Naturally, I asked what happened. She explained that she had received a message on Facebook Messenger from a friend named Alex, asking for help setting up a new Facebook page. The request seemed a bit off, but it was Alex, so she trusted it. Soon after, strange things began to happen.
It turns out Alex’s Facebook account had also been hacked, and someone was impersonating her to trick others, including my friend.
Let’s break down what probably happened. Although I’m not certain how Alex’s account was compromised, I suspect a similar scam. Molly (my friend) received a message from “Alex” through Facebook Messenger, which said, “Hi Molly, I’m creating a Facebook page and need a trusted friend to help verify my identity.” Molly, trusting the message, responded, “Hi Alex, no problem! What do you need me to do?” The imposter replied, “What’s your phone number? I need to send a code to verify my identity.”
This was the first red flag. Alex was a close friend of Molly’s, so why would she need Molly's phone number if she already had it? Unfortunately, Molly didn’t catch on to this inconsistency and went ahead and provided her phone number.
After Molly shared her phone number, “Alex” (the scammer) said, “Okay, you’ll receive a code on your mobile. Once you get it, please send it to me. Thanks.” Molly, unaware of the scam, provided the code. Behind the scenes, the scammer was using this code to reset the password to Molly’s Facebook account, which required text verification. With the code, the scammer successfully gained full control of her account.
This was the second red flag. When creating or verifying anything on Facebook, you should use your own mobile number. You wouldn’t use a friend’s mobile number because you would need the code sent to their phone every time you tried to log in to your account. Always be cautious when asked to provide verification codes, especially when the request seems unusual or out of character.
Alex, or rather the scammer posing as Alex, requested a second code from Molly's phone. By this point, Molly was becoming suspicious and asked, “Wouldn’t it be easier if I just called you?” The scammer replied, “I just need this final code, and then you can call.” Trusting the request, Molly provided the code. This was all the scammer needed to change the email address associated with Molly’s Facebook account.
Soon after, Molly received an email notification at her backup email address, alerting her that her Facebook email had been changed to an unfamiliar address. Realising something was wrong, Molly contacted me, saying, “I think my Facebook account has been hacked.”
I quickly logged into her computer, and together, we tried to access her Facebook account. Although the password had been changed, we were able to reset it using Facebook’s ‘Authorized Device’ method, which allows users to add trusted devices as an extra layer of authentication. Once inside the account settings, we saw the changed details, but just then, we were logged out of the account.
The scammer had used Facebook’s ‘Log out of all connected devices’ feature, which forcibly kicked us out. When we tried to log back in, the system informed us that we were using an old password and that it had been changed only seconds ago. This time, we were unable to use the trusted device feature to regain access to the account and were completely locked out.
We tried several methods provided by Facebook to recover the account but had little success. Later that night, we noticed that Molly’s Facebook page started displaying posts about cryptocurrency scams, claiming, “I just made all this money by investing in crypto.” Soon after, Molly’s friends began reaching out, asking if she was the one contacting them via Messenger.
This type of scam isn’t unique to Facebook; it can happen on any social media or email account using a known contact to trick victims.
We all need to be mindful of what we share on social media and the consequences if our accounts are compromised. In Molly’s case, she lost all her memories, photos and more, ultimately having to create a new account from scratch.
A few years ago, I had another person reach out in a panic after their Instagram account was hacked in a similar manner. Unfortunately, they had stored some private photos that were never meant to be public, which were also taken in the hack. While they eventually regained access to their account months later, the data was already out there and the damage was done.
In the cybersecurity community, there’s a saying: “Trust no one, verify everything.” This means that even if someone you know contacts you electronically with unusual requests related to online accounts, it’s always best to pick up the phone and call them directly to confirm.
I hope you found this information helpful and that it will aid in protecting you against these types of scams. As always, feel free to reach out to me at askatech@mmg.com.au if you have any questions.