platform notifications for mentions, but mute likes and reposts to keep signal high.
- Turn on Apple's or Android's spam-call screening — 60% of recovery scams now start with a phone call.
6. If something already happened
The first hour matters more than the next month.
- Stop all contact with the scammer. Don't reply, don't "try to get them to slip up". Screenshot everything first.
- Change passwords on every account that shared the compromised one.
- Report to the platform, your bank, and the relevant national authority — see /report-to-authorities for direct links.
- Do not engage with anyone DMing about "fund recovery". 100% of those are follow-up scams. See /recovery-scam-warning-signs.
- File a report on /report so the scammer enters the public database and the next person finds the warning.
- If a loved one was scammed, read /elder-fraud-playbook before the next conversation.
