A Facebook scam reported by several of EverSafe’s members, and by many others, according to news reports and online forums, is a powerful lesson about the importance of protecting your Facebook and other online accounts with two-factor authentication or passkeys.
With two-factor authentication (2FA), you add an extra layer of security to your accounts by requiring two forms of identification, such as your email address and a mobile phone number, or a mobile device app. Using a passkey is even more secure.
2FA and passkeys generally defeat brute-force attacks on your Facebook account, in which hackers enter your username and then cycle through thousands of different password attempts until they gain access and take control.
A Facebook scam, in which hackers gain control of people’s accounts, shows why a secondary security layer for your account is so important.
Read more on securing your Facebook account below.
If Your Facebook Account is Taken Over
Once a Facebook account is compromised, scammers post as you, claiming you are selling discounted, expensive items, such as a car, on behalf of an elderly or recently deceased relative.
The hacker instructs your friends to send a private message if they are interested in buying the item. The scammer will try to get a friend to send a deposit, even though they haven’t yet seen the item that’s for sale.
Scams like this have been reported in many states, with unsuspecting Facebook friends losing thousands of dollars.
- In Georgia, a man said at least three of his Facebook friends had given money to an imposter who was controlling his profile. The hacker appeared to be helping an uncle sell some high-priced items, including vehicles and a hot tub.
- In New Jersey, a bad actor who took over a Facebook account staged a fake estate sale and collected deposit money from the real account owner’s friends.
- In Colorado, an account-takeover hacker posted that they were selling various items because they had placed a parent in assisted living and needed money to pay for their care.
- In New York, a scammer posted the account owner’s late father’s supposed possessions, including tractors and four-wheelers. Premium concert seats were posted too.
The lesson for all Facebook users is to beware of a friend who suddenly offers multiple items for sale, especially for reasons that appear designed to appeal to your emotions.
The Scammer’s Grip
When our members, one on the East Coast and one on the West Coast, belatedly discovered that their accounts had been hacked, they tried to change their passwords.
But the hacker was one step ahead of them. The bad actor had enabled two-factor authentication on our members’ accounts, which the members had not enabled themselves.
That gave the intruder control of the accounts, because the hacker had registered their own phone number for 2FA. So, when the real account owners tried to change their passwords, they were unable to receive authentication codes because the system was sending them to the hacker.
In one case, the hacker deleted a victim’s husband from her list of Facebook friends, making it much easier to conduct the scam undetected. Meanwhile, the hacker was chatting with the victim’s other Facebook friends and asking them to pay for goods via Zelle.
One friend, who was about to send the hacker a deposit for a car, finally grew suspicious. “Hey,” he wrote, “how do we know each other?” “I’m sorry,” replied the hacker, “but is this not a time to remember things as I’m growing older?”
Protecting Your Facebook Account From Takeover
If your account is taken over, reports suggest it can take weeks for Facebook to help you regain control. So, the best path forward is to add protection to your account.
Start with a strong password, preferably generated by a password manager. According to the passphrase generation site Use a Passphrase, a seemingly complex password like ‘MyDogBell@!’ can be cracked by brute force in about 3 hours.
Set up two-factor authentication. With 2FA, after you enter your username and password, a code is texted to your mobile device. You then must enter that code to access your account. 2FA can be set up in the Facebook Meta Accounts Center.
Even better, if you access Facebook from a device that supports fingerprint recognition, facial recognition, or a device passcode, you can set up a passkey.
Yes, an additional layer of Facebook account security is less convenient than basic username-and-password access. However, if you want to minimize the chances of being the victim of an account takeover scam, it’s well worth it.