Facebook: Hacked versus Cloned

Wed, 07/09/2022 - 10:32 -- James Oakley

“I think my Facebook account has been hacked. Sorry everyone.”

Anyone who uses Facebook, and has a decent number of Facebook friends, will see this message from time to time.

People get confused about exactly what’s happened, and therefore how to prevent this from happening and how to fix this if it does.

The key thing to understand is that there are two distinct things that can happen to you: Hacked, and cloned.

Facebook Hacked

This is when someone else is able to log in to your Facebook account.

Consequences

There are several things that can happen if someone gains access to your account:

  • Commonly, they will use your account to message or tag your friends. They want to find other people whose accounts they can control. So they’ll try the same trick on them that you fell for.
  • They might message your friends to ask for money, or to perpetuate some other scam.
  • They could access groups / posts / photos that are not public, and use them for malicious purposes.
  • If you’ve used the same password for other sites, say Amazon, they could then log in to your account there too. They could potentially spend your money on those sites, using saved card details.
  • Worst case, they could change your password and lock you out of your own account. That means they can continue impersonating you forever. Knowing you will not want to rebuild your Facebook world from scratch, they could try to get you to pay for access to your own account.

How does this happen?

Almost always, the hacker needs your password, so they’ll try to find it out.

To do that, they’ll knock up a website that looks like a genuine Facebook login screen, and try to socially engineer you to log in to “Facebook”. You’ll enter your username and password, but instead of logging you in (you were probably logged into Facebook already) they’ll capture those details. They can then use those same details to log in to the actual Facebook.

There are many ways they could trick you into logging in again. Old fashioned phishing emails (you have a new message, click here to read it) still do the rounds. The one I’m seeing more often, at the moment, is a Facebook Messenger message from a Facebook friend. (The friend in question has been hacked, so this is the hacker using their account to try and get to yours.) The message says something like, “Is this you in the video?”. There’s a link to click on, to see the “video” your friend has found that might have you in it. Only there is no video. The link tells you that you need to log in to Facebook to see the video, and then goes nowhere.

How to prevent this

Have your wits about you. Don’t click on dodgy links like the one just described. Maybe it was you in a video. Maybe it wasn’t. But you have better things to do with your time. The social engineering will be a different, but similar, trick next year. If ever you click on a link on the web, or in an email, and the result is a prompt to log in to Facebook: Stop! Do not log in. Before logging in to Facebook, always check the address bar in your web browser to make sure the domain you’re on really is facebook.com, not something else. The domain is the part between “https://” and the next “/”, and it should end in “facebook.com”: an address like “facebook.com.somethingelse.net” or “www.facebook.com-login.net” is not Facebook, however familiar it looks. If you use a password manager, it helps here too: it will only offer to fill in your Facebook password on the real facebook.com, so if it stays silent on a login page, treat that as a warning.
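The domain check above is the one technical step in this advice, and it is exactly the step phishing pages are built to defeat, so here is an added example of doing it properly (this is not code from the original post). It parses the address the way a browser does and only accepts facebook.com or one of its subdomains over HTTPS. The look-alike addresses in the test list are constructed for illustration, and the trusted-domain list is an assumption for the example, not something Facebook publishes.

```python
"""Added example: decide whether an address is really a facebook.com login page.

The comparison is done on the parsed hostname, not on the raw text of the
address, so the usual tricks fail: the real name used as a prefix, the real
name as a subdomain of an attacker's domain, or the real name hidden in the
user-info part before an '@'.
"""
from urllib.parse import urlsplit

# Assumption for this example: the only domain we will type a Facebook
# password into. Subdomains (www.facebook.com, m.facebook.com) are accepted.
TRUSTED_DOMAINS = ("facebook.com",)


def is_trusted_login_host(url: str) -> bool:
    """Return True only if url is HTTPS and its hostname is a trusted domain
    or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname is lower-cased and has any user-info and port removed;
    # it is None when the address has no network location at all.
    host = parts.hostname
    if not host:
        return False
    # Convert to the ASCII (punycode) form. A look-alike such as a Cyrillic
    # 'а' in "fаcebook" becomes an xn-- label and can never match.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_urls(urls):
    """Map each address to the verdict, for showing a batch of results."""
    return {u: is_trusted_login_host(u) for u in urls}


# Constructed sample addresses: the first three are genuine patterns, the rest
# are the shapes a phishing link takes. None is a real site from the post.
SAMPLE_URLS = [
    "https://www.facebook.com/login",
    "https://m.facebook.com/",
    "https://facebook.com:443/login",
    "http://www.facebook.com/login",              # not HTTPS
    "https://facebook.com.evil.example/login",    # real name as a subdomain
    "https://www.facebook.com@evil.example/",     # real name as user-info
    "https://evilfacebook.com/login",             # real name as a suffix
    "https://f\u0430cebook.com/login",            # Cyrillic 'a' homoglyph
    "https://evil.example/https://www.facebook.com/login",
]

if __name__ == "__main__":
    for url, ok in check_urls(SAMPLE_URLS).items():
        print(("REAL   " if ok else "FAKE   ") + url)
```

Note that the function is deliberately conservative: anything it cannot parse, anything not served over HTTPS, and anything whose hostname is not under facebook.com is treated as fake. That is the same rule the paragraph above gives for a human reading the address bar.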

Other than that general alertness, the other thing to do is set up “two factor authentication”. Normally, you use a username and password to log in. Your password is “one factor”; it’s something you know. Two factor authentication adds a second factor, something you have. Someone needs both to log in. Go to your Facebook settings screen, go to Settings and Privacy, and you’ll see “Use two-factor authentication”. Turn that on.


Now, to log in, someone needs your password and a six-digit code that is sent by text to your mobile phone (Facebook also lets you use an authenticator app instead of text messages, which is the better choice if your phone number could change or be taken over). If you accidentally give a hacker your password, they still can’t log in with it alone. One caveat: a fake login page can ask for the code as well as the password and pass both straight on to the real Facebook, so the rule above still stands: never log in from a link, and always check the domain first.

Note: They can still use that password to log into any other websites that use it, so don’t use the same password for multiple sites, and use two-factor authentication wherever it’s offered to you.

Facebook Cloned

This is completely different from, although often confused with, being hacked. This is when someone creates a new Facebook account designed to look like it’s you.

Consequences

They will make sure your profile picture, cover picture, job, etc. are the same as your real account. They will then look at your actual Facebook account, and see who your friends are. They’ll then work their way down that list of friends, and use the fake account to send all those people a friend request.

Some of your friends will be confused. They’ll think they were already friends with you on Facebook, but maybe they never did set that up, or maybe for some reason you got unfriended from them. Either way, they’ll look at the profile picture, recognise it, and accept the friend request.

The more of your friends become friends with the fake, the more credible the fake account becomes. When other friends of yours see the friend request, they’ll then see that they have “8 mutual friends” with you. This makes it look more like it’s the real you.

Once they have become friends with your friends, they'll then typically reach out to them on Messenger. They’re after money. Typically, there’s some story about you being in Berlin on business, your passport has been stolen (or some such), so you need some urgent funds to get home. Or a thousand variations on that.

How does this happen?

Very, very easily. Most people have their profile picture, cover picture, and list of friends public. I am not advising that you change that practice. The point is, it’s very easy to set up a fake account that looks like you.

How to prevent this

Because it’s so easy to do, it’s much harder to prevent. In fact, you can’t stop someone setting up an account with your name and your public pictures.

But what you can do is be alert to the fact this happens. If you get a mysterious friend request from someone you already know, don’t blindly accept it. Do the following:

  • Use the search tool at the top of Facebook to search for your actual friend with the same name. It is just possible that the friend request comes from the person you actually know. So search for them, find their account, and check you’re still friends with them. If you are, you know the friend request is fake.
  • Report them. Because the clone copies the real profile so closely, it’s easy for Facebook to see that the account is fake. Go to the friend request in your notifications, and go to the profile for the fake account (click on the account picture).
    • On Facebook desktop, tap the three dots to open a menu, and choose “Find support or report”.
    • On Facebook mobile, tap the three dots to open a menu, and choose “Report profile”.


  • You then follow the wizard to say that you’re reporting them for impersonating a friend, and choose which friend. Facebook can compare the account you’re reporting with the real one and see that it’s a clone.
  • Sadly, they don’t always act on this straight away. Time is money, literally, because while the fake account is up people could be being fleeced. So lastly, let the person know they’ve been cloned, and get them to report the fake account. The fake account may have blocked the person it’s copying, so they may not be able to see the account to report it; the impersonator won’t block them straight away, though, as they need to see the real account to pull the list of friends etc. Also message a few mutual friends to ask them to report the fake.
  • People often then change their password, etc. But this is a clone, not a hack, so that won’t help. But what you can and should do is change your profile picture or cover picture, having blocked the fake account. Then your friends can quickly distinguish the real you from the fake you.

Questions / comments?

I hope you’ve found this helpful. I’ve offered a quick primer on being hacked / cloned, the difference between the two, what criminals hope to gain from doing this, how the attacks happen, and how to protect yourself.

If you’ve got questions or comments, do put them below. I may not know the answers to questions, but let’s use the comments to keep helping each other. None of us wants our online accounts to be used to exploit others, or to be the victim of crime ourselves.
