Fred Got Hacked! The Secrets Of The Facebook “Friend Request” Scam

You know the drill by now. You log in to Facebook and there it is: a Friend request from your good mate, Fred Nurk, who you’ve known for years. Ordinarily, you’d click Confirm without a moment’s hesitation, except… you could have sworn Fred was already your Facebook Friend. What’s going on? Has he been hacked? Have you?

It turns out the answer is no… with exceptions. Most likely, Fred’s account has been cloned.

It’s pretty easy to spot a cloning scam, once you get past the initial urge to click Confirm.  There is plenty of evidence that all is not as it seems, and from that you can glean a pretty good idea of what’s really going on.  Let’s go through the clues.

Will The Real Fred Nurk Please Stand Up

Let’s start by testing our theory that this is not the real thing. Go to the search bar in your Facebook page and type your friend’s name.  Oh look! That’s Fred right there, with his Friends and photos and all the rest.  And it does say that he’s already your Friend, exactly as you thought.  Check out the tiny tick mark next to the Friends button on the right.

So it would appear that whoever the “Fred Nurk” is that sent you a Friend request just now, it’s not your Fred.

Stop and linger a while on the real Fred’s page.  Notice how, under his name, it says “136 friends”?  Also, notice how his Intro is filled in, and he’s made a post recently.  Scroll down and see all his other posts.  You may even recognise some of them.  These are all good signs: they show that this particular Fred Nurk is a real person.

Now let’s compare him with Fake Fred.

How To Spot When A Facebook Account Has Been Cloned

Go back to your home page.  Click on Fake Fred’s name, and examine his page.  Most likely, it will look something like this:

You can immediately see that Fake Fred doesn’t have many Friends. Also, look at the posts: there are none! Or in some cases there are a few, but they’re all very very generic, reposts of a viral video or a holiday greeting, suspiciously international. Nothing you recognise from Real Fred at all.  And the reason for all that?  It’s because the entire profile was probably only created a few hours ago. That’s what we call account cloning, and it happens a lot.
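
The clues above can also be written down as a checklist in code. This Python example is added here and is not part of the original article or anything Facebook provides; the Profile fields, the account IDs and the one-quarter threshold are assumptions made for the illustration.

```python
import unicodedata
from dataclasses import dataclass

@dataclass
class Profile:
    account_id: str   # constructed IDs for the example, not real Facebook identifiers
    name: str
    friend_count: int
    post_count: int

def normalise(name):
    """Fold case, accents and spacing so 'Fred  NURK' matches 'Fred Nurk'."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_accents.casefold().split())

def clone_clues(request, my_friends, ratio=0.25):
    """Return the clues from the article that apply to an incoming request.

    ratio is an assumed threshold: the request looks thin if it has fewer
    than a quarter of the Friends the matching real profile has.
    """
    clues = []
    for friend in my_friends:
        if friend.account_id == request.account_id:
            continue  # same account, so not a copy
        if normalise(friend.name) != normalise(request.name):
            continue
        clues.append(f"already Friends with {friend.name} ({friend.account_id})")
        if request.friend_count < friend.friend_count * ratio:
            clues.append(f"{request.friend_count} Friends vs {friend.friend_count} on the real profile")
        if request.post_count == 0 and friend.post_count > 0:
            clues.append("no posts, while the real profile has a history")
    return clues

def verdict(request, my_friends):
    clues = clone_clues(request, my_friends)
    if not clues:
        return "no match with an existing Friend"
    return "likely clone" if len(clues) > 1 else "duplicate name, check the profile by hand"

# Constructed sample data: the Friends list and the request are made up.
MY_FRIENDS = [Profile("acct-1001", "Fred Nurk", 136, 212),
              Profile("acct-1002", "Jane Franklin", 735, 90)]
FAKE_FRED = Profile("acct-9999", "Fred  NURK", 4, 0)

if __name__ == "__main__":
    print(verdict(FAKE_FRED, MY_FRIENDS))
    for clue in clone_clues(FAKE_FRED, MY_FRIENDS):
        print(" -", clue)
```

A namesake with a full profile of their own only trips the first clue, which is why the verdict asks for a look by hand rather than calling it a clone.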

How Do Scammers Profit From Impersonating You?

Right then. Definitely a scam.  But why?

That’s an important question.  Facebook may seem nothing more than a way to remain jealous of your friends’ social lives and have arguments with total strangers.  But for some people, it’s a source of income, either through advertising or scams.  They seek out new Friends so they can appear to be trustworthy.  You saw it yourself, above: the real Fred Nurk seems more trustworthy because he has more Friends, people who trust him to be who he says he is.  The scammers yearn for that sort of respectability, so they try to steal it.  As George Burns said, “The key to success is sincerity. If you can fake that you’ve got it made.”

Once a fake profile is trusted, one of two things happens.  Either it starts pushing advertisements, which will be seen by many more people than if they tried from scratch with strangers, or else it tries other scams.  One popular one is the “stranded in London” scam: a month or two after you accepted that fake Friend request, your friend Fred suddenly messages you to say he’s in London visiting relatives and he’s just been mugged.  It’s the middle of the night there and everything is closed — can you send him some money over the internet to help him out until he can get everything sorted out with his bank?  You’d be a monster to just ignore him, surely!  So off goes a bit of money, enough to help out a friend in need… and the scammers win again.

Meanwhile, Real Fred knows nothing of this — at least until you see him around the shops and ask how he got back home so fast.  Cue a very confused mate wondering if you’ve been hallucinating…

Pretend You’re A Hacker Too: It’s Not Hard To Clone A Facebook Account

How it happens is pretty simple.  Try this: make up a name of someone you don’t know.  Let’s pick Jane Franklin, a good Tasmanian name.  I don’t know her – do you?  No matter.  Search for her in the Facebook search box, and pick one of the search results at random.  There’s a good prospect: a volunteer firefighter, pillar of the community, 735 friends, clearly a real person.  She’ll be our guinea pig for this imaginary demonstration.

What you do is make a new Facebook account and copy everything over from Jane’s account: name, profile picture, description, whatever you can find.  Just click to save an image and load it in, easy as pie.  Make your copy as exact as possible, so as to fool the maximum number of people.  Then — this is the sneaky bit — go to the real Jane’s Friends list and send a Friend request to every one of her Friends, using that Facebook account you just created in her name.  Then just sit back and wait while careless people who didn’t read this article click Confirm, and you have a bunch of new targets to play with.  Now you can do with your “Friends” what you wish.  Isn’t scamming fun!

Did you notice something missing from the above instruction?  That’s right: there’s no mention of any hacks, tricks or exploits that require superior IT skills.  Anyone could do that, given enough free time.  Which is, by the way, the real answer to the question “has Fred (or Jane) been hacked?”  No they haven’t, because a hack is a whole different thing, involving vulnerabilities in a computer system being exploited by clever but nasty people.  This isn’t a vulnerability exactly, because all of the above features — searching, listing Friends, copying images — are completely open and available to anyone.

Time To Solve The Problem: Let’s Tell The Scammer To Get Lost

All right, then.  Not a hack, just an opportunity to be fooled if you’re not paying attention.  So what do we do about it?

First, let’s deal with Fake Fred.  You’ve had that Respond button sitting there.  Let’s click it, and choose Delete Request.

Next, let’s ensure that Fake Fred doesn’t try again.  Click the dotdotdot menu next to his name and choose Block.  Block him and you’ll never hear from him again, just the way you want it.

After that, there’s one more step you can take, optionally.  See, you’re not the only person to have received a fake Friend request from Fake Fred.  Many of the others will be frantically contacting Real Fred to let him know he’s been “hacked”, even though you know he hasn’t, really.  So drop him a line, at his real page, to reassure him.  I suggest something like this:

But What Can I Do To Stop My Account Being Cloned?

As you saw above, this sort of thing isn’t the result of any vulnerability or error in the Facebook website.  There is one thing you can do to make it less likely that you personally will be the next Real Fred who gets copied, and that is to hide your Friends list.  If the scammers can’t see your Friends, they don’t know who to send a Friend request to after they’ve copied your account.  That’s a pretty effective barrier, so it may be worth doing.  To change it, go to the Facebook settings page here (don’t bother following the official Facebook instructions; they’re out of date) and choose an option for “Who can see your friends list?” other than Public.

Beyond that, the only real solution is to be suspicious of strange things, like the Friend request from someone who is already a Friend.  The scammers who do this stuff are aiming at people who are a little too careless, and they’re easily beaten if you keep your eyes open.  A little bit of paranoia is a good quality to have.  Don’t believe everything you see, because it might be another Fake Fred out to fool you.  Good luck!

Say Goodbye To Your Old Computer, Safely!

Domino was waiting to see if his Christmas presents contained a new mouse.

Christmas has been and gone, and most of us are now in possession of a fridge full of leftovers and perhaps a spare room full of interstate relatives.  If you’re one of the lucky ones who also gained a new computer this season, you might be wondering what you can do about the old computer it replaces.

You could just stick it in a cupboard, but do you need more clutter?  On the other hand, chucking a whole computer in the bin seems wasteful, and can be pricey if you don’t have a local free e-waste disposal service.  Passing it on to someone else, whether to a younger relative or a buyer on Gumtree or Facebook Marketplace, feels like the responsible choice.

Be Good For Goodness Sake: Keep Cybersecurity In Mind

It would take the shine off any new computer to have to use it to chase up a data breach or a stolen bank account. Santa Claus himself might sound like an invasion of privacy, watching you day and night, but we outsource so much of our daily lives to our computers that we may not be aware of how many opportunities we’re providing to hackers when we give away or sell an insecure device.

Don’t Say Goodbye Too Soon: Make Sure Everything Is Backed Up

Any computer grows to contain a large portion of your life, for the time you used it.  Photos, documents, music and email are all worth keeping, but are you sure you have it all when it’s time to upgrade?  Photos, documents and music are pretty easy – just copy them onto a memory stick or a backup disk drive and install them safely on your new machine.  But what about emails?

There are two possibilities: either your mail is stored on a corporate server somewhere on the internet, or it’s all downloaded to your computer.  In the latter case, which is becoming rarer but can still happen, you must absolutely ensure you’ve got everything in your backups: all the folders, all the attachments, and all the contacts.  How to do this depends on so many details it could be a whole article by itself, but as long as you remember to ask someone in the know, you’ll be fine.  Forgetting to ask could make for disappointment the next time you really urgently need to look up that important email from months or years ago.

Remember Your Passwords – Even The Ones You Forgot

One extra piece of data stored on most computers is the password vault from your web browser.  What’s that, you say?  There are passwords in my computer?  Then why do I write them down in a little book and keep it safe in my drawer?

Writing passwords down is definitely a good idea, as long as they really are safe – a hacker can read a computer from far away, but a notebook is pretty much perfectly secure.  Old school is best, when it comes to security!  But if you didn’t take special steps to prevent it, your computer can still remember passwords in a more hackable way without you realising.  Don’t worry!  It’s possible to get at these passwords, copy down the ones you might have missed into that notebook, and then erase them so they don’t come back to trouble you.

The exact steps to get at your password vault depend on what software you use to reach the internet (another whole article!), but again, if you have an expert around, a reminder is all it will take for them to find the right settings and cross off one more worry.

Say Goodbye So You Can Say Hello: Unlink Your Accounts

Many applications – thinking here of Microsoft 365, formerly known as Microsoft Office, but there are others – have a limit to the number of computers they can be installed on.  When you’re ceasing to use a computer entirely, then, it’s important to tell them you would like to move your licences over to the next machine.  In the case of Microsoft 365, this requires logging in to your Microsoft Account, which is a good thing to learn how to do before you give up on the old computer, because you’ll absolutely need it to set up the new one.  Remember, licences are transferrable, but they do require a bit of hoop-jumping to get right.  One more to add to the TODO list!

Don’t Leave A Trace: Give Your Computer Amnesia

With everything definitely backed up and safely restored to your new computer, it’s time for scorched earth.  Your old computer still contains all the personal documents, passwords and even financial data that you copied off.  Do you want some stranger getting hold of that?  No!  So it’s necessary to get rid of it all.

There is an assortment of ways to delete things one at a time, but they all require far too much effort.  Computers have a much easier method, which also happens to be much more reliable: the factory reset.

You can find the full instructions for a factory reset in your computer’s help menu, and you’ll find an interesting option: “military grade” erasure.  Remember that computer disk drives store all your data in ones and zeroes in magnetic or electronic form, and when you delete a file you’re not always deleting every trace of every one and zero.  A supposedly deleted file can often be recovered, either through simple free software or else with the assistance of a professional forensics business.  Military grade erasure is for people who really, truly, absolutely do not want their data recovered: it overwrites every piece of data dozens or hundreds of times with random numbers, so that not even the thousands-of-dollars-an-hour forensics labs can get it back.  That’s overkill for your old wedding photos, perhaps, but may just be ideal if you stored important financial data on that machine.

Whether you choose the super-duper erase option or not, a factory reset will restore a Windows or Apple computer to as-new condition, with no trace of your old data, settings and passwords left behind.  And as a bonus, it prepares your computer for its new owner, allowing them to have the fun of setting everything up from scratch much as you just did with your new Christmas present.

Playing Santa: Pass It On With Peace Of Mind

Once you have all your files safely copied over and erased, you really can say goodbye.  Second-hand computers are like second-hand cars: they might not look as flash as the bright shiny new toy, but someone can get plenty of good value out of pre-loved hardware.  With the peace of mind of knowing you’ve lost nothing and given away no secrets, you get to play Santa yourself and make someone else happy.  Sounds like just the thing for the season!

 

Facebook – When It All Goes Wrong

‘Tis the season to have problems with Facebook, it seems.

A couple of days ago, a friend ran into trouble because she’d lost admin access to her business’s FB page. She was selling the business, including the page, but the new owners never received their login emails, and she had no way to get back in and resend because she’d revoked her own privileges. I solved this, after some fiddling, by discovering that the “owner” of the page was not her personal FB account but a business account under the same name, hidden in an obscure place. Once I got that reconnected, everything was sorted and she was able to transfer ownership. Win!

Then today I heard from a new client who had a very similar problem. She had Two Factor Authentication (2FA) on her business FB page, using her phone to authenticate, but her phone had suffered a mishap of the sort that no mere bowl of rice could undo. This time, the clue was in the message her computer was giving: “Facebook will ask for identification when accessed on a new device or browser”. Turns out she was still logged in to her old FB account, with all the business access, in a different web browser. I got in and reset the 2FA, and now she has everything she needs.

What does this tell us? Two things.

First, Facebook makes this sort of thing incredibly complicated, which is a serious problem given how much we all rely on it:

  • Multiple accounts of different types, attached to different menus that all look 90% identical.
  • “Security” that mainly exists to reassure you that you’re safe, without ever providing anything that anyone could call real safety.
  • And “help” that quite simply doesn’t exist: big companies like Facebook, Google, Apple and Microsoft save money by just not employing support staff.

This is all pretty bad.

But second, all of the above can be dealt with if you don’t give up. It may take some serious detective work, and it definitely helps to have all your computers and other devices in one spot in case we have to rummage around for that one bit of information that will answer all our questions. But it can be done!

My advice, which probably sounds a bit self-serving but I think I can justify it: if you have trouble, give Huon Computer Solutions a call. Fixing this sort of nonsense is What I Do. Maybe I can fix it for you too.

Using PayID to send and receive payments

Nobody likes cheques, right?  Irritating to write out, dreadful to deal with, and there’s got to be a better way.  But credit card facilities are expensive, and nowadays nobody carries cash for fear it will be covered in evil germs.  So what to do?  How do you send and receive money without the delays of cheques and the fiddly inconvenience of cash?

Enter PayID.  It’s a way to send money from your bank account to someone else’s, or to receive it from someone else’s bank account to yours.  It’s simple to set up, simple to use and very fast in operation.  A typical transfer using PayID only takes a couple of minutes to go through, which is better than direct deposit payments while also being much simpler.

To use it to send money, you need a bank account, obviously, and also the ability to access your bank account on your phone, tablet or computer.  So, your banking app, in other words.  Here are the instructions for the five main Australian banks:

To receive money is even easier, once you get yourself set up.  To do that you can call or visit your bank and let them do it for you, or follow these instructions yourself:

It’s pretty simple. Give it a go. Anything’s got to be better than cheques, right?

Do I Have A Virus?

There’s an old rule called Betteridge’s Law of Headlines.  It says “Any headline that ends in a question mark can be answered by the word no.” So, for example, if the headline is “Can chocolate cure cancer?” you can save the trouble of reading the article.  So if you want to save yourself time right now, you can answer the question “Do I Have A Virus?” with “No”, and voila! Free time!  If, however, you would like a little more detail, read on…
