Facebook Spoofing/Cloning - Not As Scary As It Seems

Back to Useful Bulk

“I’ve been hacked! Don’t accept any invitations from me!”

Any user of Facebook has likely encountered this status message, or themselves been the user writing this message to their friends.

As of the time of this writing (December 2021), this particular scam to exploit users of Facebook continues to be popular and probably somewhat effective.

Profile Spoofing

Despite the apparent violation of one’s Facebook account, in most of these cases no actual compromise of the account has occurred. Their passwords have not been guessed (although most users almost certainly have weak and guessable passwords, which is a bad practice and may eventually lead to grief). When I have questioned friends who have been spoofed to determine what actually happened, none appear to have had their accounts’ security breached. Instead, the scammers simply create a new account with exactly the same name and profile photo, and then send Friend Requests to that user’s existing Facebook Friends, taken from a publicly viewable list.

This hoax is referred to as “profile spoofing” or “profile cloning.”

Importantly, these Bad Actors haven’t figured out how to access your private Facebook account information; they don’t have your password. If they did, they’d just be posting from your actual account. Instead, they are taking advantage of your non-private Facebook information to create another user that looks like you, with the intention of taking advantage of your Facebook Friends. By default, Facebook makes the list of Friends of any Facebook user publicly viewable. Their reasoning is practical, if also self-serving: when you’re searching Facebook’s users for an old acquaintance with a common name, seeing their friends’ names helps you identify whether it’s the “John Brown” you actually know, so you don’t have to send Friend Requests to 293 users named John Brown.

How the spoofing is done is simple. One of the things Facebook doesn’t let you hide in your Privacy Settings is your Profile Picture. Even if it’s a tiny “thumbnail” photo, anyone can copy the thumbnail (or the larger image, if you’ve provided one) and download it to their computer. They can then upload that image when they create a new account with your user name (Facebook can’t prevent people from making an account with an existing name, since many people have identical names). So now the spoofers have an account with the same Profile Name and Profile Picture as yours.

Next, the spoofer takes advantage of the default Facebook privacy settings, which make your Friend List viewable by the “Public.” Posing as you, they can send Friend Invites to any or all of the users on your Friend List, and can claim to have been forced to abandon the original account for any reason, sometimes claiming that they were “hacked.” If they have already fooled other Friends of the legitimate user into accepting, that only reinforces the hoax: when an invited Friend looks at the new account’s Friend List to confirm it is the person they know, they see recognizable names of mutual acquaintances.

Why do spoofers do this? What do they get out of it?

Once spoofers convince the Friends of the real user that they are their real-life acquaintance, they can attempt any number of confidence (con) scams, from asking for financial help to simply sending the would-be victims to a web page that infects their computers with a profit-oriented virus or Trojan Horse. If this seems like a lot of effort for a small reward, know that these tasks can be automated and done by computers (“robots” or “bots”), and in some Internet-connected areas of the world, labor rates are low enough to pay humans to do this manually.

What can I do about it?

You can’t hide your Facebook Profile Name or Profile Picture, but you can deprive spoofers of the most important ammunition in this con game by hiding your Friend List from public view. Here’s how (in a desktop web browser):

To recap: Changing the Privacy setting of your Friends List to anything but “Public” will prevent would-be spoofers from using this easy path to attempt scamming your existing Friends.

What Else Can I Do to Keep My Logins Secure? 

Control Your Passwords

Despite the fact that this spoofing exploit does not involve passwords, I highly recommend that you establish a regimen of using difficult-to-guess passwords (several characters; NO real words; mixed case; some numbers; some symbols) and avoid using the same password at more than one site, so that hackers who guess one of your passwords don’t get a free ticket to try every other website with your login (which they do easily with a software robot). If you visit a lot of sites that require passwords, consider using a password manager program or service (e.g., 1Password, Dashlane). Using these tools, you need only remember a single, complicated and secure password; the password manager keeps an encrypted record of all the websites, user IDs and passwords, and can even automatically fill the information in a web browser or app when requested. The more full-featured managers support multiple users on a cloud-synced account, so the whole family can access and update stored passwords, or any secure data such as account numbers, from any of their devices.

Multi-Factor Authentication

If any of your online sites are savvy enough to offer “multi-factor authentication” (MFA; also called “2-factor authentication” [2FA] or “2-step authentication”), I highly recommend that you avail yourself of this helpful tool against unwanted access to your accounts. MFA requires a user logging in for the first time from a location or device to respond to a “challenge” via some other communication path which you alone control. This can be as simple as a text message to a cell phone, or an email to a different account.

As an alternative to receiving a code via text message or email, mobile authenticator apps such as Authy or Google Authenticator (both free) use a sophisticated strategy to generate a Time-based One-Time Password (TOTP) for services that support it (Google, PayPal, Dropbox, Facebook and AOL are among the accounts I have which support MFA with a mobile authenticator app; I use Authy). When anyone attempts to log in (with a valid ID and password) to a service supporting TOTP MFA for the first time from a device, they are challenged for a (usually 6-8 digit) number generated by an app that you configured at some time in the past. You only need to do this when you’re logging in from a new mobile device or computer, and it takes only seconds to launch the app and read the short PIN. The PIN changes after a short time (typically 30 seconds) to limit the risk of it being seen or overheard, and you will not have to use MFA under typical daily use. A bad guy who has obtained or guessed your password still can’t access your account without this additional token, which you alone control. It may be a bit involved to configure, but once you’ve used the procedure a few times it’s quick and easy, and it provides a significant level of confidence that you alone can access your accounts.


©2021 Ellsworth Chou