I noticed a recent spike (in the last few months) in scammers impersonating genuine accounts on Facebook. I made this observation after seeing several of my "Facebook friends" posting that their accounts were hacked. The posts also went on to warn their "Facebook friends" not to shell out any money in case the impersonator asked for it on their behalf. In my opinion, just posting a warning is not enough. I think that, as users, we should educate ourselves as to why this may happen and take the necessary steps to prevent such scams.
Your Account was not hacked!
If you were a victim of this, let’s get this clear: your Facebook account was not hacked. If it was, it would mean your account was taken over by the bad actor and he/she (the bad actor) has locked you out of your account. You wouldn’t be able to log into your account, let alone post a warning to your friends about it.
Honestly, unless you were using a dumb password (or reused a dumb password), the chance of this happening is quite remote. Facebook has robust security. If it did happen, you would have received an email from Facebook warning you of a suspicious login and a change in your primary email address.
What is actually happening is that the bad actor is creating an imposter account with the victim's name, display picture and other private information. The bad actor isn't taking over the victim's account.
We as users are "enablers" of impersonation scams on Facebook
I am assuming you have been using Facebook long enough to recognize a scammer, impersonating your friend, asking you for money. I don’t think you need to be educated on that. And these scams are not new on Facebook. This has been a chronic problem since the company’s inception, and Facebook has been purging billions of fake accounts for a long time now.
Creating an imposter account impersonating someone else was easy during the early days of Facebook. The company has since brought in robust privacy features. If you have been impersonated on Facebook today, I think you as a user have “enabled” a bad actor to impersonate your account.
While this post focuses on Facebook, it's also important that you make your privacy settings robust across all social media websites you have registered on. Users, in general, are lax when it comes to making any sort of information public. If a skilled scammer targets you, he/she could gather the necessary data about you elsewhere on the web.
Analyzing the root of the problem
Let’s analyze the problem and find out how you could be impersonated. Users are wary these days. Hence, before sending out “Friend Requests” to your friends, the imposter must make his/her account look genuinely like yours. Here is the bare minimum information/data the scammer needs to get this done.
The scammer should know your name
This, of course, is not in your control. You are searchable on Facebook. Getting hold of your full name on the web is not a difficult thing to do. However, here are a few things you could do to ramp up your privacy in this regard.
- Go to "Settings and Privacy"
- Choose the "Privacy" option.
- Under "How people can find and contact you" change your privacy settings for these options.
Never be searchable by your email address or phone number on Facebook. Also, don't let Google or other search engines show your Facebook profile in their search results.
The scammer needs a picture of yours to impersonate your account.
“Your current profile picture and cover photo are public, so they can be seen by anyone on or off Facebook.”
Public photos are downloadable.
The imposter could simply download your display picture (if it's public) and use it for setting up the fake account.
Change the privacy settings of your display photo from “Public” to “Friends”. This way, your display photo, though visible to the public, cannot be downloaded by someone who is not your friend (public).
Getting a display picture, however, is easy. We shouldn't forget the pictures we have uploaded on other social media websites like LinkedIn or Twitter.
The scammer should have a few photos of yours uploaded on the fake/imposter account.
This would make the account look genuine. You would inevitably have some photos that are public (and downloadable). Check the privacy settings of your photos. Most users don't realise this.
You could try typing in a random name on Facebook search, and try checking photos of that account. Most users, if not all, would definitely have some photos that are public.
Change the privacy settings of all your photos (and albums) from “Public” to “Friends”. Alternatively, you could also set it to “Only Me”. However, doing this would make your photos unavailable to your friends too.
The scammer should know something about you to fill in details in the “About” section of the imposter account.
Facebook asks you to fill in details like:
- Basic overview
- Work and profession
- Places lived
- Contact and Basic Info
- Family and Relationships
- Other Details
- Life Events
Information such as "Work and Profession", "Contact" and other details can be gathered from sites like LinkedIn. Sometimes there is little you could do other than not having social media accounts 😕
This is a wealth of information. Are you sure all of this information on your account is private and closed to the public?
Change your settings to either “Friends” or “Only Me”. Even better, don’t fill in these details. Think about it. Why would you want anyone to have access to this information on Facebook?
Sending "friend requests" to your friends
After creating an imposter account (let's say the bad actor is impersonating your account), the scammer, most importantly, needs to know your contacts/friends on Facebook.
I have noted that most accounts have the privacy settings of their "Friends" list set to public. Even if users have all other information set to private, I have noticed them being complacent about the information of their "Friends" list.
It is very important to set this to private. You see, imposters can get easy access to your "Friends" list. This is how scammers could send your friends “Friend Requests”. Don't allow anyone other than your friends to have access to your "Friends" list information. I would go one step further and set it to "Only Me"!
Locking your Profile
You could save yourself the hassle of changing your privacy options individually by "Locking" your profile. I think this is a great option to switch on.
Making your profile's privacy robust makes it difficult for a scammer to impersonate your account. A scammer wouldn't bother trying to impersonate such an account, as he/she would have almost no data about you with which to make the imposter account look genuine.
Recognizing Imposter Accounts
- If a "Friend Request" appears to come from someone you think is already your friend, check your "Friends" list to confirm.
- Maybe you got a request from an old friend not on your "Friends" list. Nevertheless, check the account.
- Usually an imposter account is "young". Check the upload dates on the photos and posts.
- You could also use the "Filters" option available on anyone's "Profile Wall" to check how old the account is.
- You see, the root of the problem, as far as impersonation scams are concerned, lies in giving random blokes you may not know (public) easy access to your private data (photos, Friends list, details "About" you, likes etc).
- Avoid accepting friend requests from people you may not know. This may include someone you may not know, but who may have a few mutual friends. Wanting to have thousands of Facebook friends is just vanity (I have been guilty of this too, in the past).
- Don't allow random people (public) to send you "Friend Requests". Change the privacy settings for this option to "Friends of Friends".
- Additionally, in case you have loads of photos uploaded on Instagram, make your account private and allow only people you know to follow you.
- If you want to quickly get to know your privacy settings on Facebook, do a "Privacy Checkup".