This is a Public Service Announcement.
There is a significant difference between being hacked and being spoofed on Facebook. (Spoofing is also called cloning.) I often see people in a fear spiral when they don’t need to be, and after explaining the difference numerous times it finally occurred to me I could just do a blog post and then share the URL in the future. The spoofers get less of everybody’s time and attention.*
When you’ve taken care of your situation, you also might want to have a look at my how-to and why-to on using Facebook’s new tool to isolate some of your Off-Facebook privacy.
But First, False Warnings via Spam Messenger Text
Are you here because you got this or a similar private Messenger text from a friend?
Resume your daily life, you haven’t been spoofed. The text is pure spam and why anyone would send that message to their entire friends list is beyond me. Maybe ask the person who sent that to you if they really got a fake friend request from you or not. Maybe consider blocking that person from sending you private messages. Unless it’s your Nana. Never block your Nana.
Meanwhile, please take away this tip: If a message you get includes instructions and pleading for you to forward it to all your friends, IT’S SPAM. Friends only send spam to friends if they enjoy a nice breakfast hash with toast.
When Spoofing Has Actually Happened
It begins with the nagging suspicion that something is off – a friend request from someone you’re pretty darned sure you’re already friends with. When that happens here’s what I do:
- I use Facebook search to find my friend’s profile and look at the URL for it. Then I compare it to the URL for the friend request. I see that they’re different. On a mobile device the URLs aren’t obvious, but I can see the new (fake) profile has no recent activity that makes sense for the friend I already know.
- When I look at my real friend’s profile page, I usually already see posts from another friend saying, “YOU’VE BEEN HACKED! CHANGE YOUR PASSWORD!”
- And then usually there is a flurry of postings by the real person about all the mess and time spent on the infuriating, scary steps they are taking to secure their account.
- There is sometimes a friend winding them up into a fear spiral, and the person who is spoofed changes all their email passwords, their bank logins, etc.
None of which is necessary and none of which takes care of the fake profile.
Not that changing passwords from time to time is a bad thing. But in the case of Spoofing Internet Chicanery, it’s not necessary. But it would be responsible of you to deal with the fake for the sake of your friends.
How to tell the difference? Here you go.
When You’ve Been Hacked on Facebook and/or Messenger
Hacking on Facebook means someone has your password. Danger Danger Will Robinson! They are inside your account, and they can do anything with your account that you can do.
It’s possible they will reset your password so you can’t get into your Facebook or Messenger accounts.
Another tactic by bots is to log into your account, send the same spam message to ALL of your contacts, delete that message from your side of those conversations and then log out. Now all your friends have a virus-infected video or log-in phishing attempt that comes from an account they trust. Meanwhile, you have no record of it.
Another common behavior of a hacked account is that your account will suddenly begin tagging friends and posting pictures of spam advertisements. (One of the more common ones is sunglasses ads.) I see this most often with accounts that haven’t been used for years. (And then I block this abandoned account.)
If any of these things happen, of course your friends will be alarmed, but they may not be able to use Facebook to reach you if you’ve been locked out by a password change. If you’re fortunate a friend will message or email you another way, or you’ll notice the activity yourself right away.
THIS IS A SECURITY EMERGENCY, especially if you’ve used that password on other accounts or you have set up any kind of payment system with Facebook, or used Facebook’s authentication to log into other accounts.
Go to Facebook’s Hacked Accounts Help, immediately. Follow the directions. Change your passwords everywhere, especially email, banking and credit card accounts. Keep an eye on your credit card transactions posted by your bank. And I am so sorry you’re going through this!
[Hackers can hide the fact that they have hacked you from you, so this is not meant to be an exhaustive response to detecting hacking in your account. These are just the highlights of common hacking behavior.]
When You’ve Been Spoofed on Facebook
Spoofing on Facebook means someone is pretending to be you with another account. I see it happen probably once a week. It’s annoying but fairly harmless in terms of your Internet security. There are no posts you didn’t make on your own profile page, no messages you didn’t write yourself to your friends.
It’s a danger to those people on your friend list, however, especially if any of them are inexperienced in the Ways of Web Wickedness, like your Nana who is on Facebook just to see pictures of the grandkids. So you should deal with it in a timely way, but there’s no need to panic or napalm your existing password arrangements. In fact, changing your password does nothing to a spoofed account.
Spoofers Don’t Have Your Password!
They’ve opened a new account, duplicated the photos on your page and put them on the new one, and they’ve copied your descriptions. It takes literally just a few minutes to do. A visitor might believe that profile was the real you. It’s really disconcerting to see, but there’s no reason to panic, change your passwords or waste a lot of time worrying about it.
Their intent is to fool some of your friends (like your Nana, as mentioned above) into accepting a friend request, and then they will try to convince the friend to send money. All it takes is one success to make it worth their while doing this to hundreds of people. On Facebook’s Hacked Accounts Help page you’ll even see there’s a FAQ for “Someone is pretending to be my friend and is asking me for money.”
If Someone is Spoofing You
Steps to Take if You’ve Been Spoofed
- Change your profile picture to something very different and caption the photo, “Hey friends, I’m changing my profile picture for now because someone is pretending to be me.” Facebook gives new profile pictures huge exposure and a wide swath of your friends will see it.
- Also post a status update that says “There’s another profile on Facebook pretending to be me. Don’t send them money. Please block them. I’ve reported it to Facebook.” (You’ll still get posts from friends warning you that you’ve been hacked but now you know the difference, right?)
- Go to the thief’s profile and click the three-dot menu button and select “Report this profile.” Follow the instructions. When the person being spoofed reports it, the thief’s profile is taken down much more quickly.
- Tangent: Sometimes the thief takes the time to block the person they’re spoofing, making it harder for you to report their fake profile. Ask a friend for the URL of the fake to use in your report. And ask friends to make a report for you. It will take a little longer for Facebook to act.
Steps to Take if a Friend has Been Spoofed
If you’re reading this because a friend is being spoofed, do this:
- Post on your friend’s wall/timeline and tag them in the post. “Hey so-and-so, you’ve been spoofed, you should report it.”
- Include the URL of the faker profile so your friend can go right to it.
- Give them the URL for this blog if you think they might need it for reassurance. ( https://kallmaker.com/difference-hacking-spoofing-on-facebook/ )
- Do a report of your own. It’ll just take longer for Facebook to act on it. (Every once in a while, instead of allowing a report, Facebook tells you to message the friend instead. I have no idea why. Since you already did that you don’t need to do it again.)
- Return to the fake profile and delete the friend request. If offered the opportunity, mark it as spam. (Neither of my mobile devices offers this, but my desktop does.) Then using the three-dot menu again, block the profile permanently.
It will likely take a few hours to a day for the fake profile to disappear.
Don’t Fear or Rage Spiral over Spoofing, Just Move On
That’s it. It’s annoying and disconcerting, but don’t give these asshats more of your time or energy than the situation warrants. Have a cup of tea. Read a book. As you were.
Discourage Future Spoofing
If you want to make your Facebook account less desirable to spoofers, consider making your Friends List private. Mine always has been and to my knowledge I’ve never been spoofed. Nor has it being private had any impact on the number of friend requests I get or my seeing the “people you may know” feature box. Thanks commenter Terry (@HelloMrWilson) for this safety reminder.
* This advice may apply to other social media platforms, but I haven’t gone through it with them. Also, this is only my advice. Your own judgment is best.
If you’re concerned about how apps you use and Facebook share specific data about you and what you watch, read, and buy on the web, please check out my blog on Facebook’s new Off-Facebook Activity tool.
If you found this blog about Facebook Spoofing helpful, you also might find my blog about Infomercials and Credit Card Fraud helpful as well.
I also recommend this extremely thorough guide to protecting your privacy across many popular apps at VPNMentor.com.