What to do when your Facebook account is actually HACKED instead of IMPERSONATED

Evie wrote: “Hello Bob! I’m reaching out on behalf of my mother, Joleen. She is convinced her Facebook account has been hacked three or four times, and each time she loses friends. She has gotten messages from ‘friends’ that her account has been hacked. I told her that is how they try to trick people and tried to explain like you did about fake accounts (not hacking). But my conversation with Mom made me wonder if something more is going on. If she were to accept a fake friend request, would it put her own account at risk of getting messed up? I appreciate you! –The real Evie”

My answer: Evie, you’ve asked a great question; many people are struggling with these issues, either as a victim, or as a friend of a victim. A lot of people have been in both situations.

There are three major types of Facebook account attacks. In this article I’ll cover all three, and what to do about them.

Here are the three types of malicious Facebook account attacks:

1. Account Impersonation Attack

2. Account Takeover Attack

3. Fake Friend Attack

1. Account Impersonation Attack

When people say their account has been “hacked,” they are usually describing something else. No one learned their password. What really happened is that someone copied their public profile picture (often along with their cover photo and public posts) and created a brand new Facebook account under their name. This is impersonation. The impersonator then sends friend requests to the real account’s friends and, once accepted, sends them messages with links to scam or malicious websites that steal logins or infect their computers or phones. The impersonator doesn’t know your Facebook password and can’t alter anything in your real account. But because the fake account carries your name and your picture, it can be very convincing.

When my account was impersonated

What to do about it:

Never accept a friend request from someone you’re already friends with; check your friend list first. Never click a link in a message that arrives with no explanation, even when it appears to come from a friend; ask them through another channel (a phone call or text) whether they sent it. Change your profile picture, so the picture on the fake account no longer matches your current one. Report the fake account to Facebook yourself (on the fake profile, choose Report, then “Pretending to be someone”), and notify your friends on Facebook and ask them to report and block the fake account too.

2. Account Takeover Attack

Sometimes an attacker really does get into your account. Usually they did not guess the password outright: they reused a password of yours that leaked from another website, tricked you into typing it on a fake Facebook login page, or took it from malware on your computer. Then they log in from their own computer, tablet, or phone. This happened to one of my friends. “He” then sent me a private message on Facebook Messenger and told me that he was in London. He said he had been mugged, and his passport and all his money had been taken. He asked me to send him some money via PayPal. Instead of doing what “he” asked, I called my friend’s cell phone – and sure enough, he was at work, sitting at his desk in Seattle at that very moment.

If an attacker has your Facebook password, they can do anything you can do in your account. They can make posts, delete posts, and send private messages to your friends (the “I’ve been mugged, send money” message above is the classic example). Sometimes they go further and change the password, and the recovery email address and phone number, and lock you out of your own account!

Use Two-Factor Authentication, and get alerts about unrecognized logins

What to do about it:

If it has already happened to you, the first thing to do is change your password. Make the new password long, and make it unique: never reuse a password from another site, because a password leaked in one site’s breach gets tried against Facebook next. If you haven’t changed your password in a long time, change it right now anyway. Next, turn on Two-Factor Authentication. You can do this from Facebook Settings, under “Login and Security.” While you are there, review the list of devices currently logged into your account and log out any you don’t recognize, confirm that the recovery email address and phone number on the account are still yours, and turn on alerts for unrecognized logins. If the attacker has already locked you out, start Facebook’s recovery process at facebook.com/hacked.

See all the devices logged into your account right now

3. Fake Friend Attack

The “fake friend” is a friend request from someone you don’t know, which you accepted. That account can now see everything in your Facebook profile that your friends can see: your friends-only posts, your photos, and, the thing attackers are most interested in, your list of friends. The Fake Friend Attack is often the first step. Once they have your friend list, they create a new account impersonating you and launch an Account Impersonation Attack against your friends, who are more likely to accept because the fake “you” already knows exactly who they are.

What to do about it:

Look through your list of friends and see if there are any duplicates. If so, one of them is a fake friend. If you look at the contents of both accounts, you can usually tell which one is real and which one is fake: the real one has years of posts and photos and mutual friends, the fake one was created recently and has almost nothing. Report and block the fake friend. Next, look through your list of friends again, and this time look for any friends that you have never met in real life. Think about these accounts carefully. Do you really interact with them, or are they just “sitting there?” Are they obviously friends or relatives of people you do know? If there is no reason to believe the account is legitimate, remove it from your friend list. Blocking is optional; removing them is enough to take your friend list and your friends-only posts out of their view. You can also limit who can see your friend list in the first place (Settings, Privacy, “Who can see your friends list?”) so that a stranger can’t harvest it from your profile before you have even accepted them.
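The duplicate check above can be done by eye on a short friend list, but impersonators also use tricks that the eye misses: extra spaces, different capitalization, or a Cyrillic letter swapped in for the Latin one it resembles. The following script, an added example that is not part of the original article, applies those checks to an exported friends list. It assumes the list is available as JSON in the shape of the constructed SAMPLE_EXPORT below (loosely modelled on the friends file in Facebook’s “Download Your Information” export; the real file’s key names may differ, so adjust load_friends()). The lookalike-letter table is a deliberately small, partial one.

```python
"""Flag likely impersonator accounts in an exported Facebook friends list.

Added example, not code from the original article. It assumes the friends
list is available as JSON in the shape of SAMPLE_EXPORT below, which is a
constructed sample loosely modelled on Facebook's "Download Your Information"
friends file; the real file's key names may differ, so adjust load_friends().
"""
import json
import unicodedata
from collections import defaultdict

# Constructed sample: "Joleen Smith" appears twice (the second copy added
# years later with odd spacing), and "Bob Young" appears twice, the newer
# copy spelled with a Cyrillic o (U+043E) that looks identical on screen.
SAMPLE_EXPORT = json.dumps({
    "friends": [
        {"name": "Joleen Smith", "timestamp": 1262304000},    # friended 2010
        {"name": "Evie Smith", "timestamp": 1325376000},      # friended 2012
        {"name": "joleen  smith", "timestamp": 1704067200},   # friended 2024
        {"name": "Bob Y\u043eung", "timestamp": 1704153600},  # friended 2024
        {"name": "Bob Young", "timestamp": 1293840000},       # friended 2011
    ]
})

# Partial table of Cyrillic and Greek letters that render like Latin ones.
# Assumption: this short list is enough to catch casual impersonators; it is
# not a complete confusables database.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0410": "A", "\u0415": "E",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0425": "X", "\u041d": "H",
    "\u041a": "K", "\u0422": "T", "\u041c": "M", "\u0412": "B",
    "\u03bf": "o", "\u03bd": "v",
}


def skeleton(name: str) -> str:
    """Reduce a display name to a comparison key that ignores the tricks an
    impersonator uses to look identical: compatibility characters, lookalike
    letters from other scripts, case, and doubled or unusual whitespace."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(CONFUSABLES.get(ch, ch) for ch in name)
    name = " ".join(name.split())
    return name.casefold()


def mixed_scripts(name: str) -> bool:
    """True if the letters of the name come from more than one script
    (for example Latin mixed with Cyrillic), which is rare in a real name
    and common in a lookalike one."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


def load_friends(export_json: str) -> list:
    """Parse the export; the top-level 'friends' key is an assumption."""
    return json.loads(export_json)["friends"]


def find_suspects(export_json: str) -> dict:
    """Return {display_name: [reasons]} for accounts worth a closer look."""
    friends = load_friends(export_json)
    suspects = defaultdict(list)

    # Duplicates: entries that collapse to the same skeleton. The friendship
    # made first is presumed to be the real person; later copies are suspects.
    groups = defaultdict(list)
    for friend in friends:
        groups[skeleton(friend["name"])].append(friend)
    for members in groups.values():
        if len(members) < 2:
            continue
        members.sort(key=lambda f: f["timestamp"])
        original = members[0]["name"]
        for dup in members[1:]:
            suspects[dup["name"]].append(f"duplicate of {original!r}, added later")

    # Lookalike spelling: flagged even when no older original is in the list,
    # since the name being copied may be the account owner's own.
    for friend in friends:
        if mixed_scripts(friend["name"]):
            suspects[friend["name"]].append("mixes Latin and non-Latin letters")

    return dict(suspects)


if __name__ == "__main__":
    for name, reasons in find_suspects(SAMPLE_EXPORT).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run it against the sample and the two newer copies are flagged while the older originals are left alone; the Cyrillic “Bob Young” is reported twice, once as a duplicate and once for mixing scripts. The oldest-friendship-is-real rule is a heuristic: if the attacker befriended you before the real person did, the real account is the one flagged, which is why the script reports names for review rather than removing anything.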

These three attacks are the most common attacks against Facebook accounts. You can’t do much to prevent account impersonation, since it uses only what is publicly visible on your profile; what you can do is notify your friends as soon as you find out and ask them to report and block the imposter. You can prevent account takeover with a strong, unique password and two-factor authentication, set up from the Facebook Account Security Settings. You can reduce the risks posed by fake friends by removing friends you don’t know and don’t interact with in meaningful ways. And never send money to anyone on the basis of a Facebook post or Messenger conversation alone. Call them on the phone first, at a number you already have for them, and make sure they’re really who they say they are.


About the author: Bob Young provides remote tech support to small business, home office workers, and residential clients nationwide. Licensed and insured. Use the Contact Us page to learn more or schedule service.