From posting pictures of your trip to Spain to reviewing music, chatting with friends and buying shoes, Facebook has become an online community unto itself, enabling us to connect, explore and browse without ever leaving the site. When Facebook launched back in 2004, it was only accessible to a handful of college students, and the site looked a lot different than it does today. You might not be surprised that there are about as many Facebook users as there are citizens in China, but you may not know that nearly 84 percent of Facebook users live outside of the U.S. and Canada.
With so many users worldwide, there’s no doubt about Facebook’s impact on everyday life. But despite the ubiquity of social media, its security isn’t all that it’s cracked up to be. As people form relationships, upload photos and wax poetic about their political beliefs, cyber criminals take these opportunities to hack into unsuspecting accounts for malicious reasons of their own. Facebook hacking isn’t just a possibility – it’s a reality.
Between impersonator accounts and fake profiles, Facebook has unintentionally welcomed hackers with open arms almost since the start, and it’s a problem that’s only getting worse as hackers get more sophisticated and technology gets even better. Even now, with Internet security a top priority for companies everywhere, examples crop up showing us yet again how vulnerable we are to attack. Why does it happen, and how can you prevent it? Facebook takes cybercrime seriously – as does the U.S. government – and there are ways to reduce your risk of being hacked.
How to Get Hacked on Facebook
You might assume that a strong password and online vigilance would prevent your account from getting hacked, and while these are good strategies, they aren’t always enough. In 2013, Nir Goldshlager, a so-called “white hat” hacker, identified a serious flaw in the security of Facebook’s applications. The bug allowed him to bypass security authorizations on pre-installed Facebook apps, such as Messenger, and tap into user accounts without permission. A white hat hacker is someone who identifies security issues for a living by trying to hack into a company’s system, and they’re usually rewarded for their efforts. In addition to rewarding Goldshlager, Facebook remedied the security flaw immediately.
In March 2016, another white hat hacker proved that Facebook’s security system still needs work. Anand Prakash, an Indian product security engineer, found a loophole in Facebook’s “reset password” feature, a system that lets you reset your forgotten password by giving you a 6-digit code to log in.
On the regular site, you have a limited number of attempts to log in using that code before the system kicks you out. Prakash tested the feature on two of Facebook’s beta sites and discovered that these systems allowed an unlimited number of password attempts. Using brute force methods, he was able to hack into his own account without needing a password. Facebook awarded him $15,000 for his efforts – called a “bug bounty” in the industry – and quickly fixed the problem.
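The flaw described above comes down to where the attempt limit is enforced. As an added example (not Facebook's code; the class name, the limit of 5 attempts and the 10-minute lifetime are assumptions), this Python example keeps the failure counter with the reset-code record itself, so every front end that verifies a code shares the same limit and a 6-digit code cannot be guessed by repetition.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5      # assumed limit; the article does not give Facebook's number
CODE_TTL = 600        # assumed code lifetime in seconds
CODE_SPACE = 10 ** 6  # a 6-digit code has one million possible values

class ResetCodeStore:
    """Holds the attempt counter next to the code, so the main site, mobile
    and beta hosts all hit one shared limit when they call verify()."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._records = {}  # account -> [code, expiry, failed_attempts]

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(CODE_SPACE):06d}"  # CSPRNG, zero-padded
        self._records[account] = [code, now + self.ttl, 0]
        return code  # a real system sends this out of band (e-mail or SMS)

    def verify(self, account, guess, now=None):
        now = time.time() if now is None else now
        rec = self._records.get(account)
        if rec is None or now > rec[1]:
            self._records.pop(account, None)   # unknown or expired
            return False
        if hmac.compare_digest(rec[0].encode(), guess.encode()):
            del self._records[account]         # single use
            return True
        rec[2] += 1
        if rec[2] >= self.max_attempts:
            del self._records[account]         # burn the code after too many misses
        return False

def live_guesses(store, account, attempts):
    """Test helper: submit wrong guesses and count how many reached a live code."""
    code = store.issue(account)
    live = 0
    for i in range(attempts):
        if account not in store._records:
            break                              # code was burned; guessing is over
        guess = f"{i:06d}"
        if guess != code:
            store.verify(account, guess)
            live += 1
    return live
```

With the limit in place, the chance of guessing one issued code is at most `MAX_ATTEMPTS / CODE_SPACE`, which is 5 in 1,000,000 under these assumed values.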
While it’s clear that Facebook takes great pains to find and address security loopholes, sophisticated hackers can easily bypass the system. If Prakash hadn’t discovered the flaw, then all 1.6 billion Facebook users would have been at risk for Facebook hacking. Think about how much information is stored on your personal account. From payment methods to personal information, a hacker would have a field day with the amount of data available via simple brute force tactics.
The Reality Behind Fake Profiles
You’ve seen fake profiles before: celebrities that aren’t really managing their accounts, your friends’ pets and kids, and other pages designed as inside jokes among friends. These accounts are okay since their intended purpose isn’t to harm, threaten or scam you out of money. Most people can spot a fake, but it’s not always easy to know when your friends’ accounts have been hacked. From phony business pages to imposter accounts, you need to know how to tell a real page from a fake one. The difference could save you time, frustration, money and even your life.
First, there are some terms that you should know. In this case, “fake” and “imposter” aren’t always interchangeable because the intent isn’t always the same.
- Facebook cloning: When someone makes an exact copy of your or a business’s Facebook page, it’s called Facebook cloning. The imposter will steal your images, posts and critical information, create a page that mimics your real one, and communicate on Facebook as if she were you. These accounts are referred to interchangeably as cloned accounts, impersonator accounts or imposter accounts.
- Fake account: A fake account is a made-up Facebook page that someone creates from scratch. He might use real images that he finds online, such as stock photos, but the account is phony. These accounts can be set up with good intentions, like with celebrity fan pages or your friend’s new baby, or they can be used for malicious purposes, like swindling money out of unsuspecting people.
- Fake profile picture: Anyone can lift photos from the Internet to use as their profile pictures. Facebook pirates and imposters use fake profile pictures to lure people into thinking that their accounts are real. Sometimes, it’s hard to tell if a profile picture is real or not. Good hackers can create very convincing profiles.
- Facebook hacker: A Facebook hacker is someone who hacks into an account and uses the account without permission. Hackers don’t always go through the trouble of creating cloned accounts. Instead, they might just log in to your existing profile, post on your behalf and steal your information. Hacking is a deliberate act, and while your friends might play a prank on you by logging in using your password to post silly statuses, a real hacker won’t just do it for fun. Black hat hackers usually want to steal money.
- Facebook pirate: Facebook pirates are those who steal data from your profile, whether by creating a duplicate or impersonator page, or by directly hacking into your account and taking your information.
As the name suggests, an imposter account is an account that’s created without the original person’s or business’s consent. You might have seen pages for companies like Disney World that offer too-good-to-be-true giveaways for sharing the post or clicking “Like.” Here are a few tips for identifying an imposter business, media figure or brand page:
- First and foremost, Facebook verifies professional pages for authenticity. If you see a blue check mark next to the page and on posts, then that entity is a verified public figure, brand or media company. If the check mark is grey, the page is a verified business or organization. The lack of a check mark means the page has not been verified.
- Professional pages will give you detailed information, such as their company history, product specs, contact info and more. National brands are better about keeping their social media posts current than local businesses, but do some digging to see if you can verify the page for yourself. If the page has no contact information whatsoever, you’re probably dealing with a fake site.
People create fake or duplicate brands and businesses as ploys to steal money, information or your identity. Facebook governs how a business can conduct itself on the site, so if you see something suspicious, report the activity. If those sweepstakes sound too good to be true, then they probably are. Poor grammar, oddly phrased sentences or inconsistent details – such as a logo discrepancy – are also good indicators that you’re seeing a fake page.
You might not have trouble spotting a fake professional page. But what about your friends’ accounts? Have you ever gotten a friend request from someone you were already friends with? This might be a simple case of your friend deactivating and reactivating his account, but it could also be a sign of Facebook cloning. And while cloning might not seem like a big deal at first, it’s considered a form of identity theft, which makes it a serious cyber crime.
As outlined above, Facebook cloning happens when an imposter steals all of your information and creates a duplicate page. What’s the point in that? For starters, a Facebook pirate can gain valuable information by cloning your account. Hackers and pirates alike want information – data that they can use to steal money, create fake identities and accomplish larger criminal goals.
When your account gets cloned, the hacker has access to your friends’ lists and possibly other critical information, such as your email address and any payment methods that you’ve got tied with Facebook. Once he has your information, an imposter can manipulate your friends into giving him money. A post about your trip to Philadelphia, for instance, could be manipulated by a pirate to say that you’ve been stuck without access to cash and need assistance. A Facebook impersonator is smart, meticulous and dedicated. She won’t just stop at cloning your account. She’ll block access to the duplicate account from you, which means that you might not even realize what’s happening until one of your friends presses a bit further.
What to Do After You’ve Been Hacked
Despite every precaution, sometimes the hackers win. If you’ve been hacked, then there are ways to recover depending on the situation. First, verify that you’ve been hacked by someone other than a prankster friend. You may have simply left your Facebook page open or vulnerable to a sneaky spouse. If your account has been hacked instead of duplicated, then do the following:
- Report the issue to Facebook using the “hacked” walkthrough available on its site. You’ll need your login info to access the page.
- Update your privacy settings and password to reduce the chance of this happening again. Go through your Facebook apps and delete anything that’s been added without your knowledge. Also, review your own page and delete any posts that you didn’t make.
- Tell your friends what happened, and warn them about any suspicious posts or messages that they might’ve seen coming from your account.
If your account has been duplicated, then you can report the cloned page as long as the Facebook pirate hasn’t blocked your access. If he hasn’t, then simply go to the imposter page and click the link to report it. Facebook will follow up on the request, but you should know that this process can take weeks or even longer to resolve. After all, Facebook has to verify that you are who you say you are – in other words, that you’re not the one who’s copying your imposter.
If you don’t have access to the duplicate page, then you’ll have to take steps outside of Facebook to rectify the situation. File a report with your local police department, and report the cyber crime to the Internet Crime Complaint Center, which is administered by the federal government. These actions may not resolve your situation entirely, but they will alert the appropriate governing authorities about the identity theft. Again, let your friends and family know about it so that they don’t fall victim to scams for money or information. Monitor your bank and credit card statements for suspicious activity, and alert the corresponding institutions to fraudulent charges.
Reducing the Risk of Facebook Hacking
How do Facebook pirates gain access in the first place? It boils down to two important factors: your Facebook privacy settings and your trust in other people. Unfortunately, some of Facebook’s security features leave a lot to be desired. In a maddening twist, you can report that your account has been cloned only by doing so from the duplicate page. If the Facebook pirate who stole your identity has any sense, she’ll have blocked your access to the cloned page, thereby making it impossible for you to do anything about a duplicate account.
More often than not, hackers want to steal your money and information, but there are more sinister reasons behind Facebook hacking. One of these is to spread malware to your friends and family. By acting as you, a Facebook pirate can encourage friends to click on links and videos that effectively load up their computers with viruses. Worst-case scenario, your friends will have every keystroke monitored by the hacker, who can then access bank accounts, online shopping accounts and credit cards.
Fortunately, these instances are rare, and Facebook has some specific security features in place to help you avoid this kind of activity and recover if you’re a victim. While Facebook cloning still needs to be addressed, the company does have a specific procedure for reporting straightforward hacking – where someone hacks into your account and uses it as if she were you rather than creating a duplicate page. Here are some ways to avoid or at least reduce the risk of getting hacked:
- Choose a strong password. You’re probably tired of being told to choose a good password, but the truth is that your password is your first line of defense against hacking. Picking your anniversary date, your mom’s maiden name, or your favorite pet and a number just won’t cut it anymore. Opt for a random word, a symbol or two, and a number. If you have trouble remembering this sequence of characters, invest in a secure password manager to keep everything in one place. Better yet, change your password a few times a year, and don’t use the same password for every website.
- Adjust and routinely update your privacy settings. Facebook gives you almost total control over who sees what when it comes to your posts. You can sort by your friends list, set people up as “acquaintances,” and hide or block things that you don’t want to deal with. Every few months, take some time to adjust your privacy settings to a point that makes you comfortable. For example, you could set all photo sharing to “friends except acquaintances,” making it impossible for friends-of-friends to see your photos. You should also consider a two-step authentication process when logging in. That might get tiresome, but it’s better than leaving your account open for attack.
- Don’t accept friend requests from strangers. Speaking of friends-of-friends, you can reduce your likelihood of getting hacked by only accepting and adding people you know in real life. Hackers lie. They may pose as mutual friends, work colleagues or classmates. Ignore any friend request from a person you’ve never met. If you get a request from someone you’re already friends with, call that person and ask if it’s really him.
- Keep identifying information to a minimum. As convenient as it can be to tie your online accounts and applications with Facebook, doing so puts all of your accounts at a higher risk should something happen. Keep information such as your full birth date, phone number, address and personal details to a minimum. Don’t link your credit or debit card with your Facebook account unless you have a good reason, like you own a business and need to pay for ads. The less you put online, the less hackers can access.
- Clear out your cookies, and log out when you’re done. Cookies are virtual reminders for your browser about where you’ve been online. They get stored in a temporary folder so that you don’t have to log in to every website over and over. They also track your data for targeted ads. Every so often, clear your cookies, which you can do from your browser’s settings, so that you have to log back in to access accounts. When using Facebook, make sure to log out when you’re done, especially if you’re using a public computer.
These tips can be applied to most websites, especially social media outlets, but there are other, Facebook-specific tips for avoiding getting scammed. These include turning on the notification that alerts you every time you log in from an unrecognized device and enabling the “https” feature for secure connections. You can modify your security settings by going into your account and clicking on the settings link, followed by the security link. Facebook will walk you through the process for setting everything up. You can’t always prevent the worst from happening, but following these steps could help you to reduce the risk substantially.