How Social Media Stalking Works (And How to Prevent It)
By Rohan Kapoor
Cybersecurity Consultant · CISSP, CEH, M.Tech (IIT Delhi)
Most people I work with assume stalking requires technical skill. It doesn't. The single most common method I've seen across hundreds of consultations is this: someone takes a screenshot of a public Instagram story, runs it through a free reverse image search, finds the same person on LinkedIn, then uses LinkedIn to confirm their employer, and uses that to deduce their commute. Total time: under twenty minutes. Total cost: zero.
This is the reality of modern social media stalking in India. The tools are public. The techniques are simple. And the legal protection is uneven, especially for women, who according to a 2022 NCRB analysis make up over 75% of cyberstalking victims in India — and that's only counting the cases that get reported.
I've spent the last decade as a cybersecurity consultant focused on India. This guide is a security briefing on how social media stalking actually works, and what you can do today to make yourself a harder target.
Threat Model: Who Stalks, and Why
Before you defend, you need to understand who you're defending against. In my casework, social media stalkers fall into four categories:
1. Ex-partners. By far the most common. They already have your old phone number, friends in common, and intimate knowledge of your routines. Their goal is usually monitoring, sometimes harassment, occasionally physical confrontation.
2. Workplace colleagues. Often after rejection. They use LinkedIn and the company directory as starting points and expand outward.
3. Strangers from dating apps. Match goes badly, conversation ends, and they reverse-search your photos to find your real identity. This is increasingly common in tier-one Indian cities.
4. Coordinated harassment groups. Less common but more dangerous. Targets are usually women with public profiles — journalists, activists, performers.
Your defenses change based on which category you're worried about. A jealous ex needs a different threat model than a coordinated harassment campaign.
The Standard Stalker Playbook
Here's the workflow I've seen most often. Understanding it is half the defense.
Step 1: Photo collection. The stalker grabs photos from your most public account — usually Instagram, sometimes Facebook. They don't need to follow you. They just need one screenshot.
Step 2: Reverse image search. They run the photo through Google Images, Yandex, PimEyes, or FaceCheck.ID. Yandex is particularly effective for South Asian faces. PimEyes can find a face across thousands of websites in under thirty seconds.
Step 3: Cross-platform identification. The reverse search produces matches — your LinkedIn, your tagged photos on a friend's account, your old college dance club page from 2018, a cousin's wedding photos from a public Facebook album.
Step 4: Triangulation. Now they have your full name, employer, college, hometown, and a list of friends. They check tagged locations, time-stamped stories, and check-ins to build a pattern of where you are and when.
Step 5: Contact or escalation. Depending on motive, they may message you, message your employer, message your family, or in the worst cases, show up.
This entire process is achievable in an hour by someone with no technical training. That's the threat you're actually defending against.
Do This Now: The Five-Minute Audit
Open Instagram. Open Facebook. Open LinkedIn. For each one, check:
- Is your profile photo searchable by the public? (It almost certainly is.)
- Is your full name visible without logging in?
- Are your tagged photos visible to non-followers?
- Are your stories saved as highlights with location data?
- Is your employer listed publicly?
- Is your hometown or college listed?
If you answered yes to four or more of these, you're a soft target. Most people are. The rest of this guide is about hardening that.
Section 1: Locking Down Instagram
Instagram is the primary stalking platform in India. Here's what to do:
Switch to private. This is the single biggest reduction in attack surface you can make. Settings → Privacy → Private Account.
Remove old tagged photos. Settings → Posts → Remove Yourself From Photos. Go through every tagged photo from before you cared about privacy.
Disable story location sharing. Don't tag locations in real time. If you want to post the cafe, post it the next day.
Hide your activity status. Settings → Privacy → Activity Status → Off.
Restrict story views. Use the Close Friends list aggressively. Default story sharing should be Close Friends, not public.
Audit followers quarterly. Look at your follower list once every three months. Remove anyone you don't actually know.
Section 2: LinkedIn — The Forgotten Risk
People treat LinkedIn as professional, not personal. This is a mistake. LinkedIn often confirms exactly what a stalker needs: your full legal name, current employer, office location, professional history.
Hide your profile from search engines. Settings → Visibility → Edit your public profile → turn off public visibility.
Disable "people also viewed." This feature builds a network of associated profiles. Stalkers use it to map your social graph.
Hide your activity feed. Don't broadcast every comment and like to your entire network.
Don't list your office address. Many people list it. Don't.
Connection requests from strangers — decline. A LinkedIn connection grants access to your contact info, your full network, and often your phone number.
Section 3: Facebook — The Old Threat
Facebook usage among young Indians has dropped, but the legacy data is still there. Old Facebook accounts are gold for stalkers because they often contain a decade of context: school, college, family relationships, old relationships, location history.
Run the Facebook Privacy Checkup. Settings → Privacy Checkup. It walks you through each section.
Set old posts to Friends Only in bulk. Settings → Privacy → Limit Past Posts. This is a one-click option that retroactively restricts your entire posting history.
Remove your phone number and email from public visibility.
Audit "About" section. Hometown, current city, employer, education — set each to Friends or Only Me.
Delete the account if you no longer use it. Dormant accounts are leaking data with nobody benefiting from them.
Section 4: Photo Hygiene Across Platforms
The biggest single mistake I see in my consultations is photo reuse. The same selfie appears on Instagram, LinkedIn, WhatsApp, Bumble, and a college alumni site. Now anyone with one photo can find all five accounts via reverse image search.
Rule: Use different photos on every public-facing platform. Especially never reuse a dating app photo on a public social account, or vice versa.
Bonus rule: Strip EXIF metadata before uploading. Most modern social platforms strip it server-side, but many do not. EXIF metadata can reveal the GPS coordinates of where the photo was taken.
"The most underrated privacy hygiene step is photo segmentation. If you take nothing else from a security audit, take this one." — Eva Galperin, Director of Cybersecurity, Electronic Frontier Foundation
Section 5: The Dating App Bridge
Many stalking cases I handle start with a dating app. The stalker matches with the target, gets a few photos and a first name, and then uses those to find the target's full identity on social media.
The defense:
- Don't reuse social media photos on dating apps
- Don't share your full name until you've met in person and decided to continue
- Use a burner email and a secondary phone number for dating apps
- Consider an anonymous-first platform like Hidnn, where photo-based reverse-searching isn't possible because there are no photos at the start
This is the gap most people miss. Your dating app and your social media should not be findable from each other. Treat them as separate identities.
Section 6: Removing Yourself From People-Search Sites
People-search sites (Truecaller, JustDial, and various data brokers) aggregate your information from multiple sources and make it searchable.
For India specifically, Truecaller is the biggest concern. It exposes your name to anyone with your phone number. There is an unlist process — go to Truecaller's unlist page and submit your number. It takes 24 hours to process.
Beyond Truecaller, search your name in Google with quotes around it. Whatever comes up, check if you can request removal. Mozilla's Privacy Not Included has good guides for major data brokers.
What to Do If You're Already Being Stalked
If you suspect active stalking — meaning someone has demonstrated they know things they shouldn't — escalate immediately. Don't try to handle it alone.
Action 1: Document everything. Screenshots of messages, dates, times, accounts, anything that establishes a pattern. A pattern is what police need to act.
Action 2: Lock down everything in this guide today. Not tomorrow. Today.
Action 3: File a complaint at cybercrime.gov.in. India's national cybercrime portal accepts cyberstalking complaints. You can file anonymously initially, then escalate.
Action 4: If the stalker is known to you, consult a lawyer about a restraining order. Section 354D of the IPC covers stalking, including its digital form, and is bailable but actionable.
Action 5: Tell at least one person in your physical life. Don't isolate.
"Cyberstalking thrives on the victim's isolation and shame. The single most powerful action a target can take is to tell someone." — Inspector Anyesh Roy, formerly of the Delhi Police Cyber Cell
The Hardest Truth
You can't make yourself invisible. Anyone who tells you that you can is selling something. What you can do is raise the cost of stalking high enough that opportunistic stalkers move on, and that determined stalkers leave a clear evidence trail you can use against them.
That's the realistic goal. Not invisibility — friction and accountability.
Your Two-Week Action Plan
If you do nothing else after reading this, do these in order:
Week 1:
- Switch Instagram to private
- Remove tagged photos older than two years
- Hide LinkedIn from public search
- Run Facebook Privacy Checkup
- Unlist from Truecaller
Week 2:
- Audit photos across all platforms for reuse
- Set up a burner email for any new signups
- Enable 2FA on every account that supports it
- Search your own name in Google and document what you find
- Review followers/connections on each platform
After two weeks, you'll be in the top 10% of social media users for stalking resistance. That's not invincible. But it's enough to make most stalkers give up and find an easier target.
FAQs
Q: Is reporting cyberstalking to the police actually effective in India? A: It varies wildly by jurisdiction. Tier-one city cyber cells (Delhi, Mumbai, Bengaluru) are reasonably responsive when you have documentation. Smaller towns are inconsistent. cybercrime.gov.in is the most reliable reporting channel and creates a national-level record.
Q: Can I get a stalker's account deleted from Instagram? A: You can report the account, and Instagram does take action when there's a pattern of harassment. But account deletion alone doesn't stop a determined stalker — they'll create a new one. Documentation matters more than takedowns.
Q: Should I block stalkers or ignore them? A: Block, document, and escalate. Engagement only encourages them. Blocking doesn't always make them go away, but it removes the easiest channel and forces them to use methods that leave a clearer evidence trail.
Q: Are there apps that help detect stalking? A: Some. The Coalition Against Stalkerware tracks known stalker apps. iVerify (iOS) and Lookout (Android) can detect spyware. But the better defense is preventing data exposure in the first place.
Q: Will switching to a VPN help? A: A VPN hides your IP address from networks, but social media stalking is about the data you've already given platforms voluntarily. A VPN does not solve this. It's useful for other purposes, not this one.