Stop Posting Your Location

Every photo you upload with a geotag, every "just landed in Goa!" story, every check-in at that new brunch place in Koramangala is a small gift to anyone who wants to know where you are and where you are not. I am not being dramatic. I am telling you what actually happens with that information.

Look, when you post a real-time story from the airport with your boarding pass and a caption like "Jaipur bound!", you have just announced to the entire internet that your flat in Pune is sitting empty. You have also shown people your PNR number, which can be used to pull up your booking details, your phone number, and sometimes even cancel your ticket. People have had their flights cancelled by strangers who found their PNR on Instagram. That is a real thing that has happened in India more than once.

Seriously, the "just landed" story needs to die. Share your holiday photos after you get back. There is zero reason anyone needs to know your exact travel schedule in real time. The same goes for those wedding check-ins at expensive venues in Udaipur or Jim Corbett. You are telling thieves that your house is unoccupied, and you are telling them how long they have before you return. Half the time people even tag how many days the wedding is. Three days of "Sangeet night!" and "Haldi ceremony!" stories means three days of confirmed absence from home.

Restaurant check-ins are another habit that seems harmless but builds a pattern over time. If you check in at the same South Delhi restaurant every Friday evening, anyone watching your profile now knows your routine. That is information you would not hand to a stranger on the street, but you are broadcasting it freely to hundreds or thousands of followers, many of whom you have never met in person.

I had a colleague in Bangalore who posted a story from Kempegowda airport at 6 AM saying "off to Mumbai for the weekend." By that evening, someone had posted a fake sale listing for his motorcycle on OLX with his building address and phone number, presumably to lure buyers to a flat they knew was empty. He found out because a neighbour saw a stranger at his door. The stranger was there to "buy the bike." Nobody could prove who posted the listing, but the timing was not a coincidence.

Stop it. Share memories, not movements.

Woman looking worried at phone showing social media posts with personal info exposed

Your Security Questions Are All Over Your Feed

Think about the common security questions banks and financial apps use. What is your mother's maiden name? What city were you born in? What was the name of your first pet? What school did you go to?

Now think about what you have posted on Facebook and Instagram over the years. That "Happy Birthday Mummy" post with her full name. The nostalgic "throwback to my school days at St. Xavier's, Kolkata" photo. The cute reel of your dog with the caption "My first baby, Bruno, turns 8 today." The "Born and raised in Lucknow, now living in Bangalore" bio line.

You have answered every single one of those security questions publicly. A scammer does not need to hack anything. They just need to scroll your profile for five minutes.

I had a friend in Hyderabad who got a call from someone claiming to be from her bank. The caller knew her full name, her birthday, her mother's name, and the branch where she had her account (she had tweeted a complaint tagging the bank and branch six months earlier). The caller asked for an OTP to "verify a suspicious transaction." She gave it. Lost Rs 47,000 in under two minutes. The information the caller used to gain her trust came entirely from her public social media profiles. Every bit of it.

Seriously, go look at your old posts right now. Search your own name on Facebook. Look at birthday posts, family celebration photos, school reunion albums. All of that is ammunition for social engineering attacks, and it is sitting out there in the open.

Here is a test. Can someone figure out your mother's maiden name from your profile? Can they find your birth date with the year? Your school name? Your first car or first pet? If yes to even two of these, you have a problem. Go remove that information. Change your security questions to answers that cannot be found online. Use random answers and store them in a password manager. "What is your mother's maiden name?" can be answered with "Purple7Bicycle" and nobody on Instagram will ever guess that.

Scammers Build Profiles From Public Accounts

Social engineering is not some high-tech movie hacking scenario. It is a person sitting in a room, going through your public Instagram and Facebook profiles, writing down details, and then calling you with a convincing story. The more personal details they have, the more convincing the story becomes. That is it. That is the whole method.

A 2024 report from an Indian cybersecurity firm found that 68 percent of Indian social media users had their profiles set to public. Not "friends of friends." Public. Visible to literally anyone on the internet. And nearly 40 percent had shared government ID documents through social media at least once. Aadhaar cards. PAN cards. Voter IDs. Sent through Facebook Messenger or posted in WhatsApp groups with 200 members.

Once a scammer has your full name, date of birth, city, workplace, family members' names, and the bank you use (complaint tweets are a treasure trove for that last one, and yes, people regularly tag their bank on Twitter when they are frustrated), they can impersonate bank officials, insurance agents, or government representatives with enough detail to fool most people. They call you by name. They reference your recent activity. They mention your branch. You assume they must be legitimate because how else would they know all this?

Women face a particularly dangerous version of this. A 2024 study found that over 55 percent of cyberstalking cases in India started with the stalker tracking the victim through location tags and geotagged photos on social media. Instagram stories with location stickers, Snapchat location sharing, Facebook check-ins. All of it gives stalkers a real-time map of where someone is.

Phishing emails have also gotten much more targeted. If a scammer knows you just returned from a trip to Rishikesh because you posted about it, they can send you an email that says "Your booking at [hotel name] has a pending charge" with a link to a fake payment page. People click on those because the details match their actual life. The information that makes these scams work is information that people voluntarily publish on their own profiles.

Identity theft cases in India have been rising every year. A large portion of them start with information that was freely available on the victim's social media. Not stolen through hacking. Not obtained through data breaches. Just collected from public profiles by people who knew where to look and what to look for.

Make your profiles private. Remove your birthday year. Stop tagging locations in real time. Take down posts that mention your bank, your workplace address, or your children's school name. These are not hypothetical risks.

Instagram Stories Disappear But Screenshots Do Not

People treat Instagram stories like they are temporary. They vanish after 24 hours, so they feel safe. That is a dangerous assumption.

Anyone can screenshot your story. Anyone can screen-record your story. Instagram does not notify you when someone takes a screenshot of a regular story (only disappearing DM photos get that notification, and even that is easy to work around). So that "temporary" story you posted with your Aadhaar card visible on the table behind you, or your child in school uniform with the school logo clearly readable, or your car's number plate in the background? Someone may have saved it. You would never know.

I have seen people post screenshots of their UPI payment confirmations as stories, showing their bank account details and transaction IDs. I have seen people share photos of their new flat keys with the society name visible, their car registration certificate, their salary slips. All on stories. All because they thought it would disappear.

WhatsApp statuses work the same way. They are visible to all your contacts by default, and anyone can screenshot them. If you have 300 contacts, that is 300 people who can capture and forward whatever you post. And in India, the average WhatsApp user is in several large groups where screenshots circulate freely. Your "temporary" status can end up in groups you have never heard of within hours. I have personally seen screenshots from people's WhatsApp statuses being shared in completely unrelated groups, sometimes with mocking commentary attached. The person who posted the original status had no idea.

Snapchat is not much better, despite its reputation for disappearing content. Snap Map shows your real-time location to anyone on your friends list unless you have manually switched to Ghost Mode. If you added people casually on Snapchat, say from a college freshers' group or a party, those people can see where you are right now. And screenshots of snaps only trigger a notification to the sender. They do not prevent the screenshot from being taken. The notification is a courtesy, not a safeguard.

Look, the rule is simple. If you would not print it on a poster and hang it outside your house, do not put it on a story. Assume everything you post online is permanent, because it very likely is.

Your children's photos are another sensitive area. Parents post photos from school annual days, birthday parties, and family vacations with the kids in school uniforms, name badges visible, school bus numbers readable. Those images circulate far beyond your follower list. Large WhatsApp groups, public Facebook shares, reposts by relatives with public accounts. Law enforcement agencies have repeatedly warned about the risks. India's DPDP Act, 2023 has specific protections for children's data, and your child did not give consent for their school photo to be on the internet. Keep kids' photos in private albums shared with specific family members. Signal chats, small WhatsApp groups, Google Photos shared folders. Not on public feeds. Not on stories.

Lock Down These Settings Right Now

Every social media platform sets your account to maximum visibility by default. That is how they attract engagement and make money from advertisers. You have to go in and manually change things, because they are counting on you not bothering.

Instagram: Go to Settings > Account Privacy and switch to Private Account. Turn off Activity Status so people cannot see when you are online. Go to Privacy > Tags and set it to manual approval only. Turn off the option that shares your stories to Facebook automatically.

Facebook: Go to Settings > Privacy and set "Who can see your future posts?" to Friends. Turn on tag review under Profile and Tagging settings so nothing gets attached to your profile without your approval. Visit the Apps and Websites section and remove every app you do not actively use. Each one of those connected apps has access to some of your profile data.

Twitter/X: Go to Settings > Privacy and Safety. Turn off location information on your tweets. Uncheck the options that let people find you using your email address or phone number. If your account is public, at least make sure old tweets with personal information are deleted.

WhatsApp: Go to Settings > Privacy. Set your profile photo, About section, and Last Seen to "My Contacts" instead of "Everyone." Change the group invite settings to "My Contacts" so random people cannot add you to spam groups or groups with hundreds of strangers. Treat any WhatsApp group with more than ten people as a public space, because in practice, it is one.

Warning: Your photos contain hidden location data. Most phone cameras embed GPS coordinates in every photo you take. When you upload that photo to social media, the location metadata may go with it. On Android, open your Camera app > Settings and turn off location tags. On iPhone, go to Settings > Privacy & Security > Location Services > Camera and set it to Never. Without changing this, every photo you share could reveal your exact coordinates.

One thing people in India specifically overlook is Truecaller. If anyone in your contacts uses Truecaller, your name and number are probably in their database, tagged and searchable by strangers. You can unlist yourself at truecaller.com/unlisting, but be aware it may come back if a contact re-uploads their address book. Check every few months.

The same goes for JustDial. If you have ever called a business through JustDial, your number might be listed publicly. Call their helpline and request removal. It takes about a week.

For LinkedIn, limit what is visible to people outside your network. Go to Settings > Visibility and review who can see your email address, phone number, and connections. Many people have their personal email and phone number visible to anyone on LinkedIn without realising it. That information paired with your job title and company name from LinkedIn, plus personal details from Instagram and Facebook, gives a scammer everything they need for a very convincing call.

Smartphone screen showing social media profile with too much personal information

Do a Quarterly Cleanup

Privacy settings change. Platforms update their interfaces and quietly reset things to default. New apps get installed and request permissions you forget you granted. Old posts sit on your profile gathering dust and gathering data scrapers.

Every three months, set aside 30 minutes and do this: go through your last three months of posts and delete anything that reveals too much about your location, your routine, your finances, or your family's personal details. Remove tags from photos other people posted of you, especially check-in photos and event photos. Review your follower list and remove people you do not know. Check your privacy settings on Instagram, Facebook, Twitter, and WhatsApp because they may have shifted after an app update. Review the apps connected to your Facebook and Google accounts and remove the ones you no longer use. Run a quick search for your name on Google in an incognito window and see what comes up. If something new has appeared that you do not want public, take steps to get it removed.

Seriously, this is not optional. Think of it like clearing out your wardrobe or getting your car serviced. It is boring maintenance that prevents expensive problems later.

The first time you do this, it will take an hour or more. You will find posts from years ago that make you cringe, not just for privacy reasons but because of what you thought was worth sharing in 2019. After the first deep clean, the quarterly reviews take about 20 to 30 minutes. That is a small price to pay for not having your personal life indexed and searchable by anyone with a browser.

Set a calendar reminder. Every three months, go back and clean up old posts, check your settings, and remove dead connections. That is it. Stop overthinking it.