How to keep fraudsters away from your Facebook account, before they lock you out

Aneth Ng-Lim

Posted at Nov 28 2022 02:40 PM

While multitasking in the middle of a business meeting, Tessie* (not her real name) received a notification via Messenger chat from a Facebook friend connection. It was a harmless “Kumusta ka?” so she responded and said hello. Little did Tessie realize that her reply would trap her in a web of social media fraud that would lead to mental anguish and financial losses for her Facebook contacts.

And yes, it is both a trap and a web because there is no easy way out, no clear beginning and still no ending to this ongoing attack of fraudsters. Let’s retrace what happened to Tessie and hope her lessons learned will arm you and me when hackers come texting.

What happened: Guise of updating contact information

After exchanging hellos, Tessie’s friend asked for her email and phone number, under the guise of wanting to reconnect. So Tessie gave both, not thinking that it was a strange request. And I say strange because normally people who message you do not need to have 2 more ways to contact you. Maybe one more, but not two. 

What you should do: Delay your reply

One thing that’s common with all scams is the urgency from the fraudster. They want you to reply right away, or do something immediately. That’s because they know that people who wait will likely rethink their actions and start to feel that something’s not right. As for Tessie, she hasn’t spoken to this friend in years, so a few more hours would not have hurt.

What happened: Sharing the two things Facebook will ask for during an account reset

It turned out that the “friend” asked for Tessie’s email and mobile number because these are the two pieces of information that Facebook will ask for if a user attempts to change the account password. To verify the request, Facebook will need the email you used to open your account, and your registered phone number.

What you should do: Ask for your “friend’s” number instead

If you get asked for your mobile number and email, I suggest you ask for the person’s number, and say you will text him or her the information. This way, you are able to verify the person through another means of contact, not just via Messenger which he or she started. And when you get the mobile number, call it and see who will pick up. If it’s really your friend, then great, you are reconnected. But if no one answers, or there is a strange person on the other line, cut it off right away. It’s possible your “friend’s” account has been hacked.

What happened: Gave up the Facebook security code

After sharing her phone number and email with her “friend”, Tessie got a message from Facebook with a code. And then the same “friend” messaged asking for the code. At this point, Tessie began to feel uncomfortable, but the same friend said she needed the code to start a group chat. Remember Tessie was multitasking? So she was too busy to really pay attention and decided to give up the code. Unfortunately, by doing that, she also gave the hacker access to her Facebook account, and worse, to all her connections and the opportunity to scam them out of money.

What you should do: Never share your security code with anyone

Remember that security codes are generated for your own use and are never meant to be shared with anyone. If you call your bank and you need a one-time PIN to authorize a transaction or verify your identity, the bank will not ask you for the one-time PIN. Instead they will ask you to key it in. That’s because security codes are meant only for account owners, and usually sent to a verified point of contact, like your registered mobile phone or email.

What happened: Hacker started reaching out to your contacts

Tessie’s frequent contacts were the first to get the message, asking if they have extra cash to spare. The hacker even offered to pay interest on the loan (asked for P10,000), and offered the excuse of having problems with online banking. Those who were willing to help were then given a GCash number for the funds transfer.

What you should do: Alert everyone you know and tell them not to send money

Tessie’s sisters were about to send money but then saw that the GCash account name did not match so they decided to call Tessie. And that’s when she realized her account had been taken over by a fraudster. She began to message all her family and friends, but the hacker moved faster, and was able to scam several in Tessie’s circle.

What to do next: Report the crime and take action

It took Facebook almost 5 days before they deactivated Tessie’s account. In the meantime, the hacker kept trying to scam more money, and this is how Tessie got a name along with the GCash number. When she tried to search for the name on Facebook, she discovered that she is not the first victim, and likely not the last.

The problem is that the “friend” who messaged Tessie also got her account hacked. So it would seem that the fraudster is getting the next victim/s from the last victim. One of Tessie’s friends ended up disclosing her information to the fraudster, and now her account has also been taken over. 

Tessie decided to take action and she first tried to report the account to GCash. Unfortunately, they need a police report to freeze or deactivate an account. To get Facebook to deactivate her account, Tessie had to seek help from the Department of Justice. And to file a case, she went to the National Bureau of Investigation and presented her case and evidence to the Cyber Crime Division.

That’s a lot of time and effort Tessie carved out from her busy schedule, but she says she feels guilty for all the money her contacts lost to the hacker, as well as the accounts now also compromised. But they are all victims here, and if there’s one thing Tessie’s painful lessons should teach us, it is not to be the next one.

* Name withheld by request.

Disclaimer: The views in this blog are those of the blogger and do not necessarily reflect the views of ABS-CBN Corp.