It happened again.
A social media friend request from someone I was pretty sure I was already friends with...
A quick search of my current friends list confirmed my suspicions, and checking their original profile revealed a recent post saying they had been hacked and not to accept any new requests from them. Unfortunately, their warning post was already filling up with scammy phishing comments linking to "someone who could help recover their account"... And I also found in the mutual friends list of the new fake profile that some of our common friends had already fallen prey to this phishing scam and connected with the faker.
This is all too common these days, and if it happens to you, here is some simple, non-technical advice:
If it is your account in question...
First, realize that while it is possible you have been hacked, it is far more likely that you have simply been spoofed. If someone truly breaks into your account (or business page), they will usually lock you out quickly, change the profile name and image, and start churning out scammy garbage. So if you can still log in, your account is probably intact: change your password to be safe, turn on two-factor authentication if you haven't already, check the list of logged-in devices or active sessions in your security settings and log out any you don't recognize, and relax. Panic could prompt you to do something risky (which I will mention in a moment) and is unhelpfully stressful.
Instead of trying to hack your account, it's far easier for scammers to copy your name and profile photos and pretend to be you. This is usually called spoofing (or account cloning, or impersonation), and it is done to harvest your friends list and build a legitimate-looking profile for spreading disinformation or phishing your contacts.
If you've been spoofed, your account itself is probably safe. But a security hole has been opened in your online community. Thankfully there are a few easy things you can do to help plug it up.
Also, be aware that after you post the warning to your profile, it will likely start collecting offers in the comments to "help you recover your account". This is where panic will work against you. Do not click on or respond to any of these comments. They are all fake: real account recovery only ever happens through the platform's own login and recovery pages, never through a stranger in your comments or inbox. This is especially true if your warning was publicly visible, but even if it was set to friends only, you might have a few friends in your list who have been hacked or were fake to start with. These are the ones who will actually trick you into handing over your login information and then take over your account for real. They may be working in coordination with the spoofer, or they may be opportunists who found you through a simple keyword search for "my account was hacked". Either way, relax, remember that you are probably fine, and don't end up getting yourself hacked by secondary scammers through "social engineering".
If you are the one receiving a duplicate friend request...
Yes, it does happen that a friend forgets their password, inadvertently locks themselves out of their account, and fixes the situation by creating a new account and sending you a new friend request. There might even be a post on the new account saying that's what happened.
But even so,
always double-check your current friends list for the original account, and check that profile for a warning from them. Better yet, send a direct message to their original profile asking about the situation.
If there is nothing there, then watch the new profile carefully for a few weeks. If it starts pumping out posts that seem inconsistent with the original profile, or suddenly starts sending you suspicious or scammy direct messages with unusual requests, be very careful in your interactions with it. Do some due-diligence research and then make a carefully considered decision. Of course this kind of thing always comes down to a case-by-case judgement call, but in most of these cases the best thing is to quietly unfollow, unfriend, and then block that profile. And if you are certain it's a fake impostor account, report it by clicking the three dots and choosing "Report" from the pop-up menu.
Sometimes a friend truly does get locked out of their account and then needs your help getting back in or paying some medical bills, but now, more often than not, it's just some impostor trying to scam you...
and both are very unfortunate.
Stay safe and remember that the online safety of one friend is the online safety of us all--
PS: on a related note, especially if you have a business account or run ads on social media, you may often get direct messages claiming that your account is somehow in violation of copyright, community policies, etc. Those are fake attempts to scare you into handing over your login credentials so they can hack you. Even if you really are in violation of something, that isn't how the platform notifies you. Real policy and copyright notices appear as notifications or dialog boxes built right into the interface itself when you log in to your account, not as direct messages from some other user's profile. If in doubt, ignore the message, log in directly through the app or by typing the site's address yourself, and look for a notice there. Don't reply to those messages at all. If you just leave them in your inbox, you will likely notice that after a few days or weeks their profile names and pictures go blank because their fake accounts were deleted by the platform. So just go ahead and report or delete those messages sooner rather than later...
To everyone on social media,
If you care at all about your online security and your friends'...
Please, please stop clicking on those game-app-posts that promise to show your true personality traits or spirit animal or whatever if you just touch the month-gemstone-leaf etc....
Those are actually apps created by random third-party developers. When you click through and approve one, you are granting that developer permission to read data from your account: depending on what you approve, that can include your photos, posts, likes, friends list, contact info, and other personal details. Look at the permission screen before you tap "Continue": a quiz that tells you your spirit animal has no need for your friends list or your email address, yet that is exactly what most of them ask for. That's the way they work, and it's not a bug. It's a feature and a normal function of the system.
In the good (very) old days, a few of these inventive new "games" were probably legitimately just for fun. But these days (and for a long time now) almost all of these apps exist only to harvest your data. They will pull everything you granted them access to, public or friends-only, because you not only gave them permission to do so, you basically requested it by clicking to have them show you your whatever...
They will then use that huge chunk of profiling data to target you with their ads, in the best case. More often than not they will also sell your data to unscrupulous third parties for inclusion in everyone else's spam marketing lists and phishing target lists. In the worst case, your data ends up in the darker corners of the web and is used to take over your accounts (your birth month, hometown, and pet's name are exactly the kind of "security question" answers these quizzes fish for), or to set up fake accounts that phish your friends or spread disinformation with your name and face...
This all happens quickly and quietly in the background while on the surface they simply confirm that you are indeed a Lion or a Raven. And they will always tell you that you are 10% Bitch and 997.5% Beautiful Badass. Always.
Well, I'm here to tell you straight up that YOU ARE 1,007.5% PURE BEAUTIFUL BADASS.
Now go and prove it to everyone by showing the confidence and self-awareness to not click on those scammy apps.
Stay safe and beautiful and bad, all in the ratio that fits you best--