Fred Got Hacked! The Secrets Of The Facebook “Friend Request” Scam

You know the drill by now. You log in to Facebook and there it is: a Friend request from your good mate, Fred Nurk, who you’ve known for years. Ordinarily, you’d click Confirm without a moment’s hesitation, except… you could have sworn Fred was already your Facebook Friend. What’s going on? Has he been hacked? Have you?

It turns out the answer is no… with exceptions. Most likely, Fred’s account has been cloned.

It’s pretty easy to spot a cloning scam, once you get past the initial urge to click Confirm.  There is plenty of evidence that all is not as it seems, and from that you can glean a pretty good idea of what’s really going on.  Let’s go through the clues.

Will The Real Fred Nurk Please Stand Up

Let’s start by testing our theory that this is not the real thing. Go to the search bar in your Facebook page and type your friend’s name.  Oh look! That’s Fred right there, with his Friends and photos and all the rest.  And it does say that he’s already your Friend, exactly as you thought.  Check out the tiny tick mark next to the Friends button on the right.


So it would appear that whoever the “Fred Nurk” is that sent you a Friend request just now, it’s not your Fred.

Stop and linger a while on the real Fred’s page.  Notice how, under his name, it says “136 friends”?  Also, notice how his Intro is filled in, and he’s made a post recently.  Scroll down and see all his other posts.  You may even recognise some of them.  These are all good signs: they show that this particular Fred Nurk is a real person.

Now let’s compare him with Fake Fred.

How To Spot When A Facebook Account Has Been Cloned

Go back to your home page.  Click on Fake Fred’s name, and examine his page.  Most likely, it will look something like this:

You can immediately see that Fake Fred doesn’t have many Friends. Also, look at the posts: there are none! Or in some cases there are a few, but they’re all very very generic, reposts of a viral video or a holiday greeting, suspiciously international. Nothing you recognise from Real Fred at all.  And the reason for all that?  It’s because the entire profile was probably only created a few hours ago. That’s what we call account cloning, and it happens a lot.

How Do Scammers Profit From Impersonating You?

Right then. Definitely a scam.  But why?

That’s an important question.  Facebook may seem nothing more than a way to remain jealous of your friends’ social lives and have arguments with total strangers.  But for some people, it’s a source of income, either through advertising or scams.  They seek out new Friends so they can appear to be trustworthy.  You saw it yourself, above: the real Fred Nurk seems more trustworthy because he has more Friends, people who trust him to be who he says he is.  The scammers yearn for that sort of respectability, so they try to steal it.  As George Burns said, “The key to success is sincerity. If you can fake that you’ve got it made.”

Once a fake profile is trusted, one of two things happens.  Either it starts pushing advertisements, which will be seen by many more people than if they tried from scratch with strangers, or else it tries other scams.  One popular one is the “stranded in London” scam: a month or two after you accepted that fake Friend request, your friend Fred suddenly messages you to say he’s in London visiting relatives and he’s just been mugged.  It’s the middle of the night there and everything is closed — can you send him some money over the internet to help him out until he can get everything sorted out with his bank?  You’d be a monster to just ignore him, surely!  So off goes a bit of money, enough to help out a friend in need… and the scammers win again.

Meanwhile, Real Fred knows nothing of this — at least until you see him around the shops and ask how he got back home so fast.  Cue a very confused mate wondering if you’ve been hallucinating…

Pretend You’re A Hacker Too: It’s Not Hard To Clone A Facebook Account

How it happens is pretty simple.  Try this: make up a name of someone you don’t know.  Let’s pick Jane Franklin, a good Tasmanian name.  I don’t know her – do you?  No matter.  Search for her in the Facebook search box, and pick one of the search results at random.  There’s a good prospect: a volunteer firefighter, pillar of the community, 735 friends, clearly a real person.  She’ll be our guinea pig for this imaginary demonstration.

What you do is make a new Facebook account and copy everything over from Jane’s account: name, profile picture, description, whatever you can find.  Just click to save an image and load it in, easy as pie.  Make your copy as exact as possible, so as to fool the maximum number of people.  Then — this is the sneaky bit — go to the real Jane’s Friends list and send a Friend request to every one of her Friends, using that Facebook account you just created in her name.  Then just sit back and wait while careless people who didn’t read this article click Confirm, and you have a bunch of new targets to play with.  Now you can do with your “Friends” what you wish.  Isn’t scamming fun!

Did you notice something missing from the above instruction?  That’s right: there’s no mention of any hacks, tricks or exploits that require superior IT skills.  Anyone could do that, given enough free time.  Which is, by the way, the real answer to the question “has Fred (or Jane) been hacked?”  No they haven’t, because a hack is a whole different thing, involving vulnerabilities in a computer system being exploited by clever but nasty people.  This isn’t a vulnerability exactly, because all of the above features — searching, listing Friends, copying images — are completely open and available to anyone.

Time To Solve The Problem: Let’s Tell The Scammer To Get Lost

All right, then.  Not a hack, just an opportunity to be fooled if you’re not paying attention.  So what do we do about it?

First, let’s deal with Fake Fred.  You’ve had that Respond button sitting there.  Let’s click it, and choose Delete Request.

Next, let’s ensure that Fake Fred doesn’t try again.  Click the dotdotdot menu next to his name and choose Block.  Block him and you’ll never hear from him again, just the way you want it.

After that, there’s one more step you can take, optionally.  See, you’re not the only person to have received a fake Friend request from Fake Fred.  Many of the others will be frantically contacting Real Fred to let him know he’s been “hacked”, even though you know he hasn’t, really.  So drop him a line, at his real page, to reassure him.  I suggest something like this:

But What Can I Do To Stop My Account Being Cloned?

As you saw above, this sort of thing isn’t the result of any vulnerability or error in the Facebook website.  There is one thing you can do to make it less likely that you personally will be the next Real Fred who gets copied, and that is to hide your Friends list.  If the scammers can’t see your Friends, they don’t know who to send a Friend request to after they’ve copied your account.  That’s a pretty effective barrier, so it may be worth doing.  To change it, go to the Facebook settings page here (don’t bother following the official Facebook instructions; they’re out of date) and choose an option for “Who can see your friends list?” other than Public.

Beyond that, the only real solution is to be suspicious of strange things, like the Friend request from someone who is already a Friend.  The scammers who do this stuff are aiming at people who are a little too careless, and they’re easily beaten if you keep your eyes open.  A little bit of paranoia is a good quality to have.  Don’t believe everything you see, because it might be another Fake Fred out to fool you.  Good luck!