Naturally, I asked what happened. She explained that she had received a message on Facebook Messenger from a friend named Alex, who asked her for help setting up a new Facebook page. The request seemed a little odd, but it was Alex, so she trusted her. Soon after, strange things started happening.
It turned out that Alex’s Facebook account had also been hacked and someone had been posing as her to trick others, including my girlfriend.
Let’s analyze what probably happened. Although I’m not sure how Alex’s account was compromised, I suspect a similar scam. Molly (my girlfriend) received a message from “Alex” via Facebook Messenger saying: “Hi Molly, I’m creating a Facebook page and need a trusted friend to help me confirm my identity.” Molly trusted the message and replied: “Hi Alex, no problem! What should I do?” The scammer replied: “What’s your phone number? I need to send a code to confirm my identity.”
That was the first warning sign. Alex was a close friend of Molly’s, so why would she need Molly’s phone number if she already had it? Unfortunately, Molly didn’t notice this discrepancy and gave her phone number anyway.
After Molly gave out her phone number, “Alex” (the scammer) said, “Okay, you’ll get a code on your phone. Once you have it, please send it to me. Thanks.” Molly, who was unaware of the scam, gave out the code. Behind the scenes, the scammer used this code to reset the password for Molly’s Facebook account, which required a text verification. Using the code, the scammer successfully gained complete control of her account.
This was the second warning sign. Whenever you create or verify anything on Facebook, you should use your own mobile number. You wouldn’t use a friend’s mobile number, because you would then need the code sent to their phone every time you tried to log into your account. Always be cautious when asked to provide verification codes, especially if the request seems unusual or out of character.
Alex, or rather the scammer posing as Alex, requested a second code from Molly’s phone. At this point, Molly became suspicious and asked, “Wouldn’t it be easier if I just called you?” The scammer replied, “I just need this last code and then you can call.” Molly trusted the request and provided the code. That was all the scammer needed to change the email address linked to Molly’s Facebook account.
Shortly after, Molly received an email notification to her backup email address informing her that her Facebook email address had been changed to an unknown address. When Molly realized something was wrong, she contacted me and said, “I think my Facebook account has been hacked.”
I quickly logged into her computer and together we tried to access her Facebook account. Although the password had been changed, we were able to reset it using Facebook’s “Authorized Device” method, which allows users to add trusted devices as an additional layer of authentication. In the account settings, we saw the changed details, but were logged out of the account at that moment.
The scammer had used Facebook’s “Log out of all connected devices” feature, which forcibly kicked us out of the account. When we tried to log in again, the system told us that we were using an old password and that it had been changed just seconds ago. This time, we couldn’t use the “Trusted Device” feature to access the account again and were completely locked out.
We tried several methods offered by Facebook to recover the account, but had little success. Later that night, we noticed that posts about cryptocurrency scams were appearing on Molly’s Facebook page, claiming, “I just made all this money by investing in cryptocurrencies.” Shortly after, Molly’s friends started contacting her, asking if she was the one who had contacted them on Messenger.
This type of scam is not unique to Facebook; it can occur on any social network or email account, using known contacts to trick victims.
We all need to be aware of what we share on social media and the consequences if our accounts are compromised. In Molly’s case, she lost all of her memories, photos and more and ultimately had to create a whole new account.
A few years ago, another person contacted me in a panic after their Instagram account was hacked in a similar way. Unfortunately, they had saved some private photos that were never meant to be public and that were also taken in the hack. Although they regained access to their account months later, the data was already out there and the damage was done.
There’s a saying in the cybersecurity community: “Trust no one, verify everything.” This means that even if someone you know contacts you electronically with unusual requests about online accounts, it’s always best to pick up the phone and call the person directly for verification.
I hope you found this information helpful and that it helps you protect yourself from these scams. As always, you can contact me at the following address: [email protected] if you have any questions.